Guidelines for Risk Assessment for Controlled, Associated and Other Related Entities
Introduction
The Council of the University of South Australia is committed to managing the risks of the University.
This includes a requirement that risk assessments of all partially owned entities be completed annually. The approach to risk assessment that is contained in the following guidelines ensures that the University assesses the risks attached to its relationships with all "related" entities, even where no University ownership exists.
These guidelines have been developed to assist responsible officers in making their risk assessment of each relevant entity.
Reporting on Risk Assessment
The University has relationships with a variety of entities ranging from wholly owned and controlled entities through to related entities (as reported in the University's annual financial statements). Various organisational units are responsible for completing a risk assessment of these relationships on an annual basis. A summary of these assessments will be provided to Council in order for them to fulfil their governance duties. This risk assessment process has been based on the University's Guidelines for Managing Business Risk.
Please ensure that reference is made to the University's Guidelines for Managing Business Risk, especially the risk consequence and likelihood tables. These tables show the weighting of risk with regard to consequence and likelihood, and guide the assessor in determining the overall level of risk in each area. It is important that these scales are used, so that the final assessments will be consistent across the University.
A Risk Assessment Template is provided. The template is to be completed for each entity that falls within the scope of these guidelines. Brief guidance is provided in the left hand column of the template, with links to further information on this webpage. Simply read the instructions and refer to the guidance notes provided in the left hand column, and enter your information in the right hand column of the table. Save an electronic copy of the document so that it can be forwarded to the Director: Planning and Assurance Services, and be kept for update in the following year. These documents form evidence by way of supporting working papers for the relevant risk register.
The Risk Assessment Template has been designed as a simple reporting framework, which we hope is self-explanatory and easy to use. Your response is expected to be brief but cover all significant issues. Dot points are acceptable. You may also want to append any significant information sources you have used in your assessment of the entities for which you are responsible. The template also contains requests for information that is required for the preparation of the University's financial statements. It is important that information provided is accurate and up to date.
University Ownership Interest (Section 1 of Template)
Where the entity is a company, list the known shareholders, together with the percentage shareholding. Where the University has a majority shareholding, its ability to influence decision making and have effective control of the entity should be enhanced. Under such circumstances, information flows and directorship roles should be clear and conclusive.
Where the entity is not a company, determine the University ownership interest by whatever means possible. This may be the proportion of initial investment in the entity at the time of its formation.
Historical carrying values may be recorded in the University's consolidated annual financial statements available from the Finance Unit. Generally, this applies only to controlled and associated entities. This information will provide some context in terms of materiality of the University investment in the entity.
Current Involvement in Governance/Management (Section 2 of Template)
Information for these sections may be gleaned from various sources, including company searches on the ASIC website, using one of the information brokers listed.
The degree of board or governing body involvement by University staff may influence the risk assessment. Where involvement is minimal or non-existent, the level of information flow to the University will be limited. The University will not be in a position to monitor or influence decision making at the governance level.
The risk assessment is not limited simply to financial exposure; issues such as whether the entity has an external auditor may influence the overall risk assessment. Governance risk may be an issue if an external auditor is not involved in verifying the accuracy of financial reports.
Nature of Business (Section 3 of Template)
Business activity that is unrelated to University core business may expose the University to reputation and loss of image risk.
The actual location of the entity's operation may provide contextual information about ancillary risks relating to the nature of business activity. Unrelated business activity physically located on campus may be undesirable and carry risk.
Information and Communication (Section 4 of Template)
Information flows relating to audited financial statements, planning and budgets (monitoring the business) are likely to influence the degree of governance and control, and therefore the overall level of risk. The level of information provided to the University will possibly diminish in direct proportion to the level of ownership. The risk assessment should therefore consider the extent of the University ownership or control and balance the need for information flows accordingly.
Financial statements will provide the University with an overview of the financial health of an entity, its asset makeup, income streams and any significant liabilities. Audited financial statements, prepared in accordance with Australian Accounting Standards, will provide the most reliable form of financial information. However, management and other financial reports may provide a sufficient level of information for the purposes of managing risk.
Evidence of planning (including monitoring) will provide a level of assurance that the entity is being governed well and that any significant matters will be brought to the attention of the University promptly. It is important that information in relation to planning is provided to a part of the University that will note and action any significant matters (eg ensure important information flows to Council or its committees).
Budgetary information (including monitoring) will enable some insight into materiality and provide some evidence of sound governance.
Assessment of Risk (Section 5.1 of Template)
This section of the template is structured to enable you to make an assessment of risk in four categories. The assessment will require an analysis of the consequence and likelihood of a risk causing an issue. The consequence and likelihood are expressed in scales (1-5) as detailed in the Guidelines for Managing Business Risk. The combined consequence and likelihood scores will give the residual risk score and subsequent scaling between Low and High+. All High+, High and Moderate residual risk levels require risk management/treatment options to be considered.
In determining the level of risk, consideration will need to be given (and documented on the template) to risk factors and current controls.
Risk Categories
Financial Risk
(NOTE: Interpretation and analysis of financial reports may require the assistance of a qualified accountant. If assistance is required, please contact the Finance Unit.)
The assessment should be made in the context of financial risk to the University and not (necessarily) the financial viability of the entity itself. In the case of controlled entities, financial viability may have more bearing as the University's investment will be higher. With other entities, as the University's investment reduces, the financial status of the entity will have less influence over financial risk. This area of risk considers financially related issues such as:
- the entity type and any limits on liability (such as a limited liability company where the University's potential liability would be limited, at law, to the cost of its shares)
- where the entity is a controlled entity, the following matters will be relevant to financial risk:
- audited financial statements are provided to the University (if they are externally audited, reliance can be placed upon their accuracy)
- income streams to the University and their certainty.
Controls likely to be in place include:
- audited financial statements
- business plans and cash flow analysis
- UniSA board membership
- agreements, etc, which guarantee income streams
- general insurance cover
- fiduciary insurance.
Provision is made in the discussion section of the template to establish a rationale for the overall result of the risk analysis.
Reputation and Political Risk
This area of risk considers matters relating to reputation such as:
- nature of business activity and the link to University business and objectives
- where the activity is physically located (if an activity may be perceived as not aligning well to University objectives, physical location off campus may help mitigate any reputation risk)
- nature and business of controlling entity (where it is not the University) eg a partially owned entity in which the University is involved, but has no control over, may be involved in business activity which is contrary to University objectives or culture
- historical evidence of reputation issues associated with the type of activity; the history need not be restricted to the University, but may have taken place in other universities or the higher education sector.
Controls likely to be in place include:
- business plans
- board representation
- methods of distancing the University (physical location, naming).
Legal Risk
(NOTE: Interpretation of legal risk may require the assistance of a lawyer. If assistance is required, please contact a Legal Officer, Research and Innovation Services.)
This area of risk considers potential litigation through issues such as:
- nature and type of entity, including limits on liability
- potential for 'shadow directorship' and therefore loss of protection on limits of liability (refer to the article, To Whom do Director's Duties Apply? at Find Law Australia for a useful explanation of the issue)
- litigious climate (how often does litigation occur in this industry?)
- involvement in various legal environments (interstate and offshore)
- history of claims (internally and across the sector)
- product warranty arrangements and any exclusions, etc
- clarity and contracting around intellectual property (IP) ownership and licensing arrangements.
Controls likely to be in place include:
- the University distancing itself from significant influence over decision making by entity boards (applies to companies only)
- constitution or other foundation document which clearly defines legal status
- corporate or other legal 'shell'
- legal advice/opinions
- rulings by authority (eg ATO).
Other Risk
This section is provided to allow the assessor to explore matters such as:
- the effect operations and/or failure of the entity would have on University operations such as research
- potential impact on marketing efforts (eg international involvement may influence marketing efforts for prospective students)
- upside potential for growth of associated entity
- growth and the potential for capital expansion through various means such as share issues
- community impact and potential for reputation damage.
Risk Management (Section 5.2 of Template)
For risk areas determined to be High+, High or Moderate, methods of risk treatment or mitigation must be examined.
The treatment section of the template is provided to explain how risks are to be handled. In many cases, the risk will simply be accepted (noted) and monitored, as often the reason the University is involved with the entity is entrepreneurial or for the purposes of commercialisation, development and growth. In such cases, the potential returns provide a trade-off to the level of risk taken. In some instances, however, risk mitigation strategies (control) will need to be strengthened or considered. This especially applies in situations where the governance level is suboptimal. Treatments will normally be limited to matters relating to communication and information. Except in the case of controlled entities, the University will have minimal influence over the decision making and operations of an entity and therefore treatments relating to operational exposures should not normally be listed here. Where the University is informed of an operational risk, it should consider its options, such as an exit strategy or distancing itself from matters surrounding the exposure.
Possible treatment options include:
for Financial Risk
- exit strategies including sale or disposal of (share in) entity
- creation of corporate shell (limiting financial liability)
- increased information flows (audited statements, board minutes, etc)
- insurance.
for Reputation and Political Risk
- distancing strategies, including press releases
- name and location choice
- exit strategies including sale or disposal of (share in) entity.
for Legal Risk
- increased/decreased board or committee involvement (increased/decreased membership and voting rights)
- creation of corporate shell (limiting legal liability)
- insurance
- clear contractual arrangements.
Treatments should be summarised and address the individual risk areas (eg financial).
Systems for monitoring risk (as well as enabling treatments to occur) should be briefly described.
Approval (Section 6 of Template)
The template should be signed by the responsible officer upon completion of the risk assessment. Templates should be forwarded to the Director: Planning and Assurance Services. A copy should be retained by the relevant area as it forms part of ongoing risk management documentation. Another copy should be forwarded to the relevant person who is responsible for updating the applicable risk register (where the person responsible for the entity risk assessment is not responsible for a risk register).
Further Information
Should you require assistance beyond what is available here, or have any problems or comments relating to the template or reporting requirements, please contact the Director: Planning and Assurance Services.
