The Enterprise Risk Unit at UQ exists to support informed risk decision-making across the University, through information, tools and a consistent approach.

The Unit does not manage risk for you, but provides support to management in the identification and management of risk in your area.

Risk is the effect of uncertainty on the achievement of objectives. Read more about risk here.

For queries in relation to Enterprise Risk activities please contact:

Suresh Chand, Senior Project Officer
T: +61 7 33651078


Enterprise Risk Governance Framework

"Risk management requires strong and sustained commitment by management of the organisation, as well as strategic and rigorous planning to achieve commitment at all levels." (Risk management - Principles and guidelines, AS/NZS ISO 31000:2009)

Senate is responsible for our overall risk management strategy and has delegated responsibility for approving our risk appetite and risk management frameworks to the Senate Risk Committee.

The Vice-Chancellor's Risk and Compliance Committee (VC RCC) implements the strategy and frameworks, and develops policies and processes for identifying and managing risk in all of UQ's activities.

By using both a management-level committee and a Senate-level committee, we reinforce that risk is not the responsibility of one unit or one DVC ('risk is everyone's business'), and that responsibility and accountability for risk begins with the organisational units that originate the risk.

UQ has a governance framework for the Senate Risk Committee and the Vice-Chancellor's Risk and Compliance Committee.

Policy, Principles and Process

The Enterprise Risk Management (ERM) policy is located in the Policies and Procedures Library.

Principles of ERM at UQ:

  • create and protect University value by contributing to the achievement of UQ objectives;
  • become an integral part of the way we think, from strategic planning and project management to day-to-day activities;
  • make "risk" part of the decision-making process, making informed choices between activities with different risk profiles;
  • explicitly address “uncertainty”;
  • be systematic, structured, timely;
  • use the best available information, and acknowledge limitations of data;
  • be based on the University’s risk profile, and risk appetite;
  • recognise the impact of human, cultural and environmental factors on objectives;
  • include perspectives of all stakeholders, not just management;
  • be dynamic and responsive to change, taking account of new or emerging risks;
  • continually improve as the University grows.
Risk Assessments and Examples

Strategic Risk

Strategic risks are identified as part of the strategic planning processes. Identifying the uncertainty surrounding the achievement of strategic goals allows processes to be put in place to either capitalise on opportunities or mitigate threats as they arise.

Operational Risk Registers

Operational risks are identified and documented at the time of developing the portfolio and enabling operational plans. Operational risks are those risks inherent in the type of activities conducted day to day. The risk may arise from internal or external sources. Whilst the formal review of risks is conducted annually, operational risks should be reviewed at any time where there is a change in procedures, or new uncertainty is identified.

Formal Risk Registers are completed for Faculties, Institutes, and major central support units. They can be accessed here.

Three Lines of Defence

The University has adopted a "three lines of defence" assurance model as part of its governance, risk and compliance frameworks. The Vice-Chancellor's Risk and Compliance Committee (VC RCC) has oversight of the three lines of defence as follows:

  • UQ's operational management has ownership, responsibility and accountability for identification, assessment, and management of risk and ensuring compliance (First Line of Defence).

  • Enterprise Risk, Occupational Health and Safety, Compliance and other relevant risk-oversight functions are responsible for facilitating, monitoring and supporting effective risk management and compliance practices by operational management (Second Line of Defence).

  • Internal Audit, Investigations and other internal review functions are responsible for providing oversight, review and assurance on the effectiveness of controls and identifying breakdowns and systemic issues in risk and compliance (Third Line of Defence).

The Enterprise Risk Unit offers training on Enterprise Risk Management and Business Continuity Management.

Participants are encouraged to consider attending both courses. The courses complement one another, and each is run as a half-day session on the same day.

Risk Registers

University staff can access the Risk Register here.

You will need to log in with your UQ credentials.