Appendix A

Risk Ratings Matrix

A Risk Ratings Matrix is a table which matches specific Likelihood ratings and
Consequence ratings to a Risk Rating of low, medium, high or very high.

Likelihood

Consequence 1 2 3 4 5
Rare Unlikely Possible Likely Almost
Certain
5 Extreme Medium High High Very High Very High
4 Major Medium Medium High Very High Very High
3 Moderate Low Medium Medium High High
2 Minor Low Low Medium Medium High
1 Insignificant Low Low Low Low Medium

Likelihood Ratings Guide

The following table is a general guide to assess the chance of a risk event happening. It is
desirable to adhere to the common meaning of these descriptors however it may on
occasion be necessary to align the descriptors to the probabilities used by specific areas of
the University or which are appropriate for a different timeframe.

Rating Likelihood Indicative frequency of General definition

occurrence
1 Rare Less than 5% chance of occurring /
once every 5 – 10 years
2 Unlikely 5% and 30% chance of occurring /
once every 3 – 5 years
3 Possible 30% to 50% chance of occurring /
once every 2 – 3 years
4 Likely 51% to 90% chance of occurring /
once every 1 – 2 years
5 Almost Greater than 90% chance of
Certain occurring / known to occur every
year
The event will only
occur in exceptional
The event is not likely to
occur in the planning
The event may occur
within the planning
The event is likely to
occur within the planning
The event will occur
within the planning
period

Example: The event of a systemic academic misconduct by a large cohort of students has
happened once every 2 – 3 years at the University, hence, a “Possible” event. These would
attract some media coverage and scrutiny from regulators which can be of “Major”
consequence. Therefore, the inherent risk rating of this event is “Very High”.
 Risk Consequence Matrix

Risk Consequence Definition and Guidance

Risk Categories
5 Extreme 4 Major 3 Moderate 2 Minor 1 Insignificant
General  Core business objectives of  A number of key business  Some important business  Little impact on  Impact to University
Definition the University can no objectives can no longer objectives can no longer be achieving University wide objectives can
longer be achieved for an be achieved in the achieved in the short term objectives. Some be addressed by
extended period of time. medium term (18 – 36 (12 – 18 months) and additional effort or existing business
months). requires reprioritisation of resources required to activities.
resources. stay on track.

Academic Quality  Suspension or loss of TEQSA  Loss of accreditation or  Breaches which attract  Isolated failures and  Isolated non-
accreditation to operate or significant qualifications interest from regulators to breaches in academic compliance of
provide educational imposed by regulators for show cause or University put quality or conduct with academic quality
services arising from multiple courses or a on notice. limited external impact processes or conduct
systemic academic single flagship course.  Loss or unsuccessful or interest from which only affect a
governance failures and  Major breaches of professional accreditation of regulators. specific cohort of
mismanagement. academic policies or courses including ability to  Breaches of academic students, subject or
accreditation offer Workplace Learning quality and standards course.
requirements across (WPL). with only localised  Events which do not
multiple  Loss of key academic impact to a particular concern stakeholders
faculties/disciplines. partnerships due to a major faculty or discipline and such as regulators,
 Deterioration in academic quality breach. can be rectified within professional
quality and reputation  Multiple failures and 12 months. accreditation bodies
which will take 18 – 36 breaches of academic or students.
months to restore. quality or conduct with
 Significant increase in considerable external
student attrition rate and impact and reputational
decline in student impact.
enrolments.

Research  Significant decline (greater  Decline in research  Loss of research income or  Minimal impact on  Non-compliances
Performance than50%) in University performance / output performance which can be University’s research which do not affect
research performance or (between 30% - 50%) due recovered in the next 12 – funding and the University’s
output due to loss of key to loss of key research 18 months resulting in a performance and will integrity and
research centres, clusters centres, clusters or minimal decline in research not affect research managed through day
or research talent. research talent. ranking. rankings. to day compliance
 Severe damage to  Loss of major research  Research misconduct which  Breach of compliance management
University’s research funding contracts. will not impact the obligations, which can processes.
reputation impacting  Inquiry or investigation reputation and integrity of be rectified without  Loss of insignificant
ability to secure future with adverse impact on the University but is subject active regulator or research funding or
research funding and University’s reputation by to scrutiny by funding funding agency not in line with
engage with industry. regulators and/or funding agencies. intervention. research strategy.
 Suspension of multiple / agencies on major
large research programs by research projects.
regulators or funding
agencies.

Community  Severe tension and loss of  Loss of University  Isolated negative publicity  Media exposure and  Little to no impact on
Engagement & confidence between the presence and importance from the media which public awareness, but of community or brand.
Brand University and the in the community, seeing requires swift response from no lasting concern to
community, requiring a reduction in regional the University. stakeholders,
Reputation
government or regulator participation rates.  Events that affect only one government or the
intervention.  Students and/or of the campuses or section general public.
 Long lasting reputational community outrage on the of the University.
impact to the University University for a prolonged  Events that are likely to
domestically and period affecting attract interest from specific
internationally from reputation. lobbying groups or activists.
adverse publicity in the  Adverse media exposure
media. of short term duration
which may spark interests
from regulators and
government.

Risk Categories
5 Extreme
Financial &  Financial loss or exposure  Financial loss or exposure  Financial loss or exposure
Commercial in excess of $50m or
impacts which requires
greater than 3 years to
restore to current financial  University current
position.
 University current liabilities
exceed cash, short and
medium term investments.
 Complex commercial
activities, arrangements
and partnerships with
commitments exceeding
$50m per year and/or has
significant reputational
impact domestically and
internationally.
Risk Consequence Definition and Guidance
4 Major 3 Moderate 2 Minor 1 Insignificant
 Financial loss or  Financial loss or
between $20m - $50m or between $2m - $20m or exposure between exposure is
impacts which requires 2- impacts which requires 1-2 $500K - $2m or impacts insignificant and can
3 years to recover. years to recover. which can be recovered be absorbed through
 University current liabilities within 1 year. current year budget.
liabilities exceed cash and exceeds cash.  Commercial activities,
short term investments.  Commercial activities, arrangements and
 Commercial activities, arrangements and partnerships with
arrangements and partnerships with commitments up to
partnerships with commitments between $10m per year
commitments between $10m - 20m per year contained within a
$20m - $50m per year contained within a specific specific area of the
and/or has significant area of the University. University.
reputational impact
domestically.

Service Delivery  Unavailability of critical  Unavailability of critical
& Infrastructure business systems / business systems /
infrastructure or loss of infrastructure or loss of
data integrity affecting data affecting multiple
whole of University University operations for a
operations for a longer longer than tolerable
than tolerable period (e.g. 2 period (e.g. 2 days – 1
days – 1 week) and/or at a week) and/or at a critical  Events where reallocation of
critical time of the time of the University
University calendar. calendar.
 Events which require  Events which require
immediate replacement of replacement of staff and
staff and resources resources within 4-12
impacting ability to deliver weeks where temporary
University wide critical reallocation of resources is
and/or core services. not sustainable without
impacting delivery of
University wide core
services.
 Unavailability of business
systems / infrastructure or
loss of data in isolated
University operations for a
longer than tolerable period
not critical in the University
calendar.
resources and temporary
arrangements would not be
sustainable in the short term
(e.g. 3-12 months) without
impacting delivery of
services.
 Disruptions to business  Disruptions to business
systems and systems and
infrastructure which are infrastructure will not
not critical and tolerable affect the delivery of
for 6 months to 1 year services and can be
until resolved. dealt with comfortably
 Events where through reallocation
reallocation of resources of resources.
and temporary
arrangements would not
be sustainable for more
than 12 months.

Health, Safety  Events / incidents that may  Events / incidents which  Incidents / accidents which  Incidents / accidents  Incidents that are not
and cause a fatality and / or may cause serious injuries may cause non-life which may cause minor likely to result in injury
Environment serious physical and and require critical threatening injuries and injuries and first aid or that may result in a
psychological injuries. medical treatment. require medical attention. medical attention. minor injury that is
 Long term / irreversible  Medium term  Short term environmental  Minimal environmental not likely to require
high grade environmental environmental degradation in isolated degradation. first aid attention.
degradation. degradation which may areas.  Negligible
significantly impact the environmental impact.
University’s reputation.

Culture, Legal &  Significant breach of key
Compliance legislation and/or
regulations with
widespread impact to the
University and may result in
loss of license to operate,
sanctions against
University, criminal
prosecution and/or heavy
fines or penalties.
 High profile fraud,
misconduct and/or
maladministration which is
investigated by ICAC and/or
regulators with attention
from the media and public.
 Significant contract
breaches which will attract
costly litigation, potential
 Major breach of key  Isolated fraud or misconduct  Minor and isolated non-  Non-compliance
legislation and/or which is reportable to ICAC compliance or matters which will not
regulations with impacts and investigated internally misconduct matters pose a threat to the
multiple key areas of by the University. which can be through integrity of processes
University operations  Non-compliances which may existing management and reputation of the
which may trigger an result in show cause or processes. University.
external enquiry, notice from regulatory  Not likely to give rise to
investigation or regulatory authorities and may require regulatory
review. reporting or disclosure to consequences (so
 Negative sanction by regulatory authorities with unlikely to result in
regulators result in minimal fines or penalties. prosecution, fines or
potential sanctions against  Contract breaches in key penalties), and litigation
University, criminal university contracts which is unlikely.
prosecution and/or heavy may lead to relationship
fines or penalties. issues and minor damages
 Major or systemic fraud, claims
misconduct and/or
maladministration which is
reportable to ICAC or

Risk Categories
5 Extreme
class actions, leading to
material relationship issues
and major damages claims.
 Major contract breaches
Risk Consequence Definition and Guidance
4 Major 3 Moderate 2 Minor 1 Insignificant
regulators and may attract
some attention from the
media and public.
which may lead to
litigation and/or potential
for material relationship
issues and major damages
claims.