
Risk Management

As a leading global university, UNSW operates in a dynamic and complex environment that introduces a wide range of risks that may impact UNSW’s ability to achieve its goals or operational objectives. Risk management is crucial to managing these risks.

For UNSW, risk management means taking appropriate action to identify and analyse risks. Risks are inherent in the objectives set by UNSW and can result from changes in the environment in which UNSW operates. As such, risk management is a dynamic process which should be continually updated. The response to risk will be impacted by UNSW’s risk appetite and risk tolerance, which define acceptable deviations from the desired objectives.

All risks within UNSW are managed through the UNSW Enterprise Risk Management Framework (ERM). Follow the link below to find out more on UNSW ERM.

For a complete overview of the Enterprise Risk Model please go to:


Financial Risk Management

UNSW Finance takes the role of ‘enabler’ in the operation of Financial Risk Management and Internal Control across the University. UNSW Finance aids in the establishment and operation of an effective Internal Control system by designing finance processes that manage identified risks while balancing compliance with customisation. Guiding the University in establishing a culture of proactive and risk-based control allows Finance to assist individuals and teams across the University to stay focused on the fundamental University mission of education, research and community engagement as aspired to in B2B. It is the responsibility of all individuals to play their part in the operation of the internal control system. Based on the Enterprise Risk Framework, Finance has adopted the Three Lines of Defence as a method to manage Financial Risk and Internal Control.


Lines of defence model

The University has adopted the three lines of defence model in the management of risk and controls. The three lines of defence are a means of strengthening the University’s control environment by assigning specific roles and responsibilities, as well as clearly defined accountabilities. As the responsibility for the operation of the internal control system is split across multiple areas in the University, it is critical that control activities are coordinated carefully to ensure that risk and control processes operate as intended. The lines of defence make it easier to identify existing gaps in controls and any duplication in activities. The three lines of defence model distinguishes among three groups, or lines, involved in effective risk management.

1st Line of Defence – Risk Owners

This is the first level of the control environment and refers to “front-line” employees who perform day-to-day risk management activities. As part of this line of defence, management are responsible to:

- Establish and implement policies and procedures.

- Ensure that controls are in place for identified risks which may prevent the University from achieving its business


- Establish an understanding of roles and responsibilities with regards to processing transactions and processes followed to apply internal controls to treat the identified risks associated with those transactions.

- Implement early warning indicators and take corrective action where required.

2nd Line of Defence – Risk Control and Compliance

The second line of defence performs an oversight role over business processes as well as risk and controls, and encourages best practice. Those performing activities under this line of defence should be independent of the activities and decision making of the 1st line of defence. These functions set the direction and define policy and procedures, as well as supporting the business frontlines with regard to risk and compliance.

3rd Line of Defence – Risk Assurance

The third line of defence provides assurance on the activities and effectiveness of the 1st and 2nd lines of defence. These activities are normally conducted by the internal and external auditors, who regularly review both the business frontlines and the oversight functions to ensure they are carrying out their tasks to the required level of competency. The governance bodies and senior management receive reports from audit, oversight and the business, and will act on any items of concern; they will also ensure the three lines of defence are operating effectively and according to best practice.


Financial Risk Register

The Senior Leadership team and the Risk and Control Champions identified and discussed the key risks facing each of the separate finance departments. These risks were all documented in the departmental key risk register. The highest risks are summarised in the overall Financial Risk Register. The identification of all key risks provides the Senior Leadership team with a top-down perspective for managing all risks.

All identified risks are assigned to a specific risk category (operational, strategic or external) and linked to a certain time horizon. Furthermore, the control confidence, likelihood and impact are assessed for every risk. Based on this assessment, a risk exposure for UNSW has been identified for each risk.

Financial Risk Register

1. Fraud and Corruption

Your quick ‘What to do’ reference guide for fraud and corruption.

It is UNSW policy for all employees to report any incident they become aware of involving fraud, corrupt conduct, maladministration and serious and substantial waste of public money to their manager or supervisor. Staff who come forward to report incidents of wrongdoing are helping to promote integrity, accountability and good management within the University. This guide can be used as a quick reference when you identify fraud and/or corruption, and it highlights certain higher-risk areas.

The guide is based on the following UNSW policies:

1) ‘Fraud and corruption prevention policy’

2) ‘Procedure for making and Handling Public Interest Disclosures’

3) ‘Staff Complaint Procedure’

What can each of us do?


Fraud or any other misconduct can occur in many different ways. Staff members who work in the following areas or perform these activities should use particular caution. This is not an exhaustive list, and the examples are not mutually exclusive to a particular area.

  • Procurement of goods and services
      • Failure to comply with tender procedure
      • Manipulating a tender process to achieve a desired outcome
      • Unauthorised or improper release of pricing or other tendering information
      • Accepting or conferring gifts and benefits contrary to the University’s Gifts and Benefits procedure
      • Non-compliance with the Conflicts of Interest policy
  • Capital works projects, real estate management and maintenance
      • Accepting bribes and/or kickbacks from suppliers
      • Negligent or deliberate mis-management of contracts which may include non-compliance with contract schedules or rates
      • Incorrect charging for labour and material, misuse of assets or product substitution (substituting a product for one of lesser quality)
  • Purchases and accounts payable
      • Failure to comply with tender procedures
      • Entering into a commercial transaction where there is a conflict of interest
      • Invoice and purchase order splitting to circumvent procedures or delegation levels
      • False documentation in support of invoices
      • Creation and payments made to ghost suppliers
      • Making or using forged or falsified documents or signatures


Bribery & Corruption

Generally, bribery and corruption are off-book frauds that occur in the form of kickbacks, gifts, or gratuities to government employees from contractors or to private business employees from vendors. At its heart, a bribe is a business transaction, albeit an illegal or unethical one. A person ‘buys’ something with the bribes he pays. What he buys is the influence of the recipient.

According to the UNSW ‘Gifts and Benefits’ procedure, UNSW staff members must not accept cash gifts or equivalents in any circumstances. If you are offered a bribe, you must immediately report this to your manager or the University’s contact person.


Example of a kick-back scheme

A manager was authorized to purchase fixed assets for his employer as part of a leasehold improvement. The materials ordered were of a cheaper quality and lower price than what was specified by the employer, but the contract he negotiated did not reflect this. Therefore, the employer paid for high-quality materials, but received low-quality materials. The difference in price between the true cost of the low-quality materials and what the company paid was diverted back to the manager as a kickback.


Detection of bribery schemes

Most bribery schemes are detected through tips from honest and disgruntled co-workers or vendors. The following practices may indicate that single (sole) source vendors are being favoured, or competitive bidding policies are not being followed:

- Orders are consistently made from the same vendor.

- Established bidding policies are not being followed.

- The costs of materials are out of line compared to other vendors.

- The agreed hourly rates paid to contractors are out of line compared to others.


What should you do when you come across possible misconduct and you want to make a report?


A person who wishes to make a report or complaint should follow one of the following procedures:

1. Procedure for making and handling Public Interest Disclosures; or

2. Staff Complaint Procedure.


In many cases reports of misconduct (e.g. corrupt conduct, maladministration, serious and substantial waste of public money) will be covered by the ‘Procedure for making and handling Public Interest Disclosures’. Improper or unacceptable conduct not covered by this procedure may be reported using the ‘Staff Complaints Procedure’.


The ‘Procedure for making and handling Public Interest Disclosures’ can be summarised as follows:

A.  A report can be made in writing and verbally (preferably in writing) and must be made to a public official (e.g. President, Vice Chancellor, Deans or Vice-Presidents).

B.  Based on the report the Disclosures Co-ordinator will determine the appropriate approach and provide directions as to how the report will be handled.

C.  Once a report has been identified as a Public Interest Disclosure the Disclosures Co-ordinator shall set out for the investigating officer, or the manager responsible, the procedure to be used and the matters to be investigated.

D.  Where a staff member makes a report under this Procedure, UNSW is committed to keeping their identity, and the fact that they have made a report, confidential where possible.


The ‘Staff Complaint Procedure’ can be summarized as follows:

A.  Self-resolution: if appropriate, try to resolve the matter directly with the persons concerned.

B.  Making a complaint: Make a complaint to your immediate supervisor. You can specify whether you would like your complaint handled under the informal or formal procedure.

C.  Informal complaint procedure: The informal complaint procedure is handled by the complainant’s supervisor. The supervisor will attempt to resolve the complaint through informal processes, such as discussion and mediation.

D.  Formal complaint procedure: there are two steps under the formal complaint procedure: preliminary inquiry and formal investigation.

          i. A preliminary inquiry will be conducted by the Complainant’s Head of School or Department Head.

          ii. The University may appoint an investigation officer to conduct an investigation and make findings. The investigation officer does not determine outcomes.

E.  Determination of outcomes:

          i. Under the informal complaint procedures, the supervisor is responsible for determining outcomes, through discussion and consultation with the parties.

          ii. Under the formal complaint procedure, the Head of School, Department Head or Deputy Vice-Chancellor (Academic) is responsible for determining outcomes.

F.  Internal Appeal: Lodge an appeal with the Director, Human Resources (or if the complaint is about the Director, with the Deputy Vice-Chancellor (Academic)). The matter will be allocated to an Executive Team member (not involved in the process before this point) to determine.