CARM Risk Management System

CARM, custom built by ACU, adds a new level of automation and sophistication to our existing risk management processes.

CARM captures the management of risks in ACU's Enterprise Risk Registers. Enterprise Risk Registers (Organisational, Strategic and Major) help us identify risks and assess the threat they present. We can then develop strategies to respond to the risks and assign actions to reduce the threat as efficiently and effectively as possible.

Enterprise Risk Registers are not to be confused with WHS risk reporting via Riskware or other function-specific systems.

ACU's Enterprise Risk Registers are prepared by the Senior Executives (Strategic Risk Register) and organisational units such as faculties, directorates etc (Organisational Risk Registers). These registers capture all the key risks faced by different parts of our institution. Risks are identified in CARM, where they are assessed for likelihood and consequence, and actions are assigned for mitigation and control.

The acronym CARM represents the four key processes for managing risks: Capture, Assess, Respond and Monitor. The system guides users through each step of the risk management process, allowing them to construct and manage their Risk Register more effectively.

Key features of the CARM system include:

  • Identifies key risk categories to group risks across ACU effectively.
  • Establishes tolerance limits for each key risk category to define acceptable risk levels.
  • Defines baselines for likelihoods and consequences of risks in each category, ensuring consistent impact assessment.
  • Monitors completion of risk mitigation actions, notifying senior management when risks are not addressed.
  • Utilises dashboards and reports with granular filtering to enable detailed risk analysis.
  • Allows real-time updates, keeping risk registers current and effective for ongoing management.

Who should report a risk and how?

Everyone should report risks. If a risk can be addressed and resolved immediately, staff should act accordingly. Risks that require further attention should be escalated to supervisors or managers.

Risks that are potentially significant or recurring should be registered in the CARM Risk Management System. If you identify a risk that you believe should be recorded in CARM, please escalate it to your manager and CARM team member for assessment.

Note: All WHS incidents and hazards should continue to be reported within the WHS Riskware system. Similarly, all cyber-related risks should be reported via Service Central, or to IT directly. If you receive an email that potentially represents a threat to ACU's system integrity or has been fraudulently sent, report it as soon as possible using the function key on the top right-hand side of the Outlook toolbar.

What risks should be recorded in CARM?

The CARM Risk Management System registers risks that could impact the success of ACU's strategic plan, mission and vision. They may be, for example, once-off but potentially material, or smaller but recurring (therefore presenting an ongoing or larger aggregate threat to ACU's operations or priorities).

ACU has identified ten key categories of risk that should be recorded in CARM:

| No. | Category | Description |
|-----|----------|-------------|
| 1 | Community Wellbeing | Risks that threaten the wellbeing of our community, including students, staff and the environment |
| 2 | Values & Culture | Risks that threaten or impact our Catholic identity, values or ethics |
| 3 | Learning and Teaching | Risks related to the delivery of quality education |
| 4 | Financial | Risks that threaten our financial viability or sustainability |
| 5 | Governance | Risks related to our framework of governance and control |
| 6 | Operational | Risks related to our operating capacity |
| 7 | Innovation, Projects & Transformation | Risks relating to projects |
| 8 | Reputation & Brand | Risks that impact our reputation and brand |
| 9 | Research & Enterprise | Risks relating to research and enterprise activities |
| 10 | Strategic | Risks that cause a material impediment to the achievement of ACU's Strategic Priorities and are identified and monitored by the Senior Executive management team via the Assurance Unit |

Who are the Risk Register Owners?

Each organisational unit maintains its own Risk Register, with the head of the unit serving as the Risk Register Owner. This individual is responsible for managing the risks associated with their unit.

The Risk Register Owner will nominate members who have direct access to CARM to update and manage their unit's Risk Register accordingly.

Page last updated on 17/09/2024
