TEQSA’s Risk Assessment Framework
TEQSA’s risk assessments of registered higher education providers are a key component of TEQSA’s risk-based approach to assuring higher education standards. TEQSA’s Risk Assessment Framework outlines the key steps and components of the risk assessment process, and provides detailed supporting information on the risk indicators used.
What will be covered under the current risk assessment cycle?
For the current risk assessment cycle, we will:
- include risk assessment for student, staff and audited financial data, two years prior to the current risk assessment cycle year
- continue to share provisional risk assessment reports with providers. Providers will have an opportunity to comment on the provisional report before a final risk assessment report is completed.
Risk ratings explained
The standard ‘low’, ‘moderate’ or ‘high’ risk ratings are applied to each indicator. There may be instances where a rating is ‘suspended’ or a No Confidence in Data (NCID) rating is applied. For example, a rating may be suspended if a provider is new and does not have enough data to form a view on an indicator, while NCID may be applied if the data is missing, or the data received from the Department of Education is inconsistent.
What can I expect if my Overall Risk Rating is rated high?
For providers that receive a ‘high’ Overall Risk to Students or Overall Risk to Financial Position, we ask that you carefully review the risk indicators associated with the risks identified and consider whether you have appropriate controls or treatment plans in place.
We expect providers would have already identified risks to their education operations, as required by Higher Education Standards Framework (Threshold Standards) 2021 (6.2.1e) and would have plans in place to mitigate these risks. We may contact you to discuss your risk assessment and seek information on actions your governing body has taken and further steps in response to the identified risks.
Which providers will be in scope for the current Risk Assessment cycle?
Providers registered on or after 1 January of the year, two years prior to the current risk assessment cycle year, are not in scope for the current risk assessment cycle– noting that 3 years of financial data is required to assess financial sustainability and at least 2 years of student is required for student indicators.
Will my risk assessment be made public?
Risk assessments relating to individual providers are not publicly released by TEQSA or shared with other providers. Where risk assessment information is released, it is released in aggregate to avoid identifying a single provider.
Will the risk thresholds be published?
The risk thresholds used to inform ratings are not published. Risk thresholds are considered in the context of other information and are not the sole determinant of risk ratings. Professional judgement is used regarding the specificities of each indicator, in determining the levels which may represent potential risk.
It is important to note that the sector benchmarks which appear in the risk assessment are not the risk thresholds and are not framed around the thresholds. They are median values of each indicator by provider category.
Do I need to respond to the provisional risk assessment report?
You do not need to provide a response to your provisional risk assessment report. However, if you have evidence that may inform our assessment of your risk rating, you should provide that information within three weeks of receiving the provisional report.
Responses received after the due date for a response will not be considered in the current cycle and will be considered in the next risk cycle.
What should I do if the data in the risk assessment is incorrect?
TEQSA uses data providers have submitted to the Department of Education and validated as accurate.
Providers are required to ensure they submit correct data and validate that data well before the submission due date set by TCSI. Changes will not be made to the data submitted and verified by providers through TCSI.
Data updated on TCSI after the submission due date or changes in data conveyed through a provider’s response to a provisional risk report may not be considered in the assessment for the current cycle unless there are exceptional circumstances. Failing to appropriately verify your data prior to submission will not be considered exceptional circumstances.
How does TEQSA use risk assessments?
Risk assessments are one tool used to assist TEQSA gather a fuller understanding of the risks to compliance that may be posed by providers. This information is considered with other intelligence to inform the approach and intensity of our regulatory assessments.
What data is used to conduct the risk assessment?
The risk assessment is based on staff, student and audited financial data from two years prior to the current risk assessment cycle year. This is the most current data we can access on a sector-wide scale via existing reporting mechanisms.
TEQSA works closely with the Department of Education to access data for providers that already report data to existing collections. These collections include:
- HELP IT System (HITS) – financial data for higher education providers
- Department of Education – financial data for Table A and B providers
- Tertiary Collection of Student Information (TCSI) – staff and student data
- QILT system for Graduate Outcome Survey (GOS) and TEQSA GOS template for providers for whom data is not collected through QILT.
In addition, TEQSA considers a provider’s regulatory history when applying ratings. For example, information provided through material change notifications, regulatory decisions such as shortened periods of registration, and compliance concerns known to providers.
How do I submit data for the Provider Information Request (PIR)?
From 2022, TEQSA required providers to report against the revised PIR collection using the new Tertiary Collection of Student Information (TCSI) (pronounced as 'taxi'). For information about TCSI, including TCSI FAQs, a range of support materials and information about webinars, please visit TCSI Support.
We strongly encourage providers to prioritise the onboarding process, so that they can submit, check and validate the required data within the deadline.
How is S2-attrition rate calculated?
As per TCSI’s calculation, attrition rate in year (x) = (R1 - R2 – R3 – R4) *100/ R1.
Where:
R1=commencing students – students who have enrolled in a course at a higher education provider with a commencement date in year (x)
R2=returning students – commencing students who have an enrolment record in year (x + 1) and have no completion record in year (x)
R3=completing students in year (x) – commencing students who have a completion record in year (x)
R4=completing students in year (x + 1) – commencing students who have a completion record in year (x + 1) and no enrolment record in year (x + 1)
For details about the calculation of attrition rate please refer to TCSI website.
Are any courses excluded while calculating the risk rating for S2-Attrition Rate?
Yes, the data for Element E310 - Course of study type with values of 30 (Enabling course) and 50 (Non-award course (including Bridging for overseas trained professionals)) are excluded while calculating the risk rating for S2-Attrition Rate.
In the calculation of S3-Progression rate, 'R3 = Actual student load (EFTSL) for units of study that are withdrawn in the last academic year or 12-month period'. Does calculation include students that have withdrawn before the census date?
Based on the Department of Education definition, the percentage of actual student load (EFTSL) for units of study that are passed to all units of study completed in the last academic year or 12 month period includes, passed, failed and withdrawn.
Why does the Risk Assessment report for S3-Progression Rate indicator show no data and suspended rating even after data has been submitted?
Any units of study undertaken as ‘Work Experience’ in Industry are excluded from the calculation of S3 Progression Rate. Check if the Element E337 Work experience in industry code is populated with a value of 1 or 2 for all units of study.
While calculating the S4-Graduate Satisfaction risk rating, are negative responses also considered?
TEQSA considers only the number of positive responses to the questionnaire (i.e. the number of responses above a neutral response. Could be “moderately agree, agree, somewhat agree, strongly agree.”)
Are non-award courses included in the Broad Field of Education (BFOE) while calculating the risk rating for S5-Senior Academic Leaders?
We exclude ‘Non-Award Course’ while considering the BFOE count, however we include ‘Mixed Field Programmes’ in our calculations. For more information about the non-award courses please refer to TCSI website.
What academic levels are included under the Senior Academic Leaders for non-university providers?
In addition to Level D and E, TEQSA includes data reported to the Tertiary Collection of Student Information (TCSI) against Level C for assessing the Senior Academic Leaders (SAL) risk rating.
TEQSA has included this information in its assessment because:
- providers who were subject to the Education Services (Post Secondary Education) Award 2020 (the Award), used to report some of their senior academic staff to TCSI under code 160
- in 2021, TCSI removed code 160, and required providers to report senior academic leaders against Level C, D and E
- in the absence of information about which non-university providers are subject to the Award, TEQSA assesses all non-university providers to include staff reported against Level C as senior academic leaders. This allows for having a common formula for calculating the SAL risk ratings and does not disadvantage any provider.
Why is there a difference in the EFTSL values used in the calculation of S1-Student Load and S6-Student Staff Ratio? Are students enrolled in research units, VET, and short courses, etc., considered in the calculation of S6-Student Staff Ratio?
Student to staff ratio is calculated by considering the ratio of total onshore coursework student load (EFTSL) to total onshore teaching only (TO) and teaching and research (T&R) staff full-time equivalent (FTE) employed by the provider, including casuals. Students enrolled in research units, VET, and short courses, etc., are not considered in the calculation of S6-Student to Staff ratio, whereas they are included in the total EFTSL count under S1-Student Load.
Please also refer to TCSI site for further information.
Are any staff excluded while calculating the risk rating for S7-Casualisation?
Yes, non-academic staff are excluded.
To filter out non-academic staff, the data for Element E509 - Current duties classification group code with a value of 11 (Non-academic classification level group) is excluded from the calculations.
Non-academic staff are excluded because S7- Casualisation only captures the percentage of academic FTE employed on a basis other than full time or fractional full time to total academic FTE employed by a provider.
I follow the calendar year, when should I submit the finance data?
A condition of registration is that registered higher education providers must provide an audited annual financial statement in the approved form, within 6 months after the end of the annual reporting period (Section 27 of the Tertiary Education Quality and Standards Agency Act 2011 (TEQSA Act)). This reporting is also a requirement under Subdivision 19-B, section 19-10 of the Higher Education Support Act 2003.
Providers following the calendar year, i.e. with a financial year ending 31 December, should submit the finance data by 30 June of the following year.
Providers following the financial year, i.e. with the financial year ending 30 June, should submit the finance data by 31 December of that year.
For example, for 2025 Risk Assessment cycle:
- if following calendar year, i.e. January- December 2024, data should be submitted by 30 June 2025
- if following financial year, i.e. July 2023-June 2024, should have already submitted the data by 31 December 2024.
Do I need to submit financial performance data as well as the audited financial statements?
Yes, both financial performance data and audited financial statements should be submitted by the due date.
All providers are required to report their financial performance data and audited financial statements (pdf) on an annual basis to the Department of Education. Except for universities, all providers report data through the Department’s HELP IT System (HITS). For all HITS related enquiries, please email FEE-HELP@education.gov.au.
See the Department’s HELP Resources for Providers page for more information about HITS, including a user guide.
For universities, audited financial statements should be submitted to the Department of Education at ppfinance@education.gov.au, along with a completed Annual Financial Return spreadsheet provided by the Department of Education.
If you are a new provider, then please register in HITS. Instructions on how to register are available on pages 41-43 of the HITS User Guide. From this page, you will be prompted to input the sector (HE, VET or dual) and other relevant information. If you have any specific questions about HITS, please email FEE-HELP@education.gov.au.
What will happen if the financial performance data and audited finance data are submitted after the due date?
Finance data should also be submitted by the due date. Failure to submit financial information within required timeframes is a breach of a condition of registration for which TEQSA may apply sanctions.
Such sanctions may include TEQSA issuing an infringement notice, shortening the period of registration or cancelling registration (sections 98, 100-101, 113 and 118 of the TEQSA Act). In addition, TEQSA may assign a ‘high’ risk rating to the provider in the annual risk assessment cycle.
Are provider risk ratings for risk indicators decided by comparing them with sector benchmarks?
Provider risk ratings for indicators are not decided by comparing them with the sector benchmarks. The risk assessment framework enables a consistent, structured, and systematic approach to assessing risk across all providers. This is achieved by using a standard format and set of risk indicators across areas of institutional practice and outcomes that are central to all providers.
Why are there inconsistencies in the percentage scales across different indicators within the Risk Assessment reports?
The Risk Assessment reports involve a variety of data related to staff, student and finance across multiple providers. This makes it difficult to have one standard approach for the percentage scales. Furthermore, the axes on different pages of the report are adjusted to accurately reflect the varying ranges and distributions of data for each provider, ensuring clarity and precision.
The current approach:
- highlights key insights specific to each risk indicator dataset
- avoids misinterpretation from a uniform scale
- maintains meaningful relative comparisons within each chart.
Additionally, customized axes help capture outliers effectively, enhancing the visual appeal and readability, and makes the presentation more engaging and easier to follow.
Which casual staff data is used by TEQSA for calculating risk ratings – estimates or actual?
TEQSA uses casual staff data from the Casual Staff Actuals packet.
TEQSA does not use data from the Casual Staff Estimates packet to calculate risk ratings.
Which staff data packets are used by TEQSA for its Risk Assessment?
Using the example of Risk Assessment Cycle RA2024 (Data Year 2023), staff data from the 2023 Full-Time Staff packet and the 2023 Casual Staff Actuals packet (collected the following year) will be used by TEQSA for its Risk Assessment.
Providers submit the Casual Staff Actual data using the Element E514 - Actual full-time equivalence prior year. However, TEQSA gets the value for the Staff Actual Casual from the Department of Education’s internal dataset Element E506 - Work contract code filtered for a value of 4 - Casual work contract - actual data reported in year after the collection year.
For any further queries on staff data reporting, please contact the TCSI Support Team at TCSIsupport@education.gov.au.
What is the process to verify provider data in the TCSI system?
The screenshot below taken from the Provider Data Verification User Guide on the TCSI website provides an overview of the verification process.
For further information, please contact the TCSI Support Team at TCSIsupport@education.gov.au.
I have changed my LIVE data in the TCSI system after collection sign-off, why does the updated LIVE data not reflect in my Risk Assessment reports?
The above figure provides an overview of the different types of reports in TCSI. Unless unique circumstances arise, TEQSA only uses the Verified Report Data for its Annual Risk Assessment. Therefore, any change made to the LIVE data is not automatically reflected in TEQSA’s Risk Assessment reports.
Therefore, it is important for providers to ensure the data they submit to the TCSI system is accurate before verifying and signing off on it.
What are the deadlines for submitting the data for Risk Assessment?
The Annual Information Collection page on the TEQSA website provides all the details and submission deadlines for Risk Assessment.
Risk assessment cycle