Your board is responsible for ensuring risks are well managed in your entity.
As a board director, you must work with your colleagues to identify and manage risks.
You also have a duty to notify your minister and portfolio department secretary of:
There are a range of laws, policies and regulations that set out requirements about risk. These may apply across the Victorian public sector or be specific to your sector or entity.
Familiarise yourself with these requirements and ensure you keep up to date with changes that could impact your role or entity.
Your board must:
Also check if your entity has any specific responsibilities to manage risk, for example in the laws that established your entity.
As a board director, you bring your own perspectives and experience to the role. This helps the board decide what risks to accept including:
Your board will need to consider how changing circumstances, people and resources will impact your entity into the future.
Document these uncertainties and how you intend to manage them if they occur.
Your CEO must ensure your entity has effective risk management systems.
They also need to manage and respond to any risks in a timely manner using your entity’s risk management policy.
Your board and CEO must ensure your entity has a positive risk culture.
A positive risk culture is one where all employees manage risk as part of their day-to-day work.
Even if you have a good risk framework in place, it will be ineffective if employees don’t follow it.
For more advice, read creating an organisational culture that takes a positive attitude to risk.
Be aware of your entity’s current and emerging risks. Changes to government policy, funding arrangements and technology could all impact your entity.
Be curious and ask questions. Scan your environment for issues that could affect your entity.
Your board may want to categorise risks to make them more visible.
Here are some examples of common risk categories in the Victorian public sector.
If we fail accreditation, our reputation will suffer and we may not be able to secure grants or attract people to work at our entity.
If we don’t have a robust succession plan for key roles, we won’t be able to deliver critical business functions.
If we don’t target communication of new public policy to the right people, the community will not benefit from the new policy.
If we lose money on a poor investment decision, we won’t have sufficient funds to support new initiatives.
If a third party fails to pay our invoices, we incur costs in seeking recovery and may have to write off the outstanding amount.
If workplace injuries occur because we haven’t trained people in using specific equipment, we lose employee trust and our WorkSafe premiums increase.
If a dangerous chemical spill impacts a nearby wetland, we would incur significant remediation costs and need to rebuild confidence with key stakeholders and the community.
If there is a major cyber breach, we may be unable to deliver services and our revenue will decrease.
If there is a major breakdown in services, we may lose the confidence of the public and government.
If our building is not maintained to a satisfactory level, this will negatively impact our health and safety and reputation.
If a board director fails to identify, declare and manage a conflict of interest, we could make inappropriate decisions and lose credibility.
If an employee steals money, we’ll have to redirect resources to investigate and take legal action. This may mean we’re unable to deliver services.
Think about risk from short, medium and long-term perspectives.
Take climate change as an example.
Your duty of care, skill and diligence now includes managing emerging risks linked to climate change.
Read more about managing climate risk.
Also consider:
Your entity needs to tailor how it identifies, manages and reports on risk based on its work, size, complexity and risk profile.
The Victorian Government Risk Management Framework (VGRMF) sets the minimum requirements to manage risk for entities defined as a public body or department under the Financial Management Act 1994.
Each year, your board must ensure that your entity complies with the VGRMF’s 2 sets of mandatory requirements:
Find these requirements in the Victorian Government Risk Management Framework - August 2020 (PDF, 421KB).
Even if your board doesn’t need to comply, the VGRMF is a useful tool that sets out good practices on how to manage risk.
As set out in the VGRMF, key elements of your board’s risk framework need to include:
Link all these elements to your entity’s purpose and strategic objectives.
Get more advice at: