Your board is responsible for ensuring risks are well managed in your entity.
As a board director, you must work with your colleagues to identify and manage risks.
You also have a duty to notify your minister and portfolio department secretary of:
- known major risks to your entity
- what measures you have in place to address those risks.
There are a range of laws, policies and regulations that set out requirements about risk. These may apply across the Victorian public sector or be specific to your sector or entity.
Familiarise yourself with these requirements and ensure you keep up to date with changes that could impact your role or entity.
What your board must do
Your board must:
- approve and review your entity’s risk management framework and policy regularly
- integrate risk management into your entity’s strategic and business planning and its organisational culture
- maintain, review and update a risk register of current and emerging risks
- monitor how effective your entity’s risk reporting systems are
- establish a system of reporting and oversight that includes your entity's audit and risk committee and internal audit plan.
Also check whether your entity has any specific risk management responsibilities, for example in the laws that established your entity.
What to consider as a director
As a board director, you bring your own perspectives and experience to the role. This helps the board decide which risks to accept, including:
- what actions you take to create value for your entity
- what actions you need to take to protect your entity.
Your board will need to consider how changing circumstances, people and resources will impact your entity into the future.
Document these uncertainties and how you intend to manage them if they occur.
Role of your CEO
Your CEO must ensure your entity has effective risk management systems.
They also need to manage and respond to any risks in a timely manner using your entity’s risk management policy.
Build a positive risk culture
Your board and CEO must ensure your entity has a positive risk culture.
A positive risk culture is one where all employees manage risk as part of their day-to-day work.
Even if you have a good risk framework in place, it will be ineffective if employees don’t follow it.
For more advice, read creating an organisational culture that takes a positive attitude to risk.
Be aware of your entity’s current and emerging risks. Changes to government policy, funding arrangements and technology could all impact your entity.
Be curious and ask questions. Scan your environment for issues that could affect your entity.
Your board may want to categorise risks to make them more visible.
Here are some examples of common risk categories in the Victorian public sector.
Legal and compliance
If we fail accreditation, our reputation will suffer and we may not be able to secure grants or attract people to work at our entity.
People and culture
If we don’t have a robust succession plan for key roles, we won’t be able to deliver critical business functions.
If we don’t target communication of new public policy to the right people, the community will not benefit from the new policy.
If we lose money on a poor investment decision, we won’t have sufficient funds to support new initiatives.
If a third party fails to pay our invoices, we incur costs in seeking recovery and may have to write off the outstanding amount.
Occupational health and safety
If workplace injuries occur because we haven’t trained people in using specific equipment, we lose employee trust and our WorkSafe premiums increase.
If a dangerous chemical spill impacts a nearby wetland, we would incur significant remediation costs and need to rebuild confidence with key stakeholders and the community.
If there is a major cyber breach, we may be unable to deliver services and our revenue will decrease.
If there is a major breakdown in services, we may lose the confidence of the public and government.
If our building is not maintained to a satisfactory level, this will negatively impact our health and safety and reputation.
If a board director fails to identify, declare and manage a conflict of interest, we could make inappropriate decisions and lose credibility.
If an employee steals money, we’ll have to redirect resources to investigate and take legal action. This may mean we’re unable to deliver services.
Think about risk from short, medium and long-term perspectives.
Take climate change as an example.
Your duty of care, skill and diligence now includes managing emerging risks linked to climate change.
- Is there uncertainty about our ability to respond to more bushfires, floods and heatwaves?
- What decisions do we need to make today to reduce the impact of harm or to respond more quickly if we need to?
- How certain are we that our occupational health and safety policies consider future changes in temperature?
- Is there uncertainty about how we determine new site locations?
- Are we considering other climate change-related factors such as rising sea levels?
Read more about managing climate risk.
- the rate at which risks may arise, quickly or over time
- the relationships between risks and any further uncertainty these may create
- if your entity is managing a risk well or if you need to do more.
Frameworks for managing risk
Your entity needs to tailor how it identifies, manages and reports on risk based on its work, size, complexity and risk profile.
The Victorian Government’s Risk Management Framework
The Victorian Government Risk Management Framework (VGRMF) sets the minimum requirements to manage risk for entities defined as a public body or department under the Financial Management Act 1994.
Each year, your board must ensure that your entity complies with the VGRMF’s 2 sets of mandatory requirements:
- Risk management requirements
- Insurance requirements.
Find these requirements in the Victorian Government Risk Management Framework - August 2020 (PDF, 421KB).
Even if your board doesn’t need to comply, the VGRMF is a useful tool that sets out good practices on how to manage risk.
As set out in the VGRMF, key elements of your board’s risk framework need to include:
- A statement of risk appetite that sets out the nature and level of risk your entity will accept to achieve its objectives.
- A risk management policy that describes your entity’s risk profile and approach to managing risk.
- A risk management process to identify, analyse, evaluate, treat, monitor and review risks.
- A risk register to record risks and provide information to manage them.
Link all these elements to your entity’s purpose and strategic objectives.
Get more advice at: