Departments and agencies are required to provide an attestation, or a written confirmation, as part of their report of operations that they understand, manage and control key risk or exposure.
The Victorian Government Risk Management Framework
The Department of Treasury and Finance released the Victorian Government Risk Management Framework originally in 2007 with an update in 2011. The framework provides for a minimum risk standard across State entities and outlines their roles and responsibilities. Attestation, for example, is required in annual reports.
We recommend that all public sector agencies adopt the framework, however it is compulsory for those agencies that report in the Annual Financial Report for the State of Victoria.
Elements of the Framework
One significant requirement under the framework is the need for accountable officers to ‘attest’ in their organisation’s annual report, that:
- risk management processes consistent with the AS/NZS ISO 31000:2009 Standard are in place
- an internal control system is in place that enables the executive to understand, manage and satisfactorily control risk exposures
- the audit committee/board verify the assurance made and that the risk profile has been critically reviewed within the last 12 months.
The attestation process ensures that organisation-wide risk management culture, processes and structures are embedded across the business, so that risk management is relevant, effective, efficient and sustained.
^ Back to the Top
Frequently asked questions
- Will management need to formally sign off the process?
- What systems and processes will allow/support this?
- What does satisfactory look like? How do you demonstrate a satisfactory effort?
- What evidence will the secretary/chairman need to support the attestation?
- What about the internal auditors? Will, or can they sign off?
- What if we don’t attest? What are the consequences?
- What about a phase in period?
Frequently asked questions about attestation are answered in our Risk Insight publication:
Attestation - What does it mean for your organisation? [PDF, 350 KB]
If you require further information please contact our Risk Management Team on 03 9270 6900 or by email email@example.com.