Strategic and operational risk management
Risk Framework Quality Review
The risk framework quality review (RFQR) process, developed by VMIA during 2006, aimed to provide an insight into the robustness of client risk management frameworks. It was delivered to 208 clients across Victoria.
The 2006 RFQR has enabled the State, through the VMIA, to have a greater understanding of the key risks across the sector and the nature of the risk management frameworks in place to manage those risks. As a result, we have established a greater appreciation of the maturity of client risk management frameworks and have identified tools, information, education and support services that VMIA can provide to clients.
The RFQR is based upon AS/NZS 4360 - Risk Management Standard and involves the following steps:
- Completion of a self assessment survey
- Submission of supporting risk management documentation
- Interviews with key staff (including Departmental secretaries/CEOs, audit/risk committee chairpersons, risk managers and line staff)
- A review process completed by the VMIA
- Provision of an individual client report
- Submission by VMIA of a consolidated report to the Minister for Finance
The knowledge gained through the process has enabled VMIA to build a greater understanding of the role of risk management within government and individual clients, and a more effective VMIA client risk management service. The full report on the 2006 RFQR is available below:
Download
Primary Findings
In addition to client-specific risk framework findings, the VMIA asked clients to identify what they considered to be the top five risks facing the Victorian Public Sector (VPS). It is important to note that the risks listed are the subjective view of RFQR participants and are not based on any quantitative analysis of risk data.
Across the Victorian Government sector, the top five key risk categories identified were:
- Service delivery, with key underlying concerns around business continuity management and major events planning.
- People availability, specifically related to succession planning and workforce management.
- Planning and resource allocation in relation to project risk management.
- Physical asset risks including ageing infrastructure and the complexity of resource management.
- Stakeholder impact issues related to the potential pressures arising from failures in business continuity plans, the results of major service disruptions and event planning issues.
Client perception of risk was influenced by the size and priorities of the organisation. Overall there was a high degree of uniformity in risk identification, with the concern over the ability to attract and retain the right skills in the future as a key theme.
Key areas for improvement across the State
In addition to identifying what clients felt were the key risks, the RFQR also identified common areas for improvement in risk management frameworks. Areas for risk framework improvement included:
Risk management reporting
Improving risk reporting to Management and the Board to ensure a high level of visibility was a common issue. Ensuring that strong processes exist to identify, escalate and monitor risks will significantly enhance the organisation's ability to implement effective treatment plans and avoid potential consequences.
Development of Key Risk Indicators
One of the more important aspects of risk management is the development of KRIs. These are predictive indicators regarding changes to the risk profile of a business. They can be used to predict areas of increasing risk or "hot spots", to identify control weaknesses, or to improve behaviour and operational efficiency. VMIA will be working with clients to improve their use of KRIs.
Business continuity management
There was evidence from the RFQR that the business continuity management systems of a number of organisations require improvement. Business continuity management is seen as a priority area for action, and one the VMIA has taken steps to assist selected clients with, as discussed later in this article.
Aligning Internal Audit & Risk Management Assurance
It was identified that whilst Internal Audit groups provided support to the risk function and in some cases acted as the risk consultant to the organisation, it was evident that the link between strategic and operational risk through to the risk register and risk assurance process was negligible. There was a need to provide support to clients through tools and training, including the use of Control Self Assessment (CSA) techniques and linking risk and audit methods.
Risk Registers
Another general area of weakness was the form and function of risk registers. Whilst registers may have a number of common elements, there were very few exemplar risk registers identified. Common weaknesses included poor risk definitions, lack of depth in risk registers, failure to identify controls or control effectiveness, not allocating risk to accountable individuals, no follow-up activity, etc. VMIA will be working with clients to overcome some of these shortfalls.
Understanding and commitment to risk management at all levels of the organisation
A critical factor in building strong risk management frameworks is the support of the Executive and Board. For success, a strong governance structure needs to underpin the risk management framework.
Implementing risk management within project methodology
Project risk management is a critical element within a robust risk management framework. It helps ensure that the objectives of the project are achieved and that the reputation and aims of the organisation are supported.