Expectations of Clients
Compliance Reporting Requirements
The Victorian Managed Insurance Authority Act and the Financial Management Act (both as amended) together require that each Department and Participating Body (Public Body) maintain:
- A register of assets
- A risk management strategy
The VMIA Act also requires that a report be provided as to the implementation of the risk management strategy. Under the legislation VMIA is required to report to the Minister and to the agency concerned on the adequacy of the above documents.
The purpose of this information sheet is to confirm the respective obligations of the VMIA and its clients and to communicate the processes for compliance.
With regard to the requirements in respect of the Register of Assets, it is known that information is already developed by most agencies for the purpose of consolidated reporting, and investigations are currently underway to determine the adequacy of that information for the VMIA's purposes. Further advice will be provided in this regard in due course.
It is intended that compliance with regard to the development of a risk management strategy and the consequential report will be tested against the guidelines established within the Australian/New Zealand Risk Management Standard (AS/NZS4360: 1999). In an attempt to simplify the process, the VMIA has developed and makes available to its clients a program entitled Risk Management Performance Assessment Tool (RIMPAT) which, when completed and supported by indicated documentation, will represent compliance with the requirements of the Act.
The level of risk management documentation to be submitted to the VMIA will vary according to such things as the size of the organisation, the development stages of the risk management program and the risk profile of the organisation. The constant factor will be for the documentation to support the self-assessment scoring of the RIMPAT survey. So, for example, a large organisation with an advanced risk management program would submit copies of the following to the VMIA:
- the risk management policy and context document
- a sample risk register
- a sample risk treatment plan
- excerpts from Board reports or similar outlining the activities and performance of the risk management function
- examples of risk management material circulated throughout the organisation
A similar organisation with a less advanced or informal program may need only to submit copies of such things as the following:
- risk management policy documents for fire and security, liability risks etc.
- sample copies of incident database reports
- examples of risk management activity not captured in the responses to the RIMPAT survey
There will be some organisations where the completion of RIMPAT and the submission of documentation will be redundant because the size of the organisation and its low risk profile do not warrant it. VMIA will identify and notify those organisations accordingly, together with what will be required in terms of compliance.
Further information on "compliance" may be obtained from your VMIA Client Relationship Manager.