Managing shared risk

You’ll need to manage a shared risk when

you depend on the cooperation of others to achieve your objectives
your efforts to control the risk depends on others or has consequences for them
achieving your objectives produces consequences for others.

The Victorian Government Risk Management Framework (VGRMF)(opens in a new window) requires organisations to identify and manage shared risks in cooperation with other organisations:

“shared risks are identified and managed through communication, collaboration and/ or coordination by the impacted agencies”

The VGRMF focusses on risks shared between organisations in the Victorian public sector. To fulfil the broader remit to create and protect value, an organisation may need to look at partnerships with organisations in other levels of governments and outside the public sector.

Also, many shared risks have state-significant consequences that are covered in the VGRMF.

Grasping the full effects of uncertainty in a highly connected world

Risk is the effect of uncertainty on our objectives.

Often, a risk is specific to an organisation. It’s a risk to your objectives. Most of our work to create and protect value for Victorians will depend on others and have consequences for them too.

As public service organisations, we also need to bear in mind that, although we may be on the staff of one organisation, we’re implementing the policies of the Victorian Government and creating and protecting value for all Victorians equally.

We’re also working in a sophisticated, interconnected economy, which means when you’re thinking about dependencies and impacts, you may need to look more widely than the Victorian public sector.

It may be better to assume that a risk is shared

Moving a patient from one healthcare facility to another carries risks. The more time it takes, the more likely something will go wrong. On top of that, if something does go wrong, health practitioners have fewer resources to deal with it.
All healthcare facilities share an objective, the patient’s safety, which means they must collaborate on shared risks. To manage the risk, healthcare facilities involved in a transfer need to play their part in a single transfer process, which they all understand and are committed to. It needs to be followed consistently and standardised across the sector. Any interdependencies, such as communication of information about the patient, need to be mapped out, understood by all participants, and resourced so that anything critical to the patient’s safety is transferred with the patient.
Healthcare organisations share an objective and their efforts to control the risks depend on others and have consequences for them. It’s a classic case of a shared risk.
Family violence is a complex problem produced by complex causes. To implement the recommendations of the Royal Commission into Family Violence(opens in a new window), eight major government departments must collaborate on controlling the risks to their objectives and managing the consequences of their work.
This case study

VMIA - Interagency Case Study FVR
PDF 364.43 KB

(opens in a new window)

details some of the strategies used to manage this shared risk.

Collaborating on the management of shared risk

1. Start by identifying a risk as shared

As part of your risk assessment, you identify risks to your objectives and analyse their source and its causes, factors and likelihood.

That assessment should reveal where you depend on others to control a risk and where potential consequences would affect others.

We recommend you start with the assumption that a risk is shared and ‘prove’ that it’s not by working through your risk assessment.

Analyse your risk to find out if your

risk has its source in what another organisation is doing
ability to achieve your objective depends on another organisation doing something differently from before
achievement of your objectives produces a risk for another organisation
achievement of your objectives would actually impact another organisation in some way

Based on the risk assessment, look at how to control that risk. Again, look at whether

your ability to control this risk on your own depends on other organisations
the only way to control the risk is to cooperate with others.

Having uncovered a shared risk, don’t assume that the other organisations are managing it. Instead, start the conversation. Find out what they’re doing. If they haven’t identified this risk yet, work on getting buy in.

A shared assessment of likelihood and consequences?

Working with other partners and stakeholders to analyse a risk will very likely lead to a better analysis because you build a richer understanding of the consequences and a more accurate estimation of its likelihood.

Does this mean all the organisations must share the same evaluation of a risk?

Not necessarily. During the evaluation stage of the risk assessment, a risk is checked against the organisation’s risk appetite and tolerance—both are specific to an organisation.

So you might share the same analysis of the likelihood and consequences of the risk but differ in your evaluations.

The point is not about you having the same evaluation but your organisations agreeing that it’s significant and warrants shared risk management.

This video on systems mapping(opens in a new window) by BehaviourWorks will help you to identify where you depend on others in a situation of uncertainty.
Scenario analysis can help you to analyse consequences and their impacts. This technical supplement(opens in a new window) from the Taskforce on Climate-Related Financial Disclosures, even though it’s focussed on climate change, is a thorough description of the technique and is therefore useful for other risks.
No single stakeholder has a complete view of a complex shared risk. Use VMIAs

VMIA - Stakeholder List Template
Excel 13.49 KB

(opens in a new window)

to analyse the different stake that organisations, communities and individuals have in these risks.
The following example illustrates what this means in relation to bushfire.
Bushfire risk is always present for Victorians. Everyone shares the same objective of keeping safe and resilient.
Managing it requires collaboration between government agencies on planned bush burning, managing fuel and risks, and communication of planned burning information.
It also involves collaboration and cooperation of people who live and work in areas exposed to the risk of bushfire—not just government organisations. The other parties may be homeowners and business people, informally organised community groups, small not-for-profit organisations dealing with local needs and Aboriginal Land Corporations.
These are very different kinds of partners, with local knowledge and a high stake in the management of the risk. They should be involved in managing the shared risk but bear in mind they don’t have the resources and systems that formal organisations do. They also have different practices and cultures of self-management from the government sector.
Your collaboration should keep this in mind. For example, if you
- grant a large amount of money to a small community organisation, will they have the organisational skill to manage the change in their operations and governance?
- consult with Aboriginal communities, how will you make sure it’s an equal collaboration?
- are working with community groups during a period of economic transition in a Victorian region, then how will you balance the values and needs to create and protect value for the region?
If you’re re-designing your services to move on to a self-service model, then how will you work with users on the design so that it’s an effective service for the wide range of users in the community?

2. Get buy-in

Once you’ve identified a risk as shared and analysed the dependencies and impacts, you’ll need to open discussions with organisations, communities, groups and individuals.

At this point, the quality of the relationships you have with other organisations and their leaders’ willingness to influence their peers and get ‘buy-in’ will often make the difference.

Open the discussion

Use the systems mapping technique(opens in a new window) again to identify all the participants and their influence.

Work out who

you need to talk to in the other organisations that might be part of this situation of uncertainty
in your own organisation is best placed to use their influence to get buy-in from others.

Now, apply your risk management skills to

define the objective of your communications with potential participants
assess the risks to the success of your communication with other organisations
plan your opening communications to increase your chances of getting buy-in.

The initial goal of these discussions with other organisations is to understand the amount and type of uncertainty you’re all facing and, potentially, agree to cooperate on a thorough assessment of the risks arising from that.

Talk about our situation of uncertainty rather than your risk

We recommend that when you start your conversations, speak about the uncertainty that has produced this risk for you rather than focus on the risks that it presents for your organisation specifically.

This way you’ll open up the discussion about something that should matter to them, rather than trying to get them to cooperate on something that matters to you. You’ll start to create a common language and a shared understanding of the risk.

Another benefit of this approach is you’ll get a richer picture of the uncertainty that’s producing this risk for you and how the consequences of a potential event could impact others.

It’s unlikely that any single organisation will fully grasp the uncertainty and its implications for their own objectives, let alone another organisation’s objectives, so this is a worthwhile exercise even if it doesn’t result in an agreement to share the management of risks.

It’s also an opportunity to talk frankly about where your interests and objectives diverge, or even conflict. In both cases, the differences will need to be managed.

Find the right level of influence

You don’t need to go straight to the top for your influencer. The system mapping technique(opens in a new window) will help you identify who the best people are to influence potential partners.

Use that influence well by assessing the risks thoroughly: both the shared risk and the risks associated with the initial discussions with potential partners. Go into your meeting with your potential influencer with a strategy and brief them well on your risk assessment and the opportunity to collaborate.

East Gippsland Water is a small organisation that depends on others to achieve its objectives in relation to climate adaptation, but also data security and public health and safety. This case study

VMIA - EGW Interagency Case Study
PDF 393.12 KB

(opens in a new window)

looks at how they’ve used their influence to reduce uncertainty, mobilise resources and create value for the sector.

The role of the executive

Executive team members have an important role in using their influence to get buy-in from others on sharing the management of risk.

- championing thorough risk assessment and the organisation’s statement of risk appetite
- demonstrating how to influence and collaborate with other organisations
- directing processes and frameworks to be set up for the shared risk
- being involved in identifying key risk indicators
- establishing governance for decisions and monitoring.
The executive team is also responsible for communicating on state-significant risk. With so many shared risks and state-significant risks, it’s an important line of communication.

Tools

Use these guides and templates to help you to identify and manage stakeholders

VMIA - Interagency Risk Stakeholder Mapping Facilitator Guide_Clients

Word 1.76 MB

VMIA - Interagency Risk Stakeholder Mapping Workshop slides Clients

PPT 8.39 MB

VMIA - Stakeholder List Template

Excel 13.49 KB

3. Commit to working together

If, because of your discussions, your organisations agree that they should collaborate to manage shared risk, then the next step is to commit resources to

a more detailed risk assessment
options for controlling the risk
frameworks and processes
governance.

A crucial decision at this point is to agree on which organisation will lead the partnership.

Every organisation has different frameworks, processes, governance and even language for managing risk, so we recommend that you concentrate on the culture of your collaboration to start with. This way, all the participants remain open to the work of managing the risks that emerge from this situation of uncertainty.

What about frameworks and processes?

Frameworks and processes are vital for risk management because they facilitate the flow of information and formalise responsibility and governance. They are also ‘scalable’ and consistent, which improves accountability and efficiency.

Whatever frameworks and processes you and your partner organisations design, they should help you to collaborate on shared risk

We have topics on designing processes and building frameworks, so we’ll focus here on the design criteria that you’ll need to bear in mind for the various aspects of collaboration on shared risks.

Your frameworks and processes should help you to
- facilitate deliberation to reach crucial decisions
- communicate decisions
- communicate the progress of work
- consciously create the culture you want in the partnership
- manage disagreement
Your frameworks and processes should help you to
- seek subject matter expertise
- share information and research outputs
- keep information secure
Your frameworks and processes should help you to
- watch the internal and external context for new risks
- revise assessment of known risks
- develop shared analysis of consequences and likelihood
Your frameworks and processes should help you to
- identify controls
- map the various impacts if the consequences of the risk were to materialise
- map stakeholders
- decide on risk owners and control owners
- determine performance indicators for shared management of risk
- identify key risk indicators
- come to a decision on risk appetite and the various tolerances of your organisations
Your frameworks and processes should help you to collect data on
- key risk indicators, analyse and prepare reports
- performance indicators, analyse and prepare reports
During project setup, your frameworks and processes should help you to
- reconcile different appetites for risks
- agree who’ll supply the time and other resources to management actions
- decide what existing frameworks, processes and decision-making bodies will be used to manage the risk
- decide what new frameworks, processes and decision-making bodies will be set up
At planned decision points, they should help you to
- reconcile different appetites for risks
- decide if resources need to be redirected to more effective controls
In response to changes in your context, they should help you to
- reassess risks
- map impacts
- map stakeholders
- reconcile different appetites for risks
- decide if resources need to be redirected to more effective controls
Your frameworks and processes should help you to
- document commitments and actions taken
- maintain a library of reports on risk and performance indicators
- agree on the lead organisation that’ll be responsible for the shared risk
- assign a person to be a risk owner
- support the lead organisation and risk owner to perform their role
- resolve any disagreements about roles and responsibility.
For establishing a network of collaboration:

VMIA - Interagency Risk Establish a Network Guide
Word 978.87 KB

(opens in a new window)

VMIA - Interagency Risk Establish Network Workshop Facilitator Guide Clients
Word 1.64 MB

(opens in a new window)

VMIA - Interagency Risk_Establish Workshop PPslides Clients
PPT 4.8 MB

(opens in a new window)

VMIA - Interagency Risk Network Agreement
Word 2.04 MB

(opens in a new window)

For assessing risks and planning management:

VMIA - RIMP Clients Facilitator Guide
Word 3.72 MB

(opens in a new window)

VMIA - RIMP Clients Phase1 slides
PPT 8.72 MB

(opens in a new window)

VMIA - RIMP Clients Phase2 slides
PPT 2.82 MB

(opens in a new window)

For managing collaboration:

VMIA - Initial Pulse Check
Word 216.41 KB

(opens in a new window)

VMIA - Ongoing Pulse Check
Word 216.65 KB

(opens in a new window)

Even when you’ve established relationships, frameworks and processes …

Many of our examples show how important it is to identify a risk as shared and analyse it so that you can start the conversation with potential partners about the work that needs to be done and set up appropriate governance and resources to manage it.

Sometimes risk can fall off the table though, even when a partnership has a long history of working together and well-established practices.

The transport sector, for example, has a long history of multi-partner collaboration to develop and deliver strategy and projects to promote road safety, change behaviour and reduce road trauma.
The current Victorian Road Safety Strategy(opens in a new window), developed by Road Safety Victoria in collaboration with the Victorian Road Safety Partnership—itself a collaboration between the Transport Accident Commission (TAC), Victoria Police, the Department of Justice and Community Safety, and the Department of Health and Human Services—is an excellent example of this.
TAC is responsible for delivering the strategy and relies on well-established frameworks and processes and the culture of collaboration in the sector.
This reduces a lot of the uncertainty about delivering the projects, but even in this context, it’s important not to become complacent about risks.
For example, TAC owns the risks associated with the objectives of the strategy while the other organisations own the controls and treatments.
This could lead to a situation where the partners respond to different pressures and incentives as they focus on their part in the delivery of the strategy. Shared risk is the only way to unify those various pressures, incentives and short-term goals.
What does this mean in practical terms? Partner organisations need to use the language of shared risk in all their communications about delivery, whether that’s in steering committee meetings or informal exchange.
Their collaboration should be grounded in a shared risk policy specific to the partnership or a Memorandum of Understanding. Accountability should be secured with clear governance and reports to executives, Audit and Risk Committee and the Minister. VMIA can help by facilitating quarterly shared risk workshops.

Updated 5 June 2025