The Victorian Government Risk Management Framework (VGRMF)(opens in a new window) sets out the requirements for your organisation when it comes to managing risk. One of its requirements is that your organisation has a framework that's adequate for managing risks in its internal and external context.
The VGRMF also requires your responsible body to attest to the adequacy of your organisation’s framework at the end of the financial year.
What's a risk management framework?
A risk management framework is a set of references and tools that decision-makers rely on to make decisions about how to manage risk. It could include, for example, policies, strategies, plans, processes and models, and statements of your organisation’s position on risk.
What you have in your framework depends on two things:
- the risks, threats and challenges in your internal and external context
- your organisation’s risk maturity.
Who's responsible for building it?
The executive team and board of your organisation need to decide what mix of references and tools are fit for this purpose.
They'll decide based on their agreed position on
- the governance they want to see in the organisation
- the culture of decision-making
- how dynamic or volatile they assess the risks to be in their internal and external context.
The person or team tasked with the organisation’s risk services works with the executive team to
- analyse the internal and external environment which the organisation is operating in
- produce a framework of references and tools to guide decision-makers throughout the organisation—including themselves
- communicate to decision-makers about the framework and how it helps them to do their work.
The responsible body endorses that the framework is of the right quality and it's adequate for the organisation's activities and functions. At the end of the financial year, they'll need to publicly attest that their framework is adequate, or that they've put in place measures to improve it.
The framework's purpose is to give decision-makers the knowledge and the tools to manage their organisation’s exposure to risk.
Managing risk and making decisions about objectives, strategies and projects are one and the same activity. The references and tools that make up your risk management framework should be embedded into the organisation's governance framework. See Embedding risk management for more on that.
An auditor may also look for evidence that your framework is
- aligned with the eight principles in the Risk Management Standard 31000(opens in a new window)
- aligned with the VGRMF(opens in a new window)
- used by decision-makers across the organisation from the board to the frontline.
Examining your internal and external context
We recommend that you use an analytical tool like PESTLE to understand the current events, plausible future scenarios, and risks to your organisation’s objectives that are in your external context.
For your internal context, we recommend PPRACKIF.
We also encourage you to use the process of identifying, analysing and evaluating risks to understand how changes in these contexts could affect the people, places and systems in your care. Look at the topics on Making decisions in situations of uncertainty, and What is risk? for more information.
Don’t restrict yourselves to these though. You may, for instance, need to carry out desktop or observational research to inform your analysis. The point is to thoroughly assess what’s going on in and outside the organisation in enough detail to make decisions about the framework you need.
Building your framework
Having examined your internal and external context, you are now able to build your framework.
Begin by establishing your foundation-level risk management framework. Once you've developed your foundation-level framework, ask yourself two questions.
Important note
You're unlikely to need dedicated documents and tools for every risk. Take cyber threat, for example. Depending on your assessment of the risk and your risk appetite you could either
- Prepare stand-alone documents devoted specifically to the risks; for example, a policy or a strategy on cyber threat, or
- Add an explicit and well-considered section describing your policy on cyber threat to your organisation’s IT policy, for example, and in other key IT strategies and plans.
Making sure you have the right tool for the task...policies, strategies, plans
We have more information here on how you can decide whether you need a policy or a strategy, a plan or a process.
Keep hold of your supply chains
Most public sector organisations rely on a commercial or not-for-profit organisation to help them deliver some of their services. Though they blur the boundary between external and internal context, they still need to be assessed as a source of risk to your organisation and have controls put in place. They do, after all, operate on different incentives to a public organisation—particularly commercial organisations.
Check the Buyer’s guide to procurement(opens in a new window) on the website of the Victorian Government Purchasing Board, for an excellent overview from planning procurement to closing and reviewing a contract.
Embedding risk management into the organisation’s functions and activities
As noted earlier: managing risk and making decisions about objectives, strategies and projects are one and the same activity.
That means that the references and tools that make up your risk management framework shouldn't be a siloed or parallel system, but instead be part of strategic and operational planning and reporting.
Your corporate strategy and business plans could refer explicitly to risk and show evidence that a thorough risk assessment has informed their content and that the actions described in the strategy and plans will manage those risks.
Policies, strategies, statements, and governance
Those of you looking to embed and optimise your risk management framework may be interested in building it out with policies or strategies that deal with specific risks, or which lift your organisation’s maturity.
The language of management and governance can be vague, so it can be unclear sometimes if you need a policy or strategy, for example. Being precise about the differences will help ensure your framework is fit for purpose.
The following section set out definitions and examples of different types of references and tools that you might put in place.
Policy
A policy states the organisation’s intent and guides decisions. It defines outcomes in definite and measurable terms. It can also have the imperative of an internal law for the organisation, including sanctions.
Importantly, a policy is something that can be implemented, whether that's through a strategy, or some sort of procedure or activity.
Strategy
A strategy defines how to get from where you currently are to where you want to be. For example, you might put together a strategy to carry out a policy.
Note that not all paths from where you are now to a future state are equal. Your policy, culture, risk appetite and other aspects of your framework set the parameters on whether a path is good or not.
Plan
A plan defines actions, when they are going to be done, and who'll do them.
Processes and models
Processes, models and so on help make the decision-making activities that are going on at desks and in meeting rooms to be consistent, thorough and accountable.
Processes map sequences of actions, where one action depends on the success of the one before.
Models show the relationships between the entities in a system. For example, an organisation chart is a model of the positions in an organisation and how they're related to each other.
Position statements
A statement of the organisation’s position doesn’t describe actions or purpose but gives an unambiguous signal of its appetite and tolerance in relation to a specific matter. they're related to each other.
Continuous improvement
Building a framework specific to your needs is a sign that your risk maturity’s growing. Stay alert to what’s going on in your internal and external context and look for opportunities to refine it in response to change.
The RMB will help you steer a course through that change by helping you stay focussed on your goals and the requirements of the VGRMF.
Updated

