Please explore the topic and tools below. We then invite you to complete a short survey to submit your feedback.


The Victorian Government Risk Management Framework sets out the requirements for your organisation when it comes to managing risk. One of its requirements is that your organisation has a framework that is adequate for managing risks in its internal and external context.

The VGRMF also requires your  to attest to the adequacy of your organisation’s framework at the end of the financial year.

On this page

What is a risk management framework?

A risk management framework is a set of references and tools that decision makers rely on to make decisions about how to manage risk. It could include, for example, policies, strategies, plans, processes and models, and statements of your organisation’s position on risk.

What you have in your framework depends on two things:

  • the risks, threats and challenges in your internal and external context
  • your organisation’s risk maturity.

Who is responsible for building it?

The executive team and board of your organisation need to decide what mix of references and tools are fit for this purpose.

They will decide based on their agreed position on

  • the governance they want to see in the organisation
  • the culture of decision making
  • how dynamic or volatile they assess the risks to be in their internal and external context.

The person or team tasked with the organisation’s risk services works with the executive team to

  • analyse the internal and external environment which the organisation is operating in
  • produce a framework of references and tools to guide decision makers throughout the organisation—including themselves
  • communicate to decision makers about the framework and how it helps them do their work.

The responsible body endorses that the framework is of the right quality and adequate for the activities and functions of the organisation. At the end of the financial year, they will need to publicly attest that their framework is adequate, or that they have put in place measures to improve it.

The purpose of a framework is to give decision makers the knowledge and the tools to manage their organisation’s exposure to risk.

When does the work happen?

This work on your framework needs to be done

  • as soon as the organisation has defined its strategic objectives
  • whenever the organisation takes on or puts aside any functions or activities
  • annually as part of developing strategy and plans
  • whenever changes in legislation and regulations affect strategy or operations
  • as an outcome of audit and accreditation process
  • with a change in leadership.

What makes a framework adequate?

Whatever it includes, your framework must be fit for purpose. It should

  • equip decision makers to make good decisions in situations of uncertainty
  • make it easy for them to be accountable for their decisions
  • not encumber them with work that doesn’t increase the quality of the decisions.

Managing risk and making decisions about objectives, strategies and projects are one and the same activity. The references and tools that make up your risk management framework should be embedded into the governance framework of the organisation. See Embedding risk management below for more on that.

An auditor may also look for evidence that your framework is

  • aligned with the eight principles in the Risk Management Standard 31000
  • aligned with the VGRMF
  • used by decision makers across the organisation from the board to the frontline.

Examining your internal and external context

We recommend that you use an analytical tool like PESTLE [DOCX, 4.59MB] to understand the current events, plausible future scenarios, and risks to your organisation’s objectives that are in your external context.

For your internal context, we recommend PPRACKIF tool [DOCX, 4.6MB].

We also encourage you to use the process of identifying, analysing and evaluating risks to understand how changes in these contexts could affect the people, places and systems in your care. Look at the topic on Making decisions in situations of uncertainty, and What is risk? for more information.

Don’t restrict yourselves to these though. You may, for instance, need to carry out desktop or observational research to inform your analysis. The point is to thoroughly assess what’s going on in and outside the organisation in enough detail to make decisions about the framework you need.

Building your framework

Having examined your internal and external context you are now in a position to build your framework.

Begin by establishing your foundation-level risk management framework. Once you have developed your foundation-level framework, ask yourself two questions.

Important note

You are unlikely to need dedicated documents and tools for every risk. Take cyber threat, for example. Depending on your assessment of the risk and your risk appetite you could either

  • Prepare stand-alone documents devoted specifically to the risks; for example, a policy or a strategy on cyber threat, or
  • Add an explicit and well-considered section describing your policy on cyber threat to your organisation’s IT policy, for example, and so on in other key IT strategies and plans.

Policies, strategies, plans … making sure you have the right tool for the task

We have more on how you can decide whether you need a policy or a strategy, a plan or a process, here.

Keep hold of your supply chains

Most public sector organisations rely on a commercial or not-for-profit organisation to help them deliver some of their services. Though they blur the boundary between external and internal context, they still need to be assessed as a source of risk to your organisation and controls put in place. They do, after all, operate on different incentives to a public organisation—particularly the commercial organisations.

Check the Buyer’s guide to procurement on the website of the Victorian Government Purchasing Board, for an excellent overview from planning procurement to closing and reviewing a contract.

Embedding risk management into the organisation’s functions and activities

As noted earlier: managing risk and making decisions about objectives, strategies and projects are one and the same activity.

That means that the references and tools that make up your risk management framework should not be a siloed or parallel system, but instead part of the strategic and operational planning and reporting.

Your corporate strategy and business plans could refer explicitly to risk and show evidence that a thorough risk assessment has informed their content and that the actions described in the strategy and plans will manage those risks.

Other techniques for embedding risk management are making sure

  • all decision-making forums deliberate about risk
  • all risk management tools earn their keep by helping decision makers think and share the results of their deliberation in the organisation or with other stakeholders
  • decision makers have the time to identify, analyse and evaluate risks and do more research and analysis if necessary
  • decisions made in any forum are communicated to stakeholders who have a stake in the decision or will need to take action, whether that’s in or outside the organisation
  • new processes and governance aren’t put in place without checking whether there is something that can do the work already
  • the leadership model risk thinking.

Policies, strategies, statements, and governance

Those of you looking to embed and optimise your risk management framework may be interested in building it out with policies or strategies that deal with specific risks, or which lift your organisation’s maturity.

The language of management and governance can be vague, so it can be unclear, sometimes, whether you need a policy or strategy, for example. Being precise about the differences will help make sure your framework is fit for purpose.

The following section set out definitions and examples of different types of references and tools that you might put in place.


A policy states the organisation’s intent and guides decisions. It defines outcomes in definite and measurable terms. It can also have the imperative of an internal law for the organisation, including sanctions.

Importantly, a policy is something that can be implemented, whether that is through a strategy, or some sort of procedure or activity.

Example of a policy

Why you might choose to make it

A policy on managing shared risk

If your organisation wants to make sure decision makers are clear about the mandate on shared risk and the need to take the initiative.

A policy on innovation

If your organisation wants to take a positive stance to uncertainty, turning it into an opportunity for new services, technologies, modes of delivery that create value for people.

A policy on how the organisation will manage the risks produced for it by the events of climate change

If you want to make sure all the functions and activities deliver on the organisation’s obligations in relation to the State Government’s Climate Change Act.


A strategy defines how to get from where you currently are to where you want to be. For example, you might put together a strategy to carry out a policy.

Note that not all paths from where you are now to a future state are equal. Your policy, culture, risk appetite and other aspects of your framework set the parameters on whether a path is good or not.

Example of a strategy

Why you might choose to make it

A strategy to continuously improve how the organisation manages risk

If you want to improve particular aspects of your framework, processes and culture, particularly in the light of your RMA Online results.

A strategy to manage physical and transition risks for the agriculture sector

If your assessment of your internal and external context shows that your organisation must take an active role in protecting and creating value for the sector.


A plan defines actions, when they are going to be done, and who will do them.

Example of a plan

Why you might choose to make it

An improvement plan

To identify and assign resources and implement a continuous improvement strategy.

A plan to manage physical and transition risks in the agriculture sector

To identify and assign resources and implement a strategy to manage physical and transition risks in the agriculture sector.

A training plan

To ensure that your staff have knowledge and skills that will make a material difference to one of your risks; for example, risk of cyber attack, or misdiagnosis of a patient’s symptoms.

Processes and models

Processes, models and so on help make the decision-making activities going on at desks and in meeting rooms consistent, thorough and accountable.

Processes map sequences of actions, where one action depends on the success of the one before.

Models show the relationships between entities in system. For example, an organisation chart is a model of the positions in an organisation and how they are related to each other.

Example of processes and models

Why you might choose to make it

A process for assessing risks

If you want to make sure that decision makers are assessing risks thoroughly in order for them to manage it effectively.

A process for escalating risk

If you want to make sure risks are acted on with the appropriate urgency and resources.

A model of governance

If you want to make sure that vital information is shared and acted on in the appropriate forums, and that those with responsibilities for managing risk are accountable.

A model for collaboration

If you want to make sure that your people understand how to efficiently and effectively manage shared risk.

Position statements

A statement of the organisation’s position doesn’t describe actions or purpose but gives an unambiguous signal of its appetite and tolerance in relation to a specific matter.

Example of a statement

Why you might choose to make it

A statement on the desired culture of decision making in the organisation

If you want to control the risk of unwanted decision-making behaviour and poor relationships with other organisations and the public.

A statement on how it will manage public information to protect and create value

If you want to control the risk of confidential information being misused and make the most of opportunities to create value by sharing public data.


Provide feedback

Did the information on this page meet your needs?