
The Victorian Government Risk Management Framework (VGRMF) requires all decision makers to assess risks to their strategies, business plans and projects. 

When do you need to do it?

You need to assess risks to your objectives when:

  • you’re working out your objectives
  • you’re developing strategies and setting up projects that will achieve those objectives
  • the environment you operate in changes 
  • your organisation changes.

These are example situations of uncertainty. In the first two examples, you’d be uncertain about the best course of action. In the last two, you’d be uncertain about how change will affect your plans.

Uncertainty can emerge from many different places and for many different reasons. Time also makes a difference—as what was once a risk of an event happening in the future becomes the actual event itself in the present, and new risks appear.

This makes risk dynamic. In a positive risk culture, decision makers are always ready to reassess the situation and their decisions. You can find out more about risk here.

Three steps to assessing risks

The quality of your risk assessment will make a critical difference to how you manage risk, and therefore to the success of your strategy or project.

Image: risk management model

This graphic shows how central the process is in risk management. Feel free to use this graphic in your presentations. Download the image [PNG, 266KB].

1. Identify your risk

Describe the event that, if it happened, could affect your objectives, strategies or plans.

  • What type of risk would it pose to your objectives, strategies or plans?
  • What exactly in your context, both internal and external to your organisation, creates the uncertainty associated with this event?

Once you have properly assessed the risk and understood where the uncertainty is coming from in your internal and external context, you will be in a good position to decide what information and tools are needed to treat or control it.

2. Analyse your risk

Describe how the event would affect your objectives, strategies or plans, or the people, places and systems in your care.

  • What exactly would happen if this event occurred?
  • How severe would the impact be if it did?

Next, analyse the nature of the event itself.

  • What are the causes of the event or the factors in its occurrence?
  • How likely is it that it would happen?

Finally, look at your internal context to understand your readiness and capability.

  • How effective are your current controls?

Understanding the causes and factors of an event, and how likely it is, will help you decide on the appropriate action to take to control the risk. Understanding how severe the damage could be will help you decide what you need to do to build resilience should the event occur.

Scenario planning is a useful way to analyse the events that may happen, especially those that emerge from complex or complicated systems, rather than focussing on the one that will happen. By analysing a range of plausible scenarios, you can make better decisions about how your organisation can act now to be more resilient. Watch this video for a short introduction to scenario planning.

To find out more about the definition of risk, see What is risk?

Example

A great example of needing to assess a wide range of information about the severity and likelihood of an event could be managing risks associated with a changing climate.

In this webinar from the Victorian Water and Climate Initiative in the Department of Environment, Land, Water and Planning, we see how a systems approach can help you work out what information you’ll need to make decisions about risk. The webinar also explores how the severity of the impact of an event can change, even though its likelihood remains the same, a good demonstration of these two key concepts, which together constitute risk.

This webinar will be particularly useful for decision makers in natural resource management or those working on the transition to net-zero emissions targets, though there is also value for other decision makers too.

Tools for analysing risk

  • PESTLE [DOCX, 4.59MB] analysis will help you to analyse risk as well as identify it
  • The PPRACKIF [DOCX, 4.6MB] will also help you analyse your internal context
  • Use this table [DOCX, 941KB] to help you describe and rate the consequences and likelihood of a potential event

3. Evaluate your risk

Compare your analysis against your organisation’s risk appetite, whether that is expressed in a formal statement or discussed explicitly in the strategy or project meeting.

  • Is this a risk that your organisation can tolerate?
  • How will you treat this risk?
  • What controls will you put in place to reduce the risk?

Evaluating the risk brings it within the framework of your organisation’s risk management practices, making it transparent to others and also making you accountable for its management.

Risk assessment and treatment

Having assessed the risk, the next step is to treat it. A risk treatment is a planned action to minimise a risk and reduce its rating. Treatments, once implemented, become controls. Next time you assess the risk, you also assess the effectiveness of the controls.

Use this template [DOCX, 152KB] to capture all the details of your risk assessment and treatment plan.

Decisions that are defensible, transparent and accountable

Decisions need to be made known to others: they need to be transparent. Decision makers must also be accountable for any commitments they make as a consequence of their risk assessment, and must be able to defend their assessment of risks when weighing up options for action.

These are the ethical dimensions of decision making in an organisation and vital for a positive risk culture.

This Ethics Centre decision-making guide for Directors gives a good overview of the issue and is useful for anyone, whatever their role in the organisation.

Formal or informal?

What do we mean by a formal or informal approach?

  • A formal approach to risk assessment will involve scheduling meetings specifically for the task, recording deliberations on time frames and monitoring, requesting resources for analysis and consultation, and reporting the details of the assessment to other decision makers in the organisation.
  • An informal approach will rely more on the implicit experience and know-how of relevant decision makers and be resolved in discussion, whether face-to-face or over email.

All risk assessments start informally. Deciding to adopt a formal approach will depend on the risk and its impact on the people, places and systems in your care.

Risk assessment is about slowing down your decision making. If you remain informal in your approach, make that a deliberate and conscious decision. We also suggest that you have a variety of decision makers involved in the assessment to pool knowledge, test assumptions and build the relationships needed to manage the risk further down the track.

Whether you adopt a formal or informal approach, it’s important to remember you will be accountable for your decisions. If you stay informal, consider how the results of the assessment, if not the whole assessment process, will be recorded, whether in emails, minutes or other meeting notes.

Next steps

Having assessed your risks, we recommend you check whether you need to:

  • Update the risk register
  • Escalate to the appropriate business unit, management level, committee or the board
  • Prepare documentation for action on shared or state-significant risk
  • Communicate with those affected by the risk or the changes you’ve made in your strategy, plan or controls
  • Put in place treatments or adjust existing controls.