Skip to content

On this page

You’ll need to manage a shared risk when

  • you depend on the cooperation of others to achieve your objectives
  • your efforts to control the risk depends on others or has consequences for them
  • achieving your objectives produces consequences for others.

The Victorian Government Risk Management Framework (VGRMF) requires organisations to identify and manage shared risks in cooperation with other organisations:

“shared risks are identified and managed through communication, collaboration and/ or coordination by the impacted agencies”

The VGRMF focusses on risks shared between organisations in the Victorian public sector. To fulfil the broader remit to create and protect value, an organisation may need to look at partnerships with organisations in other levels of governments and outside the public sector.

Also, many shared risks have state-significant consequences that are covered in the VGRMF.

Grasping the full effects of uncertainty in a highly connected world

Risk is the effect of uncertainty on our objectives.

Often, a risk is specific to an organisation. It’s a risk to your objectives. Most of our work to create and protect value for Victorians will depend on others and have consequences for them too.

As public service organisations, we also need to bear in mind that, although we may be on the staff of one organisation, we’re implementing the policies of the Victorian Government and creating and protecting value for all Victorians equally.

We’re also working in a sophisticated, interconnected economy, which means when you’re thinking about dependencies and impacts, you may need to look more widely than the Victorian public sector.

It may be better to assume that a risk is shared
  • Example: patient transfer

    Moving a patient from one healthcare facility to another carries risks. The more time it takes, the more likely something will go wrong. On top of that, if something does go wrong, health practitioners have fewer resources to deal with it.

    All healthcare facilities share an objective, the patient’s safety, which means they must collaborate on shared risks. To manage the risk, healthcare facilities involved in a transfer need to play their part in a single transfer process, which they all understand and are committed to. It needs to be followed consistently and standardised across the sector. Any interdependencies, such as communication of information about the patient, need to be mapped out, understood by all participants, and resourced so that anything critical to the patient’s safety is transferred with the patient.

    Healthcare organisations share an objective and their efforts to control the risks depend on others and have consequences for them. It’s a classic case of a shared risk.

  • Case study: family violence reform

    Family violence is a complex problem produced by complex causes. To implement the recommendations of the Royal Commission into Family Violence, eight major government departments must collaborate on controlling the risks to their objectives and managing the consequences of their work.

    This case study [PDF, 364KB] details some of the strategies used to manage this shared risk.

Collaborating on the management of shared risk

1. Start by identifying a risk as shared

As part of your risk assessment, you identify risks to your objectives and analyse their source and its causes, factors and likelihood.

That assessment should reveal where you depend on others to control a risk and where potential consequences would affect others.

We recommend you start with the assumption that a risk is shared and ‘prove’ that it’s not by working through your risk assessment.

Analyse your risk to find out if your

  • risk has its source in what another organisation is doing
  • ability to achieve your objective depends on another organisation doing something differently from before
  • achievement of your objectives produces a risk for another organisation
  • achievement of your objectives would actually impact another organisation in some way

Based on the risk assessment, look at how to control that risk. Again, look at whether

  • your ability to control this risk on your own depends on other organisations
  • the only way to control the risk is to cooperate with others.

Having uncovered a shared risk, don’t assume that the other organisations are managing it. Instead, start the conversation. Find out what they’re doing. If they haven’t identified this risk yet, work on getting buy in.

A shared assessment of likelihood and consequences?

Working with other partners and stakeholders to analyse a risk will very likely lead to a better analysis because you build a richer understanding of the consequences and a more accurate estimation of its likelihood.

Does this mean all the organisations must share the same evaluation of a risk?

Not necessarily. During the evaluation stage of the risk assessment, a risk is checked against the organisation’s risk appetite and tolerance—both are specific to an organisation.

So you might share the same analysis of the likelihood and consequences of the risk but differ in your evaluations.

The point is not about you having the same evaluation but your organisations agreeing that it’s significant and warrants shared risk management.

  • Tools

    This video on systems mapping by BehaviourWorks will help you to identify where you depend on others in a situation of uncertainty.

    Scenario analysis can help you to analyse consequences and their impacts. This technical supplement from the Taskforce on Climate-Related Financial Disclosures, even though it’s focussed on climate change, is a thorough description of the technique and is therefore useful for other risks.

    This guide from the Commonwealth Department of Finance has a useful diagram on page 2 which shows how no single stakeholder has a complete view of a complex shared risk. Use it to analyse the different stake that organisations, communities and individuals have in these risks.

    The following example illustrates what this means in relation to bushfire.

  • Example: Managing risk with a wide variety of stakeholders

    Bushfire risk is always present for Victorians. Everyone shares the same objective of keeping safe and resilient.

    Managing it requires collaboration between government agencies on planned bush burning, managing fuel and risks, and communication of planned burning information.

    It also involves collaboration and cooperation of people who live and work in areas exposed to the risk of bushfire—not just government organisations. The other parties may be homeowners and business people, informally organised community groups, small not-for-profit organisations dealing with local needs and Aboriginal Land Corporations.

    These are very different kinds of partners, with local knowledge and a high stake in the management of the risk. They should be involved in managing the shared risk but bear in mind they don’t have the resources and systems that formal organisations do. They also have different practices and cultures of self-management from the government sector.

    Your collaboration should keep this in mind. For example, if you

    • grant a large amount of money to a small community organisation, will they have the organisational skill to manage the change in their operations and governance?
    • consult with Aboriginal communities, how will you make sure it’s an equal collaboration?
    • are working with community groups during a period of economic transition in a Victorian region, then how will you balance the values and needs to create and protect value for the region?

    If you’re re-designing your services to move on to a self-service model, then how will you work with users on the design so that it’s an effective service for the wide range of users in the community?

2. Get buy-in

Once you’ve identified a risk as shared and analysed the dependencies and impacts, you’ll need to open discussions with organisations, communities, groups and individuals.

At this point, the quality of the relationships you have with other organisations and their leaders’ willingness to influence their peers and get ‘buy-in’ will often make the difference.

Open the discussion

Use the systems mapping technique again to identify all the participants and their influence.

Work out who

  • you need to talk to in the other organisations that might be part of this situation of uncertainty
  • in your own organisation is best placed to use their influence to get buy-in from others.

Now, apply your risk management skills to

  • define the objective of your communications with potential participants
  • assess the risks to the success of your communication with other organisations
  • plan your opening communications to increase your chances of getting buy-in.

The initial goal of these discussions with other organisations is to understand the amount and type of uncertainty you’re all facing and, potentially, agree to cooperate on a thorough assessment of the risks arising from that.

Talk about our situation of uncertainty rather than your risk

We recommend that when you start your conversations, speak about the uncertainty that has produced this risk for you rather than focus on the risks that it presents for your organisation specifically.

This way you’ll open up the discussion about something that should matter to them, rather than trying to get them to cooperate on something that matters to you. You’ll start to create a common language and a shared understanding of the risk.

Another benefit of this approach is you’ll get a richer picture of the uncertainty that’s producing this risk for you and how the consequences of a potential event could impact others.

It’s unlikely that any single organisation will fully grasp the uncertainty and its implications for their own objectives, let alone another organisation’s objectives, so this is a worthwhile exercise even if it doesn’t result in an agreement to share the management of risks.

It’s also an opportunity to talk frankly about where your interests and objectives diverge, or even conflict. In both cases, the differences will need to be managed.

Find the right level of influence

You don’t need to go straight to the top for your influencer. The system mapping technique will help you identify who the best people are to influence potential partners.

Use that influence well by assessing the risks thoroughly: both the shared risk and the risks associated with the initial discussions with potential partners. Go into your meeting with your potential influencer with a strategy and brief them well on your risk assessment and the opportunity to collaborate.

  • Case study: small organisations do have influence

    East Gippsland Water is a small organisation that depends on others to achieve its objectives in relation to climate adaptation, but also data security and public health and safety. This case study [PDF, 393KB] looks at how they’ve used their influence to reduce uncertainty, mobilise resources and create value for the sector.

The role of the executive

Executive team members have an important role in using their influence to get buy-in from others on sharing the management of risk.


Use these guides and templates to help you to identify and manage stakeholders

3. Commit to working together

If, because of your discussions, your organisations agree that they should collaborate to manage shared risk, then the next step is to commit resources to

  • a more detailed risk assessment
  • options for controlling the risk
  • frameworks and processes
  • governance.

A crucial decision at this point is to agree on which organisation will lead the partnership.

Every organisation has different frameworks, processes, governance and even language for managing risk, so we recommend that you concentrate on the culture of your collaboration to start with. This way, all the participants remain open to the work of managing the risks that emerge from this situation of uncertainty.

What about frameworks and processes?

Frameworks and processes are vital for risk management because they facilitate the flow of information and formalise responsibility and governance. They are also ‘scalable’ and consistent, which improves accountability and efficiency.

Whatever frameworks and processes you and your partner organisations design, they should help you to collaborate on shared risk

We have topics on designing processes and building frameworks, so we’ll focus here on the design criteria that you’ll need to bear in mind for the various aspects of collaboration on shared risks.

  • Communication

    Your frameworks and processes should help you to

    • facilitate deliberation to reach crucial decisions
    • communicate decisions
    • communicate the progress of work
    • consciously create the culture you want in the partnership
    • manage disagreement

  • Information

    Your frameworks and processes should help you to

    • seek subject matter expertise
    • share information and research outputs
    • keep information secure

  • Assessing risks

    Your frameworks and processes should help you to

    • watch the internal and external context for new risks
    • revise assessment of known risks
    • develop shared analysis of consequences and likelihood

  • Managing risks

    Your frameworks and processes should help you to

    • identify controls
    • map the various impacts if the consequences of the risk were to materialise
    • map stakeholders
    • decide on risk owners and control owners
    • determine performance indicators for shared management of risk
    • identify key risk indicators 
    • come to a decision on risk appetite and the various tolerances of your organisations

  • Monitoring

    Your frameworks and processes should help you to collect data on

    • key risk indicators, analyse and prepare reports
    • performance indicators, analyse and prepare reports

  • Making decisions

    During project setup, your frameworks and processes should help you to

    • reconcile different appetites for risks
    • agree who’ll supply the time and other resources to management actions
    • decide what existing frameworks, processes and decision-making bodies will be used to manage the risk
    • decide what new frameworks, processes and decision-making bodies will be set up

    At planned decision points, they should help you to

    • reconcile different appetites for risks
    • decide if resources need to be redirected to more effective controls

    In response to changes in your context, they should help you to

    • reassess risks
    • map impacts
    • map stakeholders
    • reconcile different appetites for risks
    • decide if resources need to be redirected to more effective controls

  • Accountability

    Your frameworks and processes should help you to

    • document commitments and actions taken
    • maintain a library of reports on risk and performance indicators
    • agree on the lead organisation that’ll be responsible for the shared risk
    • assign a person to be a risk owner
    • support the lead organisation and risk owner to perform their role
    • resolve any disagreements about roles and responsibility.

  • Tools

Even when you’ve established relationships, frameworks and processes …

Many of our examples show how important it is to identify a risk as shared and analyse it so that you can start the conversation with potential partners about the work that needs to be done and set up appropriate governance and resources to manage it.

Sometimes risk can fall off the table though, even when a partnership has a long history of working together and well-established practices.

  • Example: Delivering the Victorian Road Safety Strategy, 2021-2030

    The transport sector, for example, has a long history of multi-partner collaboration to develop and deliver strategy and projects to promote road safety, change behaviour and reduce road trauma.

    The current Victorian Road Safety Strategy, developed by Road Safety Victoria in collaboration with the Victorian Road Safety Partnership—itself a collaboration between the Transport Accident Commission (TAC), Victoria Police, the Department of Justice and Community Safety, and the Department of Health and Human Services—is an excellent example of this.

    TAC is responsible for delivering the strategy and relies on well-established frameworks and processes and the culture of collaboration in the sector.

    This reduces a lot of the uncertainty about delivering the projects, but even in this context, it’s important not to become complacent about risks.

    For example, TAC owns the risks associated with the objectives of the strategy while the other organisations own the controls and treatments.

    This could lead to a situation where the partners respond to different pressures and incentives as they focus on their part in the delivery of the strategy. Shared risk is the only way to unify those various pressures, incentives and short-term goals.

    What does this mean in practical terms? Partner organisations need to use the language of shared risk in all their communications about delivery, whether that’s in steering committee meetings or informal exchange.

    Their collaboration should be grounded in a shared risk policy specific to the partnership or a Memorandum of Understanding. Accountability should be secured with clear governance and reports to executives, Audit and Risk Committee and the Minister. VMIA can help by facilitating quarterly shared risk workshops.