Skip to content

On this page

Contributing to the identification and management of state significant risk

The Victorian Government Risk Management Framework (VGRMF) requires your organisation—if it’s covered by the Financial Management Act 1994—to contribute to identifying risks of state significance and managing them.

The thinking and techniques to identify and manage state significant risk are very much the same as for any other type of risk.

What’s different about state significant risk—more than any other type of risk—is that it demands that we step back and ask what value we’re trying to create and protect for Victorians, now, in the near future, and for future generations. These enduring or delayed consequences challenge us to think hard about what matters to us.

It also asks us to move beyond our usual definition of risk as something that affects a single organisation’s objectives and consider scenarios that present clusters of risks that may impact other people, places, and systems in our care. That presents unique problems when it comes to leadership, responsibility, governance, information sharing and collaboration, which we’ll address here.

A special type of risk?

The events at the heart of state significant risks often emerge from complicated and complex situations of uncertainty.

They may be sudden and chaotic, like a cyber-attack, or unfold over decades, like climate change. They may be recurrent, like the transfer of disadvantage through generations, or they can ‘creep up’ on us, like the consequences of inadequate education. They may also be embedded in the structure of society and demand that we change the way each one of us thinks as well as what a department and its agencies does, like family violence.

Some of these events—like climate change—may not be something we can fully prevent, although we may be able to reduce some of the impacts by adapting, building resilience, and making sure we can recover quickly from its consequences.

Others are difficult to respond to because their scale, breadth and complexity makes them difficult—intellectually and emotionally—to assess. Navigating complexity, will be a consistent challenge and will require a nuanced approach that includes a willingness to innovate, be agile and adopt a targeted risk-based approach.

As this shows, risks of significance to the whole state go beyond the objectives of a particular organisation, or even a single government.

So how do you, in your organisation, identify a risk as being of state significance and contribute to managing it?

Identifying a risk as being of significance to Victorians

As far as identifying the risk goes, the process for assessing risks applies here as for any other risk. Use these same skills and techniques to identify, analyse and evaluate risks.


The VGRMF states that all state significant risks are shared between agencies. The shared elements are where multiple agencies are impacted by the risk and/or effective management of the risk requires the efforts of multiple agencies.

If your risk assessment reveals that you depend on others to manage a risk or the potential consequence would affect others, consider whether the risk may be of state significance. We also recommend that you pay special attention to the scale, breadth, and complexity of the event at the heart of the risk to assess its significance.


When you’re scanning your context or analysing scenarios, you may identify some potential events with consequences that:

  • are shared by more than one agency
  • affect a very large number of people
  • are spread over a large geographic area
  • have extreme consequences in one aspect of life, for example, the economy or the environment
  • are statistically extreme
  • have a long tail of consequences past the timelines you usually consider and even into future generations.

If you analyse further, you may find that if the event happened it would destroy a large amount of public value. Whole systems—such as Victoria’s economy or environment—may be affected. Something that we value highly or simply cannot do without may be so severely damaged that it can’t recover.

The sheer scale of these consequences will be beyond the resources and responsibilities of your organisation alone to manage.

If you’re looking at a risk with large-scale consequences, it may be of state significance.


Scale is about how much of something is affected. Breadth looks at how those consequences are spread across a range of factors.

The PESTLE tool [DOCX, 4.59MB] offers one way to analyse those factors. You can use it to assess how the potential event might affect:

  • political structures or the effectiveness of governance
  • the quality and extent of the natural environment
  • social cohesion, opportunities, equality, and participation in life
  • technological capacity and infrastructures
  • legal safeguards and rule of law
  • local economies or the state as a whole.

State significant risks are often broad in their consequences, with consequences across a range of factors.


An event that produces a broad range of consequences is likely to have complex causes driving it.

You’ll discover this when you analyse the causes of the event. Rather than a single, simple cause, you’ll often find many factors interacting together to trigger the event, sometimes in unpredictable ways.

There may also be considerable uncertainty about the scale and breadth of consequences.

The complexity of the situation may make it hard to see the course of events, so what can start as a small-scale event, such as a pest escaping quarantine, becomes an epidemic that devastates the Victorian economy.

You may find that science and other research practices still have some way to go in understanding the causes and that we don’t have a ‘technology solution’ for it.

It may also be hard to calculate the event’s probability. In fact, you may need quantitative expertise to do that.

Consider them all together

Each one of these alone is unlikely to make a risk a state significant one. For example, a potential event may have a broad range of consequences, but overall, they’re small and well within the remit and scope of an agency’s responsibility. It’s also rare that any event of the kind that matters to us has a simple cause.

Climate change is a good example of a state significant risk. Climate change is beyond the scope and mandate of a single agency and is a risk that is shared across government, and more broadly by all governments. The effects of climate change are likely to impact the community, businesses and government and will have long-tail consequences which span across generations. This risk may also impact across several different areas including not only the environment, but our economic prosperity, social cohesion and have inter-connections with other state significant risks.

Escalating information about the risk you’ve identified

1. Within your organisation

One of the VGRMF’s requirements is that you bring identified state significant risks to the attention of decision-makers in a position to assess, prioritise and oversee the management of the risk you’ve identified.

We recommend that you put in place frameworks and processes within your organisation to make sure that any new or emerging risks you’ve identified—which you believe are of state significance—go to decision-makers in your organisation who can:

  • validate the assessment of the risk including its significance
  • consider whether this is a new risk or a contribution to a known state significant risk
  • refine the description
  • conduct further consultation and analysis in conjunction with other affected agencies, if relevant
  • consult appropriately about the shared nature of the risk
  • escalate to the appropriate person in your portfolio.

We recommend that this person has a senior role in the organisation, perhaps the chief risk officer or another senior executive with the appropriate responsibility. If you’re another kind of public service entity, it could be the commissioner or the head of the organisation. Your framework should describe their role and responsibilities and include the role of the Executive and Board.

The value of doing this work is that it’ll validate your assessment of the risk. It’ll also make sure the designated decision-makers is/are fully briefed and able to escalate the risk effectively if that’s needed.

It’ll also help you meet the VGRMF’s requirements.

2. Beyond your organisation

Frameworks and processes within your organisation should also provide guidance on the process of escalating any new or emerging risk beyond your organisation. This will assist the decision-makers designated with the role in your organisation of escalating the risk understand your organisation’s criteria and approach for escalating.

Once a risk is identified as shared and significant, it’ll be important for the decision-makers to open discussion with organisations, communities, groups, and individuals to gain a better understanding of the risk and find the right level of influence. This may include escalating the information to the portfolio department, Minister and/or the State Significant Risk Inter-Departmental Committee (Risk IDC).

Contributing to the management of state significant risk

The previous section was about contributing to the identification of a state significant risk and making sure the information is escalated within and beyond your organisation.

This section is about contributing to the management of a state significant risk.

The three Cs

Managing a state significant risk requires coordinated effort, communication, and collaboration between agencies. Your agency contributes to the management of state significant risk in all these ways.

Organisations are contributing now in exactly these ways to emergency management planning reform and strategies for cyber security and climate change. This experience has helped shape the approach we outline here.

Agencies impacted by a state significant risk should agree how they’ll coordinate activities to contribute to the management of the risk. This will make sure risk management activities are being coordinated efficiently. It’ll stop redundant effort, introduce consistency, and make sure actions are directed at priority objectives.

Establishing effective channels to communicate key responsibilities, information sharing, and governance is a key element to manage state significant risks. Agencies may be asked to share information relating to state significant risks. For example, your agency might be asked to provide information, participate in a risk assessment, identify and monitor risk indicators, reconsider its risk appetite, or carry out specific management actions.

Parameters for risk management activities may be set, so that when agencies decide to work together on managing a state significant risk, they can collaborate effectively. The shared risk guide will help you to contribute in a collaborative way.

How does it work?

Our topics below can help you set up frameworks, processes, and a culture of collaboration:

  • Managing shared risk discusses getting buy-in and setting up frameworks and processes.
  • Building frameworks emphasises a thorough scan of your context to make sure your framework is fit for purpose.
  • Designing processes looks at how to design processes that help you get things done rather than get in the way.

What frameworks and processes you put in place will depend on work to be done. Their design needs to reflect the significance of the risk and the size of the effort involved in managing it.

The work should be adequately resourced and involve people who can show leadership in situations of administrative and political uncertainty. All participants need to understand the value they’re creating and protecting through their work and be able to speak about it in concrete, relevant terms.


The responsibility for managing a state significant risk is shared by all the relevant agencies. It’s important to identify an agency to lead the coordinated response and to communicate the relative responsibilities.


An important part of the lead’s role is to make sure the activities that already contribute to the management of state significant risk are understood as the contribution that it is, rather than an agency simply managing risks to their own objectives.

With better awareness of risks and activities needed to manage them, contributing agencies will be in a better position to collaborate on other measures or stop working on measures that aren’t needed.

The role of a lead agency may include:

  • coordinating the cross-agency approach to manage the risk
  • identifying agencies who could contribute
  • facilitating the discussion on roles and responsibilities
  • requesting information from contributing agencies to manage the risk and carry out risk management work
  • initiating regular cross-agency communication and collaboration
  • reporting on the risk to governance forums such as the Risk IDC.


A co-lead may be identified when an agency has an important stake or subject matter expertise that needs to have a leadership rather than contributing role. In this case, they’ll be closely involved in assessing the risk, and designing and developing controls.

Both the lead and co-lead work together with contributing agencies to arrive at a consensus, so that they can show joint leadership. It is important to clearly identify the roles and responsibilities of the lead and co-lead to ensure there is an appropriate level of accountability for management of the risk.

Contributing agency

Contributing agencies should:

  • Carry out their own risk management initiatives
    Where applicable and as required, your agency should keep the lead agency informed about the status of any mitigation measures your agency is responsible for or contribute to, and any changes or new information relevant to the assessment of the risk and valuable for other organisations.

    You may need to work with the lead agency to make sure your initiatives line up with frameworks developed to coordinate risk management activities by other agencies.

  • Participate in cross-agency initiatives
    Cross-agency initiatives may be organised to identify and monitor the risk. In such situations, your agency may be asked to participate and contribute. Follow the model of shared risk here and keep the lead agency informed about any changes or new information so that they can monitor the risk and provide updates to Risk IDC.

State Significant Risk Inter-Departmental Committee (Risk IDC)

The Risk IDC takes a whole of government perspective on risk, with the responsibility to advise the Government (through the Assistant Treasurer) on state significant risks and the effectiveness of the VGRMF in helping agencies manage risk effectively. It also provides assurance that the most significant risks to the State are known, understood and actively managed.

The Risk IDC achieves its objectives by:

  • providing a forum for discussion and knowledge sharing
  • completing a regular scan of major shared and state significant risks
  • providing advice to departmental secretaries on emerging risks so they can better manage them in their departments
  • providing advice to the Victorian Secretaries Board and Cabinet (through the Assistant Treasurer) on options to address any substantial gaps identified.

The Risk IDC has a role in facilitating agencies with the coordination and management of state significant risks and includes senior executive representation from each department and VMIA.

Risks identified as state significant
A State Significant Risk Snapshot (Snapshot) is a list of risks confirmed by the Risk IDC as having potential consequences or impacts on the community, the Government and the private sector that are material at the state-wide level. These risks may have the potential to severely impact the ability of the Victorian Public Sector to provide effective services and public administration to the State and require a whole of government coordinated response.

The Snapshot is available through departmental Risk IDC members. Contact your portfolio’s department Risk IDC member or risk team for a copy.


VMIA has a role in providing support to agencies to identify and manage risks that affect the whole of the State. We provide general risk management training and advice, and work in partnership with lead agencies to develop programs of work for specific risks, for example, cyber or climate change.

As well as advice, we’ll help you in practical ways, for instance:

  • connecting you to the right people when you need to escalate or act
  • identifying opportunities for cross agency collaboration
  • facilitating workshops on state significant risks.

Showing that you’re contributing to the identification and management of state significant risk

Agencies have the obligations to identify and manage state significant risks under the VGRMF’s mandatory requirements for risk management. Your responsible body will need to attest that it’s satisfied that the organisation has played its part in identifying state significant risks.

When looking at your frameworks and processes, the executive team and responsible body—with the support and guidance of your enterprise risk lead—should address these questions:

  • Does our risk assessment process require decision-makers to scan the internal and external context for risks of state significance?
  • Do we have a procedure or governance for escalating risks that have been identified to the attention of the right person in our organisation?
  • What checks and balances do we have in place to make sure the executive and responsible body don’t commit the organisation to action that increases the exposure of the state to this risk?

Also, when looking at their organisation’s risk culture, they should make sure people:

  • give time to scanning the organisation’s context for state significant risks
  • think beyond the walls of the organisation when it comes to assessing risks, looking at supply chains and other relationships
  • take the lead when it comes to acting on information
  • take the perspective that they’re creating and protecting value for all Victorians equally.

Your framework and processes for managing risk will need to formally document how you’ll address questions like these.