The Victorian Government Risk Management Framework (VGRMF) requires all decision-makers within an agency to assess risks against their objectives. To do this, you need to first understand what risk is and how managing it can help you create and protect value for your organisation.

Defining risk

The VGRMF and the Australian and International Standard for risk management, AS ISO 31000:2018 – Risk Management – Guidelines, define risk as “the effect of uncertainty on objectives”.

That uncertainty is about how an event could disrupt our ability to meet our objectives. An example is how events associated with climate change could impact government infrastructure, and so undermine our objective to deliver services and support the Victorian economy.

We need to ask two questions: how likely is the event, and, if it happened, what impact would it have on the people, places and systems in our care?

Likelihood of an event

For this, you need to look at causes, conditions and other factors that make an event more or less likely to occur.

When you're assessing a risk, you'll need to decide how much, and what kind of effort is needed when working out the likelihood of the event.

For example, you can be absolutely certain that the sun will come up tomorrow without weighing up its likelihood, but if you want to know how likely it is that solar weather will disrupt Victoria’s communications networks over the coming three years, then you’ll need to call in expertise.

By having a good understanding of the causes, conditions and factors that lead to events, you’ll be able to assess the likelihood of an event occurring. You’ll also be able to determine what needs to be done to control the risk of it occurring.

The impact of an event

To assess the impact of a possible event, treat the event as if it had happened and ask yourself what its consequences would be for the people, places and systems in your care. As with your assessment of likelihood, you’ll need to decide how much time and resources to invest.

For example, to find out how a cyber attack from a known threat could damage your organisation’s ability to do its work, careful consultation with your IT and service delivery teams may be all that you need to do. To find out how the same cyber attack would impact the people whose records you keep, or the other organisations that rely on those records, you may need to carry out focus groups or other types of consultation.

Having a good grasp of the impact of a possible event can help identify what needs to change so that your organisation can be more resilient if the event were to happen. It will also help you identify the responsibility for risk and understand the cooperation and resources needed to control the risk of the event occurring. Is this risk specific to your agency? Is it shared with other agencies or organisations? Could the event impact the whole state if it were to happen?

For example, as rare events of heavy rainfall become more intense in the future, it may be necessary to work with infrastructure and water managers to adapt and build dams and other civil infrastructure to cope with these extreme events.

Risk assessment can guide you through these questions and help identify risks. Understanding more about making decisions in uncertain situations will guide you through decision making when you're assessing a risk.

Stay focused on events

When thinking about risk, we recommend you start by thinking about the events that, if they occurred, would disrupt your objectives. These are the ones that matter to you and your organisation. Analyse the likelihood and impacts of these potential events so that you can identify the source of the risk to your objectives. This will allow you to assess the risk of events to your objectives in a systematic rather than an ad hoc way.

Thinking positively about risk

We think of risk as the likelihood of an unwanted event, but the same analysis can be applied to events that are wanted or intended.

The Australian and International Standard for risk management AS ISO 31000:2018 treats risk in this way—as a neutral concept. It's about what could go wrong and it’s about opportunity.

In our guidance material, we refer to the more intuitive understanding of risk. However, we do encourage you to view risk with a positive perspective. Some questions could include:

  • What do I need to do to make sure things go right for this project or for the organisation?
  • What can we do with the resources that our risk assessment has shown are not being used to protect value for our stakeholders?
  • How can we take advantage of uncertainty to purposely innovate and create value in other ways for our stakeholders?

Applying the concept of risk

You should apply the concept of risk when you’re:

Risk is understood and applied to:

  • descriptions of risk in the risk register that are nuanced, specific and focussed on potential events, rather than generic and vague
  • the earliest stages of developing objectives, strategy and business plans—any plan about the future
  • the risk appetite statement for your organisation that's demonstrably specific to your context and responsive to changes in your organisation or its environment
  • risk ratings that are more reliable, less variable from one assessment to the next
  • an optimal balance between risk retention and transfer
  • a balanced assessment of the positive aspects of risk as well as negative (noting that positive refers to an outcome of taking or effectively managing a risk), evident in project and strategy documentation.