Risk Management

From Term 1 2017, Victorian government and Catholic schools will use the new Victorian Curriculum F-10. Curriculum related information is currently being reviewed and may be subject to change.

For more information on the curriculum, see:
The Victorian Curriculum F–10 - VCAA

Purpose of this policy

To ensure schools manage risk appropriately, to maximise their ability to deliver on their objectives, to make sound decisions, safeguard student and employee wellbeing and contribute to meeting the Victorian community and Government expectations for accountable and responsible use of public finances and resources.


Risk is the effect (positive or negative) of uncertainty on objectives. Risk management is:

  • the identification, analysis, assessment, and prioritisation of risks to the achievement of objectives
  • the coordinated allocation of resources to minimise, monitor, communicate and control risk likelihood and/or impact, or to maximise the realisation of opportunities, and
  • the coordination of activities to direct and control risks to the achievement of objectives.


School staff must ensure that risk management processes are integrated into all planning and implementation activities. For further policy information, see: the DET Risk Management Framework

For any queries or advice, schools should email: portfoliorisk@edumail.vic.gov.au

Risk management process

A risk management process will help to deliver objectives, promote sound decision-making, and prioritise resources. The process is outlined in the flowchart below.


The following table outlines the key steps in the risk management process.

1. Establish the context

Before you begin identifying risks:

  • establish the environment of your objectives. This context can be assessed using PESTLE analysis, which examines the political, economic, social, technological, legal and environmental factors that affect the way you operate
  • confirm the identity and concerns, issues and expectations of any related stakeholders.

See: PESTLE analysis (pdf - 101.76kb)

2. Risk Identification

Undertake a SWOT analysis to help identify risks and existing risk controls in your workplace. SWOT looks at internal and external factors, including the following:

  • Strengths: what your workplace does well.
  • Weaknesses: what it could do better.
  • Opportunities: what is going on around you and how that might be useful.
  • Threats: what might cause problems in the future.

See: SWOT Matrix (pdf - 113.86kb)

Then look at each risk in more detail and identify issues in the following areas.

  • Causes: what would cause it to go wrong?
  • Consequences: what are the effects if it does go wrong?
  • Opportunity: what can go right?
  • What existing controls are in place?
  • Each risk should be recorded in the risk register.

See: Example Articulation of a Risk

3. Risk analysis

Risk is analysed in terms of the following:

Existing controls

Any existing controls should also be identified and explored. A control effectiveness chart has been developed to help you assess your current risk controls.

See: Control Effectiveness Chart (pdf - 59.02kb)


What is the effect of risk? Effects (consequences) are measured using the following terms:

  • severe
  • major
  • moderate
  • minor
  • insignificant

See: Consequence Criteria (pdf - 501.23kb) which categorises educational outcomes, wellbeing, operational, financial, reputation and strategic factors by their level of significance.


How likely is the risk to occur? These are measured using the following descriptive terms

  • almost certain
  • likely
  • possible
  • unlikely
  • rare.

See:  Likelihood Criteria (pdf - 83.6kb) for help in assessing likelihood.

Once determined, the consequence and likelihood can be assessed within the rating matrix to determine the overall level of risk, called the ‘current assessment’.  See: Risk Rating Matrix (pdf - 56.93kb)

4. Evaluation

Risk evaluation involves comparing the current risk rating with risk acceptability criteria established by the Department. Risks rated:

  • low or medium do not necessarily require further treatments and are considered acceptable
  • high or extreme will require further treatment to reduce their level of risk to a more acceptable level. Risks in this category will require a reduction treatment, as outlined in the next step.

See: Acceptability Chart (pdf - 103.23kb)

5. Risk treatment

Risk treatment is based on the outcomes of your evaluation. Options include the following.

Share: if practical, share all or some of the risk with outsourced parties or insurers.

Terminate: cease the activity altogether.

Accept: this will require appropriate authority.

Reduce: apply additional treatments until the risk becomes acceptable.

Risk treatment is a cyclical process, starting with assessment, moving through to deciding if the risk levels are acceptable, and applying additional treatment options.Once your treatments are put in place, a second assessment is made to confirm the treatments will reduce the level of risk. This second round is called the ‘target assessment’ (after treatments) because that is where you hope the risk level will be once your treatments have been implemented. Once implemented they become existing controls.

6. Communication and ConsultationRelevant internal and external stakeholders should be consulted and updated throughout the process.
7. Monitor and ReviewMonitoring and review periods should be a planned part of the risk management process and should take place at intervals appropriate to the nature of the objective and the level of risk.

Related policies

Related legislation

  • Public Administration Act 2004 (Section 81, part 1b)

Department resources

The Risk and Decision Branch has developed the sample registers for the various areas of risk within your school operation. These registers need to be tailored to the context of your school and activity. Any controls or assessments provided are purely for demonstration and will need to be reviewed. The site includes Blank Risk Registers which allow schools to create their own risk register in Microsoft Excel. These can be imported into a new register and tailored to suit the school’s needs.

Includes the Consequence Criteria to evaluate the significance of risk, Likelihood Criteria to assess the probability of a risk event, Control Effectiveness to self-assess the effectiveness of controls, and the Acceptability Chart, which decides if the risk is acceptable.