Risk Management Process

The new Policy and Advisory Library (PAL) is now available. This page will be redirected to PAL from the start of Term 3. Make sure to update your bookmarks to the new PAL site.

Purpose of this topic

To outline the Department's risk management process.

Prerequisite policy

For any queries or advice, schools should email: risk.in.education@edumail.vic.gov.au

Risk management process

A risk management process will help to deliver objectives, promote sound decision-making, and prioritise resources. The process is outlined in the flowchart below.


The following table outlines the key steps in the risk management process.

1. Establish the context

Before you begin identifying risks:

  • establish the environment of your objectives. This context can be assessed using PESTLE analysis, which examines the political, economic, social, technological, legal and environmental factors that affect the way you operate
  • confirm the identity and concerns, issues and expectations of any related stakeholders.

See: PESTLE analysis (pdf - 101.76kb)

2. Risk Identification

Undertake a SWOT analysis to help identify risks and existing risk controls in your workplace. SWOT looks at internal and external factors, including the following:

  • Strengths: what your workplace does well.
  • Weaknesses: what it could do better.
  • Opportunities: what is going on around you and how that might be useful.
  • Threats: what might cause problems in the future.

See: SWOT Matrix (pdf - 113.86kb)

Then look at each risk in more detail and identify issues in the following areas.

  • Causes: what would cause it to go wrong?
  • Consequences: what are the effects if it does go wrong?
  • Opportunity: what can go right?
  • What existing controls are in place?

Each risk should be recorded in the risk register.

See: Example Articulation of a Risk

3. Risk analysis

Risk is analysed in terms of the following:

Existing controls

Any existing controls should also be identified and explored. A control effectiveness chart has been developed to help you assess your current risk controls.

See: Control Effectiveness Chart (pdf - 59.02kb)


What is the effect of risk? Effects (consequences) are measured using the following terms:

  • severe
  • major
  • moderate
  • minor
  • insignificant

See: Consequence Criteria (pdf - 501.23kb) which categorises educational outcomes, wellbeing, operational, financial, reputation and strategic factors by their level of significance.


How likely is the risk to occur? Likelihood is measured using the following descriptive terms:

  • almost certain
  • likely
  • possible
  • unlikely
  • rare.

See: Likelihood Criteria (pdf - 83.6kb) for help in assessing likelihood.

Once determined, the consequence and likelihood can be assessed within the rating matrix to determine the overall level of risk, called the ‘current assessment’. See: Risk Rating Matrix (pdf - 56.93kb)

4. Evaluation

Risk evaluation involves comparing the current risk rating with risk acceptability criteria established by the Department. Risks rated:

  • low or medium do not necessarily require further treatments and are considered acceptable
  • high or extreme will require further treatment to reduce their level of risk to a more acceptable level. Risks in this category will require a treatment, as outlined in the next step.

See: Acceptability Chart (pdf - 103.23kb)

5. Risk treatment

Risk treatment is based on the outcomes of your evaluation. Options include the following.

Share: if practical, share all or some of the risk with outsourced parties or insurers.

Terminate: cease the activity altogether.

Accept: this will require appropriate authority.

Reduce: apply additional treatments until the risk becomes acceptable.

Risk treatment is a cyclical process, starting with assessment, moving through to deciding if the risk levels are acceptable, and applying additional treatment options. Once your treatments are put in place, a second assessment is made to confirm the treatments will reduce the level of risk. This second round is called the ‘target assessment’ (after treatments) because that is where you hope the risk level will be once your treatments have been implemented. Once implemented, they become existing controls.

6. Communication and Consultation

Relevant internal and external stakeholders should be consulted and updated throughout the process.

7. Monitor and Review

Monitoring and review periods should be a planned part of the risk management process and should take place at intervals appropriate to the nature of the objective and the level of risk.

See: DET Risk Management Framework - Assessment Tools document, for a consolidated copy of the Consequence Criteria, Likelihood Criteria, Control Effectiveness, and Acceptability Charts.

Related policies

Related legislation

  • Public Administration Act 2004 (Section 81, part 1b)