Victoria’s New Risk Management Framework

Guest Post by James Kline (first posted on CERM ® RISK INSIGHTS – reposted here with permission)

Enterprise Risk Management (ERM) is considered an important management tool and part of good public sector governance in Australia. The Commonwealth of Australia and the states of Victoria and New South Wales have implemented ERM. In addition, the states of Tasmania and Western Australia have issued good governance frameworks which include risk management.  This piece will provide a historical overview of the risk management approach used by the Australian State of Victoria. It will then discuss the changes made in the 2020 revisions to its 2018 Victorian Government Risk Management Framework.

Risk Management in Victoria

In 2003, the Auditor-General’s Office conducted an audit of 61 public sector organizations to determine how well risk management was being implemented. The audit found that risk management was not well established in most agencies. It recommended that an enterprise wide approach to risk management be established.

In 2007, the Victorian Government Risk Management Framework was issued. The framework is based on the International Organization for Standards risk management guide, 31000.

Also, that year, the Auditor-General’s Office conducted another risk management audit. It examined how consistent 25 government organizations were in applying the framework.

The audit determined that there was a need for improvement. It recommended the following.

• Have central agencies issue Enterprise Risk Management (ERM) guidelines.
• Strengthen risk management practices by linking risk assessment with corporate goals.
• Apply risk management standards rigorously. (1)

As a result of the audit, the Victoria Managed Insurance Authority (VMIA) in conjunction with the Department of Treasury and Finance develop risk management guides and monitor their implementation.

In 2013 a follow up audit was conducted to determine how well the implementation process was progressing. While noting that agencies were generally complying with the requirement of the risk management framework, there were problems. Consequently, a number of recommendations were made. Several are listed below.

• The Department of Treasury and Finance work with the VMIA to update the Victorian Government Risk Management Framework to clearly articulate minimum requires that agencies need to meet to demonstrate they are effectively managing risks. This includes improving the coverage of interagency and statewide risk, updating attestation requirements, and better describe the frameworks intent and key risk concepts.
• Review the 2007 Audit recommendations to ensure they were addressed. Take action to address them.
• The Department of Treasury and Finance work with VMIA to develop, clearly communicate and monitor the effectiveness of a whole-of-government framework for managing interagency and statewide risks with the intended outcomes. (2)

As noted above, the Victorian Government Risk Management Framework (VGRMF) was updated in 2015 and 2018. Each revision has sought to improve the framework. The most recent revision in 2020 is no exception. But, before changes are reviewed, there are some items that were reinforced. These were:

• Each department and agency must provide an annual attestation of compliance with the requirements of the Financial Management Act 1994, which through a standing directive now includes incorporation of the Government Risk Management Framework.
• The Responsible Body is responsible for the accuracy and completeness of the attestation. The Responsible Body is either the Governing Body or the Responsible Authority if there is not governing body.
• Agency audit committee responsibility includes reviewing and providing oversight of the agency’s risk culture to ensure consistency with expectations of the agency’s responsible body. (3)

Thus, while the VMIA has responsibility for assisting with implementation and compliance, it is the specific responsibility of the Governing Body and the individual designated as the Responsible Authority who must attest to compliance. However, attestation of compliance with the 2020 VGRMF does not become effective until July 1, 2021. Until then, attestation is against the 2018 VGRMF.

Beginning with fiscal year 2021-22, there will be several changes.

Changes in the 2020 VGRMF

The revisions to 2020 VGRMF include several mandates. These are:

• The risk management framework in place must be consistent with AS ISO 31000:2018 Risk Management – Guidelines.
• The risk management framework is to be reviewed annually.
• The agency must demonstrate a positive risk management culture.
• The agency has a defined risk appetite.
• Shared risks are to be identified and managed through communication, collaboration and/or coordination with impacted agencies.
• Strategic and business planning and decision-making processes embed risk management and demonstrate consideration of the agency’s material risks. (4)

The changes required by the 2020 revision reinforce the need to follow the ISO 31000:2018 guidelines and review progress annually. It also identified some specific issues that need greater attention. These are the need to specifically define risk appetites, shared risks need to be identified and managed through collaborations and coordination. Finally, risk management needs to be imbedded in the agency’s strategic and business plans.

Analysis

For those public officials interested in implementing ERM, the state of Victoria’s experience is useful. It shows that Enterprise Risk Management, as guided by ISO 31000:2018, is being applied in a comprehensive manner. However, the application process is taking time. Despite an early start, Victorian state agencies are still having problems with implementation. Consequently, mandates have been issued to better facilitate ERM’s integration into the business and strategic planning process, the development and articulation of the agency’s risk appetite, and to identify and coordinate the management of interagency and statewide risks.

Thus, when starting out, it is best to specify as thoroughly a possible, in the ERM implementation framework, the minimum expectations, and requirements. It is also important to assign responsibility for implementation and for any annual attestation or report. This is to be followed up by a regular compliance audit, which ensures that the ERM implementation process is being followed.

The lessons learned from the Australian state of Victoria, should make the ERM implementation process easier.  It can also help improve the ability of the organization to anticipate and deal with risks that can adversely impact business plans and the meeting of strategic goals.

Endnotes

1. Victorian Auditor-General, 2007, Managing Risk Across the Public Sector Toward Good Practice, https://www.audit.vic.gov.au/sites/default/files/20070621-Public -Sector-Managing-Risks.pdf
2. .Victorian Auditor-General, 2013, Implementation of the Government Risk Management Framework, October, https://www.audit.vic.au/sites/default/file/20131030-Risk-Framework.pdf
3. Department of Treasury and Finance, 2020, Victorian Government Risk Management Framework, August, https://www.vic.gov.au/sites/default/files/document/Victorian%20Government%20Risk%20Management%20Framework%20
4. Victorian Management Insurance Authority, 2020, Key changes in the revised Victorian Government Risk Management Framework, August, https://www.vmia.vic.gov.au/-/media/Internet/content-Document-Documents/Risk/Tools-guide-kits/VGRMF-key-chanes-guide.ashx

BIO:

James J. Kline, Ph.D., CERM, is the author of numerous articles on quality in government and risk analysis. He is a senior member of the American Society for Quality and Six Sigma Green Belt with experience consulting for the private sector and local governments. His recent book, Enterprise Risk Management in Government: Implementing ISO 31000:2018, is available on Amazon. He can be reached at jeffreyk12011@live.com.