
Victorian Government raises the bar on Risk Management. How will you rise to the occasion?

The Victorian Government’s Risk Management Framework (VGRMF), which applies to Victorian Government departments and public bodies covered by the Financial Management Act 1974, has had a facelift, and relevant agencies have until 1 July this year to apply the revised framework.

Impacted Agencies must attest against the revised framework for the 2021-22 year.

The changes reflect an uplift to risk management practices and the Victorian Department of Treasury and Finance must be applauded for continuing to mature the framework in order to ensure continuous improvement in risk management practices across the public sector.

So what are the changes, what do they mean for impacted agencies, and what effort is required to meet the new mandatory requirements?

The key changes affect the following main elements of the Risk Management Framework (RMF):

  1. Risk Appetite
  2. Strategic Planning and Decision Making
  3. Risk Framework Ownership
  4. Risk Management Processes
  5. Risk Culture
  6. Risk Maturity

1. Risk Appetite

There is now a specific requirement that the agency defines its risk appetite and that the appetite must be reviewed at least annually.

Risk appetite is the type and amount of risk that an agency is prepared to accept in pursuit of its strategic objectives and business plan.

What does this mean to you?

  • A formal Risk Appetite Statement (RAS) must be developed and approved
  • The RAS must be reviewed and updated annually
  • The Risk Appetite Statement requires a well-defined risk taxonomy (key risks for which appetite must be set).

Get Protecht to help

  • Attend the Protecht / RMIA Risk Appetite: Statements and Frameworks 6-hour online course – Details below
  • Sign up for Protecht’s Risk Appetite Statement development package. This covers:
    • Internal Training of Agency staff in Risk Appetite Concepts and Methodology
    • Provision of a proforma Risk Appetite Statement and assistance in tailoring it to the Agency’s specific situation and requirements through to the final stage, ready for sign-off
    • Facilitation of Risk Appetite setting workshops covering the setting of qualitative and quantitative appetite using risk metrics
    • Assistance and advice on identifying relevant leading risk metrics to use in risk appetite, making your risk management more proactive.
  • Bring your Risk Appetite to life using the Protecht.ERM Risk Management System to track metrics, report against risk appetite and discover risk management opportunities.

Fig 1. Risk Appetite Report (Source: Protecht.ERM system)

2. Strategic Planning and Decision Making

There is an increased emphasis on the focus of risk management as part of planning. Prior to this change, it was required that risk management be incorporated into the agency’s corporate and business planning process. The revised requirement is stronger, requiring that strategic and business planning processes embed risk management.

In addition, there is a new requirement that decision-making processes should embed risk management and, in particular, demonstrate consideration of the material risks.

What does this mean to you?

  • Risk and Risk Management within the Agency must be directly linked to Agency strategy and objectives
  • Risk management must be an integral part of the Agency’s strategic planning process.

Get Protecht to help

  • Attend the Protecht / RMIA Strategic and Project Risk Management 6-hour online course. Details below
  • Use Protecht to develop or enhance your risk management methodology (consisting of a Risk Management Framework and Risk Management Policy) that fully integrates your risk management with your strategy and is aligned with the principles and guidelines of the ISO 31000:2018 standard, allowing you to achieve your risk management goals.
  • Use the Protecht.ERM system to record and link the planning process and objectives to their related risks and risk management to enable reporting against the strategic objectives. In addition, automate your Risk Management Policies and Procedures so that staff don’t have to remember all the rules.

3. Risk Management Framework ownership

It is now explicitly stated that senior management at each agency must own and lead the engagement with the risk management framework.

What does this mean to you?

  • The responsibility for risk management is firmly placed with senior management rather than with a Risk Management Function or “Risk Manager”. This reflects that “whoever owns the objectives, owns the risk”, i.e. Senior Management
  • Risk Management must be practiced across the agency as part of the day-to-day management and it must be recognised that everyone is a risk manager
  • Risk Management knowledge and capability must be spread across the Agency rather than concentrated in a specialist risk management department.

Get Protecht to help

  • Attend the relevant Protecht / RMIA 2021 online Risk Training courses – Details below
  • Use the Protecht.ERM system to bring your risk management framework to life by putting the tools and capabilities of risk management in the hands of agency management and staff and embedding it as part of the day-to-day management of the agency
  • Use Protecht’s consulting services to help you upgrade your Risk Management Framework and policies.

4. Risk Management Processes

There is much more detailed guidance on risk management processes that can be used to address the mandatory requirements. This includes specific guidance on:

  • Risk Evaluation
    Risk Evaluation is completed to support decisions including whether to accept the risk (particularly if it falls within the agency’s risk appetite) or whether to mitigate the risk through further treatment and prioritise those treatments
  • Key Risk Indicators
    Key Risk Indicators (KRIs) provide insight into the likelihood of future adverse events and can identify potential events that may cause harm
  • Control Effectiveness Testing – “Control Effectiveness Guide”
    Control effectiveness testing involves regular reviews of an agency’s controls to ensure they are designed and operating effectively to minimise the risks they are intended to mitigate.

These techniques and processes must be applied on a fit-for-purpose basis reflecting the agencies’ size, resourcing, and risk exposures.

What does this mean to you?

Subject to the tailoring of these processes to be fit for purpose:

  • A formal process for risk evaluation should be implemented. This requires:
    • Ability to “measure” risk exposures
    • Comparison of risk exposures against risk appetite
    • Recognition of a range of responses depending on the evaluation of risk including:
      • Risk Acceptance
      • Risk mitigation using methods such as process re-engineering, control improvement, risk impact transfer, and avoidance
      • Reduction of controls where the cost of the control exceeds the benefit.
  • A formal key risk indicator process should be implemented. This requires:
    • Identification of the agency’s key risks
    • Identification of relevant risk metrics, focusing on strong leading indicators
    • Scaling of risk metric thresholds to reflect risk appetite
    • Collecting and evaluating risk metric data.
    • Reporting, escalating, and responding to indicator data.
  • A formal controls effectiveness testing process (“Controls Assurance”). This requires:
    • Identification of agency key controls
    • Effectiveness testing and evaluation methodology
    • Formal process to test controls on an ongoing basis, evaluate results and report and escalate as appropriate
    • Identification of control weaknesses and control gaps to remediate controls that do not test as effective.

Get Protecht to help

  • Attend the Protecht / RMIA 2021 Risk Metrics and Key Risk Indicators, and Controls Design and Controls Assurance, 6-hour online training courses – Details below
  • Use the Protecht.ERM System for comprehensive coverage of Key Risk Indicators and Controls Assurance, and report against your key risk exposures by consolidating your reporting through the Protecht Risk in Motion™ Dashboard reports (see Fig 1. Risk Appetite Report).

5. Risk Culture
A positive risk culture in the agency must now be “demonstrated”. Previously this focused on ensuring that the agency risk management framework supported the development of a positive risk culture.

The Accountable Officer for each agency is responsible for setting, owning, instilling and overseeing an appropriate risk culture. In addition, agencies are to identify the specific behaviours expected within the agency which are required to reinforce a positive risk culture. The audit committee now also has a responsibility for reviewing and providing oversight of the risk culture.

Agencies are asked to consider how the following key culture principles work in practice:

  • Tone from the top;
  • Accountability;
  • Strategy;
  • Communication;
  • Awareness and recognition of positive risk culture;
  • Escalation of bad news;
  • Supporting tools, templates and mechanisms; and
  • Continuous improvement.

What does this mean to you?

  • The “demonstration” of risk culture requires evidence. Opinions and views not backed up by evidence will not suffice. “Demonstrating” implies the need to “measure” and “evidence” the risk culture.
  • The Agency must implement a management process for culture which includes:
    1. Understanding the agency’s current risk culture and having the ability to “measure” and “monitor” it
    2. Defining the desired risk culture. This needs to cover the day-to-day behaviours expected of staff and includes such things as calling out bad and good news equally, having a speak-up culture, and creating and maintaining a challenge culture
    3. Identifying any gaps between the current risk culture and desired risk culture; and
    4. Defining the approach to evolve the agency’s risk culture to close gaps over time.

Get Protecht to help

  • Attend the Protecht / RMIA 2021 Culture and Conduct Risk Management 6-hour online Training course – Details below
  • Use the Protecht.ERM system to track and measure your risk culture through the Risk Culture Dashboard (See Fig 2. Example of a Risk Culture dashboard) and conduct ongoing risk culture surveys (See Fig 3. Examples of survey).

Fig 2. Example of Risk Culture dashboard (Source: Protecht.ERM system)

Fig 3. Examples of survey (Source: Protecht.ERM System)

6. Risk Maturity

There is now a recommendation that agencies evolve their risk management over time.
Risk maturity refers to the agency’s risk capability and the level of sophistication in terms of its risk processes and procedures.

What does this mean to you?

  • Agencies should determine a required “Risk Maturity” as part of the agency’s overall strategic planning. This targeted maturity should be aligned to, and support, the strategic objectives of the agency.
  • The current level of risk maturity needs to be assessed and measured.
  • The gaps between current and desired maturity should be identified, with strategies put in place to bridge the gap.

Get Protecht to help

  • Use Protecht’s Risk Maturity Assessment Tool to provide ongoing assessment of maturity
  • Use Protecht’s complete suite of integrated assistance covering Systems (Protecht.ERM), Training, Advisory and Consulting to support you on your risk maturity journey

Risk Training

Protecht partners with the Risk Management Institute of Australasia (RMIA) in delivering a range of risk management online training.

The 2021 course schedule is:

Dates 2021
  1. Risk and Control Self Assessment – Available pre-recorded online
  2. Compliance and Compliance Risk Management – Available pre-recorded online
  3. Controls Design and Controls Assurance – Available pre-recorded online
  4. Incident Management – Apr 27,28; May 4,5
  5. Risk Appetite: Statement and Frameworks – May 25,36; Jun 2,3
  6. Root Cause and Bow Tie Analysis – May 11,12,18,19
  7. Measuring and Managing Culture and Conduct Risk – Jun 16,17,22,23
  8. Third Party Risk Management – Jul 21,22,28,29
  9. Risk Metrics and Key Risk Indicators – Aug 10,11,17,18
  10. Strategic and Project Risk Management – Sep 8,9,15,16
  11. Operational Resilience and Stress Testing – Oct 12,13,19,20

  • All courses are 6 hours in duration and are delivered online over four 90-minute sessions.
  • The cost is $720 + GST ($600 + GST for RMIA members).
  • Course details and links to the RMIA bookings page
  • All courses can be delivered in-house for your agency. Enquire with Protecht for this option.