Key changes in the revised Victorian Government Risk Management Framework (VGRMF)

– VGRMF updated August 2020

– Effective from 1 July 2021

– First attestation year: 2021–2022

© State of Victoria 2020

Disclaimer: This document summarises the key changes to the VGRMF and helps agencies meet their risk obligations and accountabilities, including ensuring risks are being managed effectively and efficiently. This document has been prepared in accordance with the VGRMF update released in August 2020. This document is a reference guide only.

Contents

The Victorian Government Risk Management Framework (VGRMF)

• When does the revised VGRMF come into effect?

Mandatory requirements

• Risk management requirements: What’s changed?

• Insurance requirements: what’s changed?

Key changes by topic

• Risk management framework

• Review of risk management framework/risk maturity

• Risk culture

• Risk appetite

• Shared risk (formerly Interagency risk)

• State significant risk

• Strategic and business planning and decision-making processes

• Insurance as a risk management tool

• Risk management process

• Risk evaluation

• Key risk indicators

• Control effectiveness testing

• ISO 31000:2018 Risk Management Guidelines

• Categories of risk

• Risk management concepts

• Other risk terms (p. 14)

• Emergency management


The Victorian Government Risk Management Framework (VGRMF)

The Victorian Government Risk Management Framework* provides a minimum risk management standard for the Victorian public sector. The framework applies to departments and public bodies covered by the Financial Management Act 1994.

The VGRMF is produced by the Department of Treasury and Finance. Additional guidance and risk management support are available from the Victorian Managed Insurance Authority (VMIA).

This guide has been developed to summarise the key changes in the updated VGRMF. For more information and to access the full framework, visit the Department of Treasury and Finance (DTF) website.

When does the revised VGRMF come into effect?

The revised VGRMF comes into effect on 1 July 2021. The first year that agencies must attest against the revised VGRMF will be the 2021-2022 financial year.

* https://www.dtf.vic.gov.au/planning-budgeting-and-financial-reporting-frameworks/victorian-risk-management-framework-and-insurance-management-policy


Mandatory requirements

Risk management requirements: What’s changed?

The responsible body must be satisfied that:

| March 2015 (updated July 2018) | August 2020 |
| --- | --- |
| • The agency has a risk management framework in place consistent with AS/NZS ISO 31000:2009 Risk Management – Principles and Guidelines | The agency has a risk management framework in place consistent with AS ISO 31000:2018 Risk Management – Guidelines |
| The risk management framework: • is reviewed annually to ensure it remains current and is enhanced, as required; and | The risk management framework is reviewed annually to ensure it remains current and is enhanced, as required |
| • supports the development of a positive risk culture within the agency | A positive risk culture in the agency can be demonstrated |
| The risk management processes are effective in managing risks to a satisfactory level | The agency defines its risk appetite |
| It is clear who is responsible for managing each risk | It is clear who is responsible for managing each risk |
| Inter-agency risks are addressed, and the agency contributes to the management of shared risks across government, as appropriate | Shared risks (previously known as inter-agency risks) are identified and managed through communication, collaboration and/or coordination by the impacted agencies |
| The agency contributes to the identification and management of state significant risks, as appropriate | The agency contributes to the identification and management of state significant risks, as appropriate |
| Risk management is incorporated in the agency’s corporate and business planning processes | Strategic and business planning and decision-making processes embed risk management and demonstrate consideration of the agency's material risks |
| Adequate resources are assigned to risk management | Adequate resources are assigned to risk management |
| and the agency risk profile has been reviewed within the past 12 months | The agency risk profile and risk appetite must be reviewed at least annually |

Removed


Insurance requirements: what’s changed?

The responsible body must be satisfied that:

| March 2015 (updated July 2018) | August 2020 |
| --- | --- |
| As part of its annual insurance renewal process: • determine the appropriate level of insurance in consultation with VMIA | Determine the most appropriate insurance products and levels of cover for the organisation's present and future risk exposures, in consultation with VMIA |
| • maintain a register of all insurance and indemnities and make this available to VMIA on request | Maintain appropriate deductibles for each insurance product that reflects the organisation's risk appetite and capability for retaining financial risk |
| Arrange all its insurance with VMIA, unless exempted by the responsible Minister or where VMIA cannot offer insurance for a specific risk | Arrange all its insurance with VMIA, unless exempted by the responsible Minister or where VMIA cannot offer insurance for a specific risk |
| Provide information on claims management capability, resources, structures and processes for any self-insured retained losses to VMIA, including the basis for valuation of self-insured retained losses | Ensure claims management practices for retained financial risks are in place and that the agency maintains relevant claims data, and have this information available to VMIA on request |
| In relation to managing below deductible claims: • maintain adequate claims management capability and processes where the agency has opted to manage below deductible claims; and provide required below deductible claims data for self-managed claims to VMIA | Provide adequate claims management capability, resources, structures and processes for the management of retained financial risks |
| | Work towards minimising exposure to insurable risk |


Key changes by topic

Risk management framework

Mandatory requirement

Updated:

• The agency has a risk management framework in place consistent with AS ISO 31000:2018 Risk Management – Guidelines

Roles and responsibilities (p. 4)

Added:

• All agencies: Senior management at each agency own and lead engagement with their risk management framework.

Review of risk management framework/risk maturity

Mandatory requirement

• No change except it is now its own requirement, rather than combined with risk culture.

Guidance to support good practice risk management (p. 11)

New information:

• Definition of risk maturity

• Recommendation to evolve risk maturity over time so it supports agencies to achieve their objectives.

Risk culture

Mandatory requirement

Updated:

• A positive risk culture in the agency is able to be demonstrated.

Roles and responsibilities (p. 4)

Updated:

• All agencies: agencies are to identify the specific behaviours expected within the agency which are required to reinforce a positive risk culture

• Agency audit committee: responsibilities include reviewing and providing oversight of the agency's…risk culture to ensure it is consistent with the expectations of the agency's responsible body.

Guidance to support mandatory requirements (p. 9)

Updated:

• Definition and principles of positive risk culture

• Three step process for a prioritised focus on risk culture.

Resources

AS ISO 31000:2018

Overview of the standard and changes in the 2018 version

Resources

Risk Maturity Self-assessment (RMA Online)

Resources

Risk Culture Learning Pathway


Risk appetite

Mandatory requirements

New:

• The agency defines its risk appetite

• The agency risk profile and risk appetite must be reviewed at least annually.

Roles and responsibilities (p. 4)

Updated:

• All agencies: agencies should define their risk appetite considering their strategic objectives, risk profile, risk/reward trade off and risk management budget allocation

• Agency audit committee: responsibilities include reviewing and providing oversight of the agency's risk appetite…to ensure it is consistent with the expectations of the agency's responsible body.

Guidance to support mandatory requirements (p. 9)

Updated:

• Definition, purpose and high-level guidelines for using risk appetite.

Shared risk (formerly Interagency risk)

Mandatory requirement

Updated:

• Shared risks are identified and managed through communication, collaboration and/or coordination by the impacted agencies.

Guidance to support mandatory requirements (p. 7)

Updated:

• The purpose and value of managing shared risks

• Actions required to demonstrate management of shared risk

• Recommended approach to managing shared risks.

State significant risk

Mandatory requirement

• No change.

Roles and responsibilities (p. 5)

Updated:

• Victorian Secretaries’ Board: receives periodical reporting on state significant risks

• State Significant Risk Interdepartmental Committee (Risk IDC): The purpose of the Risk IDC is to support the identification of key shared and state significant risks, and the development, operation and effectiveness of the whole-of-government risk management frameworks related to those risks. The Risk IDC plays a vital role in the management of state significant risks and receives periodic reporting from all agencies to support the monitoring and reporting of state significant risks. DTF serves as the Risk IDC's Secretariat.

Guidance material to support mandatory requirements (p. 8)

Updated:

• Definition of state significant risk

• Agencies’ role in state significant risk management

• Recommended approach to managing state significant risk

Resources

Articulate Risk Appetite & Tolerance (Tool A6)

Risk Management Tools Suite

Resources

Shared (Interagency) Risk

Resources

Interagency and State Significant Risk Practice Note

Provides information on this topic but doesn’t yet reflect the revised wording in VGRMF 2020.

Strategic and business planning and decision-making processes

Mandatory requirement

Updated:

• Strategic and business planning and decision-making processes embed risk management and demonstrate consideration of the agency's material risks.

Resources

Risk Management Tools


Insurance as a risk management tool

Mandatory requirements

Updated:

The responsible body of an agency required to insure with VMIA (as defined by the VMIA Act) must:

• Determine the most appropriate insurance products and levels of cover for the organisation's present and future risk exposures, in consultation with VMIA

• Arrange all its insurance with VMIA, unless exempted by the responsible Minister or where VMIA cannot offer insurance for a specific risk

• Maintain appropriate deductibles for each insurance product that reflects the organisation's risk appetite and capability for retaining financial risk

• Provide adequate claims management capability, resources, structures and processes for the management of retained financial risks

• Ensure claims management practices for retained financial risks are in place and that the agency maintains relevant claims data, and have this information available to VMIA on request

• Work towards minimising exposure to insurable risk.

Guidance material to support mandatory requirement (p. 8)

Updated:

• The role of insurance in risk management

• Contextual factors to consider in the use of insurance

• Factors to consider in decisions about the level of insurance required

• The use of preventative and mitigative treatments for both insured and uninsured risk

• Guidance for agencies who manage their own claims.

Risk management process

Mandatory requirement

Removed:

• The risk management processes are effective in managing risks to a satisfactory level.

Risk evaluation

Guidance to support good practice risk management (p. 10)

New information:

• Purpose of risk evaluation

• Factors to use when evaluating a risk

• Decision options after evaluating a risk.

Resources

Insurance tools and templates

Victorian Managed Insurance Authority Act 1996

“Insured risk needs preventative and mitigating treatments where appropriate to reduce the probability of occurrence or severity of the outcome of an adverse event, and to provide a cost benefit analysis of potential actions.

If the risk is not insurable, the agency’s risk management framework should set out an alternative response to address the risk.” VGRMF 2020, p. 8

This guidance aligns to the Financial Management Act 1994 and VMIA Act 1996 which require a department or public body to maintain a register of assets and develop, implement and keep under review a risk management strategy.


Key risk indicators

Guidance to support good practice risk management (p. 10)

New information:

• Definition of key risk indicators

• Purpose of key risk indicators

• Type and uses of key risk indicators.

Control effectiveness testing

Guidance to support good practice risk management (p. 11)

New information:

• Definition of control effectiveness and contexts where its use is beneficial

• The value of controls testing and validation

• Steps in developing an effective controls framework.

ISO 31000:2018 Risk Management Guidelines

The VGRMF no longer contains content from ISO 31000. Agencies should refer to the standard directly: ISO 31000:2018

Categories of risk

Appendix 1: Introduction to Risk Management (p. 13)

Updated:

• Interagency risk is now called shared risk

• The information on systemic risks has been removed.

Risk management concepts

Appendix 1: Introduction to Risk Management (p. 13)

Updated:

• Information on risk management responsibilities has been removed

• Information on risk maturity has been removed.

Other risk terms (p. 14)

Updated:

• Numerous updates to definitions of risk terms.

Emergency management

Appendix 2: Emergency management (p. 16)

Updated:

• Introduction to emergency management in Victoria

• Victoria’s emergency management governance structure.

Resources

Understanding & developing Key Risk Indicators (COMCOVER)

Resources

Control Effectiveness Guide

Resources

AS ISO 31000:2018