This policy sets out the requirements for schools to identify and manage risks that might affect their students, staff or operations.

Managing risk means considering the effect of uncertainty (whether positive or negative) on school objectives. Schools must proactively manage risks by following the department’s Risk Management Process for Schools set out in the Guidance tab.

Managing risk involves:

Managing risk is everyone’s responsibility, as explained in the department’s Three Lines of Defence model.

Identifying and managing risk maximises schools’ ability to make sound decisions to:

All schools must use the department’s Risk Management Process for Schools when assessing and documenting the risk(s) associated with:

When assessing the risks listed above, schools must document the identified risks in a risk register. A template risk register is available in the Resources tab.

Schools may also assess and document risks for:

If a school is uncertain whether a risk assessment is required, they must contact the Planning, Risk and Governance Branch for clarification and advice.

Schools must monitor risks for those mandatory risk assessments outlined above. Schools may monitor identified risks by:

Schools may report and escalate relevant risks to stakeholders, for example, school council, regional directors, Senior Education Improvement Leaders etc. through appropriate channels.

Principals/school leadership are responsible for:

Risk register templates are available on the Resources tab to document identified risks and their treatment and controls. Note that some templates include examples of controls or assessments which will need to be reviewed/updated to suit your specific context.

School leadership teams (principals and business managers) can contact the Planning, Risk and Governance Branch for specific risk advice and risk training workshops. Printed copies of the Risk Management Process for Schools pocket guide (available in the Resources tab) can also be ordered from the Branch.

Objective

Risk

Risk management

Risk management involves the coordinated allocation of resources to:

Risk management includes coordinated activities to direct and control risks to the achievement of an objective.

Risk register

Control

Controls are methods or procedures that assist in achieving objectives, safeguarding assets, ensuring financial information is accurate and reliable and supporting compliance with all financial and operational requirements. Identifying current controls and their effectiveness is one of the most important aspects of risk management. It allows you to better understand the elements that are impacting the likelihood and/or consequence of a risk.

Treatment
Relevant legislation

Public Administration Act 2004 (Vic) (section 81, part 1b)

Guidance

Risk Management Process for Schools – completing school risk registers

This Risk Management Process for Schools guide contains the following chapters:

Overview

The Department’s Risk Management Process for Schools guides decision-making to help schools effectively manage risk and prioritise school resources in the context of the school’s operating environment. Use the Risk Management Process for Schools to identify, assess and review risk associated with:
DET School Risk Process flowchart

Details

The 8 steps in the DET School Risk Process flowchart are as follows.

1 Establish the context
2 Risk identification
3 Risk analysis
4 Risk evaluation: Compare level of risk with risk acceptability criteria as defined in the Acceptability Chart
5 Risk treatment: Identify and implement treatment options including: Share/Terminate/Accept/Reduce
6 Communication and consultation: With all relevant internal and external stakeholders, during all stages of the risk management process
7 Monitoring and review: As a planned part of the risk management process that takes place at intervals appropriate to the nature of the objective and the level of risk
8 Recording and reporting: Outcomes of the risk management process should be documented and reported through appropriate mechanisms

Presentation

Each step is presented in separate boxes. Steps 1 to 5 are presented in descending order with down arrows pointing from Step 1 to 2, 2 to 3, 3 to 4 and 4 to 5. Step 6 is positioned to the left of the flowchart and has double-sided arrows pointing to and from Steps 1 to 5. Step 7 is positioned to the right of the flowchart and has double-sided arrows pointing to and from Steps 1 to 5. Step 8 is positioned below all other steps.

Step 1 — Establish the context

Before identifying risks, first decide on the scope of the activity, including your objectives, and develop an understanding of your operating environment. Identify your stakeholders (both internal and external) and consider their concerns, issues and expectations.

Examples of key stakeholders for schools are:
Step 2 — Risk identification

Risk identification means thinking about what could go wrong when you are delivering your objective.

2.1 Identify the risks

Use the SWOT matrix analysis tool to analyse the environment, establish current issues and consider future risks. The SWOT matrix analysis tool provides a structured way to consider internal and external strengths, weaknesses, opportunities and threats. Ask yourself ‘what can go wrong?’ Consider whether it would be beneficial to involve key stakeholders when conducting your SWOT analysis.

2.2 Consider causes, consequences and opportunities

Consider each risk in more detail and identify:

2.3 Record your risks

Use the school risk register templates in the Resources tab to record your risks and associated details (risk rating, controls and treatments). Review risks periodically and update the risk register accordingly.

Step 3 — Risk analysis

Assess each risk to determine the overall level of risk (the ‘risk rating’). This involves:
3.1 Existing controls

Identify any existing controls and assess their effectiveness. Ask yourself 'what existing controls are in place?' Assess the current effectiveness of these controls. Use the Control Effectiveness Chart (PDF 59.02kb) to help you assess your current risk controls.

3.2 Consequences

Consider the consequences or impact (effect) of the risk if it was to occur. Consequences are measured using the following terms:

Use the Consequence Criteria Guide (PDF 501kb) to assess the significance of the risk. This guide provides criteria for assessing risks in the categories of student outcomes, wellbeing and safety, operational, financial, reputation and strategic.

3.3 Likelihood

Consider how likely it is that the risk will occur. Likelihood is described using the following terms:

Use the Likelihood Criteria Chart (PDF 83kb) to assess the likelihood that a risk will occur.

3.4 Overall level of risk (current assessment)

Use the Risk Rating Matrix (PDF 56kb) to determine the overall level of risk.

Step 4 — Evaluation

Evaluate each risk to determine whether the level of risk is acceptable and the appropriate response to the risk. The levels of acceptability relate to the risk rating levels and are described as:
Risk acceptability chart

The department's risk acceptability chart is used to decide whether the risk is acceptable, based on the rating calculated.

Extreme (must have principal, school council or regional office oversight)
Immediately consider whether the activity associated with this risk should cease. Any decision to continue exposure to this level of risk should be made at principal, school council or regional office level, be subject to the development of detailed treatments, on-going oversight and high level review.

High (with ongoing principal class officer review)
Risk should be reduced by developing treatments. It should be subject to on-going review to ensure controls remain effective, and the benefits balance against the risk. Escalation of this level of risk to principal class officer level should occur.

Medium (with frequent risk owner review)
Exposure to the risk may continue, provided it has been appropriately assessed and has been managed to as low as reasonably practicable. It should be subject to frequent review to ensure the risk analysis remains valid and the controls effective. Treatments to reduce the risk can be considered.

Low (with periodic review)
Exposure to this risk is acceptable, but is subject to periodic review to ensure it does not increase and current control effectiveness does not vary.

Step 5 — Risk treatment

A risk treatment is the way in which you respond to a risk. Options for risk treatments include:

The way you treat a risk will depend on the outcome of your evaluation:

Risk treatment is a cyclical process:

A treatment that reduces the risk level may become a new control.

Step 6 — Communication and consultation

Consult and update relevant internal and external stakeholders throughout the risk management process. Report on risks that are shared with relevant stakeholders to provide assurance that the school is managing the risk appropriately.

Step 7 — Monitoring and review

Schedule monitoring and review periods at intervals appropriate to the nature of the objective and the level of risk.

Step 8 — Recording and reporting

Have a structured way to document and report the outcomes of the risk management process to relevant stakeholders. This ensures that risk exposures are understood and managed.

Resources

What five strategies for controlling risk are described in this course?
Answer: The five risk control strategies presented in this text are defense, transference, mitigation, acceptance, and termination.

Which risk treatment strategy approach can also be referred to as an avoidance strategy?
True. The risk treatment strategy that attempts to eliminate or reduce any remaining uncontrolled risk through the application of additional controls and safeguards is the protect risk treatment strategy, also known as the avoidance strategy.

What are the three common approaches to implement the mitigation risk treatment strategy?
There are four common risk mitigation strategies. These typically include avoidance, reduction, transference, and acceptance.

Which of the following risk treatment strategies describes an Organization's efforts to reduce damage caused by a realized incident or disaster?
The risk control strategy that attempts to reduce the impact of the loss caused by a realized incident, disaster, or attack through effective contingency planning and preparation is known as the mitigation risk control strategy.