This policy sets out the requirements for schools to identify and manage risks that might affect their students, staff or operations. Managing risk means considering the effect of uncertainty (whether positive or negative) on school objectives. Schools must proactively manage risks by following the department’s Risk Management Process for Schools set out in the Guidance tab. Managing risk involves: Managing risk is everyone’s responsibility, as explained in the department’s Three Lines of Defence
External Link model. Identifying and managing risk maximises schools’ ability to make sound decisions to: All schools must use the department’s Risk Management Process for Schools when assessing and documenting the risk(s) associated with: When assessing the risks listed above, schools must document the identified risks in a risk register. A template risk register is available in the Resources tab. Schools may also assess and document risks for: If a school is uncertain whether a risk assessment is required, they must contact the Planning, Risk and Governance Branch for
clarification and advice. Schools must monitor risks for those mandatory risk assessments outlined above. Schools may monitor identified risks by: Schools may report and escalate relevant risks to stakeholders, for example, school council, regional directors, Senior Education Improvement Leaders etc through appropriate channels. Principals/school leadership are responsible for: Risk register templates are available on the Resources tab to document identified risks and
their treatment and controls. Note that some templates include examples of controls or assessments which will need to be reviewed/updated to suit your specific context. School leadership teams (principals and business managers) can contact the Planning, Risk and Governance Branch for specific risk advice and risk training workshops. Printed copies of the Risk Management Process for Schools pocket guide (available in the
Resources tab) can also be ordered from the Branch. Objective Risk Risk management Risk management involves the coordinated allocation of resources to: Risk management includes coordinated
activities to direct and control risks to the achievement of an objective. Risk register ControlPolicy
Policy
Summary
Details
Assessing and documenting risk
Monitoring risks
Reporting risks
Communication of this policy
Templates
Support
Definitions
An objective is an aspirational, results-oriented statement describing what your school intends to achieve within the set timeframe, and describes what successful delivery would entail.
The effect (whether positive or negative) of uncertainty on objectives.
The identification, analysis, assessment and prioritisation of risks to the achievement of an objective.
A formatted list that records identified risks, assesses their impact and describes the actions (controls) to be taken to mitigate them. Typically, it describes the risk, the causes for that risk and the responsible person or group for managing it.
A control is any existing measure that modifies risk such as uniform policy or staff succession
plan.
Controls are methods or procedures that assist in achieving objectives, safeguarding assets, ensuring financial information is accurate and reliable and supporting compliance with all financial and operational requirements.
Identifying current controls and their effectiveness is one of the most important aspects of risk management. It allows you to better understand the elements that are impacting the likelihood and/or consequence of a risk.
Treatment
A risk treatment is an action you undertake to reduce a risk to an acceptable level, by adding new or improving/modifying existing controls.
- Buses – Owned, Hired or Chartered by a School
- Child Safe Standards
- Emergency and Critical Incident Management Planning
- Excursions
- OHS Management System (OHSMS) Overview
Relevant legislation
Public Administration Act 2004 (Vic) External Link (section 81, part 1b)
Guidance
Risk Management Process for Schools – completing school risk registers
This Risk Management Process for Schools guide contains the following chapters:
- Overview
- Step 1 — Establish the context
- Step 2 — Risk identification
- Step 3 — Risk analysis
- Step 4 — Evaluation
- Step 5 — Risk treatment
- Step 6 — Communication and consultation
- Step 7 — Monitoring and review
- Step 8 — Recording and reporting
Overview
Overview
The Department’s Risk Management Process for Schools guides decision-making to help schools effectively manage risk and prioritise school resources in the context of the school’s operating environment.
Use the Risk Management Process for Schools to identify, assess and review risk associated with:
- activities where a mandatory risk assessment is required under legislation (emergency management, child safety, occupational health and safety, excursions including overseas travel, bus safety)
- developing the Annual Implementation Plan (AIP)
- developing the School Strategic Plan (SSP)
- school operations (such as lesson planning)
- community events or activities that require approval by the school council, such as a school fete
DET School Risk Process flowchart
DET School Risk Process flowchart
Details
The 8 steps in the DET School Risk Process flowchart are as follows.
1 Establish the context
- The strategic context
- The organisational context
- The risk management context
- Identify internal and external stakeholders
2 Risk identification
- What are the causes?
- What are the consequences?
3 Risk analysis
- Determine existing controls
- Determine consequence
- Determine likelihood
- Establish risk rating
4 Risk evaluation
Compare level of risk with risk acceptability criteria as defined in the Acceptability Chart
5 Risk treatment
Identify and implement treatment options including: Share/Terminate/Accept/Reduce
6 Communication and consultation
With all relevant internal and external stakeholders, during all stages of the risk management process
7 Monitoring and review
As a planned part of the risk management process that takes place at intervals appropriate to the nature of the objective and the level of risk
8 Recording and reporting
Outcomes of the risk management process should be documented and reported through appropriate mechanisms
Presentation
Each step is presented in separate boxes. Steps 1 to 5 are presented in descending order with down arrows pointing from Step 1 to 2, 2 to 3, 3 to 4 and 4 to 5.
Step 6 is positioned to the left of the flowchart and has double-sided arrows pointing to and from Steps 1 to 5.
Step 7 is positioned to the right of the flowchart and has double-sided arrows pointing to and from Steps 1 to 5.
Step 8 is positioned below all other steps.
Download DET School Risk Process flowchart
Step 1 — Establish the context
Step 1 — Establish the context
Before identifying risks, first decide on the scope of the activity, including your objectives, and develop an understanding of your operating environment.
Identify your stakeholders (both internal and external) and consider their concerns, issues and expectations.
Examples of key stakeholders for schools are:
- regional offices
- the school community
- local councils or shires
Step 2 — Risk identification
Step 2 — Risk identification
Risk identification means thinking about what could go wrong when you are delivering your objective.
2.1 Identify the risks
Use the SWOT matrix analysis tool External Link to analyse the environment, establish current issues and consider future risks. The SWOT matrix analysis tool provides a structured way to consider internal and external strengths, weaknesses, opportunities and threats. Ask yourself ‘what can go wrong?’
Consider whether it would be beneficial to involve key stakeholders when conducting your SWOT analysis.
2.2 Consider causes, consequences and opportunities
Consider each risk in more detail and identify:
- Causes: what would cause it to go wrong?
- Consequences: what are the impacts if it does go wrong?
- Opportunities: what can go right?
2.3 Record your risks
Use the school risk register templates in the Resources tab to record your risks and associated details (risk rating, controls and treatments).
Review risks periodically and update the risk register accordingly.
Step 3 — Risk analysis
Step 3 — Risk analysis
Assess each risk to determine the overall level of risk (the ‘risk rating’).
This involves:
- identifying any existing controls
- considering the consequences (effect) if the risk eventuates, and
- the likelihood that the risk will occur
3.1 Existing controls
Identify any existing controls and assess their effectiveness. Ask yourself 'what existing controls are in place?'
Assess the current effectiveness of these controls. Use the Control Effectiveness Chart External Link (PDF 59.02kb) to help you assess your current risk controls.
3.2 Consequences
Consider the consequences or impact (effect) of the risk if it was to occur.
Consequences are measured using the following terms:
- insignificant
- minor
- moderate
- major
- severe
Use the Consequence Criteria Guide External Link (PDF 501kb) to assess the significance of the risk. This guide provides criteria for assessing risks in the categories of student outcomes, wellbeing and safety, operational, financial, reputation and strategic.
3.3 Likelihood
Consider how likely it is that the risk will occur.
Likelihood is described using the following terms:
- almost certain
- likely
- possible
- unlikely
- rare
Use the Likelihood Criteria Chart External Link (PDF 83kb) to assess the likelihood that a risk will occur.
3.4 Overall level of risk (current assessment)
Use the Risk Rating Matrix External Link (PDF 56kb) to determine the overall level of risk.
Step 4 — Evaluation
Step 4 – Evaluation
Evaluate each risk to determine whether the level of risk is acceptable and the appropriate response to the risk. The levels of acceptability relate to the risk rating levels and are described as:
- Extreme
- High
- Medium
- Low
Risk acceptability chart
The department's risk acceptability chart is used to decide whether the risk is acceptable, based on the rating calculated.
Extreme (must have principal, school council or regional office oversight)
Immediately consider whether the activity associated with this risk should cease. Any decision to continue exposure to this level of risk should be made at principal, school council or regional office level, be subject to the development of detailed treatments, on-going oversight and high level review.
High (with ongoing principal class officer review)
Risk should be reduced by developing treatments. It should be subject to on-going review to ensure controls remain effective, and the benefits balance against the risk. Escalation of this level of risk to principal class officer level should occur.
Medium (with frequent risk owner review)
Exposure to the risk may continue, provided it has been appropriately assessed and has been managed to as low as reasonably practicable. It should be subject to frequent review to ensure the risk analysis remains valid and the controls effective. Treatments to reduce the risk can be considered.
Low (with periodic review)
Exposure to this risk is acceptable, but is subject to periodic review to ensure it does not increase and current control effectiveness does not vary.
Step 5 — Risk treatment
Step 5 — Risk treatments
A risk treatment is the way in which you respond to a risk.
Options for risk treatments include:
- Share: if practical, share all or some of the risk with outsourced parties or insurers.
- Terminate: cease the activity altogether.
- Accept: this will require appropriate authority.
- Reduce: apply additional treatments until the risk is reduced to an acceptable level.
The way you treat a risk will depend on the outcome of your evaluation:
- Risks that are rated high or extreme require treatment to reduce risk to a more acceptable level. You may also choose to share or terminate the risk as long as that option will reduce the risk rating.
- Risks that are rated low or medium do not necessarily require further actions to reduce and are considered acceptable.
Risk treatment is a cyclical process:
- assess the risk
- decide whether the risk level is acceptable
- implement a treatment option
- conduct a second assessment to confirm that the treatment has reduced the risk to expected level. (This second evaluation is called the ‘target assessment’.)
A treatment that reduces the risk level may become a new control.
Step 6 — Communication and consultation
Step 6 — Communication and consultation
Consult and update relevant internal and external stakeholders throughout the risk management process.
Report on risks that are shared with relevant stakeholders to provide assurance that the school is managing the risk appropriately.
Step 7 — Monitoring and review
Step 7 — Monitoring and review
Schedule monitoring and review periods at intervals appropriate to the nature of the objective and the level of risk.
Step 8 — Recording and reporting
Step 8 — Recording and reporting
Have a structured way to document and report the outcomes of the risk management process to relevant stakeholders. This ensures that risk exposures are understood and managed.