A norma ISO 31000 aplicada ao SETOR PÚBLICO: um bom exemplo que vem da Austrália

Victorian Government Risk Management Framework March 2011

Victorian Government RiskManagement Framework, March 2011 1

This document reproduces parts of the AS/NZS ISO 31000:2099 Risk Management – Principles and Guidelines. Permission has been granted by SAI Global Ltd under licence 1008‐c101 to the Victorian Department of Treasury and Finance.

The Secretary Department of Treasury and Finance 1 Treasury Place Melbourne Victoria 3002 Australia Telephone: +61 3 9651 5111 Facsimile: +61 3 9651 5298 www.dtf.vic.gov.au Authorised by the Victorian Government 1 Treasury Place, Melbourne, 3002 Printed by Stream Solutions, Level 3, 157 Spring Street, Melbourne Vic. 3000 Printed on recycled paper. © Copyright State of Victoria 2011 This book is copyright. No part may be reproduced by any process except in accordance with the provisions of the Copyright Act 1968. ISBN 978‐1‐921831‐25‐6 Published April 2011 If you would like to receive this publication in an accessible format please telephone 9651 0909 or email [email protected].


Contents

Foreword.............................................................................................................................................. 3

1. Overview................................................................................................................................. 4

2. Introduction ............................................................................................................................ 5

3. Purpose ................................................................................................................................... 6

4. Coverage and application ....................................................................................................... 6

5. Accountability ......................................................................................................................... 7

6. Attestation ............................................................................................................................ 11

7. Adoption of a common risk management standard ............................................................ 12

8. Interagency and statewide risks ........................................................................................... 14

9. Risk management culture and capability ............................................................................. 17

10. Managing insurable risks ...................................................................................................... 18

11. Emergency management and response ............................................................................... 20

12. Related governance requirements ....................................................................................... 21

13 Glossary of key terms ........................................................................................................... 23

Appendix I: Categories of risks........................................................................................................... 25

Appendix II: Attestation template ..................................................................................................... 26

Appendix III: AS/NZS 31000:2009 – risk management principles, framework and process ............. 28

Appendix IV: References and links..................................................................................................... 33

Appendix V: Administrative inventory of key acts and policies......................................................... 35


Foreword Managing risk is an important component of public sector governance. Each year the Victorian State Government commits significant resources to sustain and improve services and infrastructure for the Victorian community. This requires sound governance processes that will enable the Government to minimise risks to development and delivery of services and infrastructure projects and optimise the allocation of resources.

An agency’s approach to risk management must be consistent with the Australian/New Zealand Risk Management Standard: AS/NZS ISO 31000:2009 or its successor, the directions issued under the Financial Management Act 1994 and the Victorian Government Risk Management Framework (the Framework). This provides for a minimum risk management standard across public sector agencies. An attestation by accountable officers in annual reports ensures that this requirement is built into annual corporate planning and reporting processes.

A key benefit of the Framework is that it brings together information on governance policies, accountabilities and roles and responsibilities for all those involved in risk management. It also provides a central resource with links to a wide range of risk management information sources.

The Framework, originally issued in 2007, has been updated to reflect current risk management approaches, applying them within the Victorian public sector. The update also includes additional information about risk management principles and culture.

The updating of the Framework does not represent a change in government policy but rather reflects continuous improvement in public sector governance.

The Framework has been updated in consultation with a broad range of stakeholders with accountabilities for risk management across the Victorian public sector. It is expected that this Framework will continue to be refined and developed through input from key stakeholders, in particular, by leveraging the expertise of pubic sector departments and agencies.

ROBERT CLARK MP Minister for Finance


1. Overview Risk can be defined as ‘effect of uncertainty on objectives’1. Risk is an inherent part of service delivery. Risk needs to be considered and addressed by everyone, whether positive (opportunities) and/or negative (threats). Although it is impossible to operate in an environment devoid of risk, risks can be managed.

Risk management is the combination of organisational systems, processes, procedures and culture that facilitate the identification, assessment, evaluation and treatment of risk in order to protect the organisation and assist in the successful pursuit of its strategies and performance objectives.

The Government is committed to managing the State’s finances and risks prudently. Agencies (i.e. departments and public bodies) must ensure that risk is managed appropriately and effectively. They play a key role in the delivery of services to the Victorian community. Agency heads are accountable to Portfolio Ministers for delivery of services on behalf of the Victorian Government.

Heads of agencies including Boards, Chief Executive Officers and departmental Secretaries are responsible for the development and implementation of risk management frameworks and processes in their organisation. They should ensure the agency has a risk management policy and framework that clearly describes its overall approach and intention with respect to risk management.

An agency’s approach to risk management must be consistent with the Australian/New Zealand Risk Management Standard: AS/NZS ISO 31000:2009 (the AS/NZS Standard) or its successor, the directions issued under the Financial Management Act 1994 (FMA) and the Victorian Government Risk Management Framework (the Framework). This represents the minimum risk management standard for the Victorian public sector.

The AS/NZS Standard provides a generic, internationally accepted process for identifying, analysing, evaluating and treating risks after establishing, and having regard to, the external and internal strategic and operating context.

Effective risk management is regarded as essential for the development and delivery of quality services. By documenting the requirement for agencies to adopt a recognised standard, the Government seeks to embed risk management into planning, delivery and reporting processes within and across public sector entities.

Agency heads are required to attest in annual reports that:

• agencies have risk management processes in place consistent with the AS/NZS Standard (or its successor);

• these processes are effective in controlling risks to a satisfactory level; and • a responsible body or audit committee verifies that view.

In addition to managing agency risks, the Framework also emphasises the need to address interagency and statewide risks when developing and implementing risk management frameworks and processes. Increasingly the public sector is operating in an environment of shared accountabilities to achieve outcomes that cut across specific departmental responsibilities. In this context it is important that risks with the potential to impact across agencies or at a whole of government level are communicated or escalated to potentially affected agencies to enable a coordinated, effective and timely approach to risk management.

1 ISO13000, 2.1


2. Introduction Risk needs to be considered and addressed by everyone, whether positive (opportunities) and/or negative (threats). Management of risk should be an integral part of an organisation’s culture, reflected in the various policies systems and processes used to ensure sound financial management and efficient and effective service delivery.

Risks may affect only one agency, multiple agencies or whole of government. Thus agencies need to include appropriate risk management strategies to address risks at agency, interagency and whole of government levels. An example of how risks may be categorised is provided in Appendix I.

A systematic approach to risk management is of increasing importance as the public sector moves to a more sophisticated approach to development and delivery of services. A traditional approach to addressing risks as individual hazards is no longer appropriate. Risks need to be managed in the context of achieving organisational goals and objectives. Risk management should be an integrated part of strategic planning, performance management and governance across the public sector.

The Framework has been developed in line with best practice and good corporate governance.

Governance is the manner in which an organisation is managed and governed in order to achieve its strategic and operational objectives2. It is generally understood to encompass authority, stewardship, leadership, direction and control. Governance refers to the process by which organisations are directed and held to account.

Sound corporate governance practice requires integration of risk management principles and processes into strategic planning, reporting, performance measurement and day‐to‐day operations.

Key elements of effective governance include2:

• establishing clear roles and responsibilities throughout the organisation (and ensuring these roles and responsibilities are understood by everyone);

• constructive relationships and accountabilities based on these roles; • an effective governing body; • effective monitoring arrangements, including internal audit and an audit committee; • effective communication; • transparency through good external reporting; and • maintaining a systematic and integrated risk management system.

The Good practice guide on governance for Victorian public sector entities, a website‐based resource developed by the State Services Authority, gives further information on governance.

Management of risks for all aspects of agency operations is required under existing legislation, but broader risk applications − in addition to the traditional management of financial and emergency risks − should receive equal attention in government policy and compliance frameworks. This Framework seeks to promote continuous improvement in public sector governance.

2 Victorian Auditor‐General’s Office, Principles of Corporate Governance in the Public Sector: Taking Care of Business, 6 June 2003


3. Purpose The Framework has been developed to support good practice in Victorian public sector risk management. Specifically, the Framework provides a minimum common risk management standard for agencies and attestation by accountable officers that risk management frameworks and processes are consistent with that standard in annual reports.

The Framework provides links to a variety of risk management information resources. It also adds clarity to roles and responsibilities, both for those developing and administering risk management policies and frameworks, and those responsible for implementing risk management processes.

The Framework also promotes best practice risk management at agency, interagency and whole of government levels.

The development and implementation of the Framework in collaboration with agency representatives will improve communication and consultation of risk information and lead to improved coordination and effectiveness of risk management processes across the public sector.

4. Coverage and application All agencies should adopt the Framework as part of good governance and corporate planning processes. However, application of the Framework is required by departments and those agencies that report in the annual Financial Report for the State of Victoria (AFR).


5. Accountability Roles and responsibilities The Victorian governance and risk management model shown in Figure 5.1 is based on the core principle of entity responsibility.

Figure 5.1 Victoria’s governance and risk management model

Ministers and Cabinet

Ultimate responsibility for risk management on behalf of the State of Victoria rests with individual Ministers and, collectively, with the Premier and the Cabinet.

The principal decision making body of the State of Victoria is Cabinet, chaired by the Premier. Cabinet considers all important questions of policy and administration and the Government’s legislative program. Cabinet consists of all Ministers of the Crown and the Parliamentary Secretary of Cabinet (also known as the Cabinet Secretary). Ministers administer and are responsible to Parliament for their department.


Departments, public bodies and administrative offices

The Public Administration Act 2004 establishes the Victorian public service including departments and administrative offices and establishes values to guide conduct and performance in the public sector. It provides for the operation of agencies and sets out governance principles including the roles, responsibilities and accountabilities of agency heads. These principles and behaviours inherently affect the way risks are managed across the public sector.

Boards, Chief Executive Officers, Secretaries and agency heads are primarily responsible for the development and implementation of risk management frameworks and processes for managing risk at agency level. However, risk is also the responsibility of each individual in an organisation.

The AS/NZS Standard provides guidance about risk management responsibilities associated with various roles and functions, including3:

• identifying risk owners that have the accountability and authority to manage risks; • identifying who is accountable for the development, implementation and maintenance of the

framework for managing risk; • identifying other responsibilities of people at all levels in the organisation for the risk

management process; • establishing performance measurement and external and/or internal reporting and escalation

processes; and • ensuring appropriate levels of recognition.

An awareness of, and commitment to, risk management at senior management levels is important. This may be achieved by4:

• defining and endorsing the risk management policy, which is a statement of the overall intentions and direction of an organisation related to risk management;

• ensuring that the organisation's culture and risk management policy are aligned; • determining risk management performance indicators that align with performance indicators of

the organisation; • aligning risk management objectives with the objectives and strategies of the organisation; • ensuring legal and regulatory compliance; • assigning accountabilities and responsibilities at appropriate levels in the organisation (which

includes accountabilities for risks, controls and risk treatments); • ensuring that the necessary resources are allocated to risk management; • communicating the benefits of risk management to all stakeholders; and • ensuring that the framework for managing risk continues to be appropriate by the setting of

organisational performance goals, measurement and review5.

Coordinating entities Key legislation underpinning risk management processes for the Victorian public sector include:

• Victorian Managed Insurance Authority Act 1996; • Financial Management Act; 1994; and • Public Administration Act 2004.

The following agencies play a key role in monitoring, reporting and advising government in relation to compliance with risk management requirements under existing legislation, and risks that impact more broadly across the public sector.

3 Standards Australia, ‘Australian/New Zealand Risk Management Standard : AS/NZS ISO 31000: 2009’, p11, clause 4.3.3 4 Standards Australia, ‘Australian/New Zealand Risk Management Standard : AS/NZS ISO 31000: 2009’, p9, clause 4.2 5 Standards Australia, ‘Australian/New Zealand Risk Management Standard : AS/NZS ISO 31000: 2009’, p22, clause A.3.1


The Victorian Managed Insurance Authority (VMIA)

The key functions of the VMIA relating to risk management (as defined under section 6 of the VMIA Act) are:

• to assist departments and participating bodies to establish programs for the identification, quantification and management of risks;

• to monitor risk management by departments and participating bodies; • to provide risk management advice to the State; • to provide risk management advice and training to departments and participating bodies; and • to act as insurer for, or provide insurance services to, departments and participating bodies.

VMIA also plays a key role as an adviser for agencies in relation to non‐financial, insurable and non‐insurable risks. Its Guide for Developing and Implementing Your Risk Management Framework supports agency level implementation of the Framework and better practice in risk management.

In order to fulfil its legislative mandate the VMIA currently provides the following services:

• provision of advice to government on statewide risks; • development of a statewide risk register; • a rolling program of reviews to ensure risk management frameworks are in place and to identify

opportunities to improve and develop frameworks; • provision of products and services that support development and improvement of risk

management frameworks; and • training and seminars to increase the knowledge and capability across government in risk

management and insurance practices.

State Services Authority (SSA)

The SSA promotes high standards of governance, accountability and performance in the Victorian public sector. It produces guidance materials to support effective public sector governance. This includes the Good Practice Guide on Governance for Victorian Public Sector Entities, which outlines the pivotal role of public entity boards in ensuring appropriate risk management policies and practices. The SSA also produces guidelines and toolkits to support effective management of public sector workforce, integrity and reputation risks. These include materials and advice to support public sector bodies in areas such as:

• workforce planning and development including addressing succession risks; • complying with public sector employment standards and codes of conduct; • workplace ethics; • avoiding and addressing conflicts of interest; • gifts, benefits and hospitality policies and practices; and • tackling bullying and developing conflict resilient workplaces.

Department of Premier and Cabinet (DPC)

DPC plays a pivotal role in statewide risk management through coordination of the Cabinet process and support of the Premier on government wide issues, as well as in his portfolio of ministerial responsibilities. Implicitly, this includes mitigating risk through:

• advising the Premier on policy issues, with briefings typically including advice on key risks in relation to an issue (including the risks of action or inaction);

• analysing whole of government issues around governance and risk; • coordinating whole of government positions and policy; and • providing checks and balances through the Cabinet cycle, ensuring a high standard in the quality

of final policy advice.

Department of Treasury and Finance (DTF)

DTF’s main focus is on the financial implications of insurable and non‐insurable statewide risks for the budget and the State’s balance sheet.


DTF supports the Treasurer, the Minister for Finance and the Assistant Treasurer in administering the Financial Management Act. This includes the maintenance of appropriate compliance and risk management frameworks for capturing, monitoring and reporting on financial risks, having regard to financial risks relating to:

• governance and administrative processes, systems and practices; • general government sector debt; • ownership of public non‐financial corporations and public financial corporations; • changes in the structure of the Victorian tax base; • financial market uncertainty; • management of state assets and liabilities; and • procurement.

DTF also plays a key role in advising the Treasurer, the Minister for Finance and the Assistant Treasurer about risks to service delivery through regular reporting against delivery of departmental outputs, whole of government performance reports, developing and maintaining a suite of governance frameworks, and providing support to the Budget and Expenditure Review Committee of Cabinet (BERC).

DTF supports the Minister for Finance in an administrative capacity by maintaining and updating the relevant frameworks to ensure they continue to be aligned with best practice.

Victorian Auditor‐General’s Office (VAGO)

VAGO provides assurance to Parliament on the accountability and performance of the Victorian public sector, including public sector governance and risk management. VAGO periodically reviews and reports on the level of compliance of public sector entities with the State’s legislative and administrative governance frameworks.


6. Attestation Boards and heads of agencies to whom the Framework applies, are required to provide an attestation in annual reports (as part of the report of operations) stating that agencies understand, manage and control key risk exposures consistent with the Standard (or its successor), and that a responsible body or audit committee verifies that view. This is a requirement under the Minister for Finance Standing Directions 4.5.5.

To ensure that risks are being managed effectively, agency heads are required to attest in annual reports that:

• agencies have risk management processes in place consistent with the Standard (or its successor); • these processes are effective in controlling risks to a satisfactory level; and • a responsible body or audit committee verifies that view.

The VMIA has developed a number of overarching principles and a range of guidance material in support of the attestation process for agencies. This material is available on the VMIA website.

The principles are intended to guide an agency along the path to attestation maturity and include:

• attestation is intended to provide ‘assurance’ or demonstrate ‘performance’ – it should not be merely a box‐ticking exercise;

• keep the attestation framework and process as pragmatic and relevant as possible; • the agency’s risk maturity, size, complexity and risk appetite needs to be considered, because

‘attestation is relative to maturity’; and • a strategic or top‐down attestation model, similar to the Australian Stock Exchange’s ‘if not, why

not’ reporting style should be used.

If an agency cannot attest for some reason, it must explain why this is the case and what it plans to do about its risk management framework and process, and control system over the coming year.

A sample attestation is in Appendix II.


7. Adoption of a common risk management standard The use of a common standard ensures that a generally accepted method of risk management is being applied across the public sector, one which adopts a balanced and widely accepted approach to risk identification, analysis and risk reporting.

Most agencies have already adopted risk management frameworks and processes consistent with the AS/NZS Standard (or its predecessor AS/NZS 4360).

A common risk management process supports the sharing of risk management information at agency, interagency and whole of government levels. It also provides opportunities for coordination of training and knowledge management across the public sector and supports quality comparisons and shared learning around risk management strategies.

Defining risk management Risk can be defined as the ‘effect of uncertainty on objectives’.6 Risk management is the combination of organisational systems, processes and culture which facilitate the identification, assessment, evaluation and treatment of risk to protect the organisation and assist the successful pursuit of its strategies and performance objectives.

Risk management involves managing to achieve an appropriate balance between realising opportunities for gains while minimising losses. It is an integral part of good management practice and an essential element of good corporate governance.7

Risk management frameworks should cover a broad range of risk categories that may impact on the ability of an agency and the State to deliver their organisational objectives.

Risk management principles All risk management frameworks and processes should, as a minimum requirement, be consistent with the following principles for managing risk as described in the AS/NZS Standard (or its successor):

• creates and protects value – helps to achieve the objectives and improve performance of the organisation;

• is an integral part of all organisational processes – becomes a part of the main activities and processes of the organisation and the responsibility of all levels of management;

• is part of decision making – facilitates making informed choices and prioritising actions; • explicitly addresses uncertainty – takes account of the nature of the uncertainty and how it can be

addressed; • is systematic, structured and timely; • is based on the best available information – seeks input from a comprehensive range of

information sources and takes into account any limitation of the data; • is tailored – aligns with the organisation’s operating environment and risk profile; • takes human and cultural factors into account – recognises the human capabilities and limitations; • is transparent and inclusive – involves all stakeholders and decision makers in a timely and

appropriate manner; • is dynamic, iterative and responsive to change – requires regular monitoring and review of risks

and operating environment and making changes as required; and • facilitates continual improvement of the organisation – develops and implements strategies to

achieve this.

6 ISO13000, 2.1 7 Standards Australia, ‘Australian/New Zealand Risk Management Standard : AS/NZS ISO 31000: 2009’, p iv, Introduction


Risk management framework The success of risk management in agencies will depend on the effectiveness of the risk management policy and framework for implementing risk management.

The risk management framework is a ‘set of components that provide the foundations and organisational arrangements for designing, implementing, monitoring, reviewing and continually improving risk management throughout the organisation’.8 It is the instrument through which the responsible body broadly describes the nature of risks which are acceptable and not acceptable to the agency; and the detailed structure and mechanisms through which the organisation manages risk.

The risk management framework assists the agency in managing risks effectively through the application of the risk management process at varying levels and within specific contexts of the agency. It also ensures that information about risk derived from the risk management process is adequately reported and used as a basis for decision making and accountability at all relevant levels.9

A risk management policy and framework should:

• describe the agency’s understanding of risk in the context of its operations, legislation and strategies;

• describe its overall approach, intention and procedures used to identify, analyse, evaluate and treat risks;

• outline the approach and rationale for managing risk within the agency and how risks will be measured and assessed;

• describe clearly the roles and responsibilities of the accountable officer, responsible body, members of staff with management responsibilities, and relevant committees (such as an Audit Committee, or Risk Committee) in relation to managing risk;

• broadly describe the boundaries which define acceptable and unacceptable levels of risk; • describe how the agency’s performance in managing risk is to be monitored and evaluated; and • show how the agency’s risk management procedures are integrated with other relevant

procedures of the agency applicable across the Victorian public sector, such as those relating to budgeting, strategic planning, business continuity, information management and information security, and compliance with risk management requirements.

The responsible body should ensure that the risk management policy and framework are reviewed at least annually to ensure they remain current.

Further details on risk management principles, framework and process contained in the AS/NZS Standard are provided in Appendix III.

An agency’s risk management policy and framework constitute its risk management strategy. This information should be provided to the Victorian Managed Insurance Authority (VMIA) when requested.

8 ISO Guide 73:2009, definition 2.1.1 9 Standards Australia, ‘Australian/New Zealand Risk Management Standard : AS/NZS ISO 31000: 2009’, p8, clause 4.1


8. Interagency and statewide risks A risk may affect a government agency, multiple agencies or the State as a whole, including the Government, the community and the private sector.

Agencies need to consider and understand the broader business of government and how risk that affects more than one agency can arise.

In addition to agency level risks, agencies need to identify and communicate interagency and statewide existing risks and potential risks. This is increasingly important under a system of joined‐up government where the focus is on outcomes which may require a whole of government approach to risk management. For example, strategies to address road safety risks may include driver and cyclist skills (licensing standards and education programs), changes to enforcement of driver behaviour (police) and improved road conditions (road authorities).

Interagency risks Risks and/or management strategies that apply to one agency can impact others, and in some cases the flow‐on effects will require intervention strategies across multiple agencies or across government. The key point is that risk management planning processes should take into account an awareness of the potential impacts of risks and strategies on other areas of government and include effective consultation and communication of potential impacts through appropriate channels to relevant agencies.

Agencies have a range of internal executive forums and committees in place to discuss and recommend solutions or approaches to address both agency and interagency risks. Most risks are likely to be managed through informal processes at agency and interagency level without the need for central intervention. To the extent that a formal arrangement involving other agencies is required, there are a number of forums where cross agency issues are considered on a regular basis by senior agency representatives.

Risk management policies and plans of agencies should also specify how interagency risks (risks identified by two or more agencies) can be assessed and treated as part of their respective individual risk management process but coordinated and reported on jointly. Interagency risks should also be documented in the agencies’ risk registers when the level of risk meets the pre‐established risk criteria.

Statewide risks Statewide risks can be characterised as:

• risks of state significance, where the potential consequences or impacts of these risks on the community, the Government and the private sector are so large as to be of state significance; or

• systemic risks, being widespread risks that impact all or a significant part of the Government’s operations, requiring high levels of management and coordination of risk beyond the boundaries of a single agency.

Statewide risks may be immediate risks or longer‐term risks.

Systemic risks include such areas as project management risk, procurement risk, people risks, and intellectual property risks that require a whole of government response.

Risks of state significance include catastrophic events such as a health pandemic or severe flooding, which need a whole of government response in partnership with the community and the private sector. Figure 9.1 shows the potential sources of state significant risks.


Figure 9.1 Potential sources of state significant risks

State significant risks know no boundaries. The private sector plays a major role in the provision and management of community assets and services, increasingly in partnership with government. The identification of risks of significance to the State is therefore irrespective of the public or private ownership of these risks.

Statewide risks can also be characterised by type. They can be event risks (e.g. pandemics), recurrent risks (e.g. road trauma), creeping risks (e.g. obesity) and emerging risks (e.g. asbestosis).

Whole of state risk planning Risk management policies and plans of agencies should also include consideration of statewide risks. Statewide risks should be documented in the agencies’ risk registers and supplied to the VMIA for consideration in developing the VMIA’s statewide risk register. Agencies continue to maintain their risk registers and manage the risks.

The VMIA statewide risk register is intended to help government and its agencies to achieve their objectives by providing a whole of government view of statewide risks.

Whole of government coordination Existing whole of government processes for managing risk and machinery of government arrangements are aligned with legislative requirements, so that oversight of financial, insurable and non‐financial risks is undertaken at the whole of government level by the DTF, DPC and VMIA.

The management of statewide risks requires a collaborative approach across government. Similar to the management of agency level risks, statewide risks also require a structured and systematic approach. Accordingly, the management of all identified statewide risks will require the nomination of a lead agency or coordinating body to ensure clear accountability from a whole of government perspective.

Interdepartmental Committees (IDCs) are established on an ‘as needs’ basis with senior officer level representation and terms of reference agreed by the members of the committees. These committees often play a critical advisory and consultative role on major whole of government issues and are an important part of the Government’s decision‐making process.

Two committees that provide representation at a senior level across government departments are the State Coordination and Management Council (SC&MC) and the Deputy Secretaries Leadership Group (formerly known as the Public Service Strategic Workforce Development Group).


SC&MC comprises the Secretaries of departments, the Chief Commissioner of Police and the Commissioner for Public Employment. SC&MC meets monthly in a forum that is chaired by the Secretary of the DPC and supported by DPC. SC&MC works towards solving policy and implementation challenges across portfolios. It also facilitates the coordination of policy initiatives across the public sector and promotes leadership and information exchange across the Victorian public service.

The Deputy Secretaries Leadership Group’s charter is to:

• develop operational solutions to whole of public service policies and initiatives on behalf of SC&MC;

• provide guidance, knowledge and experience to project leaders in developing whole of public service/sector policies; and

• act as a clearing house for information and ideas in innovation of public administration.


9. Risk management culture and capability The effective management of risk should be an integral part of an organisation’s culture, and be reflected in the various systems and processes used to ensure sound financial management and efficient and effective service delivery.

Culture can be defined as ‘the way we work around here’. It is the collective way of doing things, through accepted values, behaviours and processes. A risk management culture specifically refers to the way risk management is applied to the way people work in an organisation. It is about the accepted ways of thinking and doing with regards to risk and risk management. Risk culture involves how people recognise and respond to risk and how risk is considered in making decisions.

The risk culture of an organisation influences the behaviour and decisions of management and employees. One element of risk culture is the degree to which individuals understand that organisation policies and procedures apply to everyone. Equally important is the need to ensure that employees share a common understanding of the organisation and its business purpose.

For risk management to be effective it is necessary to support the policies and frameworks with an organisational culture where employees do the right thing regardless of the circumstances. Culture is intrinsic to risk management. The accepted behaviour or norms around ‘maximising potential opportunities whilst managing adverse effects’ determines how embedded risk management is in an organisation. Hence to have an effective risk management process or framework in place means also having an appropriate culture that works for your organisation. If risk management is not working, a change in culture may be necessary.

For a risk function to be effective it should be adequately resourced with appropriately qualified and skilled staff. Ongoing training and education is essential to maintain individual and professional standards. In support of this, VMIA offers a range of training, education sessions and professional forums.

The role of risk managers varies considerably from agency to agency. This variability often reflects the risk maturity of an organisation.


10. Managing insurable risks Insurance as a risk management tool The community expects a high degree of efficiency from government in its use of resources and assets. In this regard it is essential for agencies to make best use of resources and assets and minimise loss to the community and consolidated revenue.

Insurance is one of a number of risk management tools to manage and transfer risks. The use of insurance should be considered in the light of:

• the nature of the risks; • the availability of alternative risk management and minimisation strategies; and • the financial consequences for choosing not to insure.

The purchase of insurance transfers the financial risk of loss, contractually, from the insured to the insurer. However, sometimes not all risk can be transferred nor is it always cost beneficial to do so.

Most insurance policies specify a minimum value of loss or self‐retention per claim (a ‘deductible’, ‘retention’ or ‘excess’) that the insurer will not pay. A higher deductible will usually reduce the premium but expose the insured to a larger loss if the risk materialises.

When to use insurance For each risk identified under a risk management plan, the two key questions relating to insurance are is the risk insurable; and if so, should it be insured?

In practical terms, the level of insurance obtained should be based on consideration of the agency’s risk profile and objectives, past claims experience, the availability and cost of insurance, and the type and scale of risks that the agency is prepared to accept.

All agencies10 are required to obtain their insurance from VMIA and should consult with VMIA for their insurance requirements. VMIA can advise on appropriate insurance programs taking into account the client’s risk profile, historical claims experience and financial strength.

If an agency chooses not to insure an insurable risk, that agency is liable to meet the consequential financial impacts from its existing resources and cannot expect to receive financial supplementation from consolidated revenue.

All agencies are required to account for the risk of self insured and under‐deductible losses appropriately, including providing quarterly claims data to VMIA on under‐deductible claims.

If the risk is not insurable, the agency’s risk management plan should specify an alternative response to address the risk.

The fact that a risk is insurable does not necessarily mean that it should be insured.

If a risk is insurable, the agency risk management plan should specify whether preventative measures can be undertaken to reduce the probability of occurrence or severity of the outcome of an adverse event, and provide a cost‐benefit analysis of possible actions.

Insurance should be considered where an adverse event would mean that the agency concerned would be required to commit significant resources to overcome the impact of the event.

10 As defined under the VMIA Act, including participating bodies.


In assessing when to use insurance, the following principles on insurance risks should be considered:

• insurance is generally only recommended for pure risks, not speculative risks; • the insured should have an economic interest or a legal insurable interest in the subject of

coverage; • the policy should cover specific events that may occur in the future; • the likelihood of loss should be reasonably predictable (even though the timing of the loss

occurring is unpredictable); • the loss should be financially measurable; • the loss should be accidental; • the underwriting conditions, including but not limited to exclusions, endorsements, definitions,

limits and memoranda set by the insurer, need to be understood and evaluated in the context of the risks that need cover;

• as a general rule, insure against large or catastrophic losses and set an appropriate deductible level to cover small losses;

• broad coverage is likely to provide better value than narrow coverage; and • the purpose of insurance is clear i.e. protection from substantial loss, even out costs over time or

other purposes.

For more information, refer to the Insurance Management Policy and Guidelines for the General Government Sector. It is available on the DTF website www.dtf.vic.gov.au.


11. Emergency management and response Emergency management Victoria’s emergency management systems are an example of a structured approach to multiagency cooperation and coordination. The Government has established a multiagency framework with respect to emergency management. This enables the exercise of roles and responsibilities, and the capacity to adapt to new or changed circumstances, in a systematic framework.

Risk management in the emergency management context follows the Australian/New Zealand Risk Management Standard processes. It is about managing the likelihood and/or potential consequences of risk, when no emergency is occurring. In the emergency context, risks are examined that have the potential to become emergencies, if realised. Emergencies can negatively impact on the State’s objectives for safety, sustainability and economic prosperity.

There are a number of statewide groups and offices that support the emergency management framework including a State Emergency Mitigation Committee that supports the work of the Office of the Emergency Services Commissioner, the Central Government Response Committee, and Cabinet’s Security and Emergencies Committee.

Central Government Response Committee (CGRC) CGRC is an example of a purpose specific interdepartmental committee. This is a standing committee set up to deal with emergency management for high impact risks that need an immediate and coordinated response across government. The purpose of CGRC is to coordinate the whole of government response to extreme incidents in Victoria that have or may have an extreme impact, or have impacts cutting across departmental portfolio responsibilities. CGRC is chaired by the Secretary of DPC and comprises a senior representative of each relevant department at Deputy Secretary level, a Deputy Commissioner from Victoria Police, the State Emergency Recovery Coordinator (if different from the Department of Human Services representative) and the Emergency Services Commissioner (if different from the Department of Justice representative). It is supported by DPC and supports the Security and Emergencies Committee.

Security and Emergencies Committee (SEC) SEC is the supreme Victorian decision making body in the event of a major incident (including a terrorist related incident) requiring whole of government coordination. Its functions are:

• to provide direction and policy development and oversee the implementation of strategies and programs affecting security and extreme emergency mitigation, including the supply and security of essential services;

• management and coordination of the whole of government response to major incidents. SEC will ensure all necessary actions are taken across government in a consistent, coordinated and timely way. In doing so, it will consider advice on legal issues, including the powers under which emergency actions are undertaken, and the processes necessary to ensure those powers are properly exercised; and

• communication – SEC will approve and coordinate public communication in response to a major incident, and coordinate intergovernmental communication if required.


12. Related governance requirements Apart from Standards Australia’s corporate governance standards, departments and agencies should also take note of the following standards (partial listing):

• AS 3806:2006 ‐ Compliance Programs • AS/NZS 5050:2010 ‐ Business continuity ‐ Managing disruption‐related risk • AS/NZS ISO 9001:2008 ‐ Quality Management Systems ‐ Requirements • AS/NZS ISO/IEC 38500:2010 ‐ Corporate Governance of Information Technology • AS/NZS 3745: 2010 – Planning for emergencies in facilities • AS/NZS 4801:2001– OHS Safety Management Systems • HB 167:2006 ‐ Security Risk Management • HB 203:2006 ‐ Environmental Risk Management ‐ Principles and Process • HB 205:2004 ‐ OHS Risk Management Handbook • HB 231:2004 ‐ Information Security Risk Management Guidelines • HB 254:2005 ‐ Governance, Risk Management and Control Assurance • HB 296:2007 ‐ Legal Risk Management • HB 327:2010 ‐ Communicating and Consulting About Risk • HB 408:2006 ‐ Corporate Governance Culture

Applicable Acts include:

• Occupational Health and Safety Act 2004 • Information Privacy Act 2000 • Financial Management Act 1994 • Public Administration Act 2004

Applicable Victorian Government policies:

• Whole of Victorian Government ICT Policy (2005) • Emergency Management Manual Victoria

Business continuity, security, and emergency management plans In 2004, SC&MC mandated that all government agencies have a Business Continuity Plan in place by 30 September 2004. These plans were based on the Australian/New Zealand Standards Handbook of Business Continuity Management (HB 221: 2003).

Following the publication of risk management standard AS/NZS 5050:2010 Business continuity – Managing disruption‐related risk in June 2010, many agencies are reviewing their business continuity plans.

In 2006, CGRC endorsed the Victorian Government Escalation Protocol, which requires all agencies to be able to scale up their security plans if the threat environment changes.

In February 2007, CGRC endorsed the Victorian Human Influenza Pandemic Plan which commits every agency to the development of a pandemic plan. Each department has appointed a pandemic manager to coordinate all issues as they relate to pandemic planning and response. This role is incorporated into the agencies’ business continuity management.

In addition, as part of occupational health and safety requirements, all agencies are required to have on‐site emergency plans and comply with the Occupational Health and Safety Act 2004 and have requirements such as processes consistent with AS/NZS 3734‐2010 and other relevant standards.


Disaster recovery and information security Information is an important government asset. Information security risk management is therefore an integral part of risk management for government agencies. The two relevant standards are Disaster Recovery and Information Security policies and standards. These standards are applied to the ‘inner budget sector’ comprising government departments and four agencies: VicRoads, Victoria Police, the Environment Protection Authority and the State Revenue Office.

In addition, under the Information Privacy Act 2000, the Government has a requirement to actively manage the risk of breaches to a citizen’s privacy.

The Government Services Division (GSD) provides services aimed at a more integrated government focus on information and communication technology. Standing Direction 3.2.3 issued under the Financial Management Act 1994 concerns the security of information management systems, and states that ‘On at least an annual basis, a formal assessment must be performed of whether financial management information that is sensitive to the public sector agency and stakeholders is appropriately controlled and secured’.

Further information about relevant policies and standards can be found on the DTF website.


13. Glossary of key terms

Agency A department or public body.

Financial Report for the State of Victoria. (AFR)

Annual financial results for budget and non‐budget sectors audited by the Auditor‐General and published annually by 15 October.

Agency‐level risks Risks that have the potential to impact the outputs or organisational objectives of a specific agency.

Audit committee The Standing Directions of the Minister for Finance state that an audit committee is appointed to oversee and advise the department or agency on matters of accountability and internal control. This committee is a subset of the Responsible Body (or Board) which has been formulated to deal with issues of a specific nature.

Australian/New Zealand Risk Management Standard

AS/NZS ISO 31000:2009. The Standard provides principles and generic guidelines about risk management, and can be applied to a wide range of activities, including strategies and decisions, operations, processes, functions, projects, products, services and assets.

General government The largest sector, comprising government departments, offices and other government bodies engaged in providing public services free of charge or at prices significantly below the cost of production.

Interagency risks Risks which if not treated by one agency, become risks for other agencies, including risks that require management and coordination by more than one agency.

Public body An entity that is controlled by the Victorian Government as defined in FMA. Sector classifications used in the AFR include general government, public non financial corporations and public financial corporations.

Public financial corporations Entities primarily engaged in the provision of financial services. (For example, Treasury Corporation Victoria, Transport Accident Commission, Rural Finance Corporation, State Trustees).

Public non financial corporations

Provide goods and services (of a non financial nature) within a competitive market. (For example, water and port authorities, cemetery trusts, waste management groups or Federation Square Pty Ltd).

Responsible body For a department, the accountable officer is the responsible body. For other agencies, it is the board or the person or body with ultimate decision making authority.

Risk ‘Effect of uncertainty on objectives’.11

Risk criteria Terms of reference against which the significance of a risk (2.1) is evaluated.12

11 ISO Guide 73:2009, definition 1.1 12 ISO Guide 73:2009, definition 3.3.1.3


Risk management Coordinated activities to direct and control an organisation with regard to risk.13

Risk Management Framework

Set of components that provide the foundations and organisational arrangements for designing, implementing, monitoring, reviewing and continually improving risk management throughout the organisation.14

Risk Management Plan Scheme within the risk management framework specifying the approach, the management components and resources to be applied to the management of risk.15

Risk Management Policy Statement of the overall intentions and direction of an organisation related to risk management.16

Risk Management Process Systematic application of management policies, procedures and practices to the activities of communicating, consulting, establishing the context, and identifying, analysing, evaluating, treating, monitoring and reviewing risk.17

Stakeholder Person or organisation that can affect, be affected by, or perceive themselves to be affected by a decision or activity.18

Statewide risks Risks that have the potential to cause state significant impacts, requiring high levels of management and coordination of risk beyond the boundaries of a single agency.

13 ISO Guide 73:2009, definition 2.1 14 ISO Guide 73:2009, definition 2.1.1 15 ISO Guide 73:2009, definition 2.1.3 16 ISO Guide 73:2009, definition 2.1.2 17 ISO Guide 73:2009, definition 3.1 18 ISO Guide 73:2009, definition 3.2.1.1


Appendix I: Categories of risks Risks may be categorised in many ways. The diagrams below provide two examples of how risks may be categorised.



Appendix II: Attestation template Template for attestations in annual report of operations To ensure that risks are being managed in a consistent way, departments, and category 1, 2 and 3 public bodies are required to attest in annual reports that:

• agencies have risk management processes in place consistent with the Australian/New Zealand Risk Management Standard (AS/NZS ISO 31000‐2009 or its successor);

• these processes are effective in controlling risks to a satisfactory level; and • a responsible body or audit committee verifies that view.

Attestation of compliance should be made annually in the report of operations and the person making the attestation, usually the chief executive officer or accountable officer, should not make the attestation unless the audit committee or responsible body (for example, the board of a statutory authority) agrees that such an assurance can be given.

Department I, [Accountable Officer] certify that the [name of department] has risk management processes in place consistent with the Australian/New Zealand Risk Management Standard (AS/NZS ISO 31000:2009 or its successor) and an internal control system is in place that enables the executive to understand, manage and satisfactorily control risk exposures. The audit committee verifies this assurance and that the risk profile of the [name of department] has been critically reviewed within the last 12 months.

Statutory Authority and other relevant agency I, [Chair of Board] certify that the [name of agency] has risk management processes in place consistent with the Australian/New Zealand Risk Management Standard (AS/NZS ISO 31000:2009 or its successor) and an internal control system is in place that enables the executive to understand, manage and satisfactorily control risk exposures. The [responsible body] verifies this assurance and that the risk profile of the [name of agency] has been critically reviewed within the last 12 months.

NOTE:

There may, however, be reasons why a department or agency may wish to modify the sample attestation wording. Reasons may include the risk maturity of the department or agency, the progress being made towards implementation of a risk framework, incomplete coverage of organisation units, divisions or risk types or the inability to adequately determine the level of ‘satisfaction’ over controls or risk exposure.

This list is not exhaustive nor is it provided to enable organisations to avoid their attestation requirements. It is provided to ensure that departments and agencies understand that the requirement to attest is not a tick box exercise. It is intended to provide a level of assurance over an organisation’s risk management framework and process that will evolve over time.

If a department or agency chooses to modify the sample attestation wordings, an explanation as to why such modification is required should be made. VMIA proposes a model similar to the Australian Stock Exchange’s ‘if not, why not’ reporting style. This means that if the department or agency cannot attest for whatever reason, they should explain why not and what they are planning to do about their risk management framework and process, and control systems over the coming year.


Appendix III: AS/NZS 31000:2009 – risk management principles, framework and process

AS/NZS ISO 31000:2009 In November 2009, Standards Australia replaced the former AS/NZS 4360 Risk Management Standard with AS/NZS ISO 31000:2009 Risk Management Standard. The key differences are the definition of risk and the inclusion of a set of risk management principles.

The Standard provides principles and generic guidelines about risk management. It can be used by any public, private or community organisation, association, group or individual, and is not specific to any industry or sector. The Standard can be applied throughout the life of an organisation, and to a wide range of activities, including strategies and decisions, operations, processes, functions, projects, products, services and assets. It can be applied to any type of risk, whatever its nature, whether having positive and/or negative consequences.

Risk management should be embedded in all an agency’s practices and processes in a way that is relevant, effective, efficient19 and adequate.20 The process should be an integral part of management, embedded in the agency’s culture and practices, and tailored to the agency’s processes.21

The design and implementation of risk management plans needs to take into account the varying needs of an organisation, its objectives, context, structure, operations, processes, functions, projects, products, services, assets and specific practices employed.

The Standard consists of three major sections (as shown in Figure 7.1):

• 11 principles for managing risk; • framework for managing risk; and • a process for managing risks.

19 Standards Australia, ‘Australian/New Zealand Risk Management Standard : AS/NZS ISO 31000: 2009’, p11, clause 4.3.4 20 ISO Guide 73:2009, definition 3.8.2.6 21 Standards Australia, ‘Australian/New Zealand Risk Management Standard : AS/NZS ISO 31000: 2009’, p13, clause 5.1


Figure 7.1: Relationships between the risk management principles, framework and process 22

Risk management principles For risk management to be effective, agencies should comply with the following principles at all levels, which state that risk management:

• creates and protects value; • is an integral part of the agency’s processes; • is part of decision making; • explicitly addresses uncertainty; • is systematic, structured and timely; • is based on the best available information; • is tailored; • takes human and cultural factors into account; • is transparent and inclusive; • is dynamic, iterative and responsive to change; and • facilitates continual improvement of the agency.23

Public sector agencies wanting to manage risk more effectively can also refer to the following optional attributes of enhanced risk management:

• continual improvement in risk management and organisational performance; • full accountability for risks, controls and risk treatments; • application of risk management in all decision making, whatever the level of importance and

significance; • continual communication and consultation with stakeholders; and • full integration of risk management in the agency’s governance structure.24

22 Standards Australia, ‘Australian/New Zealand Risk Management Standard : AS/NZS ISO 31000: 2009’, Figure 1, pvi 23 Standards Australia, ‘Australian/New Zealand Risk Management Standard : AS/NZS ISO 31000: 2009’, pp7,8, clause 3 24 Standards Australia, ‘Australian/New Zealand Risk Management Standard : AS/NZS ISO 31000: 2009’, pp22,23, Annex A


Figure 7.2: Relationships between the components of the framework for managing risk 25

The key elements of the risk management framework are as follows:26

• Mandate and commitment – Agencies require a strong and sustained commitment by management to ensure the ongoing effectiveness of risk management in their organisation. This commitment should foster a risk management culture, where management of risk is embedded in employee behaviour throughout the organisation.

• Design of framework for managing risk – Agencies require a systematic approach in designing a risk management framework that is relevant, effective, efficient and adequate. The framework should be supported by an organisation‐wide risk management policy and plan, effective governance arrangements and risk management accountabilities for all employees.

• Implementing risk management – The risk management process is applied through a risk management plan at all relevant levels and functions of the department or agency as part of its practices and processes. Investment in resources and capabilities should enable an organisation to effectively and efficiently apply its risk management activities.

• Monitoring and review of the framework – Agencies should continually ensure that risk management is effective and supports organisational performance.

• Continual improvement of the framework – Based on results of monitoring and reviews, decisions should be made on how the risk management framework, policy and plan can be improved. Furthermore, independent assurance of risk management controls and practices can assist in continuous improvement initiatives.

25 Standards Australia, ‘Australian/New Zealand Risk Management Standard : AS/NZS ISO 31000: 2009’, Figure 2, p9 26 Standards Australia, ‘Australian/New Zealand Risk Management Standard : AS/NZS ISO 31000: 2009’, pp. 8‐13, clause 4


Risk management process The risk management process consists of activities as shown in Figure 7.327.

Figure 7.3: Risk management process

The key elements of the risk management process are as follows:28

• Communication and consultation – communication and consultation with external and internal stakeholders should take place during all stages of the risk management process. This ensures that those accountable for implementing the risk management process and stakeholders understand the basis on which decisions are made, and the reasons why particular actions are required.

• Establishing the context – establish the external, internal, and risk management context in which the rest of the risk management process will take place. By establishing the context, the organisation articulates its objectives, defines the external and internal parameters to be taken into account when managing risk, and sets the scope and risk criteria for the remaining process.

• Risk assessment – risk assessment is the overall process of risk identification, risk analysis and risk evaluation. IEC/ISO 31010:2009 Risk Management ‐ Risk Assessment Techniques provides further guidance on risk assessment techniques.

• Risk identification – the aim is to generate a comprehensive list of risks based on those events that might create, enhance, prevent, degrade, accelerate or delay the achievement of objectives.

• Risk analysis – risk is analysed by determining consequences and their likelihood, and other attributes of the risk. It provides an input to risk evaluation, decisions on whether risks need to be treated, and on the most appropriate risk treatment strategies and methods.

27 Standards Australia, ‘Australian/New Zealand Risk Management Standard : AS/NZS ISO 31000: 2009’, Figure 1, pvi 28 Standards Australia, ‘Australian/New Zealand Risk Management Standard : AS/NZS ISO 31000: 2009’, pp7,8, clause 3


• Risk evaluation – involves comparing the level of risk with risk criteria and making decisions about

which risks need treatment and the priority for treatment implementation. • Risk treatment – risk treatment involves selecting one or more options for modifying risks, and

implementing those options. When implemented, treatments provide or modify the controls. • Monitoring and review – risks and the effectiveness of controls and risk treatments need to be

monitored, reviewed and reported to ensure changing context and circumstances do not alter priorities.


Appendix IV: References and links

Owner Reference Location

Department of Treasury and Finance

Asset management www.dtf.vic.gov.au

Asset management in the Victorian public sector

Department of Treasury and Finance, Commercial Division

Project management www.dtf.vic.gov.au

Gateway reviews and best practice guidelines

Department of Treasury and Finance, Government Services Division

Procurement guidelines www.dtf.vic.gov.au

Services to government

Government procurement


Information Communication and Technology (ICT) Policies and Standards

www.dtf.vic.gov.au

Services to government

ICT services


Information technology – Security policy and standards

www.dtf.vic.gov.au/cio

Information Security Policy and Standards

Information security


Disaster recovery policy and standards www.dtf.vic.gov.au/cio

Information Security Policy and Standards

Disaster recovery

Department of Premier and Cabinet

The Terrorism (Community Protection) Act 2003

www.dms.dpc.vic.gov.au

Victorian Statute Book

2003

Department of Premier and Cabinet

Victorian Framework for the Protection of Critical Infrastructure from Terrorism

www.dpc.vic.gov.au/

Key word Search

Emergency Services Commissioner (Office of)

Emergency management manual www.oesc.vic.gov.au

Institute of risk management Risk management www.theirm.org

Privacy Commissioner (Office of)

Information privacy principles www.privacy.vic.gov.au

Risk Management Institution of Australasia

Risk management www.rmia.org.au


Owner Reference Location

Standards Australia Risk management standard (AS/NZS ISO 31000:2009)

http://infostore.saiglobal.com

Standards Australia Risk management standard (AS/NZS 5050:2010 Business continuity – Managing disruption‐related risk)


Standards Australia Risk management guide HB 327:2010 Communicating and consulting about risk (Companion to AS/NZS ISO 31000:2009)


State Services Authority Public sector governance www.ssa.vic.gov.au

Public sector governance

Victorian Auditor‐General’s Office

Good Practice Guide to Risk Management

www.audit.vic.gov.au

Reports and publications

Reports by year ‐ 2004

Managing risk across the public sector

Victorian Managed Insurance Authority

Risk management (insurable, non financial)

www.vmia.vic.gov.au

Victorian WorkCover Authority

Leading the way – improving health, safety and return to work in government workplaces

www.worksafe.vic.gov.au

UK Government’s Risk Assessment

National Risk Assessment (NRA) www.cabinetoffice.gov.uk/content/risk‐assessment


Appendix V: Administrative inventory of key acts and policies

This inventory is intended as a guide to legislation and governance frameworks related to risk management administered by central agencies. Sector coverage is indicative of requirements, but a number of guidance frameworks are recommended best practice for all public sector entities. For example, Gateway reviews have been undertaken for a number of public non‐financial corporations and procurement policies and tools are widely used across government. It should be noted that departments and agencies with responsibility for oversighting risk management processes may also require compliance with industry specific policies or legislation (including Ministerial Standing Directions under the Financial Management Act 1994 (FMA)) in addition to those listed here.

Current government framework Sector coverage

Public financial

corporations

(PFCs)

Public non‐

financial

corporations

(PNFCs)

General

government

(GG)

Legislation

Financial Management Act 1994

FMA Ministerial Standing Directions (section 8) √ √ √

Part 7 Accountability and reporting requirements √ √ √

Requirements for asset register and risk management strategy (section 44B)

√ √ √

Requirement for SOEs to prepare annual report (section 53A)

√ (a)

Part 7A – Supply management and Victorian Government Purchasing Board

√

Borrowing and Investment Powers Act 1987

Parts 2 and 3 – Borrowing and investment powers √ (b) √ (b)

Treasury Management Guidelines √√ (c)

Budget Sector Treasury Management Policy √

Application to the Granting and Use of Borrowing/Investment Powers for State Entities (September 2001)

√

Public Administration Act 2004

Part 5 – Operation of public entities, governance √ √ √

Victorian Managed Insurance Authority Act 1996

Requirement to provide assistance with establishing risk management programs. Monitoring processes and training and advice (section 6)

√ [d] √ [d] √ [d]

Requirements for asset register, risk management strategy (section 23)

√ [d] √ [d] √ [d]



Public financial

corporations

(PFCs)

Public non‐

financial

corporations

(PNFCs)

General

government

(GG)

Requirement to arrange insurance with VMIA (section 24)

√ [d] √ [d] √[d]

Audit Act 1994

Authorities to be audited annually (section 8) √ √ √

Information Privacy Act 2000 √ √ √

Terrorism (Community Protection) Act 2003

Part 6 – Essential Services Infrastructure Risk Management

√ √ √

Guidelines

Victorian Government Risk Management Framework √√ √√ √√

Guarantee Policy (incorporating Guarantee Charge and FAL) 2003

√ √

Indemnities and Immunities Policy √ √ √

Prudential Statement for Public Sector Investments √√

Prudential Statements ‐ Investment Powers of Councils (1998)

Local councils only

Prudential Insurance Standard √√

Contingent Liabilities Management Framework (April 1998) √ √

Prudential Supervision Policy Treasury Corporation of Victoria (TCV)

TCV only

Prudential Supervision Policy Rural Finance Corporation (RFC)

RFC only

Prudential Risk Management Framework for State’s Financial Markets Activities

√ √ √

Financial Leasing Policy √ √

GBE Corporate Governance Guidelines √ √

Asset Management Guidelines √ √ √

Gateway Reviews and Best Practice Guidance Recommended best practice

outside of general government √

Contingent liabilities Management Framework √ √ √

Australian Standards Handbook of Business Continuity Management (HB 221: 2003)

√ √ √

Information Security Management Policy √

ICT Disaster Recovery Policy √

Insurance Management Policy for General Government sector

√



Public financial

corporations

(PFCs)

Public non‐

financial

corporations

(PNFCs)

General

government

(GG)

Victorian Framework for the Protection of Critical Infrastructure from Terrorism

Owners/operators of critical infrastructure as advised by DPC.

University Borrowing Guidelines Higher Education Sector only

Office Accommodation Guidelines All government owned and leased property and buildings

Office Building Standards Guidelines All government owned and leased property and buildings

Security in Construction Design Guide All government owned and leased property and buildings

Key to table

√ Policy applies.

√√ Policy applies and attestation required.

(a) Applies to state‐owned corporations within the meaning of Corporations Act or bodies declared by Governor in Council. Other sections of the Financial Management Act 1994 do not apply to entities required to report to Parliament under section 53A.

(b) Applies to bodies listed in Schedule 1 of the Act (mainly Public Financial Corporations and Public Non‐Financial Corporations).

(c) Applies to Public Non‐Financial Corporations whose power to invest is governed by the Borrowing and Investment Powers Act 1987.

(d) Victorian Managed Insurance Authority clients and/or designated participating bodies.