Risk Management – Schools

Policy

This policy sets out the requirements for schools to identify and manage risks that might affect their students, staff or operations.

Summary

Managing risk means considering the effect of uncertainty (whether positive or negative) on school objectives.

Schools must proactively manage risks by following the department’s Risk Management Process for Schools set out in the Guidance tab.

Managing risk involves:

• identifying and assessing risks and controls
• documenting risks in a risk register (or equivalent)
• implementing actions and treatments to manage identified risks
• monitoring risks, including regularly reviewing risk registers
• reporting on risks.

Managing risk is everyone’s responsibility, as explained in the department’s Three Lines of Defence model.

Identifying and managing risk maximises schools’ ability to make sound decisions to:

• deliver the best possible outcomes for the school and the community
• meet Victorian community and government expectations for accountable and responsible use of public finances and resources
• safeguard student and staff wellbeing.

Details

Assessing and documenting risk

All schools must use the department’s Risk Management Process for Schools when assessing and documenting the risk(s) associated with:

• Emergency and Critical Incident Management Planning
• Child Safe Standards
• OHS Management System (OHSMS) Overview
• Excursions
• Buses – Owned, Hired or Chartered by a School

When assessing the risks listed above, schools must document the identified risks in a risk register. A template risk register is available in the Resources tab.

Schools may also assess and document risks for:

• development and review of the school’s Annual Implementation Plan (AIP)
• development and review of the school’s School Strategic Plan (SSP)
• community events such as school fetes, concerts and science fairs
• school projects/programs such as infrastructure builds
• lesson planning associated with higher risk activities such as science experiments or food technology classes.

If a school is uncertain whether a risk assessment is required, they must contact the Planning, Risk and Governance Branch for clarification and advice.

Monitoring risks

Schools must monitor risks for those mandatory risk assessments outlined above.

Schools may monitor identified risks by:

• including a standing item to review the school’s current and emerging risks on the school leadership meeting agenda
• undertaking a review of all risks associated with delivery of the AIP and the SSP at least once every 6 months
• reviewing all risk registers as necessary or when advised.

Reporting risks

Schools may report and escalate relevant risks to stakeholders, for example, school council, regional directors, Senior Education Improvement Leaders etc through appropriate channels.

Communication of this policy

Principals/school leadership are responsible for:

• providing staff with relevant training opportunities to support staff to manage risks at an operational level
• ensuring that all school staff follow departmental policies and processes, as risk management is integrated into other policies and processes.

Templates

Risk register templates are available on the Resources tab to document identified risks and their treatment and controls. Note that some templates include examples of controls or assessments which will need to be reviewed/updated to suit your specific context.

Support

School leadership teams (principals and business managers) can contact the Planning, Risk and Governance Branch for specific risk advice and risk training workshops. Email: risk.in.education@education.vic.gov.au

Printed copies of the Risk Management Process for Schools pocket guide (available in the Resources tab) can also be ordered from the Branch.

Definitions

Objective
An objective is an aspirational, results-oriented statement describing what your school intends to achieve within the set timeframe, and describes what successful delivery would entail.

Risk
The effect (whether positive or negative) of uncertainty on objectives.

Risk management
The identification, analysis, assessment and prioritisation of risks to the achievement of an objective.

Risk management involves the coordinated allocation of resources to:

• minimise, monitor, communicate and control risk likelihood and/or impact, or
• maximise the potential presented by opportunities.

Risk management includes coordinated activities to direct and control risks to the achievement of an objective.

Risk register
A formatted list that records identified risks, assesses their impact and describes the actions (controls) to be taken to mitigate them. Typically, it describes the risk, the causes for that risk and the responsible person or group for managing it.

Control
A control is any existing measure that modifies risk such as uniform policy or staff succession plan.

Controls are methods or procedures that assist in achieving objectives, safeguarding assets, ensuring financial information is accurate and reliable and supporting compliance with all financial and operational requirements.

Identifying current controls and their effectiveness is one of the most important aspects of risk management. It allows you to better understand the elements that are impacting the likelihood and/or consequence of a risk.

Treatment
A risk treatment is an action you undertake to reduce a risk to an acceptable level, by adding new or improving/modifying existing controls.

Related policies

• Buses – Owned, Hired or Chartered by a School
• Child Safe Standards
• Emergency and Critical Incident Management Planning
• Excursions
• OHS Management System (OHSMS) Overview

Relevant legislation

Public Administration Act 2004 (Vic) (section 81, part 1b)

Risk Management Process for Schools – completing school risk registers

This Risk Management Process for Schools guide contains the following chapters:

• Overview
• Step 1 — Establish the context
• Step 2 — Risk identification
• Step 3 — Risk analysis
• Step 4 — Evaluation
• Step 5 — Risk treatment
• Step 6 — Communication and consultation
• Step 7 — Monitoring and review
• Step 8 — Recording and reporting

Overview

The department’s Risk Management Process for Schools guides decision-making to help schools effectively manage risk and prioritise school resources in the context of the school’s operating environment.

Use the Risk Management Process for Schools to identify, assess and review risk associated with:

• activities where a mandatory risk assessment is required under legislation (emergency management, child safety, occupational health and safety, excursions including overseas travel, bus safety)
• developing the Annual Implementation Plan (AIP)
• developing the School Strategic Plan (SSP)
• school operations (such as lesson planning)
• community events or activities that require approval by the school council, such as a school fete.

Step 1 – Establish the context

Before identifying risks, first decide on the scope of the activity, including your objectives, and develop an understanding of your operating environment.

Identify your stakeholders (both internal and external) and consider their concerns, issues and expectations.

Examples of key stakeholders for schools are:

• regional offices
• the school community
• local councils or shires.

Step 2 – Risk identification

Risk identification means thinking about what could go wrong when you are delivering your objective.

2.1 Identify the risks

Use the SWOT matrix analysis tool (PDF) to analyse the environment, establish current issues and consider future risks. The SWOT matrix analysis tool provides a structured way to consider internal and external strengths, weaknesses, opportunities and threats. Ask yourself ‘what can go wrong?’

Consider whether it would be beneficial to involve key stakeholders when conducting your SWOT analysis.

2.2 Consider causes, consequences and opportunities

Consider each risk in more detail and identify:

• Causes: what would cause it to go wrong?
• Consequences: what are the impacts if it does go wrong?
• Opportunities: what can go right?

2.3 Record your risks

Use the school risk register templates in the Resources tab to record your risks and associated details (risk rating, controls and treatments).

Review risks periodically and update the risk register accordingly.

Step 3 – Risk analysis

Assess each risk to determine the overall level of risk (the ‘risk rating’).

This involves:

• identifying any existing controls
• considering the consequences (effect) if the risk eventuates
• the likelihood that the risk will occur.

3.1 Existing controls

Identify any existing controls and assess their effectiveness. Ask yourself 'what existing controls are in place?'

Assess the current effectiveness of these controls. Use the control effectiveness chart (PDF) to help you assess your current risk controls.

3.2 Consequences

Consider the consequences or impact (effect) of the risk if it was to occur.

Consequences are measured using the following terms:

• insignificant
• minor
• moderate
• major
• severe.

Use the consequence criteria guide (PDF) to assess the significance of the risk. This guide provides criteria for assessing risks in the categories of student outcomes, wellbeing and safety, operational, financial, reputation and strategic.

3.3 Likelihood

Consider how likely it is that the risk will occur.

Likelihood is described using the following terms:

• almost certain
• likely
• possible
• unlikely
• rare.

Use the likelihood criteria chart (PDF) to assess the likelihood that a risk will occur.

3.4 Overall level of risk (current assessment)

Use the risk rating matrix (PDF) to determine the overall level of risk.

Step 4 – Evaluation

Evaluate each risk to determine whether the level of risk is acceptable and the appropriate response to the risk. The levels of acceptability relate to the risk rating levels and are described as:

• Extreme
• High
• Medium
• Low.

Risk acceptability chart

The department's risk acceptability chart is used to decide whether the risk is acceptable, based on the rating calculated.

Extreme (must have principal, school council or regional office oversight)

Immediately consider whether the activity associated with this risk should cease. Any decision to continue exposure to this level of risk should be made at principal, school council or regional office level, be subject to the development of detailed treatments, on-going oversight and high level review.

High (with ongoing principal class officer review)

Risk should be reduced by developing treatments. It should be subject to on-going review to ensure controls remain effective, and the benefits balance against the risk. Escalation of this level of risk to principal class officer level should occur.

Medium (with frequent risk owner review)

Exposure to the risk may continue, provided it has been appropriately assessed and has been managed to as low as reasonably practicable. It should be subject to frequent review to ensure the risk analysis remains valid and the controls effective. Treatments to reduce the risk can be considered.

Low (with periodic review)

Exposure to this risk is acceptable, but is subject to periodic review to ensure it does not increase and current control effectiveness does not vary.

Step 5 – Risk treatments

A risk treatment is the way in which you respond to a risk.

Options for risk treatments include:

• Share: if practical, share all or some of the risk with outsourced parties or insurers.
• Terminate: cease the activity altogether.
• Accept: this will require appropriate authority.
• Reduce: apply additional treatments until the risk is reduced to an acceptable level.

The way you treat a risk will depend on the outcome of your evaluation:

• Risks that are rated high or extreme require treatment to reduce risk to a more acceptable level. You may also choose to share or terminate the risk as long as that option will reduce the risk rating.
• Risks that are rated low or medium do not necessarily require further actions to reduce and are considered acceptable.

Risk treatment is a cyclical process:

• assess the risk
• decide whether the risk level is acceptable
• implement a treatment option
• conduct a second assessment to confirm that the treatment has reduced the risk to expected level. (This second evaluation is called the ‘target assessment’).

A treatment that reduces the risk level may become a new control.

Step 6 – Communication and consultation

Consult and update relevant internal and external stakeholders throughout the risk management process.

Report on risks that are shared with relevant stakeholders to provide assurance that the school is managing the risk appropriately.

Step 7 – Monitoring and review

Schedule monitoring and review periods at intervals appropriate to the nature of the objective and the level of risk.

Step 8 – Recording and reporting

Have a structured way to document and report the outcomes of the risk management process to relevant stakeholders. This ensures that risk exposures are understood and managed.

Resources

Risk register templates

Use the appropriate risk register template to document identified risks and existing risk management strategies (controls) and new risk management strategies (treatments).

All schools must assess their own school specific risks and fill in the register according to their own specific environment. The templates provide example risks with example of existing and new risk management strategies (controls and treatments) however these need to be reviewed or updated to suit your specific context.

• Child safety risk register (with examples) (DOCX)
• Risk assessment for local excursions (DOCX) (staff login required) – template for compulsory risk assessment for local excursions
• Excursions risk register and emergency management plan template (DOCX) – risk register template mandatory for all day, overnight, adventure activities, interstate, overseas excursions or travel by air or water. This includes examples and a template for the emergency management plan
• Hosting visits from overseas sister school risk register (with examples) (DOC) (staff login required)
• Registered bus operator risk register (with examples) (DOC) (staff login required)
• School Risk Register (with examples) (DOC) (staff login required) – general purpose risk register for a school documenting risks associated with objectives in annual implementation plan and school strategic plan as well as risks relating to school operations
• School risk register (DOC) (staff login required) – blank and template only

Risk management framework

For more information about the overarching framework of risk management in the department, refer to the department’s Risk management framework (DOCX) (staff login required) which:

• provides a structured and consistent approach for recognising, understanding and responding to risk
• embeds the practice and implementation of risk management as part of transparent, objective and considered decision making and strategic planning
• assists in the delivery high quality service under a duty of care
• supports compliance with government statutory regulations including requirements relating to occupational health and safety, emergency management and the Public Administration Act 2004 (Vic).

This Risk Management — Schools policy is a component of the department's risk management framework.

Tools to support schools undertake a risk management process

The following resources are available to support schools undertake a risk management process:

• Risk management process for schools pocket guide (PDF) – containing the following tools to support the risk management process:
  • DET school risk process flowchart
  • DET risk process – explaining the 7 step school risk management process
  • Consequence criteria guide
  • Control effectiveness chart
  • Likelihood criteria guide
  • Risk rating matrix
  • Risk acceptability chart
  • School cycle – where schools should use risk management
  • PESTLE analysis – used to establish the risk context
  • SWOT matrix analysis tool – used in risk identification
• Managing project risks in schools (DOCX)