School operations

Risk Management – Schools


This policy sets out the requirements for schools to identify and manage risks that might affect their students, staff or operations.


Managing risk means considering the effect of uncertainty (whether positive or negative) on school objectives.

Schools must proactively manage risks by following the department’s Risk Management Process for Schools set out in the Guidance tab.

Managing risk involves:

  • identifying and assessing risks and controls
  • documenting risks in a risk register (or equivalent)
  • implementing actions and treatments to manage identified risks
  • monitoring risks, including regularly reviewing risk registers
  • reporting on risks.

Managing risk is everyone’s responsibility, as explained in the department’s Three Lines of DefenceExternal Link model.

Identifying and managing risk maximises schools’ ability to make sound decisions to:

  • deliver the best possible outcomes for the school and the community
  • meet Victorian community and government expectations for accountable and responsible use of public finances and resources
  • safeguard student and staff wellbeing.


Assessing and documenting risk

All schools must use the department’s Risk Management Process for Schools when assessing and documenting the risk(s) associated with:

When assessing the risks listed above, schools must document the identified risks in a risk register. A template risk register is available in the Resources tab.

Schools may also assess and document risks for:

  • development and review of the school’s Annual Implementation Plan (AIP)
  • development and review of the school’s School Strategic Plan (SSP)
  • community events such as school fetes, concerts and science fairs
  • school projects/programs such as infrastructure builds
  • lesson planning associated with higher risk activities such as science experiments or food technology classes.

If a school is uncertain whether a risk assessment is required, they must contact the Planning, Risk and Governance Branch for clarification and advice.

Monitoring risks

Schools must monitor risks for those mandatory risk assessments outlined above.

Schools may monitor identified risks by:

  • including a standing item to review the school’s current and emerging risks on the school leadership meeting agenda
  • undertaking a review of all risks associated with delivery of the AIP and the SSP at least once every 6 months
  • reviewing all risk registers as necessary or when advised.

Reporting risks

Schools may report and escalate relevant risks to stakeholders, for example, school council, regional directors, Senior Education Improvement Leaders etc through appropriate channels.

Communication of this policy

Principals/school leadership are responsible for:

  • providing staff with relevant training opportunities to support staff to manage risks at an operational level
  • ensuring that all school staff follow departmental policies and processes, as risk management is integrated into other policies and processes.


Risk register templates are available on the Resources tab to document identified risks and their treatment and controls. Note that some templates include examples of controls or assessments which will need to be reviewed/updated to suit your specific context.


School leadership teams (principals and business managers) can contact the Planning, Risk and Governance Branch for specific risk advice and risk training workshops. Email:

Printed copies of the Risk Management Process for Schools pocket guide (available in the Resources tab) can also be ordered from the Branch.


An objective is an aspirational, results-oriented statement describing what your school intends to achieve within the set timeframe, and describes what successful delivery would entail.

The effect (whether positive or negative) of uncertainty on objectives.

Risk management
The identification, analysis, assessment and prioritisation of risks to the achievement of an objective.

Risk management involves the coordinated allocation of resources to:

  • minimise, monitor, communicate and control risk likelihood and/or impact, or
  • maximise the potential presented by opportunities.

Risk management includes coordinated activities to direct and control risks to the achievement of an objective.

Risk register
A formatted list that records identified risks, assesses their impact and describes the actions (controls) to be taken to mitigate them. Typically, it describes the risk, the causes for that risk and the responsible person or group for managing it.

A control is any existing measure that modifies risk such as uniform policy or staff succession plan.

Controls are methods or procedures that assist in achieving objectives, safeguarding assets, ensuring financial information is accurate and reliable and supporting compliance with all financial and operational requirements.

Identifying current controls and their effectiveness is one of the most important aspects of risk management. It allows you to better understand the elements that are impacting the likelihood and/or consequence of a risk.

A risk treatment is an action you undertake to reduce a risk to an acceptable level, by adding new or improving/modifying existing controls.

Relevant legislation

Public Administration Act 2004 (Vic)External Link (section 81, part 1b)

Department policy outlining the requirements for schools to identify and manage risks that might affect their students, staff or operations

Reviewed 12 May 2023

Policy last updated

11 May 2023


  • Schools
  • School councils


Planning, Risk and Governance Branch

Was this page helpful?