vic_logo
education.vic.gov.au

Risk Management — Schools

Policy last updated

15 June 2020

Scope

  • Schools
  • School councils

Contact

Planning, Risk and Governance Branch


Date:
January 2020

Policy

Policy

This policy sets out the requirements for schools to identify and manage risks that might affect their students, staff or operations.

Summary

Managing risk means considering the effect of uncertainty (whether positive or negative) on school objectives.

Schools must proactively manage risks by following the Department’s Risk Management Process for Schools set out in the Guidance tab.

Managing risk involves:

  • identifying and assessing risks and controls
  • documenting risks in a risk register (or equivalent)
  • implementing actions and treatments to manage identified risks
  • monitoring risks, including regularly reviewing risk registers
  • reporting on risks

Managing risk is everyone’s responsibility, as explained in the Department’s Three Lines of Defence model.

Identifying and managing risk maximises schools’ ability to make sound decisions to:

  • deliver the best possible outcomes for the school and the community
  • meet Victorian community and government expectations for accountable and responsible use of public finances and resources
  • safeguard student and staff wellbeing

Details

Assessing and documenting risk

All schools must use the Department’s Risk Management Process for Schools when assessing and documenting the risk(s) associated with: 

When assessing the risks listed above, schools must document the identified risks in a risk register. A template risk register is available in the Resources tab.

Schools may also assess and document risks for:

  • development and review of the school’s Annual Implementation Plan (AIP)
  • development and review of the school’s School Strategic Plan (SSP)
  • community events such as school fetes, concerts and science fairs
  • school projects/programs such as infrastructure builds
  • lesson planning associated with higher risk activities such as science experiments or food technology classes

If a school is uncertain whether a risk assessment is required, they must contact the Planning, Risk and Governance Branch for clarification and advice.

Monitoring risks

Schools must monitor risks for those mandatory risk assessments outlined above.

Schools may monitor identified risks by:

  • including a standing item to review the school’s current and emerging risks on the school leadership meeting agenda
  • undertaking a review of all risks associated with delivery of the AIP and the SSP at least once every 6 months
  • reviewing all risk registers as necessary or when advised

Reporting risks

Schools may report and escalate relevant risks to stakeholders, for example, school council, regional directors, Senior Education Improvement Leaders etc through appropriate channels.

Communication of this policy

Principals/school leadership are responsible for:

  • providing staff with relevant training opportunities to support staff to manage risks at an operational level
  • ensuring that all school staff follow Departmental policies and processes, as risk management is integrated into other policies and processes

Templates

Risk register templates are available on the Resources tab to document identified risks and their treatment and controls. Note that some templates include examples of controls or assessments which will need to be reviewed/updated to suit your specific context.

Support

School leadership teams (principals and business managers) can contact the Planning, Risk and Governance Branch for specific risk advice and risk training workshops.

Printed copies of the Risk Management Process for Schools pocket guide (available in the Resources tab) can also be ordered from the Branch.

Definitions

Objective
An objective is an aspirational, results-oriented statement describing what your school intends to achieve within the set timeframe, and describes what successful delivery would entail.

Risk
The effect (whether positive or negative) of uncertainty on objectives.

Risk management
The identification, analysis, assessment and prioritisation of risks to the achievement of an objective.

Risk management involves the coordinated allocation of resources to:

  • minimise, monitor, communicate and control risk likelihood and/or impact, or
  • maximise the potential presented by opportunities

Risk management includes coordinated activities to direct and control risks to the achievement of an objective.

Risk register
A formatted list that records identified risks, assesses their impact and describes the actions (controls) to be taken to mitigate them. Typically, it describes the risk, the causes for that risk and the responsible person or group for managing it.

Control
A control is any existing measure that modifies risk such as uniform policy or staff succession plan.

Controls are methods or procedures that assist in achieving objectives, safeguarding assets, ensuring financial information is accurate and reliable and supporting compliance with all financial and operational requirements.

Identifying current controls and their effectiveness is one of the most important aspects of risk management. It allows you to better understand the elements that are impacting the likelihood and/or consequence of a risk.

Treatment
A risk treatment is an action you undertake to reduce a risk to an acceptable level, by adding new or improving/modifying existing controls.

Relevant legislation

Contact

Planning, Risk and Governance Branch


Guidance

Risk Management Process for Schools — completing school risk registers 

This Risk Management Process for Schools guide contains the following chapters:

  • Overview
  • Step 1 — Establish the context
  • Step 2 — Risk identification
  • Step 3 — Risk analysis
  • Step 4 — Evaluation
  • Step 5 — Risk treatment
  • Step 6 — Communication and consultation
  • Step 7 — Monitor and review

Overview

Overview

The Department’s Risk Management Process for Schools guides decision-making to help schools effectively manage risk and prioritise school resources in the context of the school’s operating environment.

Use the Risk Management Process for Schools to identify, assess and review risk associated with:

  • activities where a mandatory risk assessment is required under legislation (emergency management, child safety, occupational health and safety, excursions including overseas travel, bus safety)
  • developing the Annual Implementation Plan (AIP)
  • developing the School Strategic Plan (SSP)
  • school operations (such as lesson planning)
  • community events or activities that require approval by the school council, such as a school fete

Step 1 — Establish the context

Step 1 — Establish the context

Before identifying risks, first decide on the scope of the activity, including your objectives, and develop an understanding of your operating environment.

Identify your stakeholders (both internal and external) and consider their concerns, issues and expectations.

Examples of key stakeholders for schools are:

  • regional offices
  • the school community
  • local councils or shires

Step 2 — Risk identification

Step 2 — Risk identification

Risk identification means thinking about what could go wrong when you are delivering your objective.

2.1  Identify the risks

Use the SWOT matrix analysis tool to analyse the environment, establish current issues and consider future risks. The SWOT matrix analysis tool provides a structured way to consider internal and external strengths, weaknesses, opportunities and threats. Ask yourself ‘what can go wrong?’

Consider whether it would be beneficial to involve key stakeholders when conducting your SWOT analysis.

2.2  Consider causes, consequences and opportunities

Consider each risk in more detail and identify:

  • Causes: what would cause it to go wrong?
  • Consequences: what are the impacts if it does go wrong?
  • Opportunities: what can go right?

2.3  Record your risks

Use the school risk register templates in the Resources tab to record your risks and associated details (risk rating, controls and treatments).

The Example Articulation of a Risk animation demonstrates how to describe a risk in the risk register.

Review risks periodically and update the risk register accordingly.


Step 3 — Risk analysis

Step 3 — Risk analysis

Assess each risk to determine the overall level of risk (the ‘risk rating’).

This involves:

  • identifying any existing controls
  • considering the consequences (effect) if the risk eventuates, and
  • the likelihood that the risk will occur

3.1  Existing controls

Identify any existing controls and assess their effectiveness. Ask yourself 'what existing controls are in place?'

Assess the current effectiveness of these controls. Use the Control Effectiveness Chart (PDF 59.02kb) to help you assess your current risk controls.

3.2  Consequences

Consider the consequences or impact (effect) of the risk if it was to occur.

Consequences are measured using the following terms:

  • insignificant
  • minor
  • moderate
  • major
  • severe

Use the Consequence Criteria Guide (PDF 501kb) to assess the significance of the risk. This guide provides criteria for assessing risks in the categories of student outcomes, wellbeing and safety, operational, financial, reputation and strategic.

3.3  Likelihood

Consider how likely it is that the risk will occur.

Likelihood is described using the following terms:

  • almost certain
  • likely
  • possible
  • unlikely
  • rare

Use the Likelihood Criteria Chart (PDF 83kb) to assess the likelihood that a risk will occur.

3.4  Overall level of risk (current assessment)

Use the Risk Rating Matrix (PDF 56kb) to determine the overall level of risk.


Step 4 — Evaluation

Step 4 — Evaluation

Evaluate each risk to determine whether the level of risk is acceptable and the appropriate response to the risk. The levels of acceptability relate to the risk rating levels and are described as:

  • Extreme
  • High
  • Medium
  • Low

Use the Risk Acceptability Chart (JPG) to determine the appropriate response for a risk.


Step 5 — Risk treatment

Step 5 — Risk treatments

A risk treatment is the way in which you respond to a risk.

Options for risk treatments include:

  • Share: if practical, share all or some of the risk with outsourced parties or insurers.
  • Terminate: cease the activity altogether.
  • Accept: this will require appropriate authority.
  • Reduce: apply additional treatments until the risk is reduced to an acceptable level.

The way you treat a risk will depend on the outcome of your evaluation:

  • Risks that are rated high or extreme require treatment to reduce risk to a more acceptable level. You may also choose to share or terminate the risk as long as that option will reduce the risk rating.
  • Risks that are rated low or medium do not necessarily require further actions to reduce and are considered acceptable.

Risk treatment is a cyclical process:

  • assess the risk
  • decide whether the risk level is acceptable
  • implement a treatment option
  • conduct a second assessment to confirm that the treatment has reduced the risk to expected level. (This second evaluation is called the ‘target assessment’.) 

A treatment that reduces the risk level may become a new control.


Step 6 — Communication and consultation

Step 6 — Communication and consultation

Consult and update relevant internal and external stakeholders throughout the risk management process.

Report on risks that are shared with relevant stakeholders to provide assurance that the school is managing the risk appropriately.


Step 7 — Monitor and review

Step 7 — Monitor and review

Schedule monitoring and review periods at intervals appropriate to the nature of the objective and the level of risk.


Resources

Resources

Risk Register Templates

Use the appropriate risk register template to document identified risks and existing risk management strategies (controls) and new risk management strategies (treatments).

All schools must assess their own school specific risks and fill in the register according to their own specific environment. The templates provide example risks with example of existing and new risk management strategies (controls and treatments) however these need to be reviewed or updated to suit your specific context.

Risk Management Framework

For more information about the overarching framework of risk management in the Department, refer to the Department’s Risk Management Framework (login required) which:

  • provides a structured and consistent approach for recognising, understanding and responding to risk
  • embeds the practice and implementation of risk management as part of transparent, objective and considered decision making and strategic planning
  • assists in the delivery high quality service under a duty of care
  • supports compliance with government statutory regulations including requirements relating to Occupational Health & Safety, Emergency Management and the Public Administration Act 2004 (Vic)

This Risk Management — Schools policy is a component of the Department's Risk Management Framework.

Tools to support schools undertake a risk management process

The following resources are available to support schools undertake a risk management process:

  • Risk Management Process for Schools pocket guide — containing the following tools to support the risk management process:
    • DET School Risk Process flowchart
    • DET Risk Process — explaining the 7 step school risk management process
    • Consequence Criteria guide
    • Control Effectiveness Chart
    • Likelihood Criteria guide
    • Risk Rating Matrix
    • Risk Acceptability Chart
    • School Cycle — where schools should use risk management
    • PESTLE Analysis — used to establish the risk context
    • SWOT matrix analysis tool — used in risk identification
  • Example Articulation of a Risk (login required) — animation video to demonstrate how to describe a risk in the risk register

Reviewed 16 March 2020