Managing State-significant Risks

Tabled: 27 June 2024

Audit snapshot

What we examined

We examined if agencies are working collaboratively to identify and manage state-significant risks (SSRs) and if the Department of Treasury and Finance (DTF) provides confidence to the Assistant Treasurer and Treasurer on how well agencies manage them.

We examined the 10 portfolio departments and the Victorian Managed Insurance Authority (the Insurance Authority). We also examined 2 cross-agency groups – the State-Significant Risk Interdepartmental Committee (the Risk Committee) and the Victorian Secretaries' Board (the Secretaries' Board).

Why this is important

SSRs can disrupt Victoria's community, economy and environment. Victorians have already experienced the consequences of some of these risks, including a pandemic, bushfires and cyber-crime.

To reduce serious potential impacts in the future, government agencies need to work together to identify relevant SSRs and manage them appropriately.

We conducted audits in 2003, 2007 and 2013, and found agencies were not working together to do this.

What we concluded

Departments are working together to identify SSRs. But there are gaps in how they work together to manage shared SSRs and they do not know if this work is effective.

DTF's Victorian Government Risk Management Framework (the Framework) does not explain key responsibilities for SSRs. Addressing this would help fill gaps in agencies' coordination.

DTF could improve its advice to the Assistant Treasurer and Treasurer on the Framework and its operation, particularly with regard to:

  • how effectively agencies manage SSRs 
  • how SSRs link to Victoria's funding priorities. 

What we recommended

We made recommendations to DTF and the Insurance Authority about:

  • the Framework's design
  • advice to government 
  • the process to identify SSRs.


Key facts

Key facts is an infographic that says state-significant risks include cyber incidents and statewide emergencies, such as pandemics. The Framework is Victoria's guide for managing these risks. 22 state-significant risks were identified by the Risk Committee in 2023.

Source: VAGO.


Our recommendations

We made 5 recommendations to address 3 issues. The relevant agencies have accepted our recommendations in full or in principle.

Key issues and corresponding recommendations, with agency responses

Issue: The Victorian Government Risk Management Framework's design and guidance does not explain all agency responsibilities for state-significant risks

Department of Treasury and Finance

Recommendation 1: Work with the Department of Premier and Cabinet to revise the Victorian Government Risk Management Framework and its associated guidance to clarify responsibilities for state-significant risks, including for:

  • lead and contributing agencies
  • central agencies and cross-agency committees
  • agencies and committees to coordinate reports and advice to government (see Section 2).

Agency response: Accepted in principle

Issue: Agencies' advice to government on state-significant risks does not meet all obligations

Department of Treasury and Finance

Recommendation 2: Establish and implement a process to assess how effectively the Victorian Government Risk Management Framework addresses state-significant risks and advise the Assistant Treasurer (see Section 3).

Agency response: Accepted in principle

Recommendation 3: Establish and implement a process to identify the implications of all state-significant risks for the state Budget and advise the Treasurer and Assistant Treasurer (see Section 3).

Agency response: Accepted in principle

Victorian Managed Insurance Authority

Recommendation 4: Establish and implement a process to monitor risk management maturity at statewide level for state-significant risks and advise the Assistant Treasurer (see Section 3).

Agency response: Accepted

Issue: The process to identify state-significant risks lacks key information

Department of Treasury and Finance

Recommendation 5: Revise the process to identify state-significant risks to include:

  • criteria to assess and describe risks
  • whole-of-government objectives
  • a risk appetite statement (see Section 4).

Agency response: Accepted in principle


What we found

This section summarises our key findings. The numbered sections detail our complete findings, including supporting evidence.

When reaching our conclusions, we consulted with the audited agencies and considered their views. The agencies’ full responses are in Appendix A.

Why we did this audit

State-significant risks (SSRs) are risks that can materially disrupt Victoria's community and economy.

The Department of Treasury and Finance (DTF) is the central agency that supports the Assistant Treasurer to manage Victoria's budget, finances and performance.

DTF established the Victorian Government Risk Management Framework (the Framework) to:

  • set the minimum requirements for agencies to manage risk effectively
  • provide statewide responsibilities and guidance for managing SSRs, including agency roles for coordinating cross-agency responses.

We conducted 3 audits of public sector risk management between 2003 and 2013. We found a progressive improvement in how agencies managed their own risks.

But we found the Framework lacked clarity on arrangements for managing shared risks and SSRs. And that agencies were not working together to manage them effectively.


 

Our key findings

Our findings fall into 3 key areas:

1. The Framework does not include key elements to explain agencies' responsibilities to manage SSRs.
2. DTF, the Victorian Managed Insurance Authority (the Insurance Authority) and the State Significant Risk Interdepartmental Committee (the Risk Committee) have not met all their obligations to advise the government on SSRs.
3. The way departments identify SSRs lacks rigour and they do not coordinate how they manage SSRs at the statewide level.

 

Key finding 1: The Framework does not include key elements to explain agencies' responsibilities to manage SSRs

Guidance on roles and responsibilities

The Framework explains that an agency is responsible to its ministers for risks it is exposed to, including SSRs. It includes requirements and guidance to manage risks.

But it does not sufficiently explain:

  • what individual agencies should do to manage SSRs they share with others, including expectations for the lead and contributing agency roles
  • what key central agencies need to do to fulfil their roles for SSRs.

DTF did not design the Framework to include guidance on what agencies need to do to demonstrate how they address SSRs in their own risk management frameworks.

DTF told us that it designed the Framework to:

  • set minimum requirements for agencies to manage risks
  • give agencies flexibility in how they meet these requirements.

But agencies have told the Risk Committee that they need clearer expectations, more guidance and examples to support them to manage SSRs.

As a result, there are gaps in how agencies work together on SSRs they share.

To bridge these gaps, the Department of Families, Fairness and Housing (DFFH) has developed comprehensive guidance on managing SSRs. But the other 9 departments have not done this.

DTF, the Insurance Authority and the Risk Committee have not fulfilled all their responsibilities for advising the Assistant Treasurer.


 

Arrangements to evaluate the Framework's effectiveness

DTF is responsible for maintaining and updating the Framework and advising the Assistant Treasurer on its effectiveness.

The Risk Committee is also responsible for advising the Assistant Treasurer on the Framework's effectiveness.

But the Framework does not: 

  • detail these aspects of DTF's role
  • explain how DTF's and the Risk Committee's advising responsibilities relate to each other.

DTF and the Risk Committee review the Framework periodically. But they have not evaluated its effectiveness or established a process to do this.  


 

Communicating to the government and the community

Under the Framework, agencies are responsible for managing SSRs and reporting them to the Risk Committee and the Victorian Secretaries' Board (the Secretaries' Board).

The Risk Committee coordinates an annual report for the Assistant Treasurer on the Victorian Government risk environment. But the report does not include information on the status and maturity of risk management arrangements for each SSR, including if they are effective. 

The Framework does not explain which agency or agencies are responsible for coordinating information about SSRs for the community, so the community is not informed about all SSRs. 


 

Key finding 2: DTF, the Insurance Authority and the Risk Committee have not met all their obligations to advise the government on SSRs

DTF's advice on SSRs' financial implications

DTF advises the Treasurer and Assistant Treasurer on budget priorities and financial implications for the state’s financial and resource management considerations. 

But it does not link this advice with the Risk Committee's information about the financial impacts of SSRs. This is a missed opportunity. 


 

Agencies' advice to the Assistant Treasurer on SSRs

DTF advises the Assistant Treasurer on how current the Framework is but not on how effective it is.

The Insurance Authority largely meets its advice obligation under the Victorian Managed Insurance Authority Act 1996 (the Insurance Authority Act). It advises the Assistant Treasurer on risk management directly and on SSRs through the Risk Committee.

It told us that it would advise separately on SSRs if it had a differing view to DTF, but that this has not occurred.

The Insurance Authority does not advise the Assistant Treasurer on the maturity of the public sector's arrangements to manage SSRs, even though it can access this information.

The Risk Committee provides the Assistant Treasurer with an annual update on SSRs. But the Risk Committee does not advise the Assistant Treasurer on SSR management and how effectively agencies coordinate this at the statewide level. 


 

Key finding 3: The way departments identify SSRs lacks rigour and they do not coordinate SSRs at statewide level

The departments' process to identify SSRs

Departments collaborate through the Risk Committee to identify and describe SSRs.

But the Risk Committee's process lacks rigour. It does not define:

  • whole-of-government objectives
  • criteria to determine which risks are state-significant.

Without these, departments cannot demonstrate that the risks the Risk Committee includes on its SSR list are of greatest significance to the state.

The Risk Committee also does not have a clearly defined statewide risk appetite statement. This means the advice departments provide to their ministers on SSRs does not consider the level of risk the state is willing to accept.

The Risk Committee does not guide departments on how to describe SSRs. Because of this, departments have not clearly or consistently communicated what the risks are.


 

The departments' approaches to managing SSRs

All 10 departments are working to manage their individual agency risks and meet their own responsibilities.

But only DFFH has checked whether it is appropriately managing the statewide implications of all the SSRs it leads.

The other departments that lead SSRs have missed the opportunity to confirm if their existing risk management arrangements appropriately address statewide implications.

Departments do not coordinate any consolidated information on the progress or effectiveness of risk management across all SSRs.

This means departments have also missed the opportunity to develop a shared understanding of how well they collectively manage the state's risk profile of all SSRs. 



1. Context

The Framework sets out minimum requirements and guidance for individual agencies to manage their own risks. It also sets out the arrangements for agencies to manage risks they share with others, including SSRs.

The Framework describes SSRs and agency roles and responsibilities for coordinating their responses. It sets out the roles and responsibilities for 2 cross-agency coordinating groups ‒ the Risk Committee and the Secretaries' Board. 

The Framework

SSRs

The Framework describes SSRs as risks that can have material impacts at statewide level on the:

  • community
  • government
  • private sector.

It explains that all SSRs are shared between multiple agencies. 

In 2023, the Risk Committee identified 22 SSRs (see Appendix D). These form the state's risk profile.

Victoria has already experienced some of these risks at statewide level. 

SSRs in the last 5 years, and the economic implications they have had for Victoria:

  • the COVID-19 pandemic between 2020 and 2022: the government borrowing $31.5 billion to fund its COVID-19 response (reported in DTF's 2023 Victorian Budget 2023‒24 Doing what Matters: COVID Debt Repayment Plan)
  • the 2019‒20 Black Summer bushfires: an estimated $2.1 billion in economic costs to Victoria, for example, through infrastructure damage and international tourism losses (reported in DTF's June 2021 article in Victoria’s Economic Bulletin: Volume 5 on 'The economic impacts of the 2019‒20 bushfires on Victoria')
  • cyber incidents, such as the 2023 breach of Court Services Victoria’s data: an estimated $8.7 billion a year in costs to the state's finances and economy for all cyber incidents (noted by the Department of Government Services (DGS) in the Risk Committee's 2023 State Significant Risk Scan report).

The Framework explains that identifying and managing SSRs is important to provide confidence to the government and the community that:

  • these risks are being managed
  • there is a clear line of sight over them.

 

Purpose of the Framework

The Framework focuses on 2 levels of risk management, as Figure 1 shows. It:

  • sets statewide guidance for all agencies to manage shared risks and SSRs
  • requires all agencies to establish individual frameworks to manage their own risks.

Figure 1: The Framework's focus

This is an infographic showing that the Framework includes 2 levels of risk management: state-significant risks and individual agency risks. State-significant risks sets the minimum requirement to effectively manage SSRs, and explains responsibilities and expectations for coordinating and managing SSRs at the statewide level. Individual agency risks (280 agencies) sets minimum requirements to effectively manage agency risks and explains responsibilities and expectations for an agency's risk management framework and approach.

Source: VAGO, based on the Framework.

In the Framework's foreword, the Assistant Treasurer sets the expectation that agencies' whole of government approach to SSRs will be 'the hallmark of joined-up service delivery'.

In 2023, the Framework applied to around 280 agencies.


 

Roles and responsibilities

The Framework's foreword says that it sets clear directions on the management and responsibility of shared risks and SSRs. These include:

  • requiring greater interagency collaboration and coordination
  • allocating coordination roles to the Risk Committee and Secretaries' Board for these risks.

 

Relevant legislation 

Financial Management Act 1994

The Financial Management Act 1994 sets the public sector's financial management accountability, reporting and administration obligations.

It requires each agency to develop, implement and keep a risk management strategy under review.

The Standing Directions 2018 under the Financial Management Act 1994 (2018 Directions) support the Financial Management Act 1994. Together these form the core of the state's financial management framework.

The 2018 Directions establish: 

  • the standards of financial management expected of agencies
  • DTF as the central agency to support the Treasurer and Assistant Treasurer on whole-of-state financial administration and performance.

The 2018 Directions require agencies to comply with 3 supporting frameworks that set further obligations. These are the: 

  • Framework
  • Asset Management Accountability Framework
  • Resource Management Framework.

The 2018 Directions also require agencies to report on material compliance deficiencies through their annual reports. 


 

Victorian Managed Insurance Authority Act 1996

The Insurance Authority Act sets up the Insurance Authority to support the Assistant Treasurer. 

It also details the Insurance Authority's responsibilities to:

  • monitor, advise and train departments and participating bodies in risk management
  • provide insurance and support to departments and participating bodies
  • advise the state on risk management.

The Insurance Authority considers that the state includes the Assistant Treasurer and its insurance clients. 



2. SSR responsibilities under the Framework

The Framework does not sufficiently explain what individual agencies need to do to manage SSRs they share with others. It lacks detail on what they should include in their own risk management frameworks and what they need to do when they take a lead role for an SSR.

The Framework does not clarify what the Risk Committee and the Secretaries' Board need to do to support agencies or to advise government on SSRs. It also does not explain what DTF, the Department of Premier and Cabinet (DPC) and the Insurance Authority need to do for SSRs.

The Framework's guidance on agencies' roles and responsibilities is unclear

Individual agency responsibilities

The Framework says that each agency:

  • has a mandatory requirement to contribute to identifying and managing SSRs as appropriate 
  • should clearly demonstrate in its risk management framework how it addresses SSRs relevant to its operations.

But the Framework does not provide guidance on what agencies need to do to achieve this. 

DTF told us that it designed the Framework to set minimum requirements and give agencies flexibility in how they meet the requirements.

This means the approximately 280 agencies the Framework applies to, consistent with the Financial Management Act 1994, must individually interpret its requirements.

In a 2022 Risk Committee survey, agencies said they needed clearer expectations, more guidance and examples to support them to manage SSRs.

As the central agency responsible for the Framework, DTF has not addressed this need. 

The Insurance Authority released guidance in 2023 on techniques for managing SSRs. The Risk Committee planned to provide further guidance and tools in 2023, but it has yet to do so.

Of 10 departmental risk registers, only the Department of Education (DE) and the Department of Environment and Climate Action (DEECA) identify all their lead and contributing roles for managing SSRs, as Figure 2 shows.

Figure 2: How the 10 departments apply SSRs in their risk registers

Department risk register element, and the number of departments with this element (out of 10 departments):

  • Includes SSRs: 9
  • Links SSRs to the department's strategic risks: 6
  • Identifies all its lead and contributing roles for SSRs: 2
  • Identifies portfolio agencies that contribute to or are affected by SSRs: 0

Source: VAGO, from departments' information.

Of the 10 departments, only DFFH has fully considered how to incorporate all the SSR requirements into its own risk management framework. DFFH's framework has all the elements in Figure 3.

The other 9 departments' guidance does not consistently describe how to identify and escalate SSRs. Their guidance also does not describe how the departments fulfil the lead and contributing roles for an SSR, as Figure 3 shows. 

Figure 3: How the 10 departments explain SSRs in their guidance to their staff

Department risk management framework element, and the number of departments with this element (out of 10 departments):

  • Refers to SSRs: 10
  • Explains how to identify potential SSRs: 1
  • Shows how to escalate potential SSRs to senior managers and the Risk Committee: 5
  • Describes how to fulfil both the risk lead and contributing agency roles: 1

Source: VAGO, from departments' information.

During our audit, 6 departments acknowledged the gaps in their risk management frameworks that we identified and had started or committed to addressing them. These are:

  • DE
  • DEECA
  • the Department of Health (DH)
  • the Department of Justice and Community Safety (DJCS)
  • the Department of Jobs, Skills, Industry and Regions (DJSIR) 
  • the Department of Transport and Planning (DTP).

 

Lead agency responsibilities

The Framework sets out individual agencies' responsibilities to coordinate risk responses to SSRs. 

It says agencies need to contribute to identifying and managing SSRs as appropriate and agree on:

  • which of them will lead each SSR 
  • the lead agency's responsibilities
  • the responsibilities of other contributing agencies. 

But the Framework does not provide sufficient guidance on what agencies need to do in these roles.

What the Framework says, and what it does not explain:

  • The Framework indicates a lead agency will have added responsibilities for managing SSRs. But it does not explain what this involves, particularly because the Framework makes each agency responsible for managing its own risks.
  • The Framework requires each agency to define and review its risk appetite at least annually, which helps it to target resources to risks it is not prepared to accept. But it does not explain how agencies determine the state's risk appetite for SSRs when each contributing agency may have a different appetite, or what the lead agency's role is for this.

DTF told us it intentionally did not design the Framework to describe whole-of-government arrangements for coordinating, managing and overseeing SSRs or to make the Framework prescriptive.

It said this allows agencies to consider risks from their own complexity, size and risk profile rather than from a shared, statewide level. 

But the Risk Committee has observed this can: 

  • create uncertainty for agencies about who is accountable and who has authority to act across agency responsibilities 
  • slow or prevent agencies from adopting a truly whole-of-government perspective on SSRs. 

As a result, agencies work through their own individual risk management frameworks. And there are gaps in how they work together at a statewide level to manage SSRs. We discuss this further in Sections 3 and 4.


  

Key agency roles and responsibilities

The Framework identifies the key agency roles for DTF, the Insurance Authority and DPC.

But the Framework does not detail how these roles relate to SSRs.

What the Framework states about each agency, and what it does not do:

The Framework states that DTF:

  • maintains and updates the Framework to ensure that it aligns with best practice
  • advises the government on policies relating to risk management and insurance
  • fills the role of the Risk Committee’s secretariat.

But it does not describe how DTF’s central agency role set out in the 2018 Directions relates to SSRs, including its responsibility to advise the:

  • Assistant Treasurer on how current and effective the state's financial management framework is
  • Treasurer and Assistant Treasurer about statewide financial and resource management issues, risks and strategies.

The Framework states that the Insurance Authority:

  • acts as an insurer
  • monitors agencies’ risk management maturity and capability
  • advises the Victorian public sector and the government on risk management.

But it does not explain how the Insurance Authority's role relates to SSRs, including to:

  • provide insurance to the Victorian public sector
  • monitor risk management maturity and capability
  • advise the government on risk management.

The Framework states that DPC has a pivotal role in managing SSRs by supporting the Premier on government-wide issues. But it does not explain how DPC’s role to support the Premier on government-wide issues relates to SSRs.

 

DTF fulfils its responsibilities to maintain and update the Framework and be the Risk Committee's secretariat. But it does not meet its obligations to advise the Assistant Treasurer.

We discuss what advice the Assistant Treasurer receives on SSRs in Section 3.


 

The Risk Committee's role

The Risk Committee supports agencies to coordinate information, action and advice on SSRs. But it has not fulfilled all of its responsibilities.

During our audit, DTF acknowledged that the Framework's explanations of some Risk Committee responsibilities are not appropriate and could be reviewed. 

The Framework and the Risk Committee's 2018 terms of reference explain that the Risk Committee has 4 key responsibilities to:

1. support agencies to identify key shared risks and SSRs
2. support agencies to develop and operate effective whole-of-government risk management frameworks related to those risks
3. determine the lead agency for an SSR when individual agencies have failed to do so
4. advise the government (through the Assistant Treasurer) on the effectiveness of the Framework and arrangements to manage SSRs.

The Risk Committee supports agencies to identify SSRs, including preparing an annual report to the Assistant Treasurer that describes the identified SSRs.

But it has not fulfilled its other 3 roles.

In Section 4 we discuss the Risk Committee's support to develop whole-of-government frameworks. In Section 3 we discuss how it advises the government on the Framework and SSRs.

The Risk Committee has concluded it does not have authority to direct agencies to take a lead role for SSRs. So it has not determined a lead agency for one SSR where agencies have failed to do so. 


 

The Secretaries' Board's role

The Framework is not clear on how the Secretaries' Board's role relates to SSRs.

The Framework says the Secretaries' Board:

  • oversees the public sector's risk
  • supports effective coordination, collaboration and communication between agencies
  • receives periodical reports on SSRs. 

But departments, the Risk Committee and DPC as the Secretaries' Board's secretariat, do not have consistent views on how the Secretaries' Board's role relates to SSRs.

DPC told us that the Secretaries' Board does not oversee the Risk Committee's work on SSRs because the Risk Committee is not one of the board's subcommittees.

Despite this, the Secretaries' Board oversees aspects of the Risk Committee's work. It has:

  • approved the Risk Committee's recommendations on individual SSRs
  • endorsed the Risk Committee's risk scan reports, proposed restructure and proposals for in depth assessments on individual SSRs
  • noted the Risk Committee's briefings about its actions related to SSRs.

The Secretaries' Board oversees some individual SSRs that departments lead.

The Secretaries' Board supports agencies to coordinate, collaborate and communicate on SSRs by providing a forum for discussion. 


 

The Framework does not say who is responsible for evaluating its effectiveness

Arrangements for evaluating the Framework's effectiveness

The Framework says that DTF is responsible for maintaining and updating it to make sure it aligns with best practice.

But the Framework does not say who is responsible for evaluating its effectiveness.

In practice, DTF and the Risk Committee are each responsible for evaluating the Framework’s effectiveness because:

  • the 2018 Directions include a role for DTF to advise the Assistant Treasurer on this
  • the Risk Committee's terms of reference say it will advise the Assistant Treasurer on this.

But the Framework does not refer to either role.

DTF and the Risk Committee have reviewed the Framework periodically. And DTF monitors agencies' information about whether they comply with the Framework's mandatory requirements.

But this work has not evaluated the Framework's effectiveness for guiding agencies to identify and manage SSRs. 


 

The Framework does not explain agencies' responsibilities to communicate SSR arrangements to the government and the community

Reporting arrangements within government

The Framework says:

  • an agency is responsible for reporting on its individual and shared risks to its minister
  • an agency's approach for managing SSRs should include appropriate monitoring and reporting to the Risk Committee and the Secretaries' Board.

We found that departments report to their ministers, the Risk Committee and the Secretaries' Board on SSRs.

The Risk Committee is responsible for reporting annually to the Assistant Treasurer on the Victorian Government risk environment.

Its terms of reference do not explain what this could include. They refer to the Risk Committee advising on:

  • the status of SSRs
  • how agencies manage SSRs
  • if this is mature and effective
  • ways to address any gaps identified.

We found the Risk Committee reports on the risk environment, including key actions to manage SSRs. But it does not include information on maturity, effectiveness or how to address the mitigation gaps that departments identify for SSRs. We discuss this in Section 3.


 

Informing the community

The Framework says that identifying and managing SSRs is important to provide confidence to the community that:

  • agencies are managing these risks
  • agencies have a clear line of sight over them.

But the Framework does not say which agencies are responsible for communicating to the community about SSRs. This could include information such as what the SSRs are and their oversight, coordination and management.

DTF told us that it was never the Framework's intent to explain to the community what Victoria's SSRs are and what the state is doing to manage them.

It said each lead agency is responsible for determining how they communicate with the community on the individual risks they lead.

Some agencies do communicate about the individual risks they lead in a coordinated way.

For example, DJCS is the lead agency for the statewide emergency SSR. In 2020 it published its third Emergency risks in Victoria report. This reports on the results of the state-level emergency risk assessment and the arrangements in place to manage them.

Agencies do not coordinate whole-of-government communications to inform the community about all SSRs.



3. Advice on SSRs to relevant ministers

DTF does not link its budget advice to the Treasurer and Assistant Treasurer with the financial implications of SSRs. Only DGS and DPC have linked their budget submissions to SSRs since 2019. This is a missed opportunity to inform government of SSRs' implications for Victoria.

DTF has not met its obligation to advise the government on the Framework's effectiveness. And the Risk Committee has not advised on the status, maturity and effectiveness of risk management arrangements for SSRs. The Insurance Authority does not inform the government on the maturity of Victoria's SSR management arrangements.

Advice arrangements

The Framework and Risk Committee's terms of reference establish how DTF, the Insurance Authority and departments (through the Risk Committee) give advice on SSRs to their relevant ministers.

But DTF, the Insurance Authority and the Risk Committee do not meet all their advice obligations for SSRs, which Figure 4 shows. 

Figure 4: Advice obligations related to SSRs

Figure 4 is an infographic. It shows that DTF provided advice on the Framework's currency to the Assistant Treasurer but did not provide advice on the Framework's effectiveness. The Insurance Authority largely provided advice on public sector risk management to the Assistant Treasurer. The Risk Committee provided advice on current SSRs to the Assistant Treasurer and the Secretaries' Board. But it did not provide advice on the status and maturity of SSR arrangements or the effectiveness of the Framework and managing SSRs to the Assistant Treasurer or the Secretaries’ Board. Departments provided advice on managing individual SSRs to Ministers.

Note: The blue arrows connecting the Insurance Authority and departments to the Risk Committee represent their roles as committee members. Members contribute information that the Risk Committee uses to form its advice. But they do not have specific responsibilities to advise the Risk Committee.
Source: VAGO, based on responsibilities in the Framework, 2018 Directions and the Risk Committee's terms of reference.


DTF does not advise the Assistant Treasurer and Treasurer on budget priorities and financial implications of SSRs

DTF's advice on the financial implications of SSRs

DTF advises the Assistant Treasurer and Treasurer on budget priorities and financial implications for the state’s consideration.

But it does not link this advice and the Risk Committee's information, which shows all SSRs in 2023 had potential financial implications for the state. This is a missed opportunity.

The 2018 Directions say DTF is the central agency that supports the Assistant Treasurer and Treasurer on the state's financial management. This includes advising them about statewide financial and resource management issues, risks and strategies.

DTF says it provides financial advice related to SSRs through the state's budget process rather than through the Risk Committee.

The budget process requires agencies to assess risks relating to their budget requests. But these risks usually refer to anticipated concerns from stakeholders, not to how the budget submission responds to an SSR.

DTF does not ask agencies to highlight SSRs in their budget submissions. And DTF does not advise the Treasurer and Assistant Treasurer on the implications that all SSRs have for the state Budget.

Departments are also not all linking their budget bids and submissions to SSRs. Only DGS and DPC linked their budget submissions to an SSR between 2019 and 2023.

This means the Assistant Treasurer and Treasurer are missing key information to guide their policy and investment decisions.


DTF, the Insurance Authority and the Risk Committee do not meet all their obligations to advise the Assistant Treasurer on SSRs

The Insurance Authority's advice on Victoria's risk management

The Insurance Authority Act says the Insurance Authority is responsible for advising the government on risk management.

The Insurance Authority largely meets this obligation.

We looked at the general risk management advice the Insurance Authority provides. Its regular meetings with the Assistant Treasurer include general risk management advice related to risk prevention, although they focus more on insurance.

We also looked at its advice on SSRs.

We examined the Insurance Authority's advice on:

  • SSRs, because the Insurance Authority is on the Risk Committee and supports agencies to manage SSRs
  • the maturity of agencies' arrangements to manage SSRs, because the Framework says the Insurance Authority will monitor maturity, which includes capability.

The Insurance Authority advises the Assistant Treasurer about SSRs through its work with, and advice to, the Risk Committee. It told us that it would directly advise the Assistant Treasurer on SSRs when it has a differing view to DTF, but that this has not occurred.

It has not told the government how mature Victoria's risk management arrangements are to identify and manage SSRs, even though it can access this information.

The Insurance Authority monitors risk management maturity. It does this by providing an online, voluntary self-assessment tool for agencies to assess their maturity.

There are limitations to this data, so the Insurance Authority converts it into an overall maturity index. But it does not extract maturity information specific to SSRs.


DTF's advice on the Framework

As the central agency responsible for the Framework, DTF advises the government on how current the Framework is.

But it does not say how effective the Framework is as the statewide risk management framework for Victoria.

DTF last advised the Assistant Treasurer on how current the Framework is when it sought their approval to update it in 2020. DTF amended the Framework to highlight the need for more cross-agency collaboration and coordination. 

The amended Framework referred to the Risk Committee for the first time, even though the Assistant Treasurer established it in 2012. It also introduced the role of a lead agency for individual SSRs.

DTF does not evaluate the Framework's effectiveness, as we discuss in Section 2. DTF says it fulfils its obligation to advise the Assistant Treasurer on the Framework's effectiveness through its Risk Committee secretariat role.

But the Risk Committee does not provide this advice either.

DTF and the Risk Committee review the Framework periodically and DTF monitors agencies' compliance with it.

But they have not evaluated the Framework’s effectiveness for guiding agencies to identify and manage SSRs. For example:

  • the Framework asks agencies to collaborate, coordinate and communicate to manage SSRs. But DTF has not checked if this is happening
  • consistent with the findings in our 2013 audit, reported compliance with the Framework gives the government a false sense of security about SSRs. This is because compliance is not a good indicator of how well agencies identify and manage these risks. 

Departments' advice to the Assistant Treasurer through the Risk Committee

DTF is the Risk Committee secretariat and chair. But it has not made sure the Risk Committee fulfils its obligations to advise the government on SSRs.

The Risk Committee's terms of reference say the Risk Committee will advise: 

  • the government on the Framework's development, operation and effectiveness
  • the Assistant Treasurer on the most significant risks to present to Cabinet for discussion at least annually. 

The Risk Committee's terms of reference say its advice will focus on SSRs and how agencies manage them from a whole-of-government perspective. This includes:

  • escalating SSR matters where appropriate
  • reporting any substantial gaps in arrangements for managing and reducing SSRs
  • engaging with the Secretaries' Board about ways to reduce SSRs where the Risk Committee identifies these gaps.

The terms of reference also say its advice will focus on the status and maturity of risk management arrangements across the public sector. This includes:

  • if agencies have appropriate, effective whole-of-government risk management frameworks and policies for SSRs
  • if agencies regularly review the risk environment to identify where further action is required
  • if lead agencies effectively coordinate SSR management.

As the Risk Committee secretariat, DTF has not made sure the Risk Committee's annual reporting to the Assistant Treasurer on SSRs provides this advice.

The reports describe: 

  • each SSR
  • its rating
  • the agencies that share the risk
  • key risk control actions and mitigation gaps for each SSR. 

But they do not advise how effectively agencies manage SSRs and the need for further action. For example, in its 2023 State Significant Risk Scan report, the Risk Committee:

  • rated 11 of the 22 SSRs as having the highest risk rating 
  • identified that over half of the SSRs had increased in significance since 2021
  • classified all 22 SSRs as needing additional focus, work or oversight. 

DTF did not advise the Assistant Treasurer about aspects such as if: 

  • the risks that rated significant or had a rating increase are being managed appropriately 
  • any SSR needed further action, including to address the mitigation gaps listed for each risk
  • agencies have effective, whole-of-government risk frameworks, policies and arrangements in place to manage SSRs.

4. Identifying and managing SSRs

Departments collaborate through the Risk Committee to identify and describe SSRs. But the processes departments use to determine SSRs lack rigour.

All departments have programs and reforms to manage their organisational risks and responsibilities. This includes coordinating with other agencies on shared risks. But only DFFH has checked that its work appropriately manages the statewide implications of the SSRs it leads.

Departments collaborate through the Risk Committee to review the arrangements for managing SSRs each year. But they do not coordinate any information on the implementation or effectiveness of risk management across all SSRs.

Departments collaborate to identify SSRs

Departments' approach to identifying risks

All departments have processes in place to identify and assess risks to their own objectives.

Only DE, DEECA and DFFH could show they considered how the Risk Committee's list of SSRs influenced the way they identified their own risks.


Departments' process to collaborate with other agencies

Departments collaborate through the Risk Committee to identify SSRs and prepare an annual risk scan report. This includes a:

  • list of all SSRs departments identify and priority SSRs
  • description of each SSR 
  • heatmap comparing SSR ratings based on their likelihood and consequence ratings. 

The Risk Committee agrees to a list of SSRs each year. As Figure 5 shows, the process involves reviewing SSRs from the previous year and considering new emerging risks. The Risk Committee also updates risk descriptions and ratings.

DTF, the other Risk Committee members and their agencies have roles to support this work.

Figure 5: Risk Committee approach to agreeing on the annual SSR risk scan

Figure 5 is an infographic. It shows a circular flow of the Risk Committee’s approach. It identifies emerging risk, reviews existing SSRs, agrees the current list of SSRs, and agrees the risk descriptions and rating for the risk scan report. The flow then returns to the Risk Committee identifying emerging risks. After agreeing the current list of SSRs, the Risk Committee works with the lead departments, which update or develop the risk description and ratings.

Source: VAGO, based on Risk Committee information.

As the Risk Committee secretariat, DTF has continually improved the Risk Committee’s annual risk scan process. This includes involving the Insurance Authority and departments more in identifying emerging risks since 2022.


The process departments use to determine and describe SSRs lacks rigour

Whole-of-government and statewide objectives

The Risk Committee has not identified which whole-of-government or statewide objectives SSRs relate to.

The Framework does not define statewide objectives to help agencies identify and assess if risks to achieving those objectives are state-significant.

DTF considers that the development of statewide objectives is inconsistent with the current legislated model of risk management, which allocates responsibility for managing risks to individual agencies.

Without defined whole-of-government objectives, agencies do not have a shared basis to identify potential SSRs. Instead, they identify and assess SSRs according to their own objectives.

This is despite the Insurance Authority guidance highlighting that SSRs go beyond the objectives of a particular organisation or even a single government.

The Insurance Authority guides agencies on how to identify and evaluate their risks. The first step is to identify objectives, as Figure 6 shows.

Figure 6: Process to identify risks

Figure 6 is an infographic showing a linear process to identify risks. The 4 steps are: identify objectives, identify event that could affect the objective, analyse risk (event’s cause, consequence and likelihood), evaluate risk (determine if risk is within your appetite and tolerance/evaluate risk control options).

Source: VAGO, based on the Insurance Authority's guidance.


Risk appetite at the whole-of-government level

The Risk Committee and lead agencies have not defined the risk appetite for each or all SSRs at the whole-of-government level.

The Framework requires each agency to define and review its risk profile and risk appetite at least annually.

It says that agencies should define their risk appetite by considering their strategic objectives, risk profile, and risk and reward trade-offs.

But the Framework does not explain how agencies should define the risk appetite for each or all SSRs at the whole-of-government level.

The ISO 31000:2018 Risk Management – Guidelines (the Risk Standard) and Insurance Authority guide organisations to use risk profiles and appetites to:

  • understand the level of risk they are willing to accept
  • identify the best risk response options.

One department told us that without a clearly defined and communicated statewide risk appetite statement, it cannot demonstrate how it has considered the risk appetite requirement for its shared SSRs.


Criteria to determine what an SSR is

DTF, as the central agency responsible for the Framework, and the Risk Committee have not set criteria to determine when a risk becomes an SSR.

The Insurance Authority and representatives for Risk Committee members developed criteria to guide their 2021 assessment of which risks were state-significant. The Insurance Authority's 2023 guide Contributing to state significant risk includes these criteria.

But the Risk Committee has not adopted the criteria.

DTF told us that the Risk Committee considers existing and emerging risks of state-significance to identify SSRs. And that the Risk Committee relies on its members and their agencies' input and judgement.

But DTF could not show us the basis for the Risk Committee's judgements or how it selected SSRs for its list in 2023.


Describing SSRs

The Risk Committee's template to describe SSRs lacks rigour because it does not require departments to consistently identify the elements involved in describing a risk.

The Risk Standard guides agencies on the different elements of a risk description, as Figure 7 shows. These include the risk source, event and likelihood, and consequence.

Organisations can respond by introducing controls to reduce a risk's likelihood or the severity of its consequence. 

Figure 7: Risk description elements

Figure 7 is an infographic. It shows a linear flow from risk source, to risk event and its likelihood, to risk consequence. After risk source, there is an input to control to reduce a risk's likelihood. After risk event and its likelihood, there is an input to control to reduce a risk's consequence severity.

Source: VAGO, based on the Risk Standard.

The SSRs on the Risk Committee's list are a mix of risk events, risk sources and failures of risk controls. This makes it difficult for agencies that share SSRs to:

  • understand the SSR and its implications
  • identify opportunities to manage it
  • evaluate if controls are effective.

Only DFFH checks if it appropriately manages the statewide implications of all SSRs it leads 

Departments' approaches to managing SSRs they lead

All departments are working to manage their organisational risks and to meet their organisational responsibilities.

This work includes programs, reforms and, where appropriate, arrangements to coordinate with other agencies. Some of this work relates to risks that are on the Risk Committee’s SSR list.

But only DFFH has checked if it appropriately manages the statewide implications of all the SSRs it leads.

DFFH formally reviewed how it manages 2 of its strategic risks that are also the 2 SSRs it leads or co-leads. It aimed to confirm if it appropriately manages its own strategic risks and the SSRs' statewide risk implications. It involved or consulted with other affected departments during these reviews.

DFFH found opportunities to improve how it manages the SSRs' statewide implications through better cross-agency coordination and risk controls.

The Framework does not explain lead agencies' responsibilities for SSRs, including determining how effective management arrangements are.

DFFH has acted despite this lack of guidance. The other departments that lead SSRs have missed the opportunity to confirm if their arrangements for managing SSRs are appropriately addressing statewide risk implications.


Departments do not have a shared understanding of how well they are managing all SSRs

Departments' coordination at statewide level for all SSRs

Some departments coordinate monitoring of SSRs they lead.

In April 2024, DFFH shared with the Risk Committee its review of the SSRs it leads. The review included information on its risk controls' effectiveness and the progress of risk treatments.

The other 8 departments that lead SSRs do not coordinate any information through the Risk Committee on how well they are managing SSRs.

This means they have missed the opportunity to develop a shared understanding at a statewide level of whether their risk management arrangements are working effectively.


Appendix A: Submissions and comments

Download a PDF copy of Appendix A: Submissions and comments.

Appendix B: Abbreviations, acronyms and glossary

Download a PDF copy of Appendix B: Abbreviations, acronyms and glossary.

Appendix C: Audit scope and method

Download a PDF copy of Appendix C: Audit scope and method.

Appendix D: Victoria's 2023 list of SSRs

Download a PDF copy of Appendix D: Victoria's 2023 list of SSRs.