Each DEECA agency is responsible for developing and implementing a risk management process that:

  • is tailored to its purpose, functions and powers
  • complies with its risk management obligations and good public sector governance practice.

Victorian Government Risk Management Framework

The Victorian Government Risk Management Framework (VGRMF) sets out the minimum risk management requirements, including insurance requirements, for the Victorian public sector.

The framework is legally binding on DEECA agencies that are subject to the Financial Management Act 1994 (FMA). Most major DEECA agencies are subject to the FMA*.

Even if your agency is not subject to the FMA, it is good public sector governance practice to apply the risk management requirements in the framework.

* An agency that is subject to the FMA must submit an annual report that is tabled or reported in Parliament and comply with the financial management obligations, including risk management obligations in the Standing Directions 2018 and related Instructions issued under the FMA.

Key risk management duties

Some key risk management duties under the framework include:

  • Your agency must have a risk management policy and related documentation in place that is consistent with the framework
  • Your agency must demonstrate that it is managing risk effectively, including having processes in place to address inter-agency and state significant risk
  • Your agency’s risk management process must be integrated into its corporate (strategic) and business (operational) planning processes
  • As part of financial management compliance, the board of the agency must attest in its annual report that the agency manages its risks in accordance with the framework.

Australian and New Zealand Standard

The framework adopts Australian and New Zealand standard AS/NZS ISO 31000:2009: Risk Management – Principles and Guidelines. Your agency’s risk management approach should be consistent with this standard and include:

  • Communication and consultation with internal/external stakeholders during risk assessment and treatment
  • Identifying the risk
  • Analysing the risk
  • Evaluating the risk
  • Treating the risk
  • Ongoing monitoring and review of risk exposure and of the effectiveness of risk controls.

Assistance from VMIA

To assist public sector agencies to understand and comply with their risk management obligations and good practice, the Victorian Managed Insurance Authority (VMIA) offers a range of free resources, including:

Practice Guide

The free VGRMF Practice Guide includes a practical explanation of key risk management concepts and practical tips on how to improve capability and align with the Australian and New Zealand Standard (AS/NZS ISO 31000:2009). Your agency can adapt the guide to suit its needs.

Practice notes

Free practice notes, for example:

  • Incorporating risk into your agency’s planning process
  • Interagency and state significant risks
  • Risk culture
  • Attestation practice.

Templates and guides

Free templates and guides, including:

  • Risk – e.g. Risk management, Risk assessment and treatment, Risk register
  • Insurance – e.g. Insurance register, Indemnities register, Incident and claims register, Incident notification form, and Guide to managing indemnities.

eLearning module

A free online learning module on the Victorian Government Risk Management Framework.

Free workshops and seminars for those agencies which are insured with VMIA:

  • Board members and staff of your agency can arrange to attend VMIA’s standard seminars and workshops
  • In addition, DEECA may be able to arrange with VMIA for a free seminar or workshop that is tailored to your agency’s needs – e.g. relevant case studies. Contact your usual DEECA relationship team to ask if this service is currently available.

For those DEECA agencies which are not insured with VMIA but are interested in VMIA workshops, seminars or other training, please contact your agency’s DEECA relationship team.

Other guidance and resources

Managing climate change risk

DEECA has issued a guidance note on Managing Climate Change Risk – Guidance for Board members and Executives of Water Corporations and Catchment Management Authorities.

The guidance note assists board members of Victoria’s water corporations and catchment management authorities (‘water entities’) to understand the scope of their responsibilities in relation to climate change. It is also useful for senior executives who report to those boards.

ISBN - Managing Climate Change Risk - Guidance - Water Entities (DOCX, 6.7 MB)

ISBN - Managing Climate Change Risk - Guidance - Water Entities (PDF, 1.2 MB)

Background Information

Risk appetite

An agency’s risk appetite is the amount and type of risk an organisation is willing to accept in delivering its mandate. An agency’s risk appetite statement should take into account:

  • the agency’s purpose, functions and powers,
  • its legal and other obligations,
  • government expectations, and
  • other relevant factors in the agency’s internal and external environment.

For example, your agency’s risk appetite statement might include:

  • low tolerance for risks that may compromise its Code of Conduct
  • zero tolerance for fraudulent and corrupt behaviour.

Risk management requirements

Risk management requirements include:

Page last updated: 30/04/24