Managing risk

A risk can be defined as an event or circumstance that has not yet happened but has the potential to impact the project (for example, the risk of cost overruns as a result of the increased price of raw materials). Types of risk vary from project to project.

Risk management is a process in which you identify, assess and put in place actions to reduce risks to an acceptable level. Appropriate risk management will help achieve a project’s objectives.

Project definition, funding and approvals

When defining the project and applying for funding and approvals, you will need to estimate an appropriate level of budget to assist in managing budget risk for the project, including risks that are likely to arise over the delivery phase.

You should establish a risk register at this stage, which can be updated and reviewed at regular intervals to ensure the risk register is accurate and relevant.

You will need to consider how potential risks may impact the project budget (it may be useful to hold workshops with key project stakeholders to develop the project risk register), and quantify these risks to estimate the required contingency funding allocation.

For medium complexity and HVHR projects, you may wish to carry out a risk quantification workshop in addition to the project risk identification workshop. Inputs gathered as part of this risk quantification workshop may feed into complex financial modelling where the cost impact of the risk is assessed against the likelihood and probability of the risk occurring. This will allow you to calculate the level of contingency (which is sometimes referred to as the risk adjustment) that should be included in the funding proposal.

In particular, for some medium complexity and HVHR projects, you may need to consider developing a risk-adjusted reference project which represents the most efficient means of delivering the project.

Procurement

When undertaking procurement, you may need to consider developing a risk-adjusted project cost. This will set a benchmark cost to compare and evaluate value-for-money responses from tenderers.

Delivery

If risks eventuate during construction, you may need to draw on the contingency budget. Depending on the project’s governance structure, this may require approvals from the project steering committee before the funds can be accessed.

The Victorian Government Risk Management Framework (VGRMF) describes the minimum and mandatory risk management requirements TAFEs are required to meet, to demonstrate that they are managing risk effectively.

Under Financial Management Act Standing Direction 3.7.1 (risk management framework and processes), the VGRMF applies to TAFEs which are covered by the Financial Management Act 1994.

The Victorian Managed Insurance Authority (VMIA) plays an important role in supporting TAFEs in the implementation of the VGRMF, by providing risk guidelines, training and support, risk maturity assessments and learning and development strategies.

Mandatory risk management requirements, as set out in the Victorian Government Risk Management Framework, ensure:

• the TAFE has a risk management framework in place consistent with AS/NZS ISO 31000:2009 Risk Management – Principles and Guidelines
• the risk management framework
  • is reviewed annually so that it remains current and is enhanced, as required, and
  • supports the development of positive risk culture within the TAFE
• risk management processes are effective in managing risks to a satisfactory level
• it is clear who is responsible for managing each risk
• the TAFE contributes to the identification and management of state-significant risks, as appropriate
• risk management is incorporated in corporate and business planning processes, and
• the TAFE’s risk profile has been reviewed within the past 12 months.

Insurances are a key part of appropriate risk management practices. There is a range of mandatory insurance requirements that TAFEs must address as detailed in the Victorian Government Risk Management Framework.

Appropriate project-specific insurances will also need to be held by all specialised consultants.

The key elements of the risk management framework, outlined in the Victorian Government Risk Management Framework, are as follows:

• Mandate and commitment: Requires a strong and sustained commitment by TAFE management to ensure ongoing effectiveness of risk management. This commitment should support the development of a positive risk culture.
• Design of framework for managing risk: Requires a systematic approach in designing a risk management framework that is relevant, effective, efficient and adequate. The framework should include:
  • appropriate risk management strategies
  • a risk management policy and plan
  • effective governance, communication and reporting arrangements
  • resource requirements, and
  • risk management accountabilities.
• Implementing risk management: A risk management process is applied through a risk management plan at all relevant TAFE levels and functions, as part of its practices and processes. Investment in resources and capabilities should enable a TAFE to effectively and efficiently apply its risk management activities.
• Monitoring and review of the framework: TAFEs should continually ensure that risk management is effective and supports organisational performance. Under the mandatory requirements, the risk management framework is to be reviewed annually and enhanced as required.
• Continual improvement of the framework: Based on the results of monitoring, reviews, and any independent assurance of risk management controls and practices, decisions can be made on how the risk management framework, policy and plan can be improved.

Project reporting

Regular project reporting is an important way to inform key stakeholders of the project's progress against risks. Reporting on project risks should include tracking against the identified risks and any changes to the likelihood or consequence of the risk eventuating. Project reporting should also identify new risks and whether the risk treatment or tolerance needs to be refined or escalated through the project’s governance structure.

During the delivery phase, the risks identified by the TAFE, the contractor and specialised consultants should be consolidated and regularly reported to the OTCD. Typically, the project manager should include the following information for each risk:

• risk title/status
• risk rating
• description of the risk, and
• proposed treatment of the risk.

For reporting purposes (including regular status reporting and annual reporting), it is also important to maintain the project risk register. The project risk register is a document that identifies, analyses and evaluates project risks and presents treatment options to manage the risk.

The risk register should be shared between project stakeholders. This allows those involved in the project to understand their responsibilities and the required mitigation actions for the risks identified.

Risk register templates may be found via the Victorian Managed Insurance Authority (VMIA). As project risks and issues can be entered into the risk register by the contractor and specialised consultants, the project manager (or equivalent) should ensure that the risk register is consolidated and maintained through the whole project delivery and the defects liability period.

Organisational reporting

Under Ministerial Standing Direction 5.1.4 (financial management compliance attestation), TAFEs must provide an annual attestation of compliance with applicable requirements of the Financial Management Act 1994, the Standing Directions (incorporating the VGRMF framework) and the Instructions, and disclose all material compliance deficiencies.

Further information on annual reporting is available.