Enterprise Risk Management

Ensures that risk management assessments and decisions are based on a consistent approach and that a common language is used and understood across the department.


Risk is the effect (either positive or negative) of uncertainty on business objectives. Risk management is the coordination of activities that direct and control the department with regard to risks (AS/NZS ISO 31000:2009 Risk management). Risk management involves managing adverse effects as well as realising opportunities. Risk management refers to the deliberate actions that we take to identify, understand and deal with risks to achieving objectives.


Responsibilities are detailed in the department’s Enterprise Risk Management Framework (DET employees only).


Risk Management Process

Step 1: Establish context

What is it?

  • the environment in which we operate
  • our approach to risk management.

Why we do it?

  • to understand what may influence our ability to achieve outcomes
  • to set boundaries in which risk management will operate
  • to define criteria to assess the significance of risks and ensure risks are assessed consistently.

How we do it

  • strategic risks – through strategic planning
  • corporate risks – through divisional and regional operational planning and portfolio and program planning
  • operational risks – through operational planning for work units and schools and project planning.
Step 2: Identify risks

What is it?

  • finding and recognising risks
  • describing risks
  • categorising risks.

Why we do it?

  • to generate a comprehensive list of threats and opportunities based on events that might enhance, prevent, degrade, accelerate or delay achieving outcomes
  • to provide information about risks so that we can analyse, evaluate, treat, monitor and report on them.

How we do it

Step 3: Analyse risks

What is it?

  • interpreting the risk
  • determining the level of risk exposure.

Why we do it?

  • to understand the level of exposure should controls fail
  • to help to identify ineffective controls
  • to understand the level of exposure with controls in place
  • to inform decisions as to whether the controlled risk is acceptable or not and, if required, guide risk treatment.

How we do it

Step 4: Evaluate risks

What is it?

  • comparing the controlled risk with the risk tolerance.

Why we do it?

  • to determine whether the controlled risk is acceptable
  • to determine whether the controlled risk needs further treatment
  • to prioritise risk treatment.

How we do it

Step 5: Treat risks

What is it?

  • choosing option(s) for modifying the risk
  • reassessing risk levels with controls and treatments in place.

Why we do it?

  • to identify treatments for risks that do not meet the acceptable tolerance level
  • to understand the level of risk with controls and treatments in place
  • to prioritise risks for monitoring and review.

How we do it

Risk registers:

Step 6: Monitor and review

What is it?

  • re-examining the context and reviewing performance
  • determining whether the risk profile has changed and whether new risks have emerged
  • checking control effectiveness and progress of treatments.

Why we do it?

  • to keep risk information current
  • to identify emerging risks
  • to maintain a current understanding of inherent, controlled and treated risks
  • to provide feedback on the efficiency and effectiveness of controls
  • to identify any necessary changes to treatments
  • to reassess priorities
  • to identify any necessary changes to the risk management context
  • to capture lessons from failures, near-misses and successes.

How we do it

  • Governance Strategy and Planning (GSP) will report to EMB on:
    • strategic risks – quarterly
    • corporate risks – in June and December
  • as part of this reporting process, GSP will request risk owners to review strategic and corporate risks
  • business areas are to review their operational risks twice annually as part of operational planning and review processes.

Step 7: Communicate and consult

What is it?

  • sharing information with stakeholders.

Why we do it?

  • to help to establish the context
  • to help make sure we understand and consider stakeholders’ interests
  • to help make sure all risks are identified and assessed
  • to make sure staff and stakeholders understand decisions and the actions required
  • to share lessons with those who can benefit from them.

Attribution CC BY
The Enterprise Risk Management Framework (DET employees only) provides an explanation of key terms consistent with the terms used in AS/NZS ISO 31000:2009 Risk management – Principles and guidelines.