Enterprise Risk Management

Direction and guidance to support efficient and effective risk management across the department to achieve our objectives.

Changes since previous version

2022 Oct 17 - updated the policy statement and the Enterprise Risk Management Framework to more closely align to ISO31000:2018 Risk Management Guidelines.

Document history

2021 May 07 - updated policy in line with international standard ISO31000:2018 and NSW Treasury TPP-20-08 Internal Audit and Risk Management Policy for the General Government Sector. Updated to clarify the risk hierarchy and reporting cadence.

Removed implementation document: Enterprise Risk Management Procedures, which was replaced by: Enterprise Risk Management Framework.

2019 Aug - made typographical changes and updated contact details to policy statement.

2019 Jun - updated reference to the new Strategy and Delivery division and deputy secretary as well as to the revised risk standard ISO31000 (no significant changes).

2017 Jun update:

  • improved clarification of roles and responsibilities and included requirement to use the risk matrix to ensure consistency in risk ratings across the department
  • simplified and shortened procedures, and simplified risk matrix.

Previous title: Enterprise Risk Management in the Department of Education and Communities.

Superseded documents

Enterprise Risk Management Procedures - 7/5/21

Risk Management Policy, 91/090 (S.062), 24/4/91

  1. Policy statement
    1. The department's vision is to build the best education system in Australia, from early childhood through to vocational and tertiary learning. The department is committed to achieving this by:
      • building confidence in effectively and proactively managing our risks and delivering better outcomes through risk-informed decision-making
      • ensuring sufficient resources are available to manage our risks
      • increasingly embedding a risk mindset and enhanced risk governance
      • fostering innovation and efficiencies in our operations and strengthening our resilience.
    2. The following principles outlined in the enterprise risk management framework must be incorporated in day-to-day processes to enable the department to manage the effects of uncertainty on its objectives:
      • Risk management must be integrated in all the department's activities.
      • The department must take a structured and comprehensive approach to risk management to achieve consistent and comparable results.
      • Risk management framework and process must be customised to the department's needs and its internal and external context.
      • Risk management framework and process must be inclusive of relevant stakeholders' knowledge, views and perceptions in managing risks.
      • Risk management process must be dynamic where changes are considered and actioned in an appropriate and timely manner.
      • Risk management process must be based on the best available information where all historical, current and future information is considered and available to relevant stakeholders to support timely decisions.
      • Human and cultural factors significantly influence risk management across the department and must be considered at all stages of the risk management process.
      • Risk management must continually be improved through learning and experience.
    3. All employees must identify, assess, manage, monitor and escalate risks within their area of operations and in accordance with this policy and the enterprise risk management framework to support risk-informed decision-making.
  2. Audience and applicability
    1. All department employees.
    2. An employee is defined in the Code of Conduct as any person, whether remunerated or not, employed on an ongoing, temporary or casual basis, contractors, consultants, volunteers, committee members and public officials. Everyone in the department has responsibility for managing risks.
    3. This policy applies to the department from early childhood, schools through to vocational and tertiary learning.
  3. Context
    1. This policy adopts relevant core requirements (1.1 and 1.2) of the NSW Treasury Policy TPP20-08 Internal Audit and Risk Management Policy for the General Government Sector.
    2. ISO31000:2018 outlines the guiding principles and characteristics of an effective and efficient risk management framework and processes.
    3. This policy should be read in conjunction with any other related policy, frameworks and procedures including but not limited to, the enterprise risk management framework and procedures, code of conduct, business continuity management, child protection, fraud and corruption control, insurance, internal controls, legal compliance, IT, cyber, finance, project management, work health and safety and policy management.
  4. Responsibilities and delegations
    1. Secretary:
      1. has ultimate responsibility and accountability for the department's risk management
      2. must establish and maintain a risk management framework that is appropriate for the department and consistent with ISO31000:2018 Risk management - Guidelines.
    2. Chief Risk Officer:
      1. has designated responsibility for designing and maintaining the department's enterprise risk management framework.
    3. The Chief Risk Office:
      1. provides advice, challenge and support on risk-related matters
      2. has designated responsibility for overseeing activities associated with coordinating, maintaining and embedding the framework.
    4. Divisions/directorate/business units along with risk and control owners:
      1. have accountability for owning and managing risks and controls, and effectively embedding the Enterprise Risk Management policy and framework into their day-to-day processes and practices.
    5. All staff:
      1. must manage risks in their day-to-day roles, including carrying out their roles in accordance with policies and procedures, identifying risk and inefficient and ineffective controls and reporting these to the appropriate level of management
      2. must take practical steps to identify, assess, manage, monitor and report risks and controls within their work area and within their sphere of authority so that they are efficient and effective. They must escalate risks, where appropriate
      3. understand at all levels the importance of managing risk as part of each employee's daily activities. Everyone has responsibility for managing risk and the decisions they take
      4. must be familiar with the department's Enterprise Risk Management policy and framework to support risk-informed decision-making within their operations.
  5. Monitoring and review
    1. The Executive Director, Chief Risk Officer monitors the implementation of this policy, regularly reviews its contents to ensure relevance and accuracy, and updates it as needed.
  6. Contact
    Executive Director, Chief Risk Officer
    02 7814 0303