Explore Victorian Governance Framework
Governance Framework
Contract Disclosure
Contract Disclosure Record
Contract Management Plan
Contract Management Plan
Evaluation Plan
Evaluation Plan
Local Jobs First Plan
Local Jobs First Plan
Market Approach Documentation
Market Approach Documentation
Probity Plan
Probity Plan
Procurement Plan
Procurement Plan
Sourcing Strategy
Sourcing Strategy
Value for Money Assessment
Value for Money Assessment
AMAF
Asset Management Accountability Framework
Gateway / HVHR
Gateway Review Process and High Value High Risk Framework
Infrastructure Procurement Framework
Victorian Infrastructure Procurement Framework
PROV
Public Record Office Victoria — Records Management Standards
PV Requirements
Partnerships Victoria Requirements 2016
Partnerships Victoria
Partnerships Victoria
VAGO
Victorian Auditor-General's Office
VGRMF
Victorian Government Risk Management Framework
VPDSF
Victorian Protective Data Security Framework
VPSC Integrity
Public Sector Integrity Framework
Instruction 4.2.1
Instruction 4.2.1 — Acquisition of Assets, Goods and Services
Audit Act
Audit Act 1994
FM Regulations
Financial Management Regulations 2024
FMA
Financial Management Act 1994
FMA Part 7A
FMA Part 7A — Supply Management (VGPB)
FOI Act
Freedom of Information Act 1982
GE Act
Gender Equality Act 2020
IBAC Act
Independent Broad-based Anti-corruption Commission Act 2011
LJF Act
Local Jobs First Act 2003
Modern Slavery Act
Modern Slavery Act 2018 (Cth)
OHS Act
Occupational Health and Safety Act 2004
Ombudsman Act
Ombudsman Act 1973
PAA
Public Administration Act 2004
PDCMA
Project Development and Construction Management Act 1994
PDP Act
Privacy and Data Protection Act 2014
PID Act
Public Interest Disclosures Act 2012
PRA
Public Records Act 1973
Complexity Policy
VGPB Policy 2: Complexity and Capability Assessment
Contract Management Policy
VGPB Policy 5: Contract Management and Disclosure
Fair Jobs Code
Fair Jobs Code
Governance Policy
VGPB Policy 1: Governance
LJF
Local Jobs First
Market Analysis Policy
VGPB Policy 3: Market Analysis and Review
Market Approach Policy
VGPB Policy 4: Market Approach
Overlay Policies
Procurement-Related Overlay Policies (21 policies)
Professional Services Guidelines
Administrative Guidelines on Engaging Professional Services and Labour Hire
SPF
Social Procurement Framework
VGPB Policies
VGPB Supply Policies — Overview
AWS SPC
Amazon Web Services
Banking SPC
Banking and Financial Services
Career Management SPC
Career Management Services
Cyber Security SPC
Cyber Security
EUCE SPC
End User Computing Equipment and Associated Services
EV Charging SPC
Public Charging of Fleet Electric Vehicles
Electricity Large SPC
Electricity Contract: Large Sites
Electricity Small SPC
Electricity Contract: Small Sites
Energy Performance SPC
Energy Performance Contracting
Fleet Disposals SPC
Fleet Disposals
Fuel SPC
Fuel and Associated Products
Gas Large SPC
Natural Gas Contract: Large Sites
Gas Small SPC
Natural Gas Contract: Small Sites
Geospatial SPC
Geospatial Data and Analytics Panel
Google SPC
Google Australia
Legal Services SPC
Legal Services Panel
MAMS SPC
Master Agency Media Services (MAMS)
MFD & Printers SPC
Multifunction Devices and Printers
Mail & Delivery SPC
Mail and Delivery Services
Media Monitoring SPC
Media Monitoring Services
Microsoft EA SPC
Microsoft Enterprise Agreement
Microsoft LSP SPC
Microsoft Licensing Solution Provider
Motor Vehicles SPC
Motor Vehicles
Office Telephony SPC
Victorian Office Telephony Services
Oracle SPC
Oracle Systems
Print Management SPC
Print Management and Associated Services
Professional Advisory SPC
Professional Advisory Services
Recruitment Advertising SPC
Recruitment Advertising Services
SAP SPC
SAP
Salesforce SPC
Salesforce
Security Services SPC
Security Services
ServiceNow SPC
ServiceNow
Staffing Services SPC
Staffing Services
Stationery SPC
Stationery and Workplace Consumables
Telecom SPC
Telecommunications Services
Travel SPC
Travel Management Services
eProcurement SPC
eProcurement Platform
Construction Directions
Ministerial Directions and Instructions for Public Construction Procurement
FRD 12
FRD 12 — Disclosure of Major Contracts
SD 3.3
Direction 3.3 — Financial Authorisations
SD 3.5
Direction 3.5 — Fraud, Corruption and Other Losses
SD 3.7
Direction 3.7 — Managing Risk
SD 4.2.1
Direction 4.2.1 — Acquisition of Assets, Goods and Services
SD 4.2.2
Direction 4.2.2 — Discretionary Financial Benefits
SD 4.2.3
Direction 4.2.3 — Asset Management Accountability
SD 4.2.4
Direction 4.2.4 — Public Construction Accountability
SD 4.2.5
Direction 4.2.5 — Landholding Accountability
SD 5.1
Direction 5.1 — Financial Management Compliance
SDs
Standing Directions 2018 — Overview
Requirements
Evidence: Documented risk management framework referencing ISO 31000:2018 principles and processes
Evidence: Annual framework review records, version history, update logs
Timeframe: annual
Evidence: Risk culture assessment outcomes, staff awareness activities, tone-from-the-top evidence
Evidence: Approved risk appetite statement, risk tolerance levels documented
Evidence: Risk register with named risk owners for each risk, delegation of risk management responsibilities
Evidence: Shared risk register entries, inter-agency coordination records, lead agency assignments
Evidence: Corporate plan referencing risk management, evidence of risk consideration in business cases and major decisions
Evidence: Risk management resourcing plan, dedicated staff, funding allocation, tools and systems
Evidence: Risk profile review report dated within prior 12 months, updated risk register, risk appetite review records
Timeframe: annual
Evidence: Insurance coverage review, VMIA consultation records, insurance adequacy assessment
Evidence: Insurance schedule arranged through VMIA, ministerial exemption documentation if applicable
Evidence: Deductible schedule aligned to risk appetite, annual deductible review
Evidence: Claims management procedures, dedicated claims staff or arrangements, retained risk management processes
Evidence: Claims management practices documentation, claims data records, VMIA data provision capability
Evidence: Risk minimisation strategies, loss prevention initiatives, trend analysis of insurable risk exposure
Evidence: Annual report attestation statement, audit committee endorsement of attestation, supporting compliance evidence
Timeframe: annual
Applies to
Department, Public Body — All categories
Detail
Victorian Government Risk Management Framework (VGRMF)
Summary
The VGRMF sets the minimum risk management requirements for departments and public bodies covered by the Financial Management Act 1994. It adopts AS ISO 31000:2018 as the risk management standard and establishes 16 mandatory requirements across risk governance, risk processes, maturity, attestation, and insurance.
Mandated via Standing Direction 3.7.1. The current version (September 2025) contains minor amendments removing references to state significant risks, following the Minister for Finance's April 2025 approval dissolving the State Significant Risk IDC in response to VAGO's June 2024 performance audit.
VMIA (Victorian Managed Insurance Authority) supports implementation through risk maturity benchmarking, advisory services, and government insurance programs.
16 Mandatory Requirements
The mandatory requirements (section 3.1) are organised into two groups, plus an attestation obligation. Each applies to all entities subject to the Standing Directions.
Risk Management Requirements (1–9)
Nine requirements the responsible body must be satisfied are met: (1) framework consistent with ISO 31000:2018; (2) framework reviewed annually; (3) positive risk culture demonstrated; (4) risk appetite defined; (5) clear risk ownership for each risk; (6) shared risks managed through inter-agency collaboration; (7) planning and decision-making embed risk management; (8) adequate resources assigned to risk management; (9) risk profile and risk appetite reviewed at least annually.
Insurance Requirements (10–15)
Six requirements for agencies required to insure with VMIA: (10) determine appropriate insurance products and coverage levels in consultation with VMIA; (11) arrange all insurance with VMIA unless exempted; (12) maintain appropriate deductibles reflecting risk appetite; (13) adequate claims management capability for retained financial risks; (14) claims management practices in place with data available to VMIA on request; (15) work towards minimising exposure to insurable risk.
Attestation (16)
Under SD 5.1.4, departments and agencies must provide an annual attestation of compliance with the FMA, Standing Directions (incorporating the VGRMF), and Instructions, disclosing all material compliance deficiencies. The responsible body is responsible for accuracy and should utilise audit committees to support the attestation.
Roles and Responsibilities
The VGRMF assigns specific roles to four entity types: all agencies (comply with SD 3.7.1, senior management own and lead the framework); agency audit committees (oversight of risk profile, insurance, framework effectiveness, compliance monitoring, risk culture); DTF (maintain and update the VGRMF, monitor compliance through attestation); and VMIA (support implementation through risk maturity benchmarking, advisory services, insurance programs, training).
Other entities with risk management roles include the Victorian Secretaries Board (strategic oversight of shared risks), DPC (coordination through Cabinet process), VPSC (governance guidance for public entity boards), and PSAC (senior leaders forum for shared and agency-specific risks).
Guidance (Non-Mandatory)
Sections 3.3–3.4 provide guidance on shared risks, insurance as a risk management tool, risk culture (tone from the top, accountability, communication, escalation), risk appetite, risk evaluation, key risk indicators, risk maturity (agencies should develop strategies to improve maturity), and control effectiveness testing. These are not mandatory requirements but support agencies in meeting the mandatory requirements.
Compliance and Attestation
Entities must:
1. Self-assess against all 16 minimum requirements
2. Gather evidence of compliance for audit committee review
3. Audit committee verifies compliance and recommends attestation (partial or full)
4. Responsible body attests in the annual report
5. Where deficiencies are identified, remediation plans must be established
Standing Direction 5.1.4 requires the responsible body (or a member) to attest annually. For departments, the accountable officer is the responsible body; for other entities, it is the board or person with ultimate decision-making authority.
Relevance to Procurement
- Risk assessment is a fundamental requirement for all procurement activities (Instruction 4.2.1 s1.1(f))
- PV Contract Management Guide references VGRMF as the baseline risk framework
- Risk registers, risk allocation, and risk management plans are core procurement and contract management documents
- Risk appetite and tolerance settings directly influence procurement risk thresholds
- VMIA provides insurance risk advice relevant to procurement and contract insurance requirements