Enterprise risk management policy

Version number 3.0 | Version effective 14 July 2025

Audience

Department-wide

Purpose

This policy supports the Department of Education's (the department) obligations to have an effective system for risk management to support the department to achieve its strategic and service delivery objectives.

Policy statement

The department is committed to balancing risk with opportunity to deliver high quality outcomes for children, students, our workforce and Queensland communities. Everyone in the department is responsible for risk management, including identifying and reporting risks as part of part of day-to-day activities. Risk management is integrated into all decision-making processes to support continuous improvement and deliver outcomes to meet the department’s objectives. The department’s approach to risk management supports how it plans, manages and delivers its services.

Principles

Principle	What this means for the department
Creates value	The department’s decision-making creates and protects value, in pursuit of its strategic objectives.
Transparent and inclusive	The department has a strong risk culture where all are responsible for risk management. The department engages, collaborates and communicates with diverse stakeholders to inform and understand the department’s risks. Human rights are considered to ensure actions and decisions are compatible with human rights.
Integrated	Risk management is integrated into the department’s governance, systems, processes and practices, including planning and decision-making.
Structured, systematic and timely	The department applies a structured risk process which is communicated to all staff. Risks are identified, assessed and monitored through a regular reporting cycle.
Continuous improvement	The department proactively reviews and reports risks to create a positive risk culture that is capable, innovative and accountable.

Requirements

The department is required under section 61(b) of the Financial Accountability Act 2009 (Qld) to establish and maintain a system for risk management. The department's approach and system for managing risk includes this policy, the Enterprise risk management procedure, processes, and supporting information, and is represented through the Enterprise risk management framework.

The department's approach and system of managing risk is based on the Australian Standard AS ISO 31000:2018 Risk management – guidelines.

Risk is integrated in all decision-making activities, and embedded within planning, performance and service delivery considerations. The department's risk management process is detailed in the Enterprise risk management procedure, and its approach is guided by the following elements:

1. Risk environment

The department seeks to understand the risks external to and within its operating environment in order to deliver its strategic priorities. Sources of potential risks may arise from strategy development and implementation, service delivery, and natural disasters or events beyond the department's control.
The operating environment includes risks that have a significant impact on the department’s strategic objectives (strategic objective risks) and tactical risks.

2. Risk appetite

The department will accept a certain level of risk to achieve its objectives and priorities. The department's risk appetite helps guide opportunities to create value and meet objectives and ensures we always consider our areas of lowest risk appetite (enterprise risks) when making decisions.

3. Performance

Risk management is integrated with planning processes to support continuous improvement and meet performance outcomes.

4. Assurance

The department’s systems and processes are designed to integrate risk management as part of decision-making processes to achieve outcomes aligned to objectives. This includes effective assurance of risks which is provided across three assurance lines:
- first line: day-to-day compliance and monitoring
- second line: corporate oversight and review
- third line: independent assurance.
Assurance of the department’s enterprise risks is demonstrated through the integrated assurance maps (DoE employees only).

5. Governance

The department takes a risk-based approach when organising and prioritising its people and resources to achieve its strategic objectives, with risk management an integral element of good governance.
The department’s strategic governance committees have the relevant information to oversee and manage risks that have a significant impact on our strategic objectives.
Portfolio, program and project boards implement the required level of governance to manage risks throughout the project lifecycle.
Risks are reported and escalated in line with local governance and accountability arrangements in schools, regions and divisions.

Definitions

Term	Definition
Enterprise risks	These are risks to the department’s areas of lowest appetite which are: child and student protection and safety workplace health and safety security of confidential and personal information (information security) our integrity (fraud and corruption). Enterprise risks are risks within the strategic objective risk group.
Enterprise risk management framework	The department's approach and system of managing risk including policies, procedures, processes, and supporting information, and is represented through the Enterprise risk management framework document.
Risk	The chance of something happening that will impact the department’s ability to achieve its objectives. Risk is measured in terms of consequences and likelihood.
Risk appetite	Level of risk or opportunity the department is willing to accept in achieving its objectives.
Risk management	Coordinated activities to direct and control the department’s risks.
Strategic risks	Risks to the achievement of the department’s strategic objectives as determined by the executive leadership team. Strategic risks are risks within the strategic objective risk group.
Tactical risks	Operational, business unit and portfolio/program/project risks.

Legislation

Education (General Provisions) Act 2006 (Qld)
Financial Accountability Act 2009 (Qld) Part 4, Section 61 (b)
Work Health and Safety Act 2011 (Qld) Part 2, Division 1, Section 17
Financial and Performance Management Standard 2019 (Qld) Division 4, Section 23
Human Rights Act 2019(Qld) Division 4, Section 58

Delegations/Authorisations

Other resources

Enterprise risk management tools

Enterprise risk assessment plan template (DoE employees only)
Enterprise risk matrix - consequence and likelihood tables (DoE employees only)
Enterprise risk resource guide (DoE employees only)
Department of Education risk appetite statement
Integrated assurance maps (DoE employees only)

Related resources

Governance framework
Strategic governance committees (DoE employees only)
Health, safety and wellbeing management system(DoE employees only)
Continuity, disaster and emergency management framework (DoE employees only)
A Guide to Risk Management, The State of Queensland (Queensland Treasury) June 2020
Australian Standard AS ISO 31000:2018 Risk management – guidelines
Strategic plan
Enterprise portfolio and planning (DoE employees only)
Curriculum activity risk assessment

Superseded versions

Previous seven years shown. Minor version updates not included.

2.0 Enterprise risk management

Review date

14 July 2030

Keywords

Policies and procedures in this group

Enterprise risk management policy (current page)

Enterprise risk management procedure

SocialMedia_BottomRight