Skip to main content.

Updating risk management in the Victorian Civil and Administrative Tribunal

A PDF of this case study can be downloaded here


The Victorian Civil and Administrative Tribunal (VCAT) provides Victorians with low cost, accessible, efficient and independent dispute resolution. Its goal is to be an outstanding civil and administrative tribunal, as articulated in the Building a Better VCAT: Strategic Plan 2014-17, launched in March 2014.

VCAT comprises four divisions: the Civil, Administrative, Residential Tenancies and Human Rights Divisions. In addition to the judges who lead the tribunal and the tribunal Members, VCAT comprises a Registry that manages documents flowing into and out of the tribunal, and an administrative team. In mid-2014, the administrative functions of Victoria’s courts moved from the control of the Department of Justice, which has very wide and diverse responsibilities, into the recently-formed Court Services Victoria.

Improved governance arrangements, and in particular a sound risk management capability and an internal compliance, audit and evaluation program, were a key focus area in Strategic Direction 4 (Improving Efficiency) of VCAT’s Strategic Plan. As part of this commitment, Broadleaf was asked in mid-2014 to review and improve VCAT's organisational risk management process.


One of the key objectives of the project was to bring VCAT’s risk management process into line with the standard, ISO 31000, and to put in place measures that ensured risk was adequately captured across the whole organisation. The existing risk register met departmental compliance requirements, however VCAT asked for a best-practice regime that gave senior decision-makers more input into the risk register, and its senior advisory board a shared understanding of VCAT's risk profile and appetite for risk. VCAT also asked that the identification and ownership of risks be integrated more effectively with annual business planning priorities and budget allocation.

VCAT wished to develop, among its most senior personnel, a comprehensive view of the risks it must manage across all its operations, recognising it was crucial that the leadership of VCAT own the risk management process as well as its documented outputs.



Following the standard (Figure 1), a program of three workshops was planned. The first workshop was used to establish the context, the second to identify, analyse and evaluate risks, and the third to develop risk treatments.

Figure 1: ISO 31000 operational implementation

Establishing the context

A deliberate decision was made to involve senior personnel closely in establishing the context. A draft context statement was prepared in consultation with the Director of Corporate Services and VCAT’s Chief Executive Officer. This was issued with a briefing note to participants prior to the context-setting workshop, where it was reviewed and edited.

The President of VCAT chaired this meeting, with Broadleaf facilitating and recording.

The resulting context document summarised:

  • The scope of the risk assessment;
  • Internal and external forces that could affect VCAT’s success;
  • Major stakeholder groups and their concerns;
  • Scales for describing the consequences of risks, the likelihood of those consequences being felt, the effectiveness of existing controls and the overall risk rating corresponding to each combination of consequence and likelihood, all of which constitutes an expression of VCAT’s risk appetite; and,
  • A set of key elements, topics to be used as a structure for risk identification and analysis.

The workshop not only forged an agreed view of VCAT’s risk management context but also provided a neutral forum in which differences of opinion could be expressed and reconciled. It brought about a lot of valuable communication between the three main teams within VCAT: the Members, the Registry, and the administration.

The context statement provided a shared foundation for risk identification and analysis, which was the subject of the second workshop.

Risk assessment

Existing information about risks was gathered and senior personnel were invited to submit further risk descriptions during preparation for the risk assessment workshop. This information was compiled into a draft risk register and issued with a briefing note to participants prior to the workshop.

The draft register was reviewed in the workshop, which was facilitated and recorded by Broadleaf. The wording of risks, their causes, impacts and existing controls were all confirmed or revised as necessary. Some of the draft risk descriptions were discarded and some risks identified during the brainstorming were added to the list. All the risks were rated to describe, for each risk:

  • The effectiveness of existing controls;
  • Characteristic consequences;
  • The likelihood of experiencing those consequences; and,
  • The potential exposure associated with the risk, the largest consequences that could be expected if all the controls failed.

Seventeen risks were documented and analysed. The risks encapsulated a lot of information as each one included several causes, impacts, and existing controls. The structure of the risk descriptions is illustrated in Figure 2. As in the context-setting workshop, the process encouraged alternative views to be raised and discussed dispassionately.

Figure 2: Risk description structure

No extreme risks were identified but there were many rated high.

Detailing cause and effect relationships, with attention to controls and control effectiveness, allowed participants to describe the mechanisms by which uncertainty could affect VCAT in practical terms that were meaningful to them. For example, the challenges of managing the Registry were described in terms of, among other things, the need for specialist knowledge in some parts of the Registry’s work and the fact that some areas of expertise were confined to a small number of personnel. The impacts of this were described in terms of the service levels that could be delivered, the accuracy of advice provided to the public and a negative effect on stress and morale within the Registry.

The results of the analysis were used to identify:

  • The high risks (Figure 3);
  • Priority areas for risk treatment action, where the risk rating is high and the control effectiveness is low (Figure 4); and,
  • Control assurance targets, where the risk rating is medium or low and the potential exposure is high (Figure 5).

The Extreme and High risks (Figure 3) were considered to ensure that they do not represent anything unacceptable.

Figure 3: Extreme and High risks

Risks with Extreme or High ratings and low controls effectiveness (Figure 4) are the first priority for the exploration of risk treatments.

Figure 4: Risk treatment priority

Risks with Medium or Low rating and high potential exposure (Figure 5) are priorities for control assurance effort.

Figure 5: Control assurance priority

As well as confirming long-standing concerns about some matters, the workshop provided an opportunity for the participants to discover, after analysis, that some risks were not as bad as had been thought.

Risk treatment

In parallel with this work, VCAT was developing plans to address a range of business tasks, many of which had a bearing on the risks. The relationship between the business priorities and the risks was mapped and documented in a briefing note for a risk treatment workshop.

The treatment workshop was attended by most of the personnel who had been at the risk assessment workshop. It was prepared, facilitated, recorded and analysed by Broadleaf.

The planned business activities, which were already funded but not yet implemented, were considered as treatments for relevant risks. Where additional treatment options were identified they were added during the workshop. As in the earlier workshops, the process encouraged a valuable exchange of views on the root causes of the challenges facing VCAT and how these could be addressed.

The outcome of the treatment workshop was a summary of work in hand and proposed new actions to treat each risk. The intent of the existing and proposed actions was to enhance VCAT’s performance by attention to risks. A successful outcome was defined as the achievement of the objectives set out in the current strategic plan.


This review and update of risk management in VCAT delivered several significant outcomes:

  • A documented analysis of risks, treatments and control assurance priorities that is aligned with VCAT’s strategic plan and business priorities and can be used to guide strategic management in VCAT;
  • Recognition that some of the risks absorbing management attention are not as serious as had been thought, allowing this valuable resource to be refocused in areas where it can have the greatest effect;
  • A process framework for maintaining the currency of VCAT’s risk management;
  • The adoption of a single view of risk across VCAT that draws together the concerns of the Members, the Registry and the administration; and,
  • Strong engagement of senior personnel accompanied by valuable communications between them about the uncertainties facing VCAT and the risk management context within which they operate.

This was achieved as a result of:

  • The exercise having the support of the President and CEO;
  • An in-house champion who understood the process, the Director of Corporate Services, and managed the interface with VCAT’s senior personnel;
  • Use of the standard, ISO 31000, as the basis of the exercise; and,
  • Careful preparation and independent facilitation of each of the workshops, followed up with comprehensive reports confirming to the participants the outcomes of the effort they had invested in the exercise.

The Chief Executive Officer of VCAT summarised the outcome by saying

There is now a very tangible link between risk, business planning and budget allocation. We have essentially integrated risk management into our planning cycle and I think, from my perspective, this is a significant outcome.

Victorian Civil and Administrative Tribunal (VCAT)
November 2014
Public sector and government business
Services included:
Risk assessment and risk treatment
Risk management framework development
Risk assessment