Asset Publisher

Risk and Business Continuity Management Policy


1. Policy statement

The Department of Education (the Department) maintains robust risk management and business continuity practices that are an integral part of decision making and support the proactive identification, assessment and management of risks.  Business continuity management ensures the Department is able to prepare for and respond to the impact of any major disruptions in order to recover and return to normal operations as soon as possible.

2. Policy rules

2.1 Risk Management

All employees will:

  • review activities and key objectives to identify and assess risks;
  • develop treatment plans to manage the impact of risks (where necessary);
  • record and monitor risks; and
  • inform line managers of significant risks.

Line managers and Principals will communicate risks to employees, to assist them in understanding risks, the basis on which decisions are made and the reasons why particular actions are required.


Please refer to the Risk Management Guidelines for school and non-school site processes (staff only).

Further information on risk management is available on Ikon.

2.2 Business Continuity Management

Where the continuity of operations is not covered by other Department plans such as the incident management plan for schools, line managers and principals will, as appropriate:

  • conduct and document a business impact analysis;
  • review the business impact analysis at least every 12 months;
  • for any critical business activities, document business continuity plans that include:
    • strategies, requirements and procedures for continuity of the critical activities; and
    • business resource requirements to support the continuity of the critical activities;
  • review and update any business continuity plans at least every 12 months; and
  • conduct exercises on a regular basis to test or validate any business continuity plans.


Please refer to the Business Continuity Management Guidelines for school and non-school site processes (staff only).

Further information on business continuity management is available on Ikon.

3. Responsibility for implementation and compliance

Principals and line managers are responsible for implementing this policy.
Executive Directors and Directors are responsible for compliance monitoring.

4. Scope

This policy applies to all employees.

5. Definitions

A process to ensure the timely resumption and delivery of critical business activities, in the event of a major disruption, by maintaining the business resources required to support delivery of those services.

Documented processes that guide the Department to respond, recover, resume and restore to a pre-defined level of operation following a major disruption.

The process of assessing the potential consequences of an outage to the Department’s business activities over varying periods of time, and establishing the maximum acceptable outage time, in which any critical activities must be resumed following a major disruption.

An employee responsible for a discrete area. 

The chance of something happening that will have an impact on objectives. The impact may be positive or negative.

The process used to understand the impact of risks and estimate the level of risk.

The measures currently in place that reduce the impact of risks.  A risk may have more than one control.

The process of finding and describing the nature, sources and causes of risks.

Risk management encompasses the culture, processes and structures that are used to effectively manage risks.

A periodic assessment of risks to determine the continuing effectiveness of risk controls and treatments.

A process to select one or more treatments to avoid, reduce, transfer or share a risk. 

6. Related documents

Incident Management Manual (staff only)

7. Contact information

Policy manager:           

Director Risk and Assurance

Policy contact officer:  

Program Manager, Risk
T: (08) 9264 0094

8. History of changes

Effective date Last update date Policy version no.
18 May 2010 1 August 2012 1.2
Amended an erroneous numeral 4 that appeared at the head of the third column of the Risk Rating table at Appendix C.4 as per D12/0470346.
18 May 2010 25 June 2015 1.3
Updated contact details D15/0198137
18 May 2010 29 September 2015 1.4
Updated references to Public Sector Commissioner’s Circular and Treasurer’s Instruction TI 825. D15/0394179
18 May 2010 31 August 2018 1.5
Minor updates to contact information to reflect organisational changes D18/0388673.
18 May 2010 18 March 2021 1.6
Minor changes to update content D21/0145764
21 February 2023 2.0
Major review. D22/0621687 Approved and signed by the DG on 21 November 2022

9. More information

Supporting content

No supporting content found.

Policy review date

21 February 2026