Our client operates in a complex regulatory and operational environment. As an independent statutory authority, the agency balances industry sustainability with compliance and enforcement.
In late 2025, the Executive identified the need to review and refresh how the agency undertakes Enterprise Risk Management to ensure it remained contemporary, practical and aligned to:
- The Public Governance, Performance and Accountability Act 2013 (PGPA Act)
- The Commonwealth Risk Management Policy and Framework
- Their unique operational priorities and challenges
Leaders sought stronger integration between strategic risk, operational risk, regulatory decision-making and performance reporting. The objective was to embed better traceability between risk appetite and day-to-day operational matters so the executive had oversight without creating additional administrative burdens on operational staff.
What we delivered
To assess the current state and find opportunities to improve risk management, we:
- Conducted structured stakeholder engagement across executive, corporate and operational levels to understand current risk practices, behaviours and pain points
- Assessed the design and effectiveness of the risk management framework, including risk registers, controls, escalation pathways and governance structures
- Evaluated integration across functions (safety, security, legal, compliance) to determine how risks are identified, communicated and managed enterprise-wide
- Analysed alignment between risk, performance and decision-making, including how risk informs strategy, operations and regulatory obligations
- Benchmarked organisational risk maturity and defined a target state, identifying gaps, improvement opportunities and a clear uplift roadmap
At the conclusion of the assessment we delivered refined risk appetite and tolerance statements, an improved risk register structure and templates, a governance and escalation model (RACI, committees and workflows), and a revised suite of policies, procedures and guides to help staff at all levels contribute to the enterprise risk management process.
Outcome
The agency established a contemporary Enterprise Risk Strategy and Risk Management Plan that strengthened executive alignment on risk appetite, clarified escalation and governance reporting pathways, and better integrated enterprise risk with operational compliance decision-making.
The framework enhanced confidence in PGPA compliance and defensibility while remaining practical and proportionate to a specialist, science-informed regulator. Importantly, it repositioned enterprise risk management as a strategic leadership capability directly linked to sustainability outcomes, regulatory credibility and public trust.
Frequently asked questions
What does good enterprise risk management look like in a Commonwealth agency?
Effective enterprise risk management aligns with the PGPA Act and Commonwealth Risk Management Policy, clearly articulates risk appetite, integrates with strategy and performance frameworks, and is embedded in governance and executive decision-making rather than operating as a standalone compliance exercise.
How is risk appetite defined and applied in practice?
Risk appetite should translate into clear tolerance levels and escalation thresholds that guide executive judgement, regulatory decisions and operational activities, rather than remaining high-level statements.
How can enterprise risk be integrated with operational and compliance functions?
Enterprise risk should connect directly to frontline regulatory, program or service delivery activities, ensuring that strategic risks are informed by operational realities and that operational risks are visible at the enterprise level.
How often should an enterprise risk strategy and plan be reviewed?
Better practice suggests a formal review every 2 to 3 years, with annual refreshes aligned to corporate planning cycles, or earlier where significant legislative, environmental or operational changes occur.
How can a risk framework remain proportionate for a small or specialist agency?
A proportionate framework reflects the agency’s size, mandate and risk profile, prioritising clarity, usability and governance assurance over unnecessary complexity or administrative burden.