Enterprise Risk Management Strategy

Our client operates in a complex regulatory and operational environment. As an independent statutory authority, the agency balances industry sustainability with compliance and enforcement.

In late 2025, the Executive identified the need to review and refresh how the agency undertakes Enterprise Risk Management to ensure it remained contemporary, practical and aligned to:

  • The Public Governance, Performance and Accountability Act 2013 (PGPA Act)
  • The Commonwealth Risk Management Policy and Framework (ISO 31000)
  • Their unique operational priorities and challenges.

Leaders sought stronger integration between strategic risk, operational risk, regulatory decision-making and performance reporting. The objective was to embed better traceability between risk appetite and day-to-day operational matters so the executive had better oversight without creating additional administrative burdens on operational staff.

What We Delivered

To assess the current state and find opportunities to improve how risk management was undertaken in the organisation, we:

  • Conducted structured stakeholder engagement across executive, corporate and operational levels to understand current risk practices, behaviours and pain points
  • Assessed the design and effectiveness of the risk management framework, including risk registers, controls, escalation pathways and governance structures
  • Evaluated integration across functions (safety, security, legal, compliance) to determine how risks are identified, communicated and managed enterprise-wide
  • Analysed alignment between risk, performance and decision-making, including how risk informs strategy, operations and regulatory obligations
  • Benchmarked organisational risk maturity and defined the target state, identifying gaps, improvement opportunities and a clear uplift roadmap

At the conclusion of the assessment we undertook the following activities:

  • Refined risk appetite and tolerance statements
  • Improved the risk register structure and templates
  • Defined a governance and escalation model (RACI, committees and workflows)
  • Revised the suite of policies, procedures and guides to help staff at all levels within the organisation contribute to the enterprise risk management process.

Outcome

The agency established a contemporary Enterprise Risk Strategy and Risk Management Plan that strengthened executive alignment on risk appetite, clarified escalation and governance reporting pathways, and better integrated enterprise risk with operational compliance decision-making.

The framework enhanced confidence in PGPA compliance and defensibility while remaining practical and proportionate to a specialist, science-informed regulator. Importantly, the engagement repositioned enterprise risk management as a strategic leadership capability directly linked to sustainability outcomes, regulatory credibility and public trust.

Want to learn more?

If your department or agency is reviewing its Enterprise Risk Framework, strengthening governance assurance, or seeking clearer alignment between risk appetite and operational decision-making, Holan brings grounded public sector expertise and practical regulatory insight.

We work alongside executive leaders to build risk systems that are defensible, proportionate and genuinely usable, not just compliant on paper.