Element 1: Embedding risk management

Risk management must be embedded into the decision-making activities of an entity.

Case Study


This information sheet is intended to assist Commonwealth officials at the Specialist and Executive levels to understand:

  • how to effectively embed risk management within typical public sector operations and programs, with a particular focus on the procurement process,
  • practical examples and strategies for recognising and successfully embedding risk management in an entity’s decision-making and tender process, and
  • the benefits that exist when an entity integrates and embeds risk management within its day-to-day operations.

This case study can be useful to newly created entities or entities wanting to incorporate risk and/or a risk-based approach into their procurement process in order to help them achieve their business and strategic objectives.

At a glance

The following example provides information on how to successfully embed risk management within an entity’s enterprise-wide business activities and ensure that risk information is used to inform decision making in the procurement process. This approach enables risk to be managed in a repeatable way when designing, implementing and delivering government outcomes.

In 2017, the Western Sydney Airport Co Limited (WSA Co) were tasked with the responsibility to build and operate Sydney’s new airport. The risk landscape that WSA Co were exposed to was particularly complicated and involved heavy planning, design and construction phases and, eventually, an operational phase. WSA Co’s systematic approach to establishing a risk management framework, and embedding risk management thinking into the process of conducting procurement and stakeholder engagement, illustrates how to successfully involve and align risk management within an entity’s strategic objectives.

What are the benefits of embedding risk management?

Ensuring that risk management is prominent throughout an entity’s day-to-day activities can create an environment where there is a common understanding amongst stakeholders around the threats, vulnerabilities and potential opportunities the business faces. It allows for a more proactive response to mitigating and responding to the challenges an entity is presented with. It also facilitates informed business decisions that are aligned to and more accurately reflect the organisation’s landscape and strategic objectives.

When procuring and partnering with external service providers, the utilisation of risk-based thinking and assessment allows an entity to position itself with providers who are at similar risk maturity levels and alike in system establishment and implementation. It also allows the entity to identify the risks associated with the services to be delivered and by whom the identified risks will be owned and controlled.


Given the constantly changing nature of the project, WSA’s strategy for risk management centred on:

  • The early embedding of risk management into day-to-day business as usual
  • A focus on core risk principles to align with the stage of the project
  • Educating the organisation (human capital) to bring the business on the risk journey
  • Resilience: Anticipating and planning for the long-term.


Governing your entity:


In order to effectively embed risk management into an entity’s operations from the beginning, WSA Co firstly established and implemented a successful fit-for-purpose Enterprise Risk Management Framework. Instead of targeting certain aspects of the project/company, WSA Co’s Framework set out the basic steps of Risk Management – Identification, Evaluation, Treatment, Monitoring and Reporting. By aligning their framework to core risk principles, this ensured that it could be easily adopted by the business regardless of the stage of the project.

The early establishment of these foundational risk Frameworks (see Diagram 1.A) and subsequent targeted education and awareness of their principles allowed risk to be embedded as Business as Usual (BAU). The easier the process and the more it is integrated through training and awareness programs, the more likely employees will engage and incorporate risk management into their work. In this way, there was a greater level of consistency across the project and company with employees ‘speaking the same language’. Through this focus on education and risk-related training, WSA were able to change the perception of risk management as predominantly compliance-based, thereby laying the foundation for risk to be seen as essential to informing and shaping business decisions.

evaluation methods

Diagram 1.A

Governing your entity:

When undertaking the essential business activity of the procurement of contractors, WSA incorporated a series of risk management requirements (cost, interface management, time, scope and safety) into the tender process. These aligned with WSA’s established frameworks and the ISO 31000 requirements. This can be necessary to standardise and prioritise the approach to quality assurance in relation to procuring contractors used on the project, further assisting with the management of interface risk and ensuring consistent reporting regimes. Due to the significant level of procurement activities and related risks, WSA implemented a variety of controls to mitigate these risks. For example, this approach paved the way for a probity advisor to be included and on-boarded as part of the procurement process, thereby safeguarding the business against any potential negative consequences arising out of engaging contractors.

As part of the evaluation process for a number of the main works package procurements, WSA held assurance and risk-based ‘interactives’ with principal contractors, which focused on safety as a primary risk topic. These sessions would involve holding a meeting with the leadership team as well as project directors and construction managers to discuss and formulate responses to risk-based scenarios. This process helped elicit frank and fearless discussions surrounding risk and assurance activities, whilst also helping WSA assess their alignment and compatibility with contractors.

Governing your entity:


Throughout this project, WSA has always ensured that risk remains prevalent when informing decision-making at the executive level, as well as the day-to-day operational level. A business case process was established to help inform commercial decisions that affect future operations. This process incorporated the assessment of risk and alignment of consequence outcomes with the organisation’s defined risk appetite statements. This allowed management and the Board to be presented with the relevant risk and consequence models associated with key business decisions. As a result of the risk-focused mentality of the entity, this process has continually been refined as the business matures and can be utilised for future commercial decisions.


Through these key steps:

  • Establishing strong risk-based foundations
  • Embedding risk from the beginning
  • Working with and educating the business
  • Implementing strong governance.

WSA Co were able to achieve a state of ‘business with a risk mindset’. Despite only being established for 4 years, they have successfully awarded all main works contracts, adapted to COVID-19, maintained continuity of operations, achieved their safety targets and are forecasted to be on-time and on-budget. In 2020, an ANAO performance audit of WSA’s procurement processes presented no recommendations or adverse findings, highlighting the maturity of their risk management capability. All of this can be heavily linked to building a strong risk culture and embedding risk into their operations, as a risk mindset has been fully demonstrated and embraced by the organisation.
