
Turning compliance into capability: practical use of the NSW Risk Management Toolkit

New South Wales Treasury’s updated Risk Management Toolkit, released on 29 May 2025, offers a clear and practical framework to help public sector agencies uplift their risk maturity and embed the principles of ISO 31000. But for many departments and agencies – already navigating tight budgets, competing priorities, and increasing scrutiny – the challenge is not understanding the importance of risk management. It is operationalising it.
Through our combined experience across financial services, legal governance, and public sector advisory, we have observed that risk management frameworks often falter not from lack of intent but from a failure to embed them into the rhythm of decision-making. The new Toolkit provides a timely opportunity to break that cycle – if applied with strategic focus.
1. Start with what you have: resource-aware implementation
A key strength of the Toolkit lies in its modularity. Agencies are not expected to adopt a wholesale transformation overnight. Instead, we encourage leaders to begin by:
Starting with the basics: The Risk Management Framework, Risk Appetite Statement, the CRO reporting structure, and the base governance structure. Investment in these fundamental structures will pay dividends over time.
Working on the principle that capabilities will, and should, evolve over time. Risk Appetite should be defined as the desired appetite, not what is possible today. Doing this will allow the work and a realistic timeframe to be sized to achieve the desired risk appetite.
Mapping existing processes and artifacts to the Toolkit's structure. Many controls, committee structures, and reporting lines will likely already be aligned with the principles outlined.
Prioritising high-impact, material risks, particularly those tied to government priorities, legislative obligations, and critical service delivery outcomes. Include emerging risks (cyber, climate, workforce) that could disrupt core functions.
Nurture, not nature: Good risk frameworks include performance monitoring and feedback loops for continuous improvement and timely issue resolution.
Embedding risk conversations into existing governance forums, rather than creating new ones.
An effective, resource-conscious risk program focuses less on volume of activity and more on strategic alignment. The mantra should be focused on outcomes: “We stopped trying to catalogue every risk and started asking which ones, if realised, would cause us to fail our mandate.”
2. Cross-sector insights: lessons from the private sector
Leading organisations across banking, infrastructure, energy, and telecommunications have invested heavily in risk maturity. Their practices, battle-tested through regulatory scrutiny and market pressures, offer proven blueprints for public sector transformation:
Proactive stakeholder engagement: Effective frameworks are co-designed with their users. Engage risk owners, control operators, and report recipients during development to ensure risk categories reflect operations, appetite statements use meaningful metrics, and reporting meets decision-makers' needs.
Clarity of risk ownership: Leading institutions make risk a business problem, not just a compliance one. This means line managers are empowered, and accountable, for managing risk in their domain.
Tiered risk appetite frameworks: Rather than a generic statement, appetite is broken down into operational parameters (e.g., thresholds for cost overruns, data loss events) that guide frontline decisions.
Use of risk as a design lens: Risk isn’t only about avoidance; it’s a key input into business decisions, acquisitions, capital deployment, project planning, transformation programs, and partnerships.
Evolution not revolution: Good risk practices are continually evolving in response to advancements in tools, techniques, and changes in the operating environment. The Risk Management Framework should adapt accordingly.
Agencies that adopt these practices avoid the “paper tiger” trap and build risk maturity that drives performance, not just paper compliance.
3. Elevating risk as an organisational enabler
The most successful risk leaders position the function as a source of foresight, not just compliance. Here’s how we see the Toolkit enabling that shift:
Scenario thinking and stress testing: Using the risk process to explore uncertainty in areas like the impact of a pandemic, climate risk, workforce challenges, cyber breaches, and digital transformation allows agencies to anticipate rather than react. Reinforce and embed these lessons with targeted crisis scenario exercises to develop the requisite muscle memory.
Data-informed risk insights: Even in resource-limited environments, agencies can use existing data (e.g., complaints, project delivery metrics, audit findings) to uncover systemic patterns.
Cultural reinforcement: When executives model risk-aware behaviour (seeking risk advice early, rewarding transparent reporting), it builds a culture of trust and accountability.
4. Legal considerations and governance guardrails
From a legal and governance standpoint, the Toolkit provides departments and agencies with guidance and tools across various aspects of risk management to assist them in meeting their legislative obligations under the GSF Act, and to inform their other policies (such as procurement policies), daily operations and decision-making processes generally. We encourage risk leaders to work hand in glove with their legal counterparts to:
Ensure alignment between risk processes and statutory obligations;
Use risk documentation to support defensible decision-making in audit, integrity, or funding reviews; and
Embed proactive risk review clauses into contracts, especially for high-risk vendors or joint delivery models.
And most importantly, use the legal function to support the work being undertaken in relation to risk management.
These overlays are not a burden; they are a way to protect organisational legitimacy and public trust.
Key takeaways
Done well, risk management is not a bureaucratic function; it is an enabling function, and can be significantly lower cost than remediation after the fact. The NSW Risk Management Toolkit, if applied with intent and pragmatism, can serve as a catalyst for more resilient, responsive, and confident public institutions.
Whether you’re running a major department or agency, delivering on-the-ground services, or advising decision-makers, the question is not whether you can afford to invest in risk. The question is whether you can afford not to.