This policy (PCY135) outlines our commitment to ensuring risk based decision making is based on a consistent application of corporate methodology.

Policy statement

The Corporation recognises the direct relationship between effective risk management and the achievement of objectives within the Corporate Strategy. In order to proactively anticipate, assess, and manage all threats and opportunities to achieving its vision to ‘drive greater value for our customers, community and owner by ensuring that our operations are safe for all, and at the lowest environmental impact and lowest total cost’, the Corporation has committed to the ongoing implementation of a whole of organisation Risk Management Framework.

The Risk Management Framework is consistent with International Standard ISO AS 31000:2018 Risk Management - Guidelines and is an integral component of the Corporation’s Corporate Governance. The standards based, whole of organisation approach to embedding risk management drives risk based decision making through all levels of the Corporation and supports consistent application of the Corporate methodology.

As a baseline set of principles to be complied with, it is expected that all planning, executing/operating, and responding/recovering activities must:

  1. Apply a risk-based approach referencing the Corporation’s Corporate Risk Assess Criteria.
  2. Be appropriately prioritised and managed in-line with the relevant standards, legislative and regulatory requirements.
  3. Be performed in a clear, transparent, consistent, integrated and documented manner.


The purpose of this Policy is to clearly describe the Corporation’s approach to anticipating and managing the risks involved in all aspects of its activities within the parameters of the risk appetite set by the Board. The Policy provides a principles-based approach to guide professional judgement, promote consistent and transparent decision-making; and ensure risk based decisions are evidenced for future reference.

The Corporation will apply assertive and competent leadership to affect risk management and the resolution of incidents under the Corporate Risk Framework.

The objectives of this policy are:

  • That risk management forms an integral part of all decision making and is adopted throughout the Corporation as a prudent management practice.
  • To ensure that all employees, contractors and partners are made aware of the need to manage risk, and to promote a culture of participation in the process.
  • To set the standard for the risk management process and subsequently the management of risk.
  • To direct effective organisational resilience related practices including Incident Management, Emergency Management, Crisis Management, and Business Continuity Management.


This policy applies to Water Corporation Process Owners and Managers, line managers, project managers, employees, contractors and partners. All parties have a significant role in ensuring effective risk management in their area of business activity.

Corporate Risk Assessment Criteria - Terms of reference against which the significance of a risk is evaluated. It provides for a consistent measurement of risk that will be used by all areas of the business allowing for meaningful comparisons.

Crisis Management - 
Development and application of the organisational capability to deal with crisis (BS 11200:2014).

Corporate Incident Management - 
Combination of facilities, equipment, personnel, procedures and communications operating within a common organisational structure with responsibility for management of assigned resources to effectively prepare for, and then dynamically direct and control the ‘response’ to an incident, with an identifiable command, control and coordination structure. Corporate Incident Management, within the Corporation’s context is typically inwardly focused.

Resilience - 
Expression of a system’s ability to withstand, react and adapt to disruption, and to achieve a stable state where its purpose and priority objectives can be achieved (AS/NZS 5050:2020).

Risk - 
Effect of uncertainty (either positive or negative) on objectives or desired/expected outcome.

Risk Assessment -
 The overall process of risk identification, risk analysis and risk evaluation (ISO AS 31000:2018)

Risk Management - 
The culture, processes, and structures that are directed towards the effective management of potential opportunities and adverse effects.

The application of this Policy is designed to deliver:

  • A Framework for the management of all risks across the Corporation.
  • A consistent terminology, methodology and process for the management of risk.
  • The integration of risk management into decision making processes, and
  • Assurance to the Board, Audit & Risk Committee and Executive that risks are identified and managed, and responded to in an effective and approved manner once they are realised and become an incident

All risk management activities must be conducted in accordance with the methodology and assessment criteria established under the Framework. If there is need to deviate from the corporate process, this must be referred to the Risk & Assurance Business Unit for consultation and assessment. Non-adherence to the Corporate Risk Management Framework impacts on the consistency and adequacy of business decisions.

All organisations face internal and external factors that create a level of uncertainty which will influence the achievement of their objectives. The effect this uncertainty has on the objectives of a business is defined as “risk”.

While risk management is implicit in all activities undertaken by entities (individuals, groups or the Corporation) this policy provides the formal compliance statement with regard to the management of risk, in all of its various contexts, across all product, services and business streams, and the approach to all resilience related practices including Incident Management, Emergency Management, Crisis Management and Business Continuity Management.

The Corporation has identified the following key principles to embed risk management through the business:

  • Protection and preservation of life always has primacy.
  • Under the Accountability Framework, Process Owners in conjunction with Process Managers have full accountability and authority to manage a risk in relation to their process. Risks raised outside of a manager’s accountability will be considered and allocated to the applicable area in accordance with accountability principles.
  • The Executive and Senior Management Team shall lead and embed a risk culture that continuously matures to enable risk management to be an integral core element of the Corporation’s processes, and that is transparent and inclusive to enable the timely, accurate flow of information amongst all stakeholders.
  • A full review of corporate and business risk profiles is conducted annually at a minimum, and also upon detecting a relevant change in the internal or external operating environment of the Corporation, such as incident or process disruption.
  • All risk assessments (corporate, business or project) within the Corporation will be assessed using the Corporate Risk Assessment Criteria and will be recorded in the Corporate Risk Information System or a formally recognised risk register.
  • Crisis Management, Business Continuity Management, Incident Management and Emergency Management will be implemented and integrated to achieve disruption resilience, and to protect the Corporation’s reputation and standard of service delivery from the impacts of significant and unplanned events.
  • Incident Management and Emergency Management will be conducted in accordance with Incident Management and Emergency Management standards.
  • Robust risk reporting processes will be delivered through the Corporation’s Governance forums to provide oversight of the effectiveness of the Risk Management Framework, internal and external emerging risk issues, and opportunities to improve internal risk culture and process.

The Corporate Risk Management process is coordinated and monitored by the Risk & Assurance Business Unit.

Process Managers

Under the Water Corporation Accountability Framework, Process Owners in conjunction with Process Managers are fully accountable for identifying and managing risk from the internal and external environment for their process, within the parameters of the Risk Appetite Statements endorsed by the Board.

Line Managers

 Business Unit and Regional and Alliance Managers are accountable for identifying risks from the internal and external environment which will impact on activities and objectives. They are then accountable to advise the relevant Process Manager where these risks impact on process. They also are encouraged to identify and manage risks at a regional level which originate from the execution of business processes. Regional or Business Unit risk assessments form a fundamental component of ensuring that all risks have been identified and assessed.

Project/Program Managers

Project and Program Managers will use the Corporate Risk Assessment Criteria and identify and assess project risks throughout the project life cycle. Project risks are assessed within the context of their Financial Consequence criteria which is adjusted to the Corporate Financial Consequence criteria as required.

External references

  • Standards Australia AS ISO 31000:2018 Risk management – Guidelines
  • British Standard BS 11200:2014 Crisis management: Guidance and good practice
  • Standards Australia AS/NZS 5050:2020 Managing disruption-related risk

Corporate references

  • S389 Corporate Risk Assessment Criteria
  • S110 Incident Management
  • S050 State Emergency Management Framework- Water Corporation Support
  • Risk Management Guidelines
  • Incident Command and Control Guidelines