This policy (PCY135) outlines our commitment to ensuring risk-based decision making is based on a consistent application of corporate methodology.

Policy statement

The Water Corporation has a holistic, integrated Risk Management Framework consistent with the International Standard 31000:2018 Risk Management - Principles and Guidelines (AS ISO 31000:2018), which is integral to corporate governance, strategic and business planning processes and optimising operations. With this approach, the Corporation ensures that risk-based decision making is based on a consistent application of the Corporate methodology.


The principle of the Corporation’s approach is to manage the risks involved in all aspects of its activities to a tolerable level by achieving a balance between acceptable levels of risk and reward through the effective and efficient use of resources.

The objectives of this policy are:

  • that risk management forms an integral part of all decision making to ensure risk management is adopted throughout the Corporation as a prudent management practice
  • to ensure that all employees, contractors and partners are made aware of the need to manage risk, and to promote a culture of participation in the process
  • to set the standard for the risk management process and subsequently the management of risk.


This policy applies to Water Corporation Process Owners and Managers, line managers, project managers, employees, contractors and partners. All parties have a significant role in ensuring effective risk management in their area of business activity.

Risk - the potential for an event occurring - including opportunities or adverse effects - that will impact upon the Corporation’s purpose and objectives. It is measured in terms of consequence (impact on outcomes) and likelihood (probability or frequency).

Risk attitude - the approach to assess and eventually pursue, retain, take or turn away from risk. Understanding risk attitude is a complex task which requires balancing of many views. Some elements can be quantified but ultimately it is a question of judgement.

Risk management - coordinated activities to direct and control an organisation with regard to risk.

Risk management process - the systematic application of management policies, procedures and practices to the tasks of establishing the context, identifying, analysing, evaluating, treating, monitoring and communicating risk.

The application of this policy aims to deliver:

  • A Framework for the management of all risks across the Corporation
  • A consistent terminology, methodology and process for the management of risk
  • The integration of risk management into decision making processes
  • Assurance to the Board, Audit & Compliance Committee and Executive that risks are identified and managed.

All risk management activities should be conducted in accordance with the methodology and assessment criteria established under the Risk Management Framework. If there is need to deviate from the corporate process, this must be referred to the Risk & Assurance Branch for consultation and assessment.

Non-adherence to the Risk Management Framework impacts on the consistency and adequacy of business decisions.

Organisations of any kind face internal and external factors that create a level of uncertainty which will influence the achievement of their objectives. The effect this uncertainty has on the objectives of a business is defined as “risk”.

While risk management is implicit in all activities undertaken by entities (individuals, groups or the Corporation), this policy provides the formal compliance statement in regard to the management of risk – in all of its various contexts – and across all products, services and business streams.

This policy along with the Corporation’s Risk Management Framework has been developed, reviewed and implemented in accordance with the International Standard for Risk Management AS/NZS ISO 31000:2009.

The key principles are:

  • Corporate and process risk profiles are reviewed annually (desktop or workshop).
  • Under the Accountabilities Framework, Process Owners in conjunction with Process Managers have full accountability and authority to manage a risk in relation to their process.
  • Risks raised outside of a manager’s accountability will be considered and allocated to the applicable area in accordance with accountability principles.
  • All risk assessments (corporate, business or project) within the Corporation will be assessed using the Corporate Risk Assessment Criteria and will be recorded in the Corporate Risk Information System or a formally recognised risk register.
  • Risk assessments are carried out within a context of the type of risks being identified and the associated objectives.
  • Identification of controls to manage risk and the effectiveness rating of those controls form a baseline for the assessment of residual risk ratings. Clarity around a control rating of ‘operating as intended’ should be clearly articulated by the control owner.

Extreme and high risks and associated mitigation plans are escalated and reported regularly to the Risk Management Committee, Audit & Risk Committee and the Board.

The risk management process is coordinated and monitored by Risk & Assurance Branch.

Process Managers

Under the Water Corporation Accountabilities, Process Owners in conjunction with Process Managers are fully accountable for identifying and managing risk from the internal and external environment for their process.

Line Managers

Business Unit, Regional and Alliance Managers are accountable for identifying risks from the internal and external environment which will impact on activities and objectives. They are then accountable to advise the relevant Process Manager where these risks impact on process. They also are encouraged to identify and manage risks at a regional level which originate from the execution of business processes. Regional or Business Unit risk assessments form a fundamental component of ensuring that all risks have been identified and assessed.

Project/Program Managers

Project and Program Managers will use the Corporate Risk Assessment Criteria and identify and assess project risks throughout the project life cycle. Project and Alliance risks are assessed within the context of their Financial Consequence criteria which is adjusted to the Corporate Financial Consequence criteria as required.

External references

  • Standards Australia: Risk Management – Principles and Guidelines AS ISO 31000:2018

Corporate references

  • Risk Management Guidelines
  • S389 Risk Assessment Criteria