Skip to main content.

Strategic risk assessment for a regulator


The Provincial Resources Regulator (PRR) regulates resource exploration, extraction and processing so that resource companies are accountable and take responsibility for their business and so that safety and the environment are not compromised. The regulator aims to attract investment in the sector while protecting the government’s interests in the recovery of resources and associated royalties. The PRR also gathers and provides geological and scientific information to both the private sector and other government agencies to support decisions about land use and resource exploration.

The PRR’s organisational structure is based on:

  • A small number of divisions that reflect the main functions of the organisation, which is where the main performance indicators are set
  • Programs within the divisions, each with its own manager.

Previous risk assessments had been conducted for all programs across the PRR, with a focus on risks to the business objectives and the relevant performance indicators for the function with which each program was associated. Rather than an integrated approach, program managers were responsible for the implementation of risk treatments in each program individually. As a result, there was no over-arching corporate process to link each program area with other programs or to assess whether there were common risks that might impact significantly on the organisation as a whole.

In addition, inconsistencies emerged through time as programs adopted different approaches to implementing treatments and reporting their current risks. Some programs identified new risks that had evolved since the original assessments, while others only reported when treatments had been completed and their risks had been addressed.


The PRR identified that the risk management process required more rigour, and that an organisation-wide approach was needed to identify and treat high-level risks to the PRR itself, risks that required the attention at the executive level or risks that encompassed more than one division or functional area.

Broadleaf was asked to assist in extending the risk assessment to cover matters that spanned divisions and programs. The specific objectives were to:

  • Highlight major risks for attention by the executive
  • Identify risks affecting multiple performance areas
  • Encourage divisional managers to treat the risks using cross-functional teams with members from different programs and divisions
  • Provide assurance to the executive that the major organisational risks had been identified in a way that would allow the PRR to formulate and agree action plans for effective risk treatment.


The approach to the risk management activity was based on ISO 31000, Risk management – Principles and guidelines. Two risk assessment workshops were planned, with context preparation beforehand.

Preparation incorporated a review of relevant documentation, including annual reports, corporate plans, internal risk reporting documents and the earlier risk assessments, as well as interviews with key PRR personnel. The objectives of this preparatory work were to familiarise Broadleaf with the kinds of risks the PRR faced, to obtain agreement with PRR on key elements and criteria, and to populate an initial risk register.

Establishing the context

The stakeholders who needed to be taken into account are those that could affect the business outcomes of the PRR. They are listed in Table 1, with notes on their main objectives.

Table 1: Stakeholders




Provide relevant information and advice to the Minister

Attract exploration and development investment

Protect resources

Collect royalties

Maintain documentation of titles, leases and permits

Provide accurate geological and scientific information

Protect field officers and other staff

Protect public safety and the environment

Protect the reputation of the resource sector


Keep up-to-date on relevant issues about resources

Present a fair and equitable image to the community and industry

Protect the reputation of the province in relation to the resource sector

Attract investment to the province

Community and interest groups

Preserve the environment

Preserve traditional land ownership

Be involved in decisions through consultation

Resource industry

Make an appropriate return on investment

Operate safely

Be seen as responsible community citizens through responsible exploitation of resources

Holders of titles

Retain entitlements

Other government agencies

Maintain access to land for other uses

Preserve the environment

Renewable energy advocates

Promote renewable energy as an alternative to fossil fuels

Reduce greenhouse gas emissions

The criteria for the assessment, listed in Table 2, were based on the objectives of the stakeholders. These were used to develop scales for describing the consequences of risks.

Table 2: Criteria




Safety includes both acute (short-term) and chronic (long-term) impacts on staff, contractors, industry employees and the public

Reputation and image

Covers loss of government, industry or community support


Includes budget and revenue losses, as well as lost opportunities


Covers regulatory and approvals violations that result in inappropriate releases of material

Regulation and compliance

Includes the industry’s regard and respect for regulations

Core capabilities

Covers internal processes, systems, personnel and organisational capabilities as well as technical aspects

The key elements for structuring the assessment were based on the main functions of the PRR, with the addition of elements relating to external factors such as global and government issues and influences from external stakeholders.

Risk identification: first workshop

Risk identification focussed on risks that encompassed more than one division, risks that might require attention at the executive level, and high-level risks common to more than one division. Accordingly it provided a broad overview of high-level risks rather than going into detail for each element.

A brainstorming approach was used for identification, structured around the key elements; this generated 46 risks. At this stage the workshop participants had not seen the initial risk register developed earlier. The 63 risks in the initial register were then reviewed and added to the list, recognising there were some overlaps and duplications.

Consequences for each risk were rated using a scale linked to the criteria in Table 2, the likelihood of that level of consequence was rated on a five-point scale, and the two ratings were combined to generate a level of risk.

Risk assessment: second workshop

Collectively, 109 risks had been identified and analysed by the conclusion of the first risk workshop. The workshop participants considered that the 109 risks constituted a significant corporate risk register with an extensive breadth, but the number of risks was too large to attempt to address with an appropriate focus.

Prior to the second workshop, the risks were grouped and consolidated to a small number of ‘headline’ risks with wide scopes. The original 109 risk descriptions were retained to assist in describing the broader headline risks.

During the second workshop, the number of headline risks was reduced to six (Table 3). Each of the six headline risks had a set of risks within it, describing in more detail the relevant aspects of the major risk. At this stage the risks were reanalysed in terms of the consequence criterion most severely affected, to obtain an agreed risk priority. The results indicated priorities for the six headline risks, with priorities for each of the sub-risks within each main headline.

Table 3: Headline risks


Risk description


The PRR fails to obtain the support of government for a policy and approval framework that supports exploration and extraction activities and fails to obtain adequate funding


Inter-agency relations are inadequate to achieve support for PRR objectives


Poor communication and relations with the community and other parts of government (e.g. due to the role of the PRR being misunderstood) undermines the achievement of corporate goals


The PRR fails to meet OH&S, environmental, resource management and other policy expectations of government, other agencies, industry stakeholders and the community


Failure to form effective working relationships between key functions, and poor project management skills, lead to inadequate delivery of major project outcomes


Loss of corporate knowledge and skills due to accelerated loss of staff and inadequate documentation

Risks A, B and C are external risks, where the PRR needs to work with external parties to retain influence and financial resources. Risks D, E and F are internal risks that relate to how the PRR can improve its internal performance. Table 4 shows examples of an external (C) and an internal (E) headline risk and the detailed risks within them.

Table 4: Headline and detailed risks example


Risk description



Poor communication and relations with the community and other parts of government (e.g. role of the PRR is misunderstood) undermines the achievement of corporate goals



Inadequate communication with stakeholders especially the public and other government agencies


Lobbyists or other agencies succeed in removing part of the PRR’s jurisdiction over consents and planning


Deficiencies in legislation, particularly environmental, constrain the actions PRR can take


The PRR fails to have an adequate role in developing legislation, environmental standards and policies


The PRR fails as a regulator and as a protector of resources because a resource company fails in its duties to consult with the community, comply with conditions and meet environmental considerations


Targeted attack by special interest groups on the PRR’s environmental management practices and environmental legislation


Failure to form effective working relationships between functions and poor project management skills lead to inadequate delivery of major project outcomes



Lack of knowledge or awareness of the PRR database leads to incomplete or incorrect advice, duplication of effort, proliferation of similar databases and sub-optimal use of available information because of incomplete integration of databases


No disaster recovery plan for IT systems


Inadequate coordination of procedures between the environment unit and other internal functions and units

Of the detailed risks (below the headline level), there were six risks rated as extreme, 44 as high, and one as medium. It is evident from these numbers that only the significant risks were identified in the assessment process and that all of them need attention in terms of risk treatment.

The extreme risks were:

  • Decisions moved to other agencies due to the PRR being perceived as lacking expertise (B.5)
  • Failure to inform the Minister adequately on a major sensitive issue before an election (D.11)
  • No disaster recovery plan for IT systems (E.2)
  • Loss of corporate knowledge and skills due to accelerated loss of staff and inadequate documentation (F)
  • PRR staff numbers falling below a critical mass becomes unacceptable to government, with the result that PRR is subsumed by or merged with another government agency (F.1)
  • Loss of corporate knowledge due to a combination of loss of workforce and poor information management (e.g. records management, IT systems, lack of database integration, lack of procedures) (F.2).

Risk treatment

The assessment results indicated priorities for the six headline risks, with internal priorities for each of the individual risks within them. Processes and templates were provided to the PRR to develop risk treatment strategies and associated treatment plans that intersected or cut across functions and program areas. The agreed headline risks, and their subsets, were to be addressed at corporate level over the following 12 months.

Processes were established to allow risks, their current controls and the status of treatment plans to be monitored regularly in management meetings, to understand any increase or decrease in levels of risk as plans were implemented or as circumstances changed.

The remaining risks were assigned to business units for inclusion in their business plans.


The risk assessment described here is a combination of:

  • Bottom-up assessment, based on the risks identified in the earlier risk assessments, summarised in an initial risk register developed during the preparation activity
  • Top-down assessment in the structured brainstorming workshops.

Both approaches are valuable, and the integrated perspective taken here contributed to a risk register that was agreed to have good coverage of the main risks to the PRR.

The headline risk structure provided a useful summary for the executive team. However, it was at a very high level, and a set of only six headline risks may be too small for some organisations.

  • In this case the small number of headline risks meant that some of them contained quite disparate individual risks that were only loosely related (such as headline risk C in Table 4, for example). As a consequence, detail had to be addressed through the specific detailed risks within each headline item.
  • In contrast, we have worked with companies where a similar approach was used to group large numbers of risks from business units into sets of between 20 and 30 headline risks that formed the corporate risk registers. The larger number of headline risks in these cases meant that each was more internally coherent. This facilitated more coherent and targeted discussions amongst key decision makers and easier tracking of the status of risk treatment activities at the headline level. The detailed risks were used for detailed selection of treatment options and action planning.

The explicit search in the first workshop for cross-functional risks, those relating to more than one program or division, was a useful approach. The facilitation process was designed to encourage participants to think quite broadly about what might affect the PRR as a whole, where interactions might arise and where common matters might be important. This facilitation approach is always important when identifying risks in a corporate or organisation-wide context.

Government regulator for the resource sector
Public sector and government business
Mining and minerals processing
Oil and gas
Services included:
Risk assessment and risk treatment