1. Introduction

Defence’s current approach to capability acquisition is not fit for purpose … Defence must move away from processes based around project management risk rather than strategic risk management … Mechanisms put in place to manage risk in Defence acquisitions do not serve us well in the current strategic environment. They are burdensome and misguidedly risk-averse (Houston & Smith, 2023, pp. 20, 93).

The observations of the Defence Strategic Review (DSR) cited above are the latest in a long line of similar critiques. There has been persistent criticism, from multiple sources and over a sustained period of time, regarding Defence’s ability to manage risk during capability acquisitions (Department of Defence, 2017, pp. 3, 4; Department of Defence, 2018; Kinnaird, 2003, pp. 9, 12, 48; Peever, 2015, pp. 34, 83). Since its first report in 2008, the annual reviews of the Australian National Audit Office (ANAO) into Defence major projects have consistently raised concerns relating to risk management, including failures to remediate known issues (ANAO, 2009, pp. 37–39; ANAO, 2011, p. 40; ANAO, 2014, pp. 16, 115; ANAO, 2017, pp. 25–27; ANAO, 2020, pp. 30–33). Over 15 years ago, the Pappas Review identified, as one of only two ‘major classes of risk’ for Defence procurements, the risk that ‘strategic requirements and procurement priorities are not aligned … The chief form of this risk is that … platform[s] will either not deliver or over deliver on what is required to meet strategic objectives’ (Pappas, 2009, p. 48). In 2012, a Senate Committee review into procurement procedures for Defence capital projects found risk management to be a ‘dominant issue’ requiring rectification (Department of the Senate, 2012, pp. 8, 249).

Looking to the future, the National Defence Strategy (NDS) calls for ‘simplifying and accelerating Defence’s acquisition processes to deliver capability more quickly … includ[ing] embracing greater levels of risk’ (Department of Defence, 2024c, p. 55). And the Defence Industry Development Strategy (DIDS) urges Defence to accept greater levels of risk and have an increased risk appetite in relation to capability acquisitions (Department of Defence, 2024b, pp. 20, 33, 41, 61). This paper will argue that a defining feature of Defence’s current risk management approach, and the root cause of the issues identified in multiple previous reviews including those cited above, is a mindset which drives a disconnection between project-level and strategic-level contexts, resulting in a failure to deliver meaningful capability at the right time.

Given the current and trending strategic context, the need for Defence to change how it manages acquisition risk has arguably never been more important. Will the strategic environment itself be a trigger for change? Perhaps, but Defence cannot afford to take a passive stance and allow change to be driven by increasingly bleak external circumstances. Here, I seek to answer what can be done, in the face of the multiple claims that Defence is incapable of change. Defence must actively and aggressively pursue a change in risk management mindset which will propel the cultural and procedural changes needed to address persistent concerns. I interpret a passage of the DSR on acquisition risk management to identify and then examine two opposing risk management mindsets: a project risk management mindset and a strategic risk management mindset. I argue that Defence has embodied a tactically focussed project risk management mindset. On the contrary, I then propose ways for risk managers at all levels to adopt a strategic risk management mindset to best ensure acquisition risks are managed in support of the timely delivery of relevant capability.

2. An interpretation of the DSR’s observation on acquisition risk management

Under a heading of ‘capability acquisition, risk and accountability’, the DSR noted that ‘Defence must move away from processes based around project management risk rather than strategic risk management. It must be based on minimum viable capability in the shortest possible time’ (Houston & Smith, 2023, p. 20). This observation is interpreted in the paragraphs below.

The phrase ‘project management risk’ refers to a means of managing risk which focusses on the applicable project in isolation to the broader strategic context. Risk is managed in a tactical-level vacuum. There is little or no consideration given to the operational or strategic drivers for the project, and decisions regarding risk are not weighed against broader opportunity benefits. Consequently, there is a bias towards conservatism. Risk is managed through the imposition of limitations and controls.

The phrase ‘strategic risk management’ refers to a means of managing risk with the strategic context front of mind. Risk is managed in light of the broader strategic context, not simply the localised project context. Risk to project outcomes is assessed against potential operational and strategic opportunity benefits. There is a bias towards accommodating project risk, where doing so offers a calculated opportunity benefit in the form of creating strategic advantage. The purpose of this advantage is to deliver minimum viable capability (MVC) in the shortest possible time period to support strategic objectives including deterrence and ‘impactful projection’ (Hellyer, 2022).

The phrase ‘[i]t must be based on’ in the last sentence of the DSR quote above (Houston & Smith, 2023, p. 20) means ‘risk management must be based on’. This sentence follows on immediately from the observation concerning how risk should be managed, and therefore implies the best, if not the only, way to deliver MVC in the shortest possible time is to manage risk with the strategic context in mind.

3. Examining two risk management mindsets

The two means by which risk is managed (project and strategic) do not simply constitute different processes. They are enabled by different mindsets, which cause the processes to manifest. The interpretation above allows the characteristics and results of managing risk with a project risk management mindset to be contrasted with those of a strategic risk management mindset.

3.1. The project risk management mindset

Managing risk with a project risk management mindset means the broader context is generally ignored. Risks are identified by looking only inwards and downwards into the project itself. Because risk is managed in a vacuum, the broader opportunity benefits of doing something tend to be ignored. Rather, risk is ‘managed’ by applying conservatism, limitations and controls to minimise or eliminate project risks. Options and opportunities may be constrained by deliberately prohibiting or limiting the undertaking of things. This approach means it is not likely that strategic advantage can be created. It follows that a project management mindset will be unlikely to deliver MVC in the shortest possible time.[1]

If a project risk management mindset is adopted, the primary focus for managers is to control hazards to project cost, scope and schedule. This means, for example, a tendency to define very prescriptively the full scope of materiel capability being delivered so that project cost and schedule can be estimated with apparent precision. Uncertainty is viewed as a hazard. Managers will likely seek to demonstrate they have control over uncertainty by showing they can deliver project outcomes to a defined budget and schedule. This mindset prevents consideration of the broader context, such as whether or not such certainty of outcomes at an early stage of the project life is strategically wise. Managers are unlikely to be concerned with whether the capability being delivered is fit for purpose towards the end of the project’s life. Further, managers are predisposed to ignore the wealth of research, and Defence acquisition experience, that shows cost and schedule forecasts are likely to be flawed, perhaps deeply flawed, because of inherent biases such as the misplaced belief that future events can be predicted and controlled with precision and accuracy (Bernstein, 1996; Kahneman, 2012; Taleb, 2008; Williams, 2012). Instead, the focus in and down on project risk and the significant effort expended in estimating project cost, scope and schedule likely reinforce the sense of confidence in the accuracy and correctness of estimates. Finally, because project risk is not linked to its operational and strategic context, managers are unable to identify the opportunity benefits of taking a calculated risk to create strategic advantage. Under the project risk management mindset, even if project-level objectives such as budget and schedule are achieved, the delivery of an MVC in the shortest possible time is likely to be compromised.

While Defence may not like to admit it, the DSR makes clear that the system that drives acquisition risk management decision-making is firmly entrenched in a tactically focussed, risk-averse project risk management mindset. This begs the question ‘why?’ The DSR does not provide an answer; however, it would be a serious misjudgement to assume that the root cause relates to individual risk managers themselves. Defence attracts highly competent people and provides them with high-quality professionalisation and training opportunities. The real cause is likely related to the nature of the military organisation itself. Several studies have identified that Western military institutions favour highly disciplined, structured processes; seek precise solutions driven by quantitative rather than qualitative inputs; and strive to control the environment through elaborate governance and reporting mechanisms and a deference to rank and positional status (Cohen & Gooch, 2006; Laloux, 2014; Mansoor & Murray, 2019; Wong & Gerras, 2015). Ignoring the inherent falsehoods of these approaches when applied to complex or chaotic environments (which, paradoxically, are precisely the environments that the military is immersed in), it is self-evident that these attributes will drive a reductionist ‘inwards and downwards’ approach to identifying risk; ignore the unquantifiable complexity of the broader environment; avoid risk and uncertainty through the imposition of constraints and controls; and become naturally self-censoring even when weaknesses in the risk management approach are known by risk managers. Further, the organisation may attract and, once recruited, reward individuals who are motivated towards and perpetuate entrenched behaviours (Dixon, 1994). Finally, like other bureaucratic organisations, the military will resist change where it requires the relinquishment of power and control, or reduces stability (Heifetz et al., 2009, pp. 17–18; Laloux, 2014, pp. 18–23, 36; McChrystal et al., 2015; Schmidt, 2000). Change is viewed as a threat, and it translates very naturally to the project risk management mindset which views uncertainty as a hazard. The obvious conclusion is that adopting a strategic management mindset will be resisted not because it is an inferior approach but because it threatens the foundations of the system itself, even if those foundations are inherently unsound. Practical ways to address these issues are discussed later in this paper.

3.2. The strategic risk management mindset

Managing risk with a strategic risk management mindset means the strategic environment is accounted for by looking outwards and upwards into the strategic realm. This enables the identification of potentially significant opportunity benefits through doing things. Risk is managed by reducing conservatism, limitations and controls, which may increase project-level risk where a deliberate decision is made to accommodate a strategic opportunity. Under a strategic risk management mindset, creation of strategic advantage is more likely because project risk is weighed against strategic reward, and opportunities are pursued where doing so is judged to represent an optimum balance in overall risk versus reward. This mindset will be more likely to deliver an MVC in the shortest possible time.

If a strategic risk management mindset is adopted, managers focus on both project-level and strategic contexts and recognise that the former must be informed by the latter. Managers may identify, for example, that a dynamic strategic environment exists in which capability needs should evolve in response to both swiftly advancing adversary capabilities and rapidly evolving technology. In this case, managers would recognise that capability needs and solutions may change quickly, and in ways not able to be predicted. At the project level, this means that defining prescriptively the full scope of materiel capability up front is counterproductive, because there is a higher risk of delivering obsolete capability. Certainty is viewed as a hazard. Managers will accept that project cost, scope and schedule must be defined to some degree to allow for investment decisions to be made. They will, however, limit such definition to enable flexibility in decision-making as the project executes. Managers will seek to demonstrate they can adapt capability outcomes to the evolving strategic environment, thereby creating strategic advantage. While this necessitates the acceptance of risk relating to project cost, scope and schedule, managers will recognise that if such risk is realised they can, for example, trade scope to deliver more meaningful capabilities in response to emerging technology or adversary capabilities, bring forward funding from future years to capitalise on short term procurement opportunities, or hand back funds unable to be committed or expended. Managers recognise the risk relating to cost, scope and schedule is worth taking because there is greater, strategic risk associated with delivering late or obsolete capability. By retaining flexible capability delivery, managers are more likely to realise strategic opportunity through delivering MVC in the shortest possible time.

4. Embodying the strategic risk management mindset

How does Defence evolve to embody the strategic risk management mindset called out by the DSR, noting the potential for systemic resistance? First, there must be an acceptance that the root problem is mindset, not process. Often, organisational change is attempted by changing process or structure, probably because they are relatively simple to do, and also because they can be easily exhibited as changes for apparent good. A more cynical, but equally credible, argument is that changes to process and structure are pursued because they can be enacted in ways that do not disrupt the ingrained mindset and culture which serves senior leadership (Zweibelson, 2015). The First Principles Review into Defence identified that ‘there have been over 35 significant reviews and many more supplementary reviews of Defence’ since 1973, but that the ‘consistent and recurring themes’ identified by these reviews focussed on procedural and structural factors such as ambiguity in roles and responsibilities, inadequate governance and performance monitoring, and poor planning (Peever, 2015, pp. 13–14, 91–92). While these themes are important, it is clear the multitude of reviews into Defence have not identified mindset as the most fundamental driver of organisational change. The problem is that undertaken in isolation, structural or procedural changes are among the least effective methods to institutionalise lasting change. While changing mindset is both harder to do and less directly observable, it can create far more fundamental and longer lasting change in organisations (Kotter, 1995; Murphy, 2022; Rinne, 2023). Cultural, structural and procedural changes then follow organically.

Defence must place more emphasis on identifying and rewarding traits associated with the strategic management mindset when recruiting and promoting risk managers. Defence requires risk managers who are naturally strategic as opposed to tactical in their outlook, and leaders who are calculated revisionists. Leaders and risk managers must be able to cope with complexity but recognise that focussing in and down on the minutiae will draw their attention in the wrong direction. Defence needs risk management professionals who have a more open-minded, optimistic and less risk-averse predisposition so that strategic opportunity can be pursued. These traits conform to Isaiah Berlin’s prototypical ‘fox’ who ‘knows many things’ and ‘accepts that he can only know many things … the unity of reality must escape his grasp’, rather than the ‘hedgehog’ who ‘will not make peace with the world. He … cannot accept that he knows only many things. He seeks to know one big thing [that] give[s] reality a unifying shape’ (Berlin, 2013, pp. ix-xi, 2–3).

The association between foxes and good risk management is grounded in research which suggests that hedgehogs are more conservative, pessimistic, closed-minded and risk-averse, while also more likely to be overconfident in their own abilities. This means they are more likely than foxes to suffer from availability bias, denominator neglect and loss aversion, all of which tend to induce an in and down approach to risk management. In contrast to hedgehogs, foxes are more likely to ‘think the right way’ and hence ‘get decisions right’ (Kahneman, 2012, pp. 137–145, 283–286, 328–331; Tetlock, 2006, pp. 2, 7–23). It is also likely that hedgehogs focus on reducing risk rather than seeking opportunity through their fondness of what economist John Kenneth Galbraith termed ‘the conventional wisdom’. This concept describes the predisposition of certain individuals to seek the safety and comfort of the status quo in thought and action. In doing so, they sacrifice opportunities for ‘acceptable ideas’ which are always based on what is best understood and hence most familiar. The fundamental problem with this approach is that acceptable ideas have great stability, but they neither describe the world as it actually is nor do they apply to a world that constantly changes:

the conventional wisdom accommodates itself not to the world that it is meant to interpret, but to the audience’s view of the world. Since the latter remains with the comfortable and the familiar, while the world moves on, the conventional wisdom is always in danger of obsolescence (Galbraith, 1998, p. 11).

In the context of risk management, the obvious problem with a mindset driven by the conventional wisdom is that strategic opportunities, unfamiliar by their very nature, will be avoided. In addition, actions taken to manage risk may also be flawed, because the strategic context always changes. Berlin’s work implies foxes are less prone to favouring the conventional wisdom. Seminal literature on judgement and forecasting offers a range of cognitive tests that can be used to identify the fox-like traits more conducive to strategic risk management (Tetlock, 2006; Tetlock & Gardner, 2016). Cognitive testing could be adopted to aid selection of risk managers in a manner similar to the testing undertaken to select aircrew candidates. Defence could also lobby professional bodies like the Australian Institute of Project Management to include such tests for Defence personnel seeking risk management accreditation, and then identify this tailored accreditation as a desirable or essential prerequisite for specified risk management roles. Defence could also include testing as part of internal professionalisation programs for risk managers.

The mindset held by senior leaders is most important because they have the ability to shape the mindset of individuals below them and hence the culture of their organisations writ large. If senior leaders hold a project risk management mindset, it will be difficult to create a culture in which subordinates embody a strategic risk management mindset because the former will impose constraints preventing the latter thriving. To enable change, the current promotion system could be amended to reflect the value of a strategic risk management mindset by requiring performance reports to provide evidence of the mindset in action, including specific examples where calculated risks have been taken in pursuit of opportunities for strategic advantage. Leadership roles in acquisition projects should be filled not simply based on project management skills and experience, but on strategic acumen and a demonstrated understanding of how current strategic issues apply to Defence capability acquisitions. Senior leadership positions within acquisition projects are typically filled by engineers. Opening these positions to other specialisations would provide a diversity of mindset to challenge traditional, conservative risk management practices.

To assist changing the mindset of risk managers and senior leaders, current training programs could be adapted to focus on the importance of a strategic risk management mindset. Risk management training should begin by exploring contemporary strategic issues and emphasise that these issues must be accounted for in acquisition risk management. Professional military education programs which expose risk managers at all levels to strategic issues affecting Defence acquisitions should be encouraged and rewarded. Defence personnel eligible to post to acquisition projects after courses such as the Australian Command and Staff Course, the Capability and Technology Management Program and the Defence and Strategic Studies Course could be allocated a major research project relating to the study of risk management and the importance of taking a strategic perspective as part of their studies. To further support senior leaders making the transition from a project to a strategic risk management mindset, and avoid the pitfalls of decisions made on the basis of the ‘highest paid person’s opinion’ (HIPPO) (Marr, 2017), controls could be introduced to inoculate against risk adversity and escalated decision making. For example, similar to Defence Chief of Service (O9 level) letters provided to O5(E) and O6(E) Commanders, Heads of Defence acquisition organisations[2] could provide letters to key project leadership positions at O5(E) and O6(E) levels, encouraging them to manage risk with a strategic risk management mindset and providing them explicit authority to make certain specified decisions. These letters should be complemented by letters to more senior executives at O7(E) and O8(E) levels, expressly prohibiting them from making decisions in the same areas. This initiative does not disempower senior leaders in any way because leadership relates to influence, not the giving of orders. Rather, it would help prevent any tendency of senior leaders to feel compelled to focus in and down to manage project risk, and it would allow them to focus on their primary responsibility of establishing and maintaining an environment which enables their subordinate project staff to succeed.

Arguably, the healthy mindset and culture underpinning Defence’s health and safety risk management framework has become counterproductive in capability acquisition, having been adopted to manage non-safety related risks. While Defence has a moral and legal duty to ensure risks to the health and safety of personnel are eliminated or otherwise minimised So Far As Reasonably Practicable (SFARP) (Department of Defence, 2021b; Department of Defence, 2022b), many project acquisition risks do not relate to safety and hence the ‘eliminate or reduce SFARP’ obligation does not strictly apply. Defence has rightly embodied James Reason’s concept of ‘chronic unease’ (‘wariness to risk’) in the safety environment (Fruhen et al., 2013; Reason, 2016). However, in the acquisition risk management environment, Defence should adopt a complementary concept that could be described as ‘attentive optimism’ (alertness to opportunity). Doing so will ensure risk management is viewed as the means to evaluate both risk and reward, enabling MVC to be delivered in the shortest possible time. Adopting this approach will also address the inherent paradoxes of risk management which go unnoticed if the inwards and downwards project risk management mindset is adopted. These paradoxes include that controls focussed only on enhancing the safety of a system can also bring about its destruction; drives to decrease safety risk can actually increase it by encouraging new risks to be taken; and adapting to the environment, rather than consistency, can treat risks most effectively (Adams, 1995; Bernstein, 1996, pp. 335–336; Reason, 2010).

Little change is needed in terms of policy. For example, the risk management policy of Defence’s principal acquisition organisation (Capability Acquisition and Sustainment Group [CASG]) already reflects best practice as articulated by the International Organization for Standardization (ISO) 31000:2018 risk management standard (Department of Defence, 2021a). At an operating level, CASG policy requires the risk context to be established, including identification of ‘the strategic, internal and external[3] contexts within which risk management activities are undertaken’ (Department of Defence, 2021a). The problem is simply that those with a project risk management mindset will not likely identify external (strategic) factors as part of the identified context: almost by definition, individuals with a project risk management mindset will assume no relevant ‘context’ outside the project itself exists. Once a strategic risk management mindset is adopted, this problem evaporates. Only two important gaps between CASG policy and the ISO standard require closing. The first is that during the risk identification step, ISO 31000 is explicit that both risks and opportunities should be identified (ISO, 2018, p. 11), whereas CASG policy focusses only on risk. The second is that during the risk treatment step, International Organization for Standardization (ISO) 31000 (Risk management – ISO) recommends consideration of ‘taking or increasing the risk in order to pursue an opportunity’ (ISO, 2018, p. 13). CASG policy is silent on any kind of risk–reward calculation. These considerations should be embodied in CASG policy in support of managers adopting a strategic risk management mindset, and ensuring project risk is weighed against strategic opportunity.

CASG risk management policy guidance (Department of Defence, 2022a) is also generally appropriate, but should be amended to include explanatory information on the two mindsets explored in this paper, and that best practice risk management can only be undertaken by adopting a strategic risk management mindset which accounts for both risk and opportunity. The definition of ‘risk’ itself should also be better explained. While CASG defines ‘risk’ identically to the ISO 31000 standard, the former does not adopt the latter’s acknowledgement of the relationship between risk and opportunity, as part of a note immediately following the definition of risk: ‘[i]t can be positive, negative, or both, and can address, create or result in opportunities and threats’ (ISO, 2018, p. 1). To further assist risk management practitioners, CASG policy guidance should be updated to discuss how to identify relevant strategic factors during the context establishment step, and how to undertake an opportunity–benefit analysis as part of the risk analysis, evaluation and treatment steps through which options and opportunities to achieve strategic advantage can be explored. Finally, the problematic traits of hedgehogs (identified previously) should be described, with guidance on how to establish testing and procedural rules which guard against these human traits, for example the construction of ‘broad frames’ to avoid loss aversion (Kahneman, 2012, pp. 334–341).

The necessary changes at the procedural level will follow once a strategic risk management mindset is adopted. Consistent with current CASG policy, the current tool (Predict![4]) used by CASG to manage risk supports a project risk management mindset by identifying only the requirement to evaluate ‘the seriousness of the consequences (impacts) should the risk event occur’, rather than also assessing the value of potential opportunities should they be realised (Department of Defence, 2021a). This is reinforced by requiring controls to be identified and their effect on risk measured. There is no requirement whatsoever to consider opportunities and undertake trade-off studies between risk and reward (Department of Defence, 2021a). To facilitate a strategic risk management mindset, a set of questions could be introduced into Predict!, such as ‘what strategic context relates to the specific risk?’; ‘how could eliminating or minimising the risk through imposing controls affect the creation of strategic advantage?’; ‘what opportunities exist through which risk could be retained in a calculated manner, in order to achieve strategic advantage?’; ‘how does the opportunity benefit analysis affect risk management options?’; ‘do risk management controls delay MVC being delivered and if so, are they justifiable?’; and ‘what strategic risks could be realised if MVC is not delivered in the shortest possible time?’[5]

Other, complementary procedural activities could be undertaken in support of embodying a strategic risk management mindset within Defence acquisition projects. For example, while good communication and collaboration often occurs between CASG as a delivery organisation and representatives from the Capability Manager (e.g., the three Defence Services), CASG risk management activities themselves do not always involve direct input from operators who may have a broader contextual perspective on managing risk. Operators should be involved in risk management activities, including the risk assessment process prescribed in Predict! As part of the CASG Balanced Matrix,[6] Functions could be charged with promoting the strategic risk management mindset, professionalising the CASG workforce to enable adoption of the mindset, and developing supporting policy and procedures. Finally, governance and assurance mechanisms including CASG Independent Assurance Reviews and Contestability Division could be tasked with ensuring risk managers adopt a strategic risk management mindset and that CASG culture supports managing risk to enable MVC in the shortest possible time.

5. Conclusion

This paper has examined two risk management mindsets. While the paper takes a critical view of Defence’s current project risk management mindset, the more important message is one of optimism and opportunity. If Defence adopts a strategic risk management mindset in which acquisition risks are managed with reference to the broader strategic context, it can more easily work to achieve the recommendations of the DSR and NDS and deliver MVC in the shortest possible time. It is important to recognise that there are complicating factors within the strategic context, some of which Defence does not control. Defence acquisition projects are often highly complex undertakings, meaning that risk management is by nature difficult, akin more to an art than a science (Bennett, 2010; Helmsman, 2009). Furthermore, because Defence projects are often high cost, long duration and high profile, there will necessarily be limitations on how far calculated risks can be taken before bureaucratic and political influences impose constraints. Nevertheless, the DSR’s observations about acquisition risk management are clear, and have been reiterated in more recent policy including the NDS and DIDS. These strategic papers are clearly reflective of Australia’s current strategic environment, and Defence can and should do more to balance its ingrained aversion to risk by adopting a mindset that evaluates calculated risk taking against potential strategic rewards. Adopting a strategic risk management mindset is the key to that endeavour. While this article focusses on acquisition risk management, the principles articulated can be applied to managing Defence’s business more generally, especially in removing management processes which stifle or slow down Defence activities and work against the delivery of effective outcomes. For example, the Defence Culture Leadership Companion recognises Defence must undergo ‘significant improvement’ in ‘streamlining and reforming the current … systems of governance, decision-making, and management’ and ensure leaders embody a ‘mindset … [of] letting go of existing or long-standing practices and habits and being the person who has traditionally known “everything”’ (Department of Defence, 2024a, pp. 67–68). The need for a strategic risk management mindset applies even to the most fundamental Defence activities. As a raft of influential literature has acknowledged, defence planning itself is all about risk management (Frühling, 2016; Gray, 2014; Houston & Smith, 2023, p. 50).


  1. In some domains, Defence is seeking to introduce risk management activity at a ‘Program’ level, that is, for a logical grouping of several projects. This initiative will not resolve the problems identified in this paper for two reasons. Firstly, it will not eliminate the need to manage risk at the project level (this will ‘feed’ the program level risk management activity). Secondly, it does nothing to resolve the mindset required to manage risk with the strategic context in mind.

  2. These positions are also typically staffed at the O9(or Equivalent) level.

  3. Emphasis added by the author.

  4. Predict! is a Risk Management software developed by Risk Decisions (https://www.riskdecisions.com/)

  5. These questions are examples only. A larger set should be constructed to assist managers, comprising both open and closed questions to balance the need for descriptive responses (which require additional effort) and yes/no answers which aim to provoke thought and prompt respondents to apply the right mindset.

  6. The CASG Balanced Matrix is an organisational structure that allocates all members of the CASG workforce into business and functional lines. The business lines, known as ‘Domains’, are responsible for delivering capability. The functional lines, known as ‘Functions’, enable capability by connecting individuals to professional communities specialising in one function/discipline. All CASG staff belong to both a Domain and a Function.