Enterprise Risk Management as a Service

CLIENT'S CHALLENGE

SDP’s leadership team recognised the importance of a mature enterprise risk management function but faced several practical barriers:

  • Limited internal capacity to resource and sustain a dedicated ERM function.
  • The need for ongoing access to senior-level risk expertise that would otherwise be cost-prohibitive.
  • Difficulty keeping risk frameworks current in the face of regulatory change, governance expectations, and increasing business complexity.
  • Inconsistent risk ownership, reporting, and assurance practices across the organisation.
  • Competing operational and strategic demands on internal teams, resulting in gaps in monitoring and oversight.

The key challenge was how to maintain a leading, credible risk capability, one that met Board, regulator, and stakeholder expectations, without increasing permanent headcount or creating reliance on fragmented, short-term advisory support.

OUR APPROACH

Metropolis Advisory ERMaaS was designed as an embedded, integrated service tailored to SDP’s unique “always on” operating environment and governance context.

Embedded Partnership

Metropolis effectively acted as SDP’s enterprise risk function, working closely with the CEO, CFO, Risk Champions, and the Board. Our consultants integrated seamlessly with internal teams, building strong contextual knowledge and continuity across reporting cycles, while maintaining an independent line of sight to support effective governance and challenge.

This embedded model ensured risk management was practical, trusted, and directly connected to decision-making at both operational and strategic levels.

Senior Expertise on Demand

ERMaaS provided SDP with on-demand access to senior consultants with deep in-house and advisory experience across critical infrastructure, governance, and regulatory risk. This ensured the right expertise was available when required, whether developing and refreshing frameworks, preparing and facilitating risk assessments, supporting strategic initiatives, or advising on obligations under the SOCI Act and related regimes.

Structured and Flexible Delivery

The scope, effort, and focus of ERMaaS were flexed over time to respond to emerging priorities, such as regulatory change, critical supplier risks, and strategic reviews. This approach delivered operational efficiency and cost savings by avoiding recruitment, onboarding, and ongoing internal resourcing overheads, while ensuring continuity and responsiveness.

Integrated Assurance and Reporting

ERMaaS delivered consistent, high-quality risk and assurance reporting to the Audit & Risk Committee and the Board. This included independent challenge of risk data, integration with SOCI Act reporting requirements, and alignment with assurance activities undertaken by external auditors.

Key activities included:

  • Quarterly independent reviews of enterprise risk assessments and reporting.
  • Annual deep-dive risk workshops aligned with SDP’s strategic planning cycle.
  • Regular updates to the Risk Appetite Statement to maintain alignment with Board priorities.
  • Targeted resilience testing, including business continuity and crisis management exercises, and operator risk reviews.
  • Ongoing training and coaching for internal risk champions and new starters.

FROM OUR CLIENT

“Enterprise Risk Management as a Service has been instrumental in how we manage risk. Rather than relying on limited internal resources, we have a flexible model supported by senior experts who understand our business and operating context.
Management and the Board have confidence in the quality of our risk reporting and assurance, and we can adapt quickly to emerging and strategic priorities.”
Phillip Narezzi, CEO

VALUE-ADDS & CLIENT OUTCOMES

Through ERMaaS, SDP achieved tangible and sustained benefits:

Cost Efficiency

For the cost of a single internal FTE, SDP accessed a multidisciplinary team of senior consultants across risk, governance, resilience, and regulatory domains.

Flexibility

Resourcing was scaled to match shifting priorities, including SOCI compliance, resilience exercises, and Board-driven initiatives.

Independent Assurance

The Board gained confidence that key risks, controls, and treatments were being objectively reviewed, tested, and challenged.

Capability Uplift

Coaching, onboarding materials, and targeted training built sustainable internal ownership of risk and resilience practices.

Resilience and Preparedness

Regular business continuity and operational resilience testing, operator reviews, and integration with corporate strategy strengthened SDP’s readiness for disruption.

Strategic Alignment

Risk appetite, reporting, and assurance activities were directly linked to corporate strategy, stakeholder expectations, and long-term expansion planning.

The benefits extend well beyond compliance and reporting cycles:

  • Board Confidence: Risk information presented was concise, independent, and actionable, enabling stronger oversight and informed decision-making.
  • Cultural Shift: Risk discussions became embedded in strategic and operational planning, rather than treated as a compliance exercise.
  • Future-Proofing: ERMaaS enabled SDP to respond to regulatory change, new operating requirements, and emerging ESG expectations without expanding internal teams.
  • Sustainability: The model supported continuous improvement, with practices embedded, tested, and refined year-on-year.

At Metropolis Advisory, ERMaaS is not simply an outsourced service. It is an embedded partnership that delivers confidence, efficiency, and sustainability, enabling organisations like SDP to focus on their core mission while we safeguard their risk management foundations.