Risk frameworks your auditor will recognise — and your supervisors will actually use.

We build practical enterprise risk systems aligned to ISO 31000: register, controls, treatment plans, and the audits that prove they’re working. Written in plain English so your operations team and your board can read the same document.

Risk management consulting

Why this matters

Most risk registers fail at the same point.

The framework looks impressive on paper. The register is colour-coded. The board signs off. Then nothing changes on the ground because the people running the controls don’t know they exist, or were never shown how to use them.

Queon designs risk systems backwards from that failure point. We start with the supervisor or front-line manager who has to actually do the work, then build the register, controls and reporting around what they can realistically maintain. The result is a system that survives an audit because it’s real, not because it looks tidy.

What you’ll receive

Four deliverables, tailored to your organisation.

01

Enterprise risk strategy

A written risk strategy aligned to your organisational objectives, board appetite and regulatory environment.

  • Risk appetite statement

  • Governance structure and reporting lines

  • Annual risk calendar

  • Board-ready summary deck

02

Risk register design and review

A working register that reflects how your operation actually runs — not a template lifted from somewhere else.

  • Risk identification workshops with your team

  • Likelihood and consequence calibration

  • Risk owner assignment and escalation paths

  • Quarterly review templates

03

Treatment plans and controls

For each material risk, a documented treatment plan with controls assigned to named owners and tested for effectiveness.

  • Control design and documentation

  • Owner accountability matrix

  • Testing schedule and evidence requirements

  • Residual risk reporting

04

Internal risk audits

Independent reviews of how your risk system is performing — and what to fix before an external audit finds it.

  • Pre-audit readiness reviews

  • Control effectiveness testing

  • Findings report with prioritised remediations

  • Follow-up review at six months

Standards we work to

Recognised frameworks, applied with judgement.

We’re fluent in the standards your regulators reference. We don’t bolt them on as decoration; we use what fits.

PRIMARY

ISO 31000:2018

The international standard for risk management. The backbone of every framework we design.

SECTOR SPECIFIC

AS/NZS standards

Where Australian and joint AU/NZ standards apply — WHS, quality, information security — we map them in.

REGULATORY

ASQA, NDIS, councils

For regulated sectors, frameworks are calibrated to the audits and assessments you actually face.

How long does a risk engagement typically take?

For a register and treatment plan in a mid-sized organisation, allow four to eight weeks of part-time engagement. A full enterprise framework with audit support runs three to four months. We give you a fixed timeline in the proposal — if we miss it, that’s on us.

Do we need to be ISO-certified for this to be useful?

No. Most of our clients aren’t pursuing certification. We use ISO 31000 because it’s the most widely recognised framework, but the deliverables work whether you’re seeking certification, preparing for a regulatory audit, or simply want a system that holds up if something goes wrong.

How is your work priced?

Fixed fee, agreed in writing before any work starts. We don’t bill by the hour for scoped engagements because it puts our incentives in the wrong place. For ongoing advisory or audit work, we offer monthly retainers.

Will we end up with documents we can actually maintain?

Yes — that’s the entire point. Every register, plan and procedure is designed to be updated by your team, not by us. We’ll train the people who’ll own each document before we leave, and we’re available for a light-touch review at six and twelve months.

Do you work on site, remotely, or both?

Both. Workshops, interviews and audits work better in person. Drafting, reviews and follow-ups are usually faster online. We’ll propose the mix that suits your team.

What if we just need a one-off audit, not a full engagement?

We do that often. A pre-audit readiness review or a control effectiveness audit is usually a two- to three-week engagement with a written findings report at the end. Get in touch and we’ll scope it.

Frequently asked questions

Most risk work needs training to land.

Closely related

A control without trained people is a finding waiting to happen. See how Queon’s training practice supports every risk engagement.

A 30-minute conversation, no obligation

Tell us what you’re carrying. We’ll tell you whether we can help — honestly — and what a sensible engagement would look like.

Talk to us