Modernising risk management in the public sector isn’t just about implementing new software—it’s about culture, strategy, and enabling better decisions. In a recent webinar, we spoke to Andy Gilroy, head of performance management (retired) at the Royal Air Force (RAF) about how they transformed their risk processes and how your organisation can learn from their experience.
What Prompted the RAF to Change Its Approach to Risk Management?
Public sector organisations face a range of challenges, including demanding stakeholders, tight budgets, and ambitious strategic targets. Defence sector organisations like the RAF face further, more intense pressures from national security considerations.
The RAF had been using a bespoke risk management system since 2007. While innovative at the time, it had become increasingly complex, costly to modify, and difficult to use. The system was flooded with data – they had over 14,500 controls – which made it challenging to prioritise resources and budgets where they were most needed.
The RAF needed to integrate its traditional risk and project management approaches to help drive strategic performance. To accomplish this, it needed to retire its obsolete system and adopt a more technologically advanced solution that could connect data and insights from across departments.
“Everyone wants to try and keep pace with a changing technological world, but the answer is not just to buy new software. A holistic approach is required to deliver change across a number of lines of activity.”
– Andy Gilroy, Royal Air Force
Gilroy stressed the importance of organisations setting a straightforward strategy and clear objectives, mapping out risk and control frameworks, and cleaning up their data. Only then can they look for the right platform to digitise and automate their risk processes and reporting outputs. Because the RAF had thoroughly mapped the foundations up front, it was able to implement an integrated approach to performance, risk and strategy.
Connecting Strategy, Performance, and Risk Data for Actionable Insights
The RAF first sought to link performance data to risk management and strategic planning, which would produce insightful data to drive better-informed decisions. Rather than treating risk as a check-the-box activity, they adopted a more thorough approach that directly tied risks and controls to strategic objectives and ongoing projects.
By clearing what Gilroy described as the “data fog” (superfluous controls, ununified views, inconsistent legacy data, etc.), the RAF could see clearer connections between operational actions, potential risks, and organisational goals. It could stop simply reacting to risks and begin continuously optimising strategy. With better visibility now established, the RAF could cultivate an agile decision-making culture capable of adapting strategies “in flight” as lessons emerged from real-world operations.
The Role of Leadership and Culture
Modern risk management succeeds only when leadership integrates it into strategic conversations to support informed decision-making. In this case, the RAF’s executive committee played an active role in shaping the risk framework, metrics, and reporting tools. This direct participation increased their confidence in the data once the system went live.
To ensure data integrity and lasting adoption, the RAF would need not only top-down buy-in, but bottom-up buy-in as well. To ensure the data remained credible, staff needed to understand how their input influenced risk decisions and why it was crucial to input data accurately. The RAF invested not only in tailored training programmes, but also in a complete cultural shift and a sense of shared risk and control ownership. In this transparent and jointly accountable atmosphere, staff feel free to report both positive and negative outcomes without fear of backlash. Data is trusted, and risk conversations are routine at every level.
Laying the Groundwork Before Software
When they undertook this journey, the RAF was keenly aware that it would be a mistake to jump straight into implementing a new risk management system. Instead, it wisely took the time to define a clear risk management strategy and thoroughly cleanse and standardise its data.
Map out a clear strategy: The RAF outlined its strategic objectives by identifying the projects, tasks, and actions necessary to deliver them. Through this process, they gained clarity on how these risks affected operational performance and where mitigation would have the greatest impact.
Cleanse and simplify data: Decades of siloed reporting meant the RAF was managing more than 14,500 individual controls across departments. Many were duplicates or outdated, making it challenging to identify and manage the most critical controls. Through a process of cleansing and corporate streamlining, they reduced this to just 900 key controls that the organisation could actively manage and link back to objectives. This step ensured the software implementation would reinforce good practice rather than simply replicating old inefficiencies.
Engage leadership on data requirements: Rather than working in isolation, the risk team engaged leadership early to understand what information the executive committee needed to make better strategic and operational decisions. These insights have shaped what data they capture and how they present it.
Codify processes: After clarifying goals, cleaning data, and aligning with leadership, the RAF codified its processes into a system to ensure consistency, enable automation, and generate insights through reports and dashboards.
This disciplined preparation yielded a framework that linked strategy, performance, and risk in a clear and repeatable manner — laying the groundwork for successful digitisation.
Choosing the Right Software to Digitise Risk Management
As it digitised its risk management, the RAF faced a critical decision: should it build another fully customised solution in-house or adopt a commercial platform and configure it to its needs?
A bespoke solution might have addressed every user requirement initially, but the RAF had learned from experience how quickly such systems can become expensive, inflexible, and difficult to maintain. On the other hand, choosing an off-the-shelf platform required some compromises, but offered the opportunity for further spiral development (continuous iterative upgrades), in addition to greater flexibility and sustainability as the organisation evolved.
“We were really faced with a key choice of either pursuing a further customised tool set that would try to nail as many of our key user requirements as possible, or choose a commercial software set that allowed us to achieve the majority of the organisational requirements at the outset. In the end, we went with a willingness to compromise on our initial configuration requirements and then work forward from there.”
– Andy Gilroy, Royal Air Force
Working with a software vendor avoided the pitfalls of being locked into a rigid, bespoke system, while still offering vital functionality such as online forms, workflows, automated reporting, and centralised dashboards to manage risk at scale as their needs matured.
Once implemented, the software made an immediate impact. Empowered by trustworthy data and enhanced reporting, the executive committee could now cut through their previous data overload and focus squarely on the risks that threatened their business objectives.
Navigating Internal Barriers to Change
The RAF also faced many change-management obstacles along its risk transformation journey, most notably stemming from staff turnover and capacity constraints. By selecting a risk management platform that was easy to use and offered workflow automation, it reduced onboarding and training while making the most effective use of staff time.
The RAF encouraged acceptance and even embrace of change by strategically selecting departmental champions to collaborate with the implementation teams. These ‘willing adopters’ helped promote widespread software adoption by ensuring that their departments’ requirements and reporting needs were seen to during the implementation. By showing how each team’s work contributed to strategic goals – and fostering a more collaborative culture – the RAF reduced friction and strengthened both leadership participation and data ownership.
Demonstrating Measurable Results
With the system in place, the RAF gained operational efficiencies and strategic success. Its strategy is now a living, trackable plan linked to key objectives. It can now access dashboards and standardised reports, providing visibility into strategic risks for cross-enterprise insight and faster escalation.
By rationalising 14,500 unique risk controls into 900 key controls, management can now allocate budget and resources to reducing risk in the most critical areas.
Staff can see how their actions impact the organisation’s objectives through dashboards, reports, and KPIs. This approach shifted conversations from managing risks reactively to proactively addressing strategic priorities, driving both cultural and behavioural change.
The RAF’s journey shows that effective risk modernisation starts with strategy and planning—clarifying objectives, cleansing and standardising data, and aligning stakeholders before digitisation begins. By taking this disciplined approach, organisations can implement technology that delivers meaningful insights, consistent metrics, and smarter, more confident decision-making.
“The executive committee started to have real confidence in the data and knew that they were making more effective decisions and resolving some of the key challenges.”
– Andy Gilroy, Royal Air Force
To learn more about how the RAF transformed their processes and risk culture, request a demo or watch the full webinar.


