How we reduced risk along the Service Design journey

Catalina Bonavia | 20 June 2023


A leading Australian university's Risk & Compliance team wanted to improve the services they provide internally. Collaborating with them, we took a holistic and people-centred approach. This not only enabled the uni to manage their risks and compliance with ease, our approach also minimised risk at each step along the journey.

It was June 2022, I was sitting in my home office and received a booking through our website system from someone to talk about a project. To be honest, this was surprising, as most of our new clients are people who have been referred to us by a previous client and they either email or call us directly. This was exciting!

A few days later Sally, the new client, and I met for the first time through a Zoom call and she told me about her challenge. She was partnering with the Risk and Compliance (R&C) team from her university to help them improve the services they provide internally.

The main issue? People leading compliance changes across the University weren’t feeling supported enough to do it properly and the same was happening with those managing and reporting risks. The Risk and Compliance team was too small to provide personalised support, and therefore they were like a duck gliding on water: Appearing calm on the surface, but actually reacting and running as fast as possible.

This was not unfamiliar to us. We worked with lots of teams that, regardless of their industry or the role they play (internal or externally focused), they just don’t have the time or resources to stop and improve their services to make their own lives as well as their customers’ lives easier. But that didn’t mean it wasn’t exciting; the challenge was big but the reward was going to be even bigger.



We took a highly collaborative approach to engage with the R&C team, their stakeholders, and their customers. This allowed us to not only understand the problem but also focus on solutions that would stick: what can be done to help this team deliver a better service in the short term, and what comes after that? How did this look like?

  • First, we facilitated a kick-off workshop with the Risk and Compliance team to understand the expectations, pain points and delight points – basically what’s working, what’s not, but very importantly, what have they tried and what did they believe customers were going to say (understanding assumptions, biases, and previous experiences is essential to change management)
  • Then we talked to their customers and stakeholders, whether they engaged with the R&C team on a regular basis or once in a blue moon. After all, this needed to work for everyone
  • We then brought those insights back to the team with a customer journey story. This allowed us to create empathy and engaged them into the next phase… designing lasting solutions!


How did we reduce risks in this step? By ensuring we saw the whole picture and ecosystem and that we were engaging with ALL the RIGHT PEOPLE. We understood the problem from different angles, hearing different needs and perspectives, not just the loud voices or one or the other side.



  • Once we knew what the problem was, we looked into what the future could look like. As my team would say, “I love a framework” and that’s what we did. We designed a very simple framework taking into consideration the complexity and frequency of those enquiries. This matrix enabled us to then design the services, but it also set up the R&C team for making their own decisions in the future
  • Using the framework, we categorised the services into 3 groups: Self-Service, Self-Service with support, and Partnership Approach
  • Then we designed the structure of those 3 service offerings. Having a similar structure across them enabled us to create consistency, regardless of the type of service or level of complexity / frequency. Why was this important? To ensure that both staff and customers knew what to expect or do next – always!


How did we reduce risks in this step?  By co-designing with those that will need to deliver the services and those that will require the services. In this case the services this team provides is not a service that people choose to use or are ‘eager’ to use. Ensuring projects are compliant and that risks are mitigated are often seen as the boring part of projects. These skills are not usually in the wheelhouse of the customers, making it essential to make it extra easy and ensuring we are talking the same language and presenting things in an intuitive way.

Co-designing and testing gives you that extra layer of involvement and refinement that is often overlooked and can make such a difference in reducing the risks of getting it wrong.


Finally, we MADE IT STICK:

Making it stick is a process that starts from the very beginning. It can’t be an afterthought (though it usually is). While we had been working on engaging stakeholders and preparing for the change at all levels, from executives to ground staff, there are certain additional steps we took to remove any implementation blockers that could arise:

  • Developed the materials and implemented those, including restructuring the intranet and creating the forms in the exact way the Service Now developers needed them. Before we left the engagement, those forms where live!
  • Creating supporting materials such as templates, change and comms plans
  • Designed an operating rhythm to create a culture of continuous improvement. When we checked in with the client a couple of weeks after, they had embedded new agenda items to their standard meetings and changed KPIs, as well as other changes that strengthened their approach to a customer-centred Risk and Compliance team


How did we reduce risk in this step? By engaging with those that needed to implement and by designing for implementation. I personally think that quite often, service designers fail to design for things to happen, not because they don’t want to, but because they are not used to how process and tech people work and therefore deliverables stay up in the air and miss key details. In this case, designing for implementation meant a couple of things for us:

  • Involving developers: what can they do? What are their capabilities? How do they usually work? What can we do to make it easier for them?
  • Involving the staff: How do we make this process easier for them? How can we make it less time-consuming? What are their needs and frustrations? How can we provide them with support so that they come onboard?
  • Involving the customers: How can we make it easier for them as well? How do they think about risk and compliance?


Overall, taking this holistic and people-centred approach enabled us to go from problem to implementation in a couple of months and make a real impact for this university that can now manage their risks and compliance with ease, and at the end of the day that means they’re protecting their students, their staff, and their community.


Need help improving your services while minimising risk? Contact us below or email us at