CyberCX has warned Australian organisations that advanced Artificial Intelligence (AI) tools such as Anthropic’s Claude Mythos Preview could sharply accelerate the discovery and exploitation of software vulnerabilities. The concern is not only that AI may find flaws faster. It is that AI can potentially connect weaknesses, map pathways and turn small control gaps into larger exposure at a speed many organisations are not ready to match. CyberCX’s warning was that organisations should not wait for access to defensive AI as a “silver bullet”, because similar capabilities may soon be available more broadly, including to criminals.

For boards and management teams, the deeper issue is not the technology headline. It is whether the organisation can clearly evidence how it understands its systems, suppliers, critical processes, data pathways, control environment and escalation triggers.

Transparency and clarity are not optional

Australia’s largest cybersecurity firm has issued an urgent warning about a powerful new artificial intelligence tool that can find and exploit flaws in software at unprecedented speed and scale, and which experts fear could trigger the next wave of major data breaches. CyberCX told Australian businesses, banks and infrastructure operators they had a closing window to shore up their defences before the technology, or copies of it, reach the hands of criminals.

For business leaders, the danger is rarely only the visible event. The deeper issue is where software vulnerability resides with the ever changing threat landscape and what this reveals about ownership, dependency mapping, control design, escalation, communication and assurance.

Risk management is about ‘eyes wide open’ and knowing with full clarity your processes and business activities

The risk is rarely only the visible incident. The bigger issue is often what the incident reveals.

These questions are not technical detail for someone else. They are core governance questions.

Risk management should be about operating with eyes wide open. That means knowing, with practical clarity, the processes, systems, suppliers and business activities that matter most — and understanding what sits behind each entry point into the organisation.

A mature organisation should be able to explain not only what systems it has, but why they matter, what they connect to, who owns them, how they are monitored and how quickly decisions can be made when the threat environment changes.

The assurance gap leaders need to see

Traditional assurance cycles often move quarterly, half-yearly or annually. AI-enabled threats may move in hours or days. That gap matters.

The board question is not simply, “Are we secure?”

A better question is:

This is where many organisations discover the difference between activity and maturity.

A policy is activity.
A dashboard is activity.
A committee is activity.
A checklist is activity.

Maturity is being able to show clear ownership, tested controls, current dependency mapping, timely escalation, practical assurance and management decisions based on evidence rather than assumption.

Practical test for Risk Teams

Risk teams should avoid becoming the group that only says, “be careful.”

The stronger role is to help the organisation take better risk by turning uncertainty into better questions, better evidence and better decisions.

For this event, risk teams should consider asking:

• Can we map the business process behind each critical system?
• Not just the application name, but the service, data, supplier, user group and business outcome it supports. Do we know where external entry points exist?
• APIs, portals, cloud platforms, third parties, shared services, identity pathways and remote access arrangements. Do we have clear ownership across the full chain?
• Business, technology, cyber, procurement, legal, compliance, risk, suppliers and executive decision-makers. Do our monitoring triggers change when the external threat environment changes?
• A new AI capability, new exploit pattern, supplier issue or regulator warning should trigger more than passive awareness. Can assurance test the real-world outcome?
• Not only whether a control is designed, but whether it works under pressure and across handoffs.

Understanding your maturity

The real maturity test is not whether the organisation has a cyber framework. Most do.

For this type of AI-driven threat, maturity should be assessed.

Assurance that matters

The continual evolution of AI and its integration into key systems should change the assurance conversation.

Boards and executives should ask:

• What assurance work would identify where a “door could be opened” from outside the organisation?
• Are we testing design, operating effectiveness and real-world outcomes?
• Are supplier and technology dependencies tested deeply enough?
• What evidence should be added to the assurance plan because AI has changed the threat speed?
• Is management comfort based on current evidence or historical confidence?

If assurance cannot keep pace with material changes in threat, technology and dependency, it becomes a comfort mechanism rather than a decision tool.

Failure Signal to Control Evidence

alue-adding risk management starts with a signal.

A warning from CyberCX.
A vulnerability alert.
A supplier incident.
A regulator concern.
A change in AI capability.
A near miss.
A failed control test.

The question is whether the organisation can convert that signal into action.

Leaders should ask:

• What are the earliest visible warning signs?
• Which controls would detect, prevent or escalate the issue?
• What evidence shows those controls are working?
• Who sees the signal first?
• Who decides whether the issue is material?
• How quickly can the organisation act?
• Is management comfort based on evidence or assumption?

Ownership Across the Chain

Many failures do not occur because no one cared.

They occur because ownership was blurred.

Business teams assumed technology owned the issue.
Technology assumed cyber owned the risk.
Cyber assumed procurement owned the supplier.
Procurement assumed legal reviewed the contract.
Risk assumed the business owned the control.
Executives received the issue only after the window to act had narrowed.

That is the messy middle where operational resilience is often tested.

Boards and management should ask:

• Who owns the outcome end to end?
• Where are the handoffs or blurred accountabilities?
• Which forums have authority to intervene quickly?
• What decisions can be made without waiting for the next committee cycle?
• Would a clearer RACI or decision-right model improve responsiveness?

What a maturity assessment could show

A useful risk maturity assessment should not simply ask whether a framework exists. It should help leaders explore whether the organisation can evidence how risk is understood, governed, challenged and acted on across the lifecycle.

Having policies, committees and checklists is useful. But the better test is whether the organisation can show consistent decisions, clear ownership, practical controls, current evidence and enough challenge to support confidence.

The risk management question

he lesson is not “AI is dangerous.”

The better lesson is that AI is changing the speed, scale and complexity of risk events. That means organisations need stronger maturity in ownership, dependency mapping, assurance, escalation and responsiveness.

Boards and executives should not wait for the next incident to ask these questions.

They should ask now:

Can our organisation evidence how it responds to events like this, particularly in the age of AI?

Innovation of Risk provides risk maturity and assessment tools to help organisations have better internal risk, governance and assurance discussions. This post is general information only and is not legal, regulatory, audit or professional advice.

The post The world is changing at a rapid speed. Is your organisation mature enough to respond? appeared first on Innovation of Risk.

Why it matters in plain English is that a cyber event can become a trust event very quickly. If people do not know who is responsible, how to complain, or what happens next, the organisation may end up dealing with avoidable escalation, confusion and reputational damage.

Two simple questions are worth asking:

Boards and executives should want assurance on notification pathways, complaint triage, contractual obligations, regulatory contacts and response timeframes. They should also want to know whether the organisation’s obligations change depending on whether it is covered by the Privacy Act, a state privacy regime, or both.

Risk managers play a critical role here. They connect cyber, privacy, legal, communications and operational teams so the response is coordinated rather than reactive. They should be testing the quality of evidence, the strength of escalation ownership, and whether lessons from incidents are feeding back into controls and governance.

The practical next steps are clear: review your incident playbooks, map third-party dependencies, test complaint handling, and lift the maturity of your evidence and reporting. If you cannot show who did what, when, and why, you have a governance gap as well as a cyber gap.

Innovation of Risk helps organisations do exactly that through maturity assessments, AI-enabled risk tools and targeted consulting support. The focus is on identifying gaps quickly, sharpening board-ready reporting, and prioritising uplift where it will reduce risk fastest without defaulting immediately to a large consulting program.

Clear signal:

vendor cyber incidents are now a test of privacy readiness, not just technical resilience.

The post Regulator statement lifts the bar on privacy response readiness appeared first on Innovation of Risk.

AI is no longer just a tool that waits for a human to type a prompt. Increasingly, AI systems can take action: retrieve information, trigger workflows, draft responses, analyse data, interact with systems, call APIs, and even make decisions. These are often described as AI agents, systems that can perform tasks with a degree of autonomy on behalf of a person, team, function or organisation.

In the past, most organisations managed identity risk by focusing on people: employees, contractors, administrators and privileged users. But AI changes that. An AI agent may operate through a service account, a bot account, a third-party platform, an integration, or an automated workflow. It may not look like a person, but it can still access data, influence decisions, create records, trigger actions and affect customers.

That is non-human identity risk.

The real issue is leadership

The practical issue is visibility.

Why transparency and ethics sit at the centre

AI ethics is often discussed in broad terms: fairness, accountability, privacy, explainability and human oversight.

Those principles only become real when the organisation can see what is happening.

Transparency allows leaders to ask the right ethical questions:

• Are customers aware AI influences this process?
• Could the AI produce unfair, misleading or harmful outcomes?
• Does a human remain accountable for the decision?
• Is the organisation using customer, employee or sensitive data in a way people would reasonably expect?
• Can the organisation explain the outcome if challenged?
• Can it prove who or what accessed the data?
• Can it stop the AI-enabled process quickly if something goes wrong?

What business leaders should challenge

Business leaders do not need to become data scientists. But they do need to ask better questions.

They should challenge whether AI use is connected to business outcomes, customer impact, accountability and evidence.

Key questions include:

• Which AI use cases are currently active, including those embedded in third-party platforms?
• Which of those use AI agents, automated workflows, bots, service accounts or other non-human identities?
• Who owns the use case after it moves from trial to business-as-usual?
• What data, systems and decisions can the AI-enabled process access or influence?
• What would make the use case unacceptable, even if it improves efficiency?
• How would the organisation know if the AI-enabled process started producing poor, unfair, inaccurate or unreliable outcomes?
• What changes if the AI capability sits inside a vendor platform rather than an internally built tool?
• Who can pause, change or retire the use case if the risk profile changes?

What risk managers should evidence

Risk managers should avoid becoming the team that only says “be careful”.

The stronger role is to help the organisation take better risk.

That means turning AI governance into practical evidence that supports decision-making.

Risk managers should be able to evidence:

• a current inventory of AI use cases, including material third-party AI capabilities;
• identification of AI agents, bots, service accounts, integrations and other non-human identities connected to AI-enabled processes;
• clear criteria for materiality, customer impact, operational dependency and risk level;
• approval, challenge and risk acceptance at the right level;
• controls tailored to the use case, not generic statements about responsible AI;
• access controls, logging and monitoring for non-human identities;
• review triggers when models, vendors, data, permissions, use cases or operating conditions change;
• assurance activity that tests whether the governance process works in practice.

AI governance and decision rights

Risk assessment, testing and assurance

Data, privacy, security and technology controls

The final question…

Can your organisation evidence how AI agents and non-human identity risk are identified, assessed, approved, monitored and challenged across the lifecycle — including where AI is embedded inside third-party platforms?

If not, the issue is not just AI risk.

It is a transparency, accountability and ethics risk hiding in plain sight.

Innovation of Risk provides AI maturity and risk assessment tools to help organisations have better internal risk, governance and assurance discussions. This post is general information only and is not legal, regulatory, audit or professional advice.

The post AI Agents, Non-Human Identity Risk, and the Transparency Problem Leaders Cannot Ignore appeared first on Innovation of Risk.

The 30-second take

Shadow AI and uncontrolled staff usage is not a narrow technology issue. It is a leadership test of whether the organisation can connect AI use to decisions, customers, operations and accountability.

Why this matters

Shadow AI and uncontrolled staff usage is not just another AI governance label. It is a practical test of whether leaders can see how AI is changing decisions, accountabilities, customer outcomes, operational dependencies and assurance expectations.

Current AI governance and assurance signals continue to point in the same direction: organisations are expected to move from broad principles to practical evidence of how AI is identified, assessed, approved, monitored and challenged. One source monitored for this post reinforces that shift.

For business leaders, the danger is not simply that AI creates new risks. The danger is that AI changes existing risks quietly. Customer fairness, privacy, cyber security, operational resilience, outsourcing, model risk, conduct, records management, accountability and assurance can all be affected before the organisation has named the use case as an AI use case.

AI risk management is not about protecting the organisation from progress. It is about helping the organisation use progress well.

The real issue for leaders

The practical issue is visibility. If leaders cannot see where AI is being used, they cannot make informed decisions about risk appetite, investment, controls or assurance. If risk managers cannot see how AI is being used in third-party tools, they cannot properly challenge whether the organisation understands the dependency. And if assurance teams cannot see the evidence trail, they cannot give meaningful comfort that controls are working.

That is why the topic of Shadow AI and uncontrolled staff usage should be treated as a business risk conversation, not simply a technology conversation. The organisation needs to understand what decision or process is changing, who owns it, what could go wrong, what would be unacceptable, and what evidence would show the control environment is working.

Good AI governance is not a policy on a shelf. It is the ability to explain a real use case, the decision it supports, the risk it creates and the evidence that controls are working.

What business leaders should challenge

Business leaders do not need to become data scientists to ask better questions. They do need to insist that AI use is connected to business outcomes, customer impact, accountability and evidence.

• Which AI use cases are most connected to this issue?
• Who owns the use case after it moves from trial to business-as-usual?
• What would make the use case unacceptable, even if it appears efficient?
• How would the organisation know if the AI-enabled process started producing poor, unfair or unreliable outcomes?
• What changes if the AI capability sits inside a third-party platform rather than an internally built tool?

What risk managers should evidence

Risk managers should avoid becoming the team that only says “be careful”. The stronger role is to help the organisation take better risk. That means turning AI governance into practical evidence that supports decision-making.

• A current register or inventory of AI use cases, including material third-party AI capabilities.
• Clear criteria for classifying materiality, customer impact and risk level.
• Evidence of approval, challenge and risk acceptance at the right level.
• Controls that are specific to the use case, not generic statements about responsible AI.
• Monitoring and review triggers when models, vendors, data, use cases or operating conditions change.
• Assurance activity that tests whether the governance process is working in practice.

What mature assessment should show

A useful AI maturity and risk assessment should not just ask whether a framework exists. It should help leaders explore whether the organisation can evidence how AI risk is understood, governed and challenged across the lifecycle. That includes the human side: whether business owners understand their accountability, whether risk teams are involved early enough, and whether assurance can test what matters.

The assessment should also help distinguish between activity and maturity. Having a policy, committee or checklist is useful, but it is not the end point. The better test is whether the organisation can show consistent decisions, clear ownership, practical controls and enough evidence to support confidence.

The risk management question

Can your organisation evidence how this AI risk issue is identified, assessed, approved, monitored and challenged across the lifecycle — including where AI is embedded inside third-party platforms?

Innovation of Risk provides AI maturity and risk assessment tools to help organisations have better internal risk, governance and assurance discussions. This post is general information only and is not legal, regulatory, audit or professional advice.

The post Shadow AI and uncontrolled usage is not leveraging AI appeared first on Innovation of Risk.

That is why APRA’s recent letter matters. It is a clear reminder that AI needs more than enthusiasm. It needs mature governance, quality risk assessment, strong assurance and evidence that controls are actually working.

The core message is clear:

AI adoption is accelerating, but governance, risk management, assurance and operational resilience practices are not always keeping pace.

APRA has observed that regulated entities are moving from experimentation into more embedded and customer-facing AI use cases, while governance maturity, board challenge, contingency planning and assurance practices remain uneven.

That matters because AI is no longer a side experiment sitting in an innovation team. It is increasingly embedded in business processes, third-party platforms, software tools, cyber capabilities, customer service models, data analytics, decision support, development environments and operational workflows.

This creates real opportunity. It also creates risk that may not be obvious until something fails.

The real issue is not AI. It is unmanaged AI.

AI can improve efficiency, decision-making, customer experience, risk analysis and operational insight. It can help organisations identify patterns faster, test scenarios more effectively, review evidence, support control assessments and improve the quality of risk conversations.

But the benefits do not remove the need for discipline.

In fact, the more powerful and embedded AI becomes, the more important mature governance becomes. Organisations need to know where AI is being used, what it is being used for, what data it relies on, what decisions it influences, what controls exist, what assurance has been performed and what happens if the AI-enabled service fails or changes.

This is not just a technology issue. It is a governance issue, a risk management issue, a third-party risk issue, an operational resilience issue and an accountability issue.

“The vendor has it covered” is not a risk assessment

One of the biggest traps with AI is assuming that a third party, software provider or platform vendor has already dealt with the risk. This is where organisations need to be more demanding.

It is not sufficient to ask whether a provider uses AI and accept a broad assurance statement or evidence they want to provide, including they use it elsewhere. Organisations need to understand the quality of the provider’s risk assessment. They need to see evidence. They need to know what has actually been tested, what assumptions have been made, what controls are in place and whether the assurance is strong enough for the importance of the service.

That means asking practical questions:

• Where is AI used in the product or service?
• What customer, operational, security or confidential data is exposed to the AI model?
• How are model changes governed?
• What controls prevent inappropriate, biased, insecure or unreliable outputs?
• How is the service monitored?
• What assurance has been completed?
• What evidence supports the provider’s claims?
• What contingency plans exist if the AI service fails, is compromised or materially changes?
• How does the organisation know the provider’s AI risk assessment is fit for purpose?

Trust may be part of a commercial relationship. But trust is not a control.

Boards and executives need enough literacy to challenge

APRA also highlighted that boards often have strong interest in the benefits of AI and a desire to see it happen, but may not yet have the real information needed to effectively challenge management on AI-related risks.

Boards and executives do need enough understanding to ask better questions. They need to be able to challenge whether AI is being adopted safely, whether risks are being assessed consistently, whether assurance is meaningful and whether management has visibility over the most material AI dependencies.

Good AI governance should help leaders understand:

• which AI use cases are material;
• which business processes rely on AI;
• which third parties are critical;
• what could go wrong;
• what controls are relied upon;
• what evidence supports the risk position;
• what risk appetite applies; and
• whether current oversight is strong enough.

AI governance cannot sit only in technology. It needs to be connected to strategy, risk appetite, procurement, operational risk, cyber security, data governance, privacy, compliance, internal audit and business ownership.

Risk professionals should not sit on the sidelines

There is another important point: this is not only a defensive issue for risk professionals. AI is also an opportunity.

Risk teams should be embracing AI responsibly. Used well, AI can help improve the quality, speed and depth of risk maturity assessments. It can help identify gaps, structure evidence, compare practices against standards, support scenario analysis, improve board reporting and make risk conversations more accessible to business teams.

The risk function should not be the team that simply says “no” to AI.

Mature AI risk assessment is now essential

A mature AI risk assessment process should not be a one-off checklist. It should be part of how the organisation governs change, technology, third parties and operational resilience.

At a minimum, organisations should be able to demonstrate:

• an inventory of AI use cases, including embedded third-party AI;
• clear ownership and accountability;
• risk assessments based on materiality and use case;
• evidence of controls and assurance;
• consideration of data, privacy, cyber, operational, conduct and resilience risks;
• board and executive reporting for material AI exposures;
• contingency planning for critical AI-enabled services;
• ongoing monitoring, not just approval at implementation.

The key word is evidence.

Policies are useful. Frameworks are useful. Governance forums are useful. But if the organisation cannot show the evidence behind the risk position, it will struggle to demonstrate that AI is being managed in a mature and controlled way.

Where we are focused

At Innovation of Risk, we are doing a lot of work on how AI can be used to support better risk maturity and risk assessment practices. That includes using AI to help organisations explore maturity, identify gaps, structure evidence, assess governance practices, support regulatory self-assessments and make risk insights more practical for boards, executives and business teams.

The goal of AI in risk is not to replace judgement. It is to improve the quality of the assessment process and make risk conversations more useful.

The organisations that get this right will move with discipline

The answer is not to blindly trust AI. It is also not to block it out of fear.

The organisations that perform best will be the ones that adopt AI with discipline. They will understand where AI is being used, assess the risks properly, challenge third-party assurances, demand evidence, monitor changes and make sure boards and executives have enough visibility to govern effectively.

APRA’s message is timely.

AI is moving quickly. Risk governance needs to move with it.

And for risk professionals, this is a moment to step forward.

The post APRA calls for a step-change in AI-related risk management and governance appeared first on Innovation of Risk.

What is Greenwashing, and Why Does it Matter?

‘the practice of misrepresenting the extent to which a financial product or investment strategy is environmentally friendly, sustainable or ethical’

Australian Securities and Investments Commission

Greenwashing refers to the deceptive practice of exaggerating or falsely advertising the environmental friendliness or ethical nature of a financial product or investment strategy. Companies may overstate their sustainability merits to attract eco-conscious investors, taking advantage of the growing demand for ESG (Environmental, Social, and Governance) assets.

ESG assets more than doubled between 2019 and 2022 and are projected to exceed US$53 trillion by 2025. Much of the asset flow has come from retail investors wanting to make a positive difference to the planet and society.

The Risk of Bluewashing and Greenhushing

While Greenwashing is a major concern for ASIC (Australian Securities and Investments Commission), companies should also be aware of “Bluewashing.” This involves misrepresenting the extent to which a business or investment respects human rights, particularly concerning issues like modern slavery and Indigenous rights.

Greenhushing is another deceptive practice where companies respond to increased regulatory scrutiny by ceasing voluntary ESG disclosure. ASIC considers this as another form of Greenwashing.

Managers have also responded to increased investor demand for sustainable investment options by repurposing existing conventional funds. Greenwashing could be seen to straddle this growing trend and attract more investors whose interest in environmental and climate issues is reaching new peaks.

Recent Examples of Greenwashing and ASIC’s Focus

Instances of Greenwashing have led to significant repercussions for companies. For example, DWS, an asset management firm, faced allegations of overestimating its sustainable investments and using misleading language to describe its funds. As a result, DWS’s reputation suffered, and its share price plummeted.

In a groundbreaking case, ASIC sued Mercer Super for misleading its members about excluding carbon-intensive fossil fuel companies. This sent shockwaves through the Superannuation industry and highlighted emerging legal risks surrounding ESG commitments.

How to Prevent Greenwashing and Bluewashing

ASIC considers Greenwashing a concern because:

• It distorts relevant information that a current or prospective investor might require in order to make informed investment decisions.
• It can erode investor confidence in the market for sustainability-related products; and
• It poses a threat to a fair and efficient financial system.

To prevent Greenwashing and Bluewashing, ASIC has released a set of questions that superannuation and managed funds should consider:

1. Ensure your product aligns with its sustainability label.
2. Avoid vague terminology and clearly define sustainability terms.
3. Avoid potentially misleading headline claims.
4. Explain how sustainability factors influence investment decisions and stewardship activities.
5. Disclose your investment screening criteria and any exceptions or qualifications.
6. Accurately describe your level of influence over the benchmark index for sustainability-related products.\
7. Explain how you use metrics related to sustainability.
8. Establish reasonable grounds for sustainability targets and explain how they will be measured and achieved.
9. Make relevant information easily accessible to investors.

Tips and Reminders for Regulatory Compliance

To avoid regulatory intervention from ASIC, legal, compliance, and marketing teams should verify ESG-related statements for accuracy and reasonable basis before publication. Conduct ongoing assurance exercises to test statements against actual practices and mitigate regulatory exposure or litigation risk.

The Future of Sustainability Reporting

With two new international standards for sustainability reporting (IFRS S1 and S2) set to apply in Australia from January 2024, companies should prepare for mandatory sustainability reporting and ensure compliance.

In Conclusion

As the “Green” economy continues to evolve, maintaining transparency and authenticity in sustainability strategies is paramount. Preventing Greenwashing and Bluewashing not only protects investors but also contributes to a fair and efficient financial system. By adhering to best practices, companies can build trust and credibility, even as regulatory scrutiny increases.

Now is the time for boards to focus on disclosures and embrace sustainability reporting with utmost integrity!

The post How to Ensure Your Sustainability Strategy Stays Clean appeared first on Innovation of Risk.

Introduction

Today marks a significant milestone for the Australian financial services industry as the Australian Prudential Regulation Authority (APRA) and the Australian Securities and Investments Commission (ASIC) join forces to shape the future of financial accountability. The release of key materials for consultation on the Financial Accountability Regime (FAR) represents a transformative step forward, impacting APRA-regulated entities within banking, insurance, and superannuation sectors, as well as their directors and top executives. The FAR aims to strengthen risk management and governance cultures within these institutions, revolutionizing the way they operate.

A Revolutionary Framework: FAR vs. BEAR

The Financial Accountability Regime is set to replace the existing Banking Executive Accountability Regime (BEAR), which was solely administered by APRA and took effect on 1st July 2018. Unlike its predecessor, the FAR introduces a joint administration by both APRA and ASIC, signifying a comprehensive and collaborative approach to financial accountability.

Noteworthy inclusions in the FAR are its broader reach across the financial services landscape. While the BEAR primarily impacted authorised deposit-taking institutions (ADIs), the FAR extends its jurisdiction to insurance companies, superannuation trustees, and licensed non-operating holding companies (NOHCs). This expansion ensures that the regime encompasses a wider array of entities, ultimately enhancing accountability and transparency across the sector.

The Implementation Timeline

To better understand the timeline of the FAR implementation, here are the key points to note:

ADIs: The FAR will come into effect for authorised deposit-taking institutions six months after the Financial Accountability Bill 2023 receives Royal Assent.

Insurance and Superannuation Entities: Insurance companies and superannuation trustees will be brought under the FAR 18 months after Royal Assent.

The phased implementation allows entities ample time to prepare and adapt to the new regime effectively.

A Comprehensive Consultation Package

In order to ensure a smooth and successful transition to the FAR, APRA and ASIC have thoughtfully released a comprehensive package of documents for consultation. This early engagement with stakeholders aims to solicit valuable feedback from the industry, allowing for the refinement and improvement of the regime’s implementation.

The Promise of the FAR

The introduction of the Financial Accountability Regime presents a promising opportunity for the financial services industry to take a giant leap forward in terms of accountability, governance, and risk management. By bringing together the expertise of APRA and ASIC, the FAR is designed to foster a stronger risk management culture, reduce misconduct, and promote ethical behavior within financial institutions. This regime signifies a clear commitment to building a more responsible and transparent financial sector, ultimately benefiting all Australians.

Embrace the Change with Innovation of Risk

As the financial services industry prepares to embark on this transformative journey, Innovation of Risk stands ready to provide expert support and consultation. Our experienced team of consultants is well-equipped to guide entities through the implementation process, ensuring a seamless integration of the FAR’s principles into their operations. Together, we can build a stronger, more accountable, and transparent financial sector that fosters trust and stability.

Conclusion

The release of key materials for consultation on the Financial Accountability Regime marks a pivotal moment in shaping the future of Australia’s financial services industry. With APRA and ASIC jointly administering this transformative regime, the FAR is set to revolutionize accountability and governance across the banking, insurance, and superannuation sectors. By embracing this change and actively participating in the consultation process, stakeholders can play an essential role in shaping the implementation of this groundbreaking regime.

Together, we can pave the way for a more responsible and transparent financial sector, benefitting not just institutions but every Australian. Let’s seize this opportunity to embrace the Financial Accountability Regime and create a brighter future for the financial services industry.

Contact us for any support you need in this important change for the financial services industry.

The post The Future of Australia’s Financial Services Industry: Embracing the Financial Accountability Regime appeared first on Innovation of Risk.

Today marks a momentous occasion in the world of financial services as the Prudential Regulator APRA releases the final version of CPS230. This milestone heralds a critical step in the development of operational risk practices in the industry, with far-reaching implications for organizations and their risk landscape. In this blog post, we will explore the key highlights of the final version of CPS230 and delve into its significance for the financial services sector.

Commencement Date Extension

One of the key takeaways from the final version of CPS230 is the extension of the commencement date to 1 July 2025. This extension provides financial organizations with additional time to prepare and align their practices with the new standard. Moreover, for suppliers’ contract renewal, either the renewal date or 1 July 2026 are now the crucial dates for agreements being updated. This adjustment acknowledges the importance of providing sufficient time for smooth transitions and comprehensive implementation.

Material Service Providers

In the revised version, the register of material service providers is no longer a part of the Board-approved policy. However, organizations are still required to furnish a register of these important providers to APRA. Identifying and maintaining this register is vital for monitoring and managing potential risks associated with key service providers.

Reputational Risk

Although reputational risk is no longer expressly detailed as part of the full range of operational risk, the final version acknowledges its significance. APRA highlights the continued importance of reputational risk management, emphasizing its impact on the financial industry. While it might not be explicitly outlined, organizations should remain vigilant in managing reputational risks to safeguard their stability and credibility.

Clarity on Critical Operations and Providers

The revised CPS230 brings much-needed clarity on critical operation minimums and material service provider minimums, categorized by the type of financial service. This clarification ensures a more standardized and transparent approach to assessing the significance of operations and providers, leading to better risk management practices.

Enhanced Risk Management

The final version introduces some critical additions to the list of material service provider minimums. Risk management, core technology services, and internal audit have been explicitly included, underscoring their significance in the financial ecosystem. By elevating these components to the forefront of risk considerations, organizations are better equipped to handle potential disruptions and ensure robust risk management.

Removal of Systemic Importance Assessment

A significant change in the final version is the removal of the requirement for each entity to assess whether a provider is systemically important to Australia. This streamlines the evaluation process, making it more efficient and practical for organizations. While systemic importance remains an important consideration, this change simplifies the assessment procedure and allows organizations to focus on other critical aspects of operational risk.

APRA’s Draft Guidance

In addition to the final version of CPS230, APRA has issued its draft guidance for the new standard. This supplementary guidance provides valuable insights and specific instructions for organizations to navigate the changes effectively. It serves as a roadmap for organizations, ensuring they can adapt smoothly to the new requirements.

Conclusion

As the financial services industry continues to evolve, managing operational risk becomes increasingly critical. The release of the final version of CPS230 by APRA marks a significant stride in this direction. With an extended commencement date, clarity on critical operations, and an enhanced focus on risk management, the industry is better positioned to navigate the dynamic landscape of financial services operational risk.

For organizations seeking effective approaches to implement these updates, The Innovation of Risk (link to their LinkedIn page) stands as a valuable resource. With its expertise and experience, this organization can help demystify the intricacies of CPS230 and ensure a seamless transition.

In conclusion, let’s embrace these changes and work together to stay ahead in the ever-evolving landscape of operational risk in financial services. By proactively embracing these updates, we can reinforce the stability and resilience of the finance industry as a whole.

#OperationalRisk #FinancialServices #APRA #CPS230 #RiskManagement #FinanceIndustry #RegulatoryCompliance

The post The Future of Operational Risk in Financial Services: APRA’s CPS230 appeared first on Innovation of Risk.

A Soufflé of Disclosure Reporting

The release of these new standards marks a remarkable milestone in the realm of Climate and Sustainability reporting. With a multitude of global disclosure standards already in existence, the IFRS S1 and IFRS S2 seek to provide a new level of conformity and consistency, making them a welcome addition after years of frustration in the global kitchen of disclosure regulation!

Implications for Australian Companies

For Australian companies, the introduction of these standards heralds a significant step toward mandatory reporting. From January 2024, organizations will be required to incorporate these standards into their annual reporting, with full compliance expected by 2025. The Treasury has commenced its second round of consultation on these proposed disclosure requirements, indicating the seriousness of this initiative.

A Crucial Moment for Boards

In the wake of ASIC’s increased scrutiny around “Greenwashing,” boards must now prioritize their disclosures more than ever. To tackle these reporting challenges, many boards may look to their existing TCFD (Task Force on Climate-related Financial Disclosures) framework. While the new international standards draw heavily from TCFD, they elevate the level of disclosure significantly, necessitating a higher degree of transparency. Consequently, companies may need to upskill their current staff and senior management to meet these demanding reporting requirements.

Greenhouse Gas Emissions in Focus

Among the various areas of augmented disclosure in the new international standards, one noteworthy addition is the requirement to disclose GHG (Greenhouse Gas) emissions for Scope 3. These emissions are attributed to a company’s value chain outside of its immediate operations and have traditionally been challenging to measure accurately. The inclusion of such data is a crucial step toward comprehensive climate reporting.

Conclusion

As the countdown begins toward the implementation of these transformative reporting standards, Australian organizations and global companies operating in Australia must gear up for this profound change. The Treasury’s ongoing consultation presents a vital opportunity for stakeholders to shape these requirements collaboratively. Amidst the evolving landscape of climate reporting and heightened focus on transparency, boards must take the lead in navigating this journey toward a more sustainable and environmentally responsible future.

The new standards are not only a call to action for existing board members but also a compelling read for aspiring “Master Chef” boardroom leaders who seek to excel in climate and sustainability disclosures.

The post ESG Today Unveils Major Update on Mandatory Climate Reporting for Australian Organisations appeared first on Innovation of Risk.

Too often, committee members go through the motions and fail to engage in meaningful discussion and debate. Further, this can be assigned a reason relating to time constraints or, in some cases, the belief that the chair or a single member knows best. Even worse, members represent in the meeting concern and even call for action, but outside the meeting remain passive and uncommitted to real action.

However, an effective risk committee should form the backbone of an organisation’s business practices. It should encourage open and constructive debate, and ensure that accountable members take action where necessary. The committee should set the tone from the top, inspiring and empowering individuals and teams to take calculated and managed risks that support the organisation’s goals.

Ultimately, an effective risk committee is critical to achieving great governance. However, it is important to recognise that the committee’s role goes beyond simply providing a visual representation of risk management. Instead, it should oversee, guide, and require action from all parts of the organization, working in tandem with other business and risk management practices to create a solid foundation that supports positive risk-taking.

Decision-making Process

Every day, risk management is an integral part of the decision-making process across all organisations. Rather than just being a part of the decision-approval process, it’s best to incorporate risk management as part of the decision-making process. The risk committee plays a critical role in supporting this process.

An effective risk committee must support debates, and challenge accountable managers to ensure that actions taken are well-thought-out and lead to the best outcomes from taking risks. It’s important to note that the committee is not there to just rubber-stamp decisions or accept recommendations presented. Instead, the committee should provide valuable advice and, in some circumstances, disagree with the recommendation and recommend taking an alternative action.

Contrary to the notion that there is “no such thing as a bad decision, just a bad recommendation” when it comes to risk committees, an effective and valued risk committee plays a crucial role in the organisation. Such committees must engage in the topics presented, make changes, and drive action. Typically, the most senior and experienced members of an organisation, whether at the board or executive level, form the committee. This talent is there to make a real difference and, most importantly, make things happen.

An effective risk committee not only helps make better decisions but also makes the organisation better. By having such a committee, organisations can ensure that they make informed decisions and minimise risks while maximising opportunities. The committee’s role goes beyond providing recommendations to actually driving action and leading to better outcomes.

The Risk Committee is Good Governance

Effective governance is crucial, but an even more critical aspect is incorporating risk into the decision-making process. Although it may not be a complicated task, it requires careful attention to detail. Deloitte, in response to the increasing interest in board-level risk committees, has developed a guide that outlines the key factors necessary for the committee’s success. Specifically, Deloitte recommends that boards review the committee’s composition, reporting relationships, and responsibilities to ensure they align with the organization’s needs.

Once the foundation for a risk committee is in place, it is essential to incorporate key concepts that promote its effectiveness.

Key Principles for an Effective Risk Committee

To have an effective risk committee, it is crucial to adhere to these ten key principles:

1. Keep the committee small and focused, with executives and directors from both within and outside the organisation. For an executive committee, the most powerful message is having all executives as members of the risk committee.
2. Create a simple agenda that addresses key areas of the business process, issues, risks, controls, controls monitoring (control self-assessment and assurance), and actions to mitigate risk.
3. Provide clear oversight of the frameworks in place, ensuring effective and efficient risk management practices.
4. Oversee the change portfolio of the business from a risk perspective.
5. Obtain alignment, through challenge and debate, and support from a risk perspective of the strategic projects that impact the risk profile of the business.
6. Consolidate multiple risk committees into a single management risk committee that covers all material risks. Leaving a material risk off the table at the risk committee reduces the benefit of having the talent at the table to challenge risks more broadly.
7. Provide sufficient pre-reading time for papers, so that the committee can focus on discussions rather than reading papers during meetings.
8. Focus on top-down “what keeps you up at night” requirements and bottom-up reporting and escalation.
9. Ensuring accountability among all members for the recommendations made during meetings is crucial. The purpose of these meetings is to manage risk and ensure that actions taken align with the appetite and expectations of the committee members. It’s important to remember that not all recommendations will be accepted and implemented as-is; the risk committee is not simply a rubber-stamp for recommendations.
10. Ensure that all members of the committee advocate for decisions made during the meeting. The debate and challenge must happen in the room, not afterward.

To gauge the effectiveness of the committee’s decision-making process, consider tracking the number of recommendations presented and how many of these recommendations are modified or changed during the deliberation process. This can serve as a key performance indicator for the committee, helping to identify areas for improvement and encouraging greater collaboration among members

In summary, while the risk committee is an essential component of managing risk for your business, it cannot replace effective leadership and embedding risk into the decision-making process. People and organisations do make incorrect decisions, the risk committee is there to ensure every possible challenge and debate occurs to reduce the potential of these decisions being incorrect.

The post Effective Risk Committees appeared first on Innovation of Risk.

Chip Heath’s book, ‘The Power of Moments: Why Certain Moments Have Extraordinary Impact’ offers invaluable insights into how to approach these defining moments. Through his work, Heath reminds us of the importance of recognising and seizing these critical junctures. He challenges us to consider the significance of the moments that matter most and encourages us to make them come alive.

As leaders, we must apply these insights to both our leadership and risk management. We must recognise the importance of moments that can make or break our organizations and use them to our advantage. By embracing these pivotal moments, we can inspire our teams to reach new heights and ensure that our organisations thrive.

‘Our lives are measured in moments, and defining moments are the ones that endure in our memories.’

Every single one of us has the opportunity to turn what we do for our customers into truly defining moments. Too often we spend time considering what we do in terms of what we achieve, rather than how it makes each moment special for our customers.

Shifting from judging to supporting

As risk managers, our perspective must shift from merely “judging” to “supporting and growing.” In doing so, we can ensure that every risk moment matters and our organisations are well-positioned to succeed.

However, this is no easy feat. It requires us to identify how our actions support all three lines of defence simultaneously, rather than focusing solely on the role of the second line. As we outlined in our previous blog post on the topic of the ‘3 Lines of Defence‘ model, the symbiotic relationship between each line is crucial to effective risk management.

To support and grow our organisations, we must take a holistic view of risk management. We must work collaboratively with colleagues in all three lines of defence and embrace a culture of transparency and accountability. By doing so, we can identify potential risks and develop proactive strategies to mitigate them.

As risk managers, it is also essential to recognise that risk management is not solely about avoiding negative outcomes. It is equally about identifying opportunities for growth and innovation. By taking a supportive and growth-oriented approach, we can help our organizations take calculated risks that lead to positive outcomes.

Taking the customers’ perspective

Shifting our perspective as risk managers means looking at every engagement (framework), enquiry (advisory) and review (assurance) as the opportunity to support and grow our customers.

In doing so, we must take the perspective of the external customer in our engagement. We must focus on achieving community and customer expectations through simplicity, easiness and kindness. Most importantly we must not step back under the veil of the 2nd line, but step forward as the 2nd line.

‘Moments matter. And what an opportunity we miss when we leave them to chance!’

Chip Heath

The job of a risk manager is not just about managing risks, but also about delivering valuable products and services to support customers and organisations. This means that every engagement, workshop, or report is a meaningful moment that must not be left to chance. In other words, risk managers must ensure that each risk moment matters.

To achieve this, risk managers must approach their work with a focused intention of adding value to their stakeholders, particularly the board and management. This is not always an easy task, as risk managers must balance the need to “call things out” with the need to be positive and supportive.

However, being positive does not mean avoiding facts or failing to identify risks. Rather, a positive approach means looking at risks through the lens of opportunity rather than judgment. This allows risk managers to identify and address risks in a constructive way that supports their stakeholders’ goals.

It is important to note that even the most experienced risk managers will not always get it right. In those moments, the key is to navigate the challenging conversation in a way that promotes positive outcomes. This may involve providing additional information, suggesting alternative strategies, or simply listening to stakeholders’ concerns.

Leaders must take accountability

However, sometimes being positive means calling a spade a spade. As risk managers, we have a responsibility to identify and communicate risks, even when doing so is uncomfortable or difficult. However, it is ultimately up to those who are accountable for making decisions to take action and make those risk moments matter.

Risk managers are not the conscience of an organisation, particularly those who are ultimately accountable for outcomes. Unfortunately, in many organisations, there is a tendency to shift blame and responsibility away from ourselves, rather than taking ownership of our actions and decisions.

Being accountable does not mean being perfect. It means recognising when things don’t go as planned and taking responsibility for our role in the outcome. By doing so, we can learn from our mistakes and make better decisions in the future

In Summary: Making each Risk Moment Matter

Every risk moment matters and risk managers must take ownership of each element of their role as a product or service that supports their stakeholders. By approaching their work with a focused intention of adding value and adopting a positive, constructive approach to risk management, risk managers can help their organisations navigate uncertainty and achieve their goals.

‘to defy the forgettable flatness of everyday work and life by creating a few precious moments’.

Chip Heath

The post Every Risk Moment Matters appeared first on Innovation of Risk.

To help organisations achieve this, APRA has proposed a new standard for operational risk management that will apply to all APRA-regulated entities. The proposed standard, CPS 230 Operational Risk Management (CPS 230), will establish minimum requirements for managing operational risk, with a particular emphasis on business continuity and service provider management. APRA is aiming to implement this standard by January 1, 2024.

The goal of this new standard is to consolidate the key elements of operational resilience into a single framework, while ensuring clear accountability for business operators in managing risks related to resilience. This means that business operators, rather than the risk function, will be responsible for owning and managing these risks.

A maturity assessment is a simple and practical tool for understanding your organisation’s level of operational resilience. It’s not just about compliance; it also helps identify your strengths and weaknesses, allowing you to focus on key risk management activities over time.

Think of a maturity assessment as a way to measure your growth and development, much like the marks on a door frame as you watch your children grow over time. To assist in your assessment against the standard, we have developed a simple and user-friendly maturity assessment tool.

By using a maturity assessment model, you can move beyond pure compliance to an engaging way to support everyone in managing their business and risks. However, ensuring compliance with CPS230 requires creating or updating frameworks, systems, and processes while embedding the activity within your front-line business.

To meet these requirements, consider the following key approaches:

• Conduct workshops with each business area to undertake a maturity assessment against the elements of CPS230.
• Ensure that the activity occurs within the business lines, rather than through a centralized team. The central team, if required, should facilitate engagement with each business area.
• Engage the board and executive team from the beginning of the initiative through completion, including organization-wide education and training sessions.

If you wish to know more and receive access to this tool for your self-assessment purposes please contact us.

The post How is your operational resilience maturity appeared first on Innovation of Risk.

Collaboration is essential to achieving a productive and outcome-focused business, particularly when it comes to innovating risk management. The innovation of risk requires the amalgamation of ideas from a diverse set of skill sets, given the complex and diverse nature of subject matter experts (SMEs) across risk and compliance.

This diversity is critical in helping us “connect the dots” and identify innovative solutions to complex challenges. For example, when it comes to Anti-Money Laundering and the “Know Your Customer (KYC)” process, we must tap into the expertise of operational risk, compliance (AML, Privacy, and Legal), fraud, and credit risk to find innovative solutions.

By fostering collaboration and embracing diversity, we can unlock new and creative solutions to manage risks effectively and drive business success.

Value of Collaboration

One of the biggest challenges in risk and compliance management is demonstrating tangible financial benefits. Unlike other business areas, such as sales or marketing, where return on investment (ROI) can be more easily measured, the benefits of investing in risk and compliance management are often intangible and difficult to quantify.

In many cases, the value of effective risk and compliance management may not be realized until something goes wrong. For example, the cost of a data breach or a regulatory fine can be significant, and may far outweigh the cost of implementing adequate risk and compliance controls. However, it can be challenging to convince stakeholders to invest in these controls upfront, particularly if they do not see immediate financial returns.

Moreover, risk and compliance are often viewed as a necessary evil or a cost center, rather than as strategic enablers of business success. This perception can make it challenging to secure budget and resources for risk and compliance initiatives.

Business Benefit

Collaboration has been consistently shown to lead to better, more robust, and innovative solutions. However, when it comes to risk and compliance, it can be difficult to demonstrate direct financial benefits.

So what benefit does collaboration in risk and compliance provide?

Bringing together subject matter expertise of risk and compliance supports better business decisions. In essence, it increases the chance that all outcomes are considered. This is however hard to quantify, as you are quantifying what could happen, not what did happen.

Take the recent article on the “over-reaction to COVID-19“. This virus and the global response was, and is, complex. Looking back on things from today’s perspective, it can appear ‘easy to predict’ things differently. However, decisions were made with an unknown future of different risks and different outcomes. Predicting today, what it could have looked like is naive and dangerous.

The benefit of considering the bigger picture of risk and compliance is that it allows us to move forward with a clearer understanding of potential risks and outcomes. While the financial benefits of collaboration may not be immediately apparent, taking a collaborative approach can help organisations make more informed decisions and mitigate risks more effectively in the long run.

The benefit of considering the holistic picture of risk and compliance enables us to move forward with ‘eyes wide open’.

5 Reasons Why the Innovation of Risk Requires Collaboration

Collaboration is essential for the innovation of risk, and there are five key reasons why:

1. Different experiences and backgrounds: When individuals with different experiences and backgrounds come together, they bring unique perspectives to the table. This can lead to more innovative and well-rounded solutions.
2. Real-time sharing of ideas: Collaboration allows for the real-time sharing of ideas and discussion of these ideas. This can lead to more efficient problem-solving and decision-making.
3. Continuous improvement: Collaboration allows for ideas to be continuously recorded, amended, reflected upon, reviewed, and enhanced. This can lead to better outcomes over time.
4. Embracing diversity: Collaboration enables individuals with different styles of interaction and behaviors, such as introverts and extroverts, or those from different generations, to work together effectively.
5. Linking to factual information: Collaboration ensures that decision-making is linked to factual information, leading to more informed and well-considered decisions.

While these reasons for collaboration may seem simple, not everyone recognises the importance of collaboration in a risk and compliance context. This may be due to individuals’ desire to maintain information as a protectionist mechanism.

Sharing Information is the Real Power

There’s an old saying that “information is power”, but history has shown us time and time again that this approach often leads to worse outcomes. In reality, the most valuable employees are those who freely communicate and share information, without being concerned about job security or career advancement. They understand that knowledge-sharing leads to the best possible working environment and ultimately delivers the best business outcomes.

As we highlighted in another article, these employees are passionate about making ‘every moment matter‘. They’re committed to creating a culture of collaboration and openness, where everyone feels valued and encouraged to contribute their ideas and expertise. By fostering this type of environment, organisations can drive innovation, improve performance and achieve their strategic goals.

In Summary

Collaboration in the innovation of risk is essential for success. When individuals come together to share their experiences and ideas, they can create more robust and innovative solutions. It enables a diverse set of skill sets to work together and share real-time discussions, allowing for the constant refinement of ideas. Collaborating with subject matter experts across risk and compliance ensures that all outcomes are considered, increasing the chance of better business decisions.

Innovation in risk and compliance is a challenging area, and it is difficult to show tangible financial benefits. However, by collaborating, we can move forward with ‘eyes wide open’ and ensure that we are considering the holistic picture of risk and compliance. This approach provides an opportunity for continuous learning, improvement, and growth.

As a risk professional, I have seen the benefits of collaboration firsthand. I have worked with individuals from different backgrounds, skill sets, and locations, and together we have achieved better outcomes than we could have alone. Collaboration has enabled us to think outside the box, challenge assumptions, and develop innovative solutions that have delivered value to the organisation.

In summary, collaboration is essential for the innovation of risk, and it is the most important thing each of us can do. It allows for the sharing of information and ideas, encourages diversity and innovation, and ensures that all outcomes are considered. As a risk professional, I believe that collaboration is critical to achieving success in the ever-changing risk landscape.

The post Collaboration is Critical for Risk appeared first on Innovation of Risk.

Strive not to be JUST a success, but to be of value.

To overcome this challenge, there are eleven simple tips that leaders can follow to manage risk effectively. These tips can help leaders foster a culture of embracing risk-taking, while also ensuring that their organizations are well-positioned to deliver the best outcomes for their customers.

What if we could make risk management clearer for managing our BUSINESS?

Tip 1 – Work Together

Effective risk management is critical for every organization and its employees. ClearRisk has outlined “10 Reasons Risk Management Matters for All Employees” which emphasizes the importance of working together to manage risks. In any successful team, members must support one another and collaborate to effectively manage risks.

Tip 2 – Think Differently

Apple shone a light on “thinking differently” to achieve an impact on its customers and its people.

Managing risks is similar to innovating in other areas of business. To successfully embed risk thinking, it is crucial to allow for agile and alternative approaches to risk management. The key lesson from past experiences is not to repeat what has always been done, but rather to make changes to how you manage your business to ensure the best outcomes for your customers. 

Tip 3 – Leverage Support

Collaboration is essential to success, and we cannot achieve anything alone. Leveraging the support and expertise of our colleagues is crucial to ensure that we make the best decisions for our customers and each other. The most successful organizations recognize and utilize the strengths of their experts, relying on them to drive outcomes while remaining accountable for those outcomes. Leveraging support does not mean relinquishing accountability; rather, it means engaging others to deliver on our shared goals.

Tip 4 – Connect Everything

According to Conserve’s article titled “The Fundamental Risk Management Skills that Every Leader Should Possess” having an eye for detail while also seeing the big picture is essential. Connecting all the pieces together when it comes to managing your business and risks requires this skill set.

” …you need an eye for detail, being able to spot gaps where further research is needed and being able to see the finer points of day to day risk management as well as the bigger picture.”

Conserve

Tip 5 – Plan for the Worst

The Global Financial Crisis of 2008 and the COVID-19 pandemic of 2020 have demonstrated that significant events can occur in any business over the last two decades. While being optimistic is crucial for business success, it is equally important to plan for the worst-case scenarios for both your customers and your business. Failing to challenge ourselves to explore both optimistic and pessimistic futures often leads to business failures.

Tip 6 – Research and Learn

In a world that is constantly changing, one thing remains consistent: the importance of continuous research and learning. It is crucial to prioritise ongoing personal and professional development, as it allows us to expand our knowledge and skills. We should never stop growing our minds and should aim to continuously broaden our understanding of various topics. By doing so, we can remain adaptable and equipped to handle any challenges that come our way.

“He who learns but does not think, is lost! He wHO thinks but does not learn is in great danger.”

Confucius

Tip 7 – Look Below the Surface

The iceberg image analogy is not only applicable to business and risk management, but can also be used in various aspects of our lives. In fact, the iceberg analogy has been used in many fields, including psychology and personal development, to emphasize the importance of looking beneath the surface to understand the deeper layers of our emotions, thoughts, and behaviors.

Moreover, critical thinking skills are essential for problem-solving and decision-making, not just in business but in every aspect of our lives. By using tools like root-cause analysis, bow-tie method or 5-why’s, we can explore the underlying causes of a problem, rather than just treating the symptoms. This approach helps us to identify the root cause of the issue, and to develop effective solutions that address the underlying problem, rather than just the visible symptoms.

Furthermore, managing risks is an important aspect of any business, and critical thinking plays a crucial role in this process. By examining potential risks and assessing the likelihood and potential impact of each risk, businesses can develop effective risk management strategies that help them to mitigate potential losses and ensure their continued success.

Tip 8 – Embrace Technology

“Attempting to succeed without embracing the tools immediately available for your success is no less absurd than trying to row a boat by drawing only your hands through the water or trying to unscrew a screw using nothing more than your fingernail.”

Richie Norton

Managing risk is ultimately a human responsibility, as technology alone cannot guarantee effective risk management. However, technology can serve as a valuable enabler by facilitating important conversations and documenting outcomes. Without the right tools, the focus on managing risk can be lost in the process of completing risk assessment tasks, rather than achieving desired outcomes.

Tip 9 – Don’t be Blinded by Reward

History has repeatedly demonstrated that focusing solely on financial rewards can lead to poor outcomes for both customers and businesses. However, by recognizing a greater purpose and being there for our customers in their time of need, we can achieve a more powerful and enduring reward. By cultivating strong relationships based on trust and empathy, we can create lifelong relationships that last for generations to come.

Top 10 – Balance All of the Parts

Much like our bodies and minds, our organisations also require balance in order to thrive. It’s not enough to focus on just one area of the business, such as financial success, at the expense of other important factors, like employee well-being or community impact. Rather, we must strive to balance all aspects of the organisation, including its financial performance, its impact on the community, and the well-being of its employees and stakeholders.

Achieving this balance requires a commitment to understanding the needs and priorities of each stakeholder group, and taking a holistic approach to decision-making. For example, by prioritizing employee well-being and investing in training and development programs, organisations can build a more skilled and engaged workforce, which in turn can lead to higher levels of customer satisfaction and loyalty.

“We can be sure that the greatest hope for maintaining equilibrium in the face of any situation rests within ourselves.”

FRANCIS J. BRACELAND

Tip 11 – Monitor What is Around You

In today’s fast-paced world, it’s easy to become distracted by the latest “shiny new toy” and lose sight of the many things that require our attention. When it comes to managing risk, it’s critical to stay focused on monitoring multiple factors simultaneously, both internal and external to our organisations and ourselves.

This requires a proactive approach to risk management, where we regularly assess and evaluate potential threats and vulnerabilities, and take steps to mitigate or prevent them before they can cause harm. It also requires a commitment to ongoing learning and improvement, as the risks facing our organizations are constantly evolving and changing.

To stay on top of these risks, it’s important to develop a comprehensive risk management strategy that takes into account all potential scenarios and factors, and to regularly review and update this strategy as needed. By maintaining a constant focus on risk management, we can help ensure the long-term success and sustainability of our organisations, while also protecting ourselves and our stakeholders from potential harm.

One thing that makes it possible to be an optimist is if you have a contingency plan for when all hell breaks loose. 

RANDY PAUSCH

It’s important to recognize that managing risk is not just about processes, procedures, and systems, but it’s also about the people who are involved in the process. By involving all stakeholders in the risk management process, and making it an enjoyable and engaging part of their working lives, organisations can create a culture of risk awareness and responsibility.

To achieve this, we have outlined 11 tips that organisations can follow.

The post Risk Management Tips for Leaders appeared first on Innovation of Risk.

Historically risk appetite setting has been completed as an isolated risk process that occurs to reduce risk-taking. However, organisations are in the business of taking risks, and a forward-looking, positive risk appetite framework and risk-setting process will empower management and employees to deliver risk-based outcomes in line with the Board’s expectations.

What is the alternative approach?

Deloitte outline in “Risk appetite frameworks – How to spot the genuine article” that,

Everyone these days seems to agree that risk appetite frameworks are good things – even if no-one can quite agree what a good one looks like.

The alternative approach to risk appetite setting is to not focus on the process but on the business engagement. In essence, facilitating constructive challenges, debates and discussions on the key business activities with the business leaders, and then having them and their teams embrace the risk settings as a business enabler.

To support this facilitation, the usage of a structure that enhances the discussion is critical and that is where the simple attributes thrive.

Simple Attributes for Risk Appetite

In our alternative approach there are 4 simple attributes to setting risk appetite:

1. Target or “Sweet Spot”;
2. Operating range;
3. Tolerance; and
4. Exceeding.

Further information on each is outlined below.

“Sweet Spot”

Firstly, we define the “sweet spot” for the business strategy and operations being delivered every day by our people.

This “sweet spot” defines the point we are aspiring to move to; whether that is a growth/increasing position or a contracting/decreasing position. These terms must be adapted to each organisations culture and language. The key here is to use human language that people operate within in their daily interactions.

To support the development of this attribute, our posting on Agile Risk Management outlines the importance of undertaking shorter sprints of activity. This requires us to critically assess our approach to the right sweet spot for risks in each sprint.

Operating Range

Once you have established the “sweet spot” we recommend developing an “operating range”.

The “operating range” is the range of risk the business is willing to take to execute its strategy and operational outcomes. This range will have an upper and lower bound, providing for movements in risk-taking due to internal and external factors and forces.

A good operating range allows factors that are part of normal business operations and part of expected strategic decisions to occur, without exceeding your normal expectations.

Tolerance

The third step is then to set a “tolerance” level, which although we do not want to move within this territory, we are willing to accept a brief entry.

Developing a tolerance should include exploring the “what ifs” and the “black swan” events that could impact your business. The “what ifs” help ensure the level of appetite incorporates some of the unknowns, however, it must not be too wide so as to accept the unknowns as part of risk-taking. By this we mean, we need to test the boundaries of the Board and management in undertaking those business activities and strategic plans.

The key aspect is when an organisation is in the tolerance level, actions must be taken to move back within the operating range.

Exceeding

The final step is to set the level(s) where we are exceeding the organisation’s appetite.

In these circumstances, management will take immediate action to move back within tolerance and then the operating range. In these circumstances, there may need to be consequence management on those responsible for exceeding appetite (i.e. some form of “cost” of exceeding appetite, including training, coaching, and/or potential financial penalty).

In Summary

These simple steps provide a template for understanding, documenting and monitoring your appetite settings.

The setting of risk appetite is powerful in ensuring organisations operate effectively and take the risk needed to be successful.

The post Power of Risk Appetite appeared first on Innovation of Risk.

It is summarised best by this quote, “The two most important days in your life are the day you are born and the day you find out why.” by Mark Twain.

This book outlines the importance of starting with your purpose, and then driving your actions to achieve the value you wish to provide. Albert Einstein recognised this when he said,

“Strive not to be a success, but rather to be of value.”

Mark Brigden, outlines that “you can only control three things: The thoughts you think, The pictures you see, The actions you take”.  He provides a simple and clear read for someone wanting to understand how to embrace technology in their business, including the usage of the internet, including social media, tools to promote your organisation / business / idea.

Mark details, “It’s a long road, but it’s not hard work if you’re having fun doing it”.  This book is not hard work however, and is a simple and concise read of key principles to consider in driving to your dream.

The post Book Review – Become a Game Changer appeared first on Innovation of Risk.

The book outlines 3 simple techniques from the “Technology Rubic, The Conversation Map, and The Workflow Distributor” to help articulate clear guides to engage across and within generations. These 3 techniques are leveraged later on in the book in Part III, which provides a number of case-studies which provide the reader with practical uses of the techniques outlined in the book.

These case studies are a great way to finish a “How-To Guide”, as it allows the reader the opportunity to understand the techniques in context.

Developing a respect for what others value as results helps build a bridge between ages

As a GenerationX person, it is easy to forget that we all have different working styles, and it is important that we recognise our differences. However, it is more important that in order to leverage these differences in the best possible way, we understand how to engage each other better first.  Robby Slaughter, author, provides some great tools to assist all of us to improve how we engage with each generation.

Overall, this book provides a clear and concise view of how to “gain understanding of how other cohorts view work to improve inter-generational relations”, and one that was pleasantly easy to read.

[Note, this book was provided to me by the author; with no prior relationship or requirement]

The post Book Review – How-To Guide for Generations at Work appeared first on Innovation of Risk.

If you don’t know BIS or Basel, then picture them as the Jedi Council of central banks globally. The Reserve Bank of Australia (RBA) sit on this council; and APRA as the prudential regulator leverage the content that comes from BIS for its prudential regulation.

So, what does this Occassional paper outline?

Essentially the focus is on the 4th line of defence, being Regulatory Supervisors and External Auditors, and how they interact with the 3 lines of defence (being the front-line operating functions, risk management and internal audit).

A key comment in the paper is “a need for establishing standards on how to foster the relationship by balancing the obligation of the supervisor to assess the internal function with his collaborative role in maintaining an open and constructive work relationship for information-sharing purposes”.

The paper then outlines a 4th line that splits function between “assessor role” and “collaborator role”. Essentially, this is where one office provides the resources for prudential reviews whilst another office engages in constant dialogue. However, at the moment this is not formally established in a regulatory standard.

Most telling in the paper is that Internal Audit would see “a shift to a fourth line of defence articulation would be accompanied by a closer interaction between internal auditors, external auditors and supervisors”.

Definitely worth a read if you are in Internal Audit and Risk Management.

The post Four lines of risk management defence… appeared first on Innovation of Risk.

Over the past few decades there have been many examples of failures in organisations, both from a process perspective and a decision-making perspective.  These range from organisationally specific examples such as Enron to the Global Financial Crisis.  We have constantly observed that human behaviour can, and will, result in mistakes, errors and failures. We know that “blind trusting” in rational, ethical and effective behaviour is a path to failure.

Many times this failure will be unintentional, but whether intentional or unintentional the results can be catastrophic.  Just as a production line undertakes quality control testing, there is a need for a holistic approach to ensure there are appropriate checks and balances in the process of running an organisation.

The Australian Prudential Regulatory Authority (APRA), the regulator of Australian financial services, released a practice guide for its Risk Management standard.  This practice guide outlines that “an effective risk governance model contains checks and balances to support appropriate consideration of risk management throughout the APRA-regulated institution. APRA considers the three lines-of-defence risk management and assurance model to be one that facilitates an effective risk governance model for risk management. This model provides assurance that there are clearly defined risk ownership responsibilities with functionally independent levels of oversight and independent assurance.”

An effective risk governance model contains checks and balances to support appropriate consideration of risk management throughout the APRA-regulated institution. APRA considers the three lines-of-defence risk management and assurance model to be one that facilitates an effective risk governance model for risk management. This model provides assurance that there are clearly defined risk ownership responsibilities with functionally independent levels of oversight and independent assurance.

Three Lines of Defence Model

The three lines of defence model is academically designed to embed an approach to implementing effective checks and balances across the organisation. Each line of defence has its place in the holistic approach to risk management that organisations in any industry need to undertake.

In relation to the commercial value of this model, it has become apparent that the creation of three (3) teams, where each is responsible for their aspect has resulted in inefficiencies, ineffectiveness and internal politics. This is not because the 3 teams drive to make this happen, but is due to human nature, which sees every part driving to deliver their specific purpose and focus.

The model itself has not created this lack of commercial value.  This is the result of the lack of clarity in understanding each area’s role in coordination and collaboration across the three lines of defence model.

Working through each line of defence, starting with Internal Audit, the third line, first.

Internal Audit Perspective

Internal Audit departments have focused correctly on the aspect of “independence“. This focus has led many audit departments to create their own approaches and models to risk management. This has resulted in multiple requirements for risk management for the entire business.  The additional challenge has been Internal Audit departments have used independence as a reason to not engage in a dialogue on risk management; where the goal should be the consistency of language, approach, and leveraging each other.

Internal Audit refers to undertaking a risk-based approach to auditing, yet then refers to the fact they need to plan their work based on their risk assessment.  This position may be due to the quality of the business assessment process, or it could be due to their approach to risk assessment being different “because they are coming from a different position”.

However, each of these reasons reinforces the non-commercial approach to managing risk because:

• If the risk assessment approach by the business is not adequate then not utilising the assessment does not improve the process, instead it reinforces the fact that investing in risk assessments at a business level is duplicating effort; and
• If there is a requirement for a single holistic view of risk management across the organisation then Internal Audit’s view cannot be different. It may be true that the level of detail may be different, but essentially the organisation has the same set of risks regardless of the line of defence.

The challenge here is that audit independence is used as a reason for audit not participating in defining risk, yet audit needs the risk assessment to do risk-based auditing.

Risk Management Function Perspective

For the second line of defence, an empire has been born.

The size and complexity of the second line has tracked alongside with business issues and regulatory change.  Organisations have responded to the issues both internally and externally with more people, frameworks and complexity.

Ironically the three lines of defence should simplify the organisation through clarity and consistency.  In particular, the second line should be ensuring that risk management is clear and easy to understand, commercial in nature, and that the organisational goal of ensuring responsible and ethical decision-making is undertaken.  It should be providing the tools to create a learning organisation that improves from its mistakes.

The second line of defence should focus on the following key elements:

• Comprise the subject matter experts across risk management so that the business does not need to recruit “subject-matter experts for each department” but rather use a business partner model, supported by central experts, to support business risk decision making;
• As the second line is not owning the business outcome from the risk decision process it should therefore be adding commercial value through review and challenge; and
• The second line of defence can play a key administrative role in governing risk management frameworks and reporting to the relevant governing committees.  This should in theory provide economies of scale to deliver this reporting as a service for the entire organisation.

Of course, all of the above is based on rational thinking by those that lead the second line of defence.

First Line Perspective

The first line of defence has contributed in the issues of confusion that surround the three lines of defence in two ways.

The first is in creating a new empire of risk roles within the business to deal with the administrative burden that has arisen.  This response appears rational at first glance as this “additional workload” can not take away from the role of servicing the customer or business needs.

This appears to outline that managing risk is additional work.  Yet, every decision undertaken by an employee and their leader is a risk decision. 

This appears to outline that managing risk is additional work.  Yet, every decision undertaken by an employee and their leader is a risk decision.  Of course, the main driver of the language of additional work relates to the fact that you have to document your risk profile for business activities and projects considering internal and external factors; document your incidents/events; document your potential response to events; and document how you arrived at your decision.  Let’s reflect on this “additional work”. The documenting of these items is about running a responsible, ethical and commercially relevant business.

The best outcome is that those that operate the controls, understand the risks and controls naturally to help them manage their business. This is no different to documenting processes and guidelines so people know what to do every day in their role. For example:

• The airline knows its risks and key controls, and has them documented and well understood;
• The hospital we visit undertakes a thorough and well-documented risk assessment;
• The mine site or manufacturing plant documents and understands its incidents/events;
• The retail store has a documented response for a systems failure; and
• That our financial services provider documents the approach it took to understand customer needs and supports them making the right financial decision.

The second aspect relates to the first line taking a position that the burden of documenting be placed on the risk management team (second line).  This approach creates a massive void between those that know the day-to-day operations and those trying to embed a risk management framework within the business.  Given this massive gap it forces the second line to spend more time understanding the intricate details of the business activity, effectively replicating the knowledge of the business activity, and therefore creating inefficiency through duplication.  In addition, taking this position brings the second line function into the decision making process and removes their ability to provide robust challenge and oversight.

Summary

The three lines of defence is an ever-evolving model within organisations and one that must focus on being commercially relevant. This can only be achieved through all parts of the business understanding the model and working in a collaborative, supportive and structured manner.

The post Three Lines of Defence appeared first on Innovation of Risk.

For the later there are quite a number of resources online to learn about risk management in agile projects, such as “Risk Management in Agile” by ScrumAlliance or the paper by Ville Ylimannela from Tampere University of Technology titled “A Model for Risk Management in Agile Software Development”.

Having undertaken a lean startup course a number of years ago, I have always had in the front of my mind the need for risk management to embrace agile approaches.  However, the challenge has been in how best to utilise them in an appropriate fashion for this type of process.

Risk management, across all of the different risk classes, traditionally undertakes an approach of outlining/developing a framework and then robustly “rolling it out” across the business.  We can all picture the powerpoint packs, the word documents, the policies, the workshops, the templates and the submission process.  And I am sure there are many risk professionals who have almost fallen asleep themselves whilst presenting this way!

However, under an agile approach the ability to take 6 months to develop a framework document, develop a tool to populate and then provide a long enough period of time to implement is not acceptable.

Utilising the agile approach, the risk management function needs to outline what are the potentially shippable products in their core components or parts.  Consider this for one moment.  You are not trying to develop the perfect end customer solution, but the first iteration of an ever evolving product.  Ironically, most risk management leaders would say that “they are on a journey” or “continually embedding risk management”.  Both of these comments are perfectly outlining an iterative, agile approach.  Yet, we still fall into the trap of taking massive amounts of time to develop a project and framework, which we know is going to evolve!

Once we have these separable and achievable parts, the focus must shift to developing the backlog of key tasks and activities to complete and then undertaking “sprints” to achieve clear, achievable goals which can be implemented.  This process must include a customer experience component where the focus is on how the customer will utilise the shippable product in their daily lives.

As we stand today, I am the first to say that this is an approach I am tying to embrace more in my daily life in risk management.  I feel this approach is the future of risk management, and the key way we can achieve a more robust, clear, concise, and embedded approach to risk management within the business.

Embracing agile risk management is worth taking the time to consider, particularly the next time you are writing that 20 page framework or policy, and know full well the challenge that lays in front of you to have the business embrace the change.

The post Agile Risk Management appeared first on Innovation of Risk.