ASX | InConsult

ASX Takes Control of Corporate Governance

Tony Harb — Tue, 21 Oct 2025 04:15:29 +0000

ASX Takes Control of Corporate Governance Principles

The structure of corporate governance in Australia is undergoing a fundamental change. The system for establishing the Corporate Governance Principles and Recommendations (CGPR), which guide all ASX Listed Entities, is being overhauled after 23 years.

The catalyst for this shift was the collapse of negotiations for the proposed 5th Edition of the CGPR earlier this year. The 19-member ASX Corporate Governance Council (CGC), a body designed to achieve consensus among diverse industry groups, found itself in gridlock.

This friction prompted the ASX to commission an independent “Review Panel” in June 2025 to recommend a more effective path forward.

The Six Key Recommendations Shaping the Future of CGPR

In September 2025, the Review Panel released a report with sweeping recommendations, which the ASX formally committed to adopting in October 2025. This marks a definitive transition from a broadly representative model to a more centralised and expert-driven approach.

The core recommendations are:

Shift Ultimate Responsibility: The sole authority for developing, approving, and issuing the CGPR will move from the CGC to the ASX.
Establish a New Expert Advisory Group: The ASX will be supported by a small, new Advisory Group of 6-10 members (half the size of the former council), led by an independent Chair.
The Philosophical Shift: Members of the new Advisory Group will be appointed in their individual expert capacity. They will be expected to act in the interests of the entire market, moving away from representing specific industry groups or constituencies.
Retain the “If Not, Why Not” Rule: The existing flexible disclosure approach will remain central to the Principles. This cornerstone of Australian governance gives boards flexibility while maintaining transparency.
Simplify and Streamline: Future Principles will be simplified to avoid overlap with matters already covered in the Corporations Act and other legal/regulatory requirements.
Set a Fixed Renewal Cycle: A 4-year renewal cycle will be implemented to ensure the CGPR remains current and can quickly address evolving risks like ESG, cyber security, and corporate culture.

What This Means for ASX Listed Entities

The ASX’s commitment to these changes signals a move toward a more agile and efficient system for maintaining world-class corporate governance standards in Australia. While the 4th Edition of the Principles remains in effect for now, boards should anticipate quicker responses to global governance trends and a renewed focus on core principles over overly prescriptive rules in the next edition.

Can We Help?

We understand the importance of good governance for Australian listed entities. Since 2001, we have assisted listed entities strengthen their risk management framework to align with better practice and the Corporate Governance Principles and Recommendations (CGPR).

Our services are designed to help boards quickly translate the Principles into actionable compliance and disclosure practices, enabling listed entities to meet the higher standards expected.

For small to medium listed entities, we offer bespoke services that include:

Virtual Risk Officer: We offer expert guidance in establishing formal risk frameworks and conduct independent reviews to assess framework maturity. Additionally, we conduct risk workshops, risk culture assessments, and provide specialised services in areas like business continuity, crisis management, fraud control, modern slavery, and climate change risk.
Virtual Chief Information Security Officer (vCISO): We provide fractional or on-demand cyber security leadership to help you meet the evolving cyber risk landscape, without the cost of a full-time executive.
Internal Audit Services: We provide outsourced or co-sourced internal audit functions, ensuring independent assurance on your controls and operational efficiency, which is vital for maintaining board and stakeholder confidence.

Take risk management to the next level and contact us to discuss your risk and resilience needs.

The post ASX Takes Control of Corporate Governance first appeared on InConsult.

The Evolving Duties of the Board

Tony Harb — Tue, 21 Oct 2025 04:14:23 +0000

The Evolving Duties of the Board: From Compliance to Culture and the ‘Social License to Operate’

In an era of relentless scrutiny and rapid stakeholder expectation shifts, the responsibilities of the Board of Directors have expanded far beyond mere financial oversight and regulatory tick-boxing.

While quarterly earnings and strategic growth remain paramount, a new, equally critical mandate has emerged over the last 10 years – the active cultivation and protection of the company’s culture and its overarching social license to operate. This evolution is starkly articulated in the ASX Corporate Governance Principles and Recommendations (4th Edition), released on 27 February 2019, particularly within Principle 3: Instil a culture of acting lawfully, ethically and responsibly.

For ASX listed companies, the cost of cultural missteps can be catastrophic, leading to reputational damage, regulatory fines, leadership churn, and a precipitous erosion of shareholder value.

The global financial crisis, numerous royal commissions, and ongoing corporate scandals have indelibly demonstrated that robust governance is fundamentally underpinned by a sound culture, not just a comprehensive compliance manual.

Navigating the Rise of Non-Financial Risk

The emphasis on Principle 3 signals a profound shift.

Boards are now unequivocally responsible for overseeing non-financial risks. These are the intangible, yet immensely impactful, dangers that emerge from employee conduct, ethical lapses, compliance breaches, and a failure to embed core values throughout the organisation. Historically, risk committees might have focused predominantly on financial, operational, and market risks. Today, their remit must explicitly extend to:

Conduct Risk: The potential for employee or executive behaviour to cause harm to customers, markets, or the organisation itself.
Reputational Risk: The likelihood of negative public perception impacting brand value, customer loyalty, and investor confidence.
Environmental & Social Risk: Non-compliance or perceived non-compliance with societal expectations around sustainability, human rights, and community engagement.
Cyber & Data Ethics Risk: Beyond technical security, the ethical implications of data usage and the cultural approach to privacy.

The corporate landscape for ASX-listed entities has been repeatedly tested by recent high-profile failures that highlight a critical vulnerability in modern corporate governance: the inadequate oversight of non-financial risks and corporate culture.

1. The Qantas Board Governance Issues (2023–2024)

The Qantas board faced intense scrutiny for prioritizing shareholder interests over customer and social license interests, leading to a significant breakdown of trust. Failures included inadequate oversight of operational decline post-COVID, a contentious retention of substantial customer flight credits, and approving executive actions amid public outrage. This demonstrated a critical governance gap where the board was perceived as insufficiently independent and failed to maintain an effective balance between stakeholders.

2. Board Governance Failures (Crown and Star)

Royal Commissions and regulatory inquiries into both Crown Resorts and The Star Entertainment Group exposed massive systemic failures in risk management and ethical conduct oversight. Directors were found to have presided over a culture that allowed extensive breaches of anti-money laundering and financial crime laws to occur. These cases highlighted a catastrophic failure to establish a robust non-financial risk framework, leading to regulatory action, massive fines, and widespread board and executive turnover.

3. Rex Continuous Disclosure Case (2024)

ASIC initiated legal action against Rex and four of its directors alleging breaches of continuous disclosure obligations and directors’ duties. The core of the complaint is that the company issued an “optimistic” profit forecast without a reasonable basis, and then failed to correct the market promptly when financial information clearly indicated a material downgrade was necessary. This serves as a pointed reminder of the board’s duty to ensure the integrity of market disclosures and avoid misleading investors.

Effective oversight of these non-financial risks requires Boards to move beyond traditional reporting structures. It demands probing questions, access to diverse internal metrics (not just financial KPIs), and a willingness to challenge management on the qualitative aspects of their risk culture.

This proactive approach helps to pre-empt crises rather than merely react to them.

Whistleblowers & Anti-Bribery: Barometers of Culture

Two specific recommendations within Principle 3 serve as vital indicators of an organisation’s cultural health: Recommendation 3.3 (whistleblower policy) and Recommendation 3.4 (anti-bribery and corruption policy). These are not merely administrative requirements; they are fundamental tools for fostering transparency, accountability, and ethical conduct.

A truly effective whistleblower policy does more than just provide a channel for reporting; it creates a safe environment where individuals feel empowered to speak up without fear of reprisal. For ASX boards, this means:

Ensuring the policy is widely communicated and understood.
Verifying the independence and impartiality of the reporting mechanism.
Actively monitoring the number and nature of reports, and critically, the outcomes and remedial actions taken. A low volume of whistleblower reports in a large organisation might signal a culture of fear, not a lack of issues.

Similarly, a robust anti-bribery and corruption policy, supported by consistent enforcement, signals zero tolerance for unethical practices. The Board’s oversight here ensures that the company’s values are not merely aspirational but are deeply ingrained in everyday operations, especially in complex international dealings. These policies act as a crucial feedback loop, giving the board direct insight into the integrity and efficacy of their ethical framework.

Aligning Board Remuneration with Risk and Values

The link between executive remuneration and corporate culture is undeniable, as highlighted in ASX Corporate Governance Principle 8 (Remunerate fairly and responsibly). Where incentive structures overly reward short-term financial gains without sufficient consideration for long-term value creation, ethical conduct, and risk management, they can inadvertently foster a culture of excessive risk-taking and compromise.

Boards must ensure that remuneration frameworks, particularly those for senior executives, explicitly integrate non-financial performance metrics. This includes:

Safety metrics: Especially critical in high-risk industries.
Customer satisfaction scores: Reflecting a commitment to external stakeholders.
ESG (Environmental, Social, Governance) targets: Aligning with sustainability goals and community expectations.
Adherence to risk management frameworks and ethical conduct: Penalising breaches and rewarding responsible behaviour.

By aligning incentives with the entity’s core values and its risk appetite, Boards can reinforce the desired culture. This sends a clear message from the top: sustainable success is built on ethical foundations, and individual rewards are intrinsically linked to collective, responsible performance.

This strategic alignment is paramount for securing and maintaining the “social license to operate,” ensuring long-term viability and stakeholder trust for ASX listed companies in an increasingly scrutinised global market.

How We Can Help Your Board

Our services are designed to help boards quickly translate the Principles into actionable compliance and disclosure practices, enabling listed entities to meet the higher standards expected.

For small to medium listed entities, we offer bespoke services that include:

Virtual Risk Officer: We offer expert guidance in establishing formal risk frameworks and conduct independent reviews to assess framework maturity. Additionally, we conduct risk workshops, risk culture assessments, and provide specialised services in areas like business continuity, crisis management, fraud control, modern slavery, and climate change risk.
Virtual Chief Information Security Officer (vCISO): We provide fractional or on-demand cyber security leadership to help you meet the evolving cyber risk landscape, without the cost of a full-time executive.
Internal Audit Services: We provide outsourced or co-sourced internal audit functions, ensuring independent assurance on your controls and operational efficiency, which is vital for maintaining board and stakeholder confidence.

Take Board Governance to the next level and contact us to discuss your needs.

The post The Evolving Duties of the Board first appeared on InConsult.

The AI Governance Maze: Navigating AI Risks and Chaos

Tony Harb — Wed, 11 Jun 2025 04:37:24 +0000

Five years ago (mid-2020), the AI landscape was primarily dominated by “Narrow AI” models performing specific tasks like image classification, recommendation systems, and basic natural language processing. While foundational large language models like GPT-3 were being introduced (GPT-3 was released in May 2020), their widespread public impact was not yet felt. AI governance and enterprise adoption was still in early stages, with around 47% of companies reporting some AI usage, often in pilot projects or specific functions like IT automation, quality control, and cybersecurity.

Today, there are tens of thousands of AI systems actively deployed worldwide, ranging from specialised Narrow AI models to large language models (LLMs) powering various applications. Model capabilities have advanced rapidly, becoming more powerful, efficient, and accessible, leading to a proliferation of specialised AI models tailored for diverse applications across almost every industry. New models are being developed, refined, and deployed constantly by researchers, companies, and open-source communities. Surveys indicate a higher percentage of enterprise adoption (over 75% in some reports), as many have integrated at least one AI-powered solution, leading to thousands of AI systems across various sectors.

But, when you consider individual instances of AI (like virtual assistants on billions of smartphones or recommendation engines on millions of searches), the number of AI instances actively running is in the billions – a vast and intricate web where each instance represents a potential point of failure or vulnerability from a risk perspective.

Artificial intelligence (AI) offers immense opportunities for individuals and organisations. But with rapid AI advancements comes AI risks and the need for effective AI risk management and robust AI governance.

Top 5 AI Risks

The rapid growth and adoption of AI present both immense opportunities and significant risks for organisations. If you had to only focus on the top 5 current and emerging risks, what would they be?

1. Cybersecurity Vulnerabilities and Sophisticated Attacks

While AI can enhance cybersecurity defences, it also introduces new attack vectors and enables more sophisticated threats. AI-powered phishing, deepfakes for social engineering, adversarial attacks that manipulate AI models, and the creation of advanced malware are becoming more prevalent.

A significant percentage of phishing emails show some AI involvement. One report from April 2025 states that 82.6% of all phishing emails analysed exhibited some use of AI technology. Another report from February 2025 indicated that 67.4% of all phishing attacks in 2024 utilized some form of AI.

Consequently, organisations face increased risks of data breaches, system compromise, and reputational damage as cybercriminals leverage AI to bypass traditional security measures, highlighting an urgent need for proactive, AI-informed cybersecurity strategies rather than relying solely on reactive defences.

2. Ethical, Bias, and Reputation Risks

AI systems are trained on lots and lots of data, and if that data is biased, incomplete, or reflects societal prejudices, the AI will perpetuate and even amplify those biases. This can lead to discriminatory outcomes in areas like hiring, lending, or customer service, resulting in significant ethical concerns, legal challenges, and severe damage to an organisation’s brand and public trust. The “black box” nature of some AI models also makes it difficult to explain decisions, raising transparency and accountability issues.

Untamed AI bias can erode customer loyalty, trigger costly class-action lawsuits, and lead to regulatory sanctions, especially as governments globally focus more on algorithmic fairness. Furthermore, the inability to explain AI decisions can cripple internal investigations, external audits, and consumer trust, creating a profound crisis of accountability.

3. Regulatory and Compliance Complexity

The global regulatory landscape for AI is still evolving, with different regions developing varying approaches. At present (as at June 2025):

The European Union has introduced the EU AI Act, a risk-based regulation effective August 2024, but is now discussing exemptions and voluntary measures amidst industry criticism and signs of regulatory fatigue.
Australia currently has no dedicated AI legislation, but the government has proposed mandatory guardrails for high-risk AI and published guidelines, though the path to comprehensive legislation remains uncertain given global shifts and a focus on deregulation.
The United States currently lacks dedicated federal AI legislation, relying on existing frameworks, and its federal government has adopted a deregulatory stance, even seeking a 10-year moratorium on state-level AI laws.
The United Kingdom favours a light-touch, ‘pro-innovation’ approach without dedicated AI legislation, focusing instead on targeted regulation for high-risk AI models to avoid stifling investment.
The People’s Republic of China does not have unified AI regulation but governs specific use cases like deep synthesis and generative AI, aiming to be a world leader in AI by 2030.

Organisations face increasing pressure to comply with emerging data privacy laws, algorithmic transparency requirements, and industry-specific mandates. Non-compliance can lead to hefty fines, lawsuits, and operational disruptions, requiring constant monitoring and adaptation of AI strategies and governance frameworks.

4. Workforce Displacement and Skills Gaps

AI-driven automation has the potential to displace human jobs, particularly in repetitive or data-intensive roles, and even some high-skill professions. While AI is expected to create new jobs, there’s a significant risk of a mismatch between the skills required for these new roles and the existing workforce capabilities. This can lead to unemployment, social unrest, and a struggle for organisations to find the necessary talent to develop, implement, and manage AI effectively.

5. Operational Risks and Over-Reliance

Over-reliance on AI without sufficient human oversight can lead to significant operational risks. Errors in AI decision-making (sometimes called “hallucinations” in generative AI), false positives or negatives, and unforeseen consequences from complex AI systems can disrupt operations, alienate customers, and lead to financial losses. There’s a risk of losing critical human intuition and decision-making capabilities if AI is allowed to operate without proper human in the loop processes and continuous monitoring.

Strategies to Enhance AI Risk Management

To effectively manage the risks associated with the growth of AI, organisations need a proactive, holistic, and adaptive approach. Here’s a breakdown of key actions organisations should take or at least consider.

1. Establish Robust AI Governance and Ethical Frameworks

Set the foundations of good AI governance. Develop clear organisational principles and principles for responsible AI use, encompassing fairness, transparency, accountability, human oversight, privacy, and security. Translate these into actionable policies and procedures that guide AI development, deployment, and operation.

Assign clear roles and responsibilities for AI governance, potentially including an AI ethics committee, Chief AI Officer, or cross-functional working groups. Ensure board-level oversight of AI initiatives and their associated risks.

Conduct thorough risk assessments for every AI application throughout its lifecycle (design, development, deployment, monitoring). Identify potential biases, security vulnerabilities, and ethical concerns, and implement robust mitigation strategies.

Implement continuous monitoring of AI system performance in real-world settings to detect bias drift, performance degradation, and unexpected outputs. Conduct regular internal and third-party audits to validate governance and security controls.

2. Enhance Data Management, Privacy, and Cybersecurity

Establish stringent data governance practices, ensuring the quality, integrity, and representativeness of training data to mitigate bias. Implement strong data anonymization and de-identification techniques when handling sensitive information.

Embed privacy-by-design principles into the AI system development process from the outset, ensuring personal data is handled ethically and in compliance with relevant privacy regulations (e.g., Australian Privacy Principles, GDPR).

Maintain robust cybersecurity measures. Treat AI systems as critical information assets requiring the highest level of cybersecurity. Implement end-to-end encryption, strict access controls, regular vulnerability testing, and threat intelligence specific to AI (e.g., adversarial attack detection). Involve cybersecurity teams from the earliest stages of AI development.

3. Prioritise Workforce Adaptation and Skill Development

Invest ‘appropriately’ in comprehensive AI literacy training for all relevant staff, from technical teams to business leaders. Educate employees on ethical AI use, how to recognise potential biases, and how to effectively collaborate with AI systems.

Develop clear career pathways for roles likely to be transformed by AI. Implement reskilling and upskilling programs to equip employees with the new skills needed to work alongside or manage AI technologies, focusing on uniquely human capabilities like critical thinking, creativity, and empathy.

Foster an AI-friendly culture that encourages experimentation, adaptability, and open dialogue about AI’s role in the organisation, alleviating fears of job displacement.

4. Ensure Regulatory Compliance and Transparency

Monitor and stay updated on the rapidly evolving global and local AI regulatory landscape (e.g., potential Australian AI framework, EU AI Act). Proactively adapt internal policies and practices to align with new laws and industry standards.

Whenever possible, strive for explainable AI (XAI) models, documenting development processes, data sources, and decision-making logic. This transparency is crucial for accountability, trust, and demonstrating compliance to regulators and stakeholders.

Engage legal and ethical experts to review AI applications, contracts with third-party AI providers, and internal policies to ensure compliance and mitigate legal and reputational risks.

5. Foster a Culture of Responsible Innovation

Design AI systems with appropriate human oversight and intervention capabilities (Human-in-the-Loop), especially for critical decision-making processes. AI should augment, not replace, human judgment.

Engage diverse stakeholders, including employees, customers, partners, and even external experts, in the design and oversight of AI systems. This fosters inclusivity, garners different perspectives, and builds trust.

Start with low-risk pilot projects to test AI applications, gather feedback, and iterate quickly. Scale AI adoption responsibly, learning from each implementation.

Take Outs

The widespread adoption of AI, with tens of thousands of deployed systems and billions of individual instances, presents significant opportunities but also critical risks for organisations.

The top five AI risks include increased cybersecurity vulnerabilities from sophisticated AI-powered attacks, ethical and reputational damage due to inherent biases in AI models, complex regulatory and compliance challenges given evolving global AI legislation (which varies significantly by country, from the EU’s risk-based approach to the US and UK’s deregulatory stance), potential workforce displacement and widening skills gaps, and operational risks stemming from over-reliance on AI without sufficient human oversight.

To mitigate these, organisations must establish robust AI governance and ethical frameworks, enhance data management and cybersecurity, prioritize workforce adaptation through training and reskilling, ensure continuous regulatory compliance and transparency (e.g., via Explainable AI), and foster a culture of responsible innovation with human oversight and stakeholder engagement.

Can We Help You Improve AI Governance?

Our AI Risk Governance services are designed to help organisations navigate the complexities of AI, ensuring ethical practices, regulatory compliance, and manage AI risks at every stage of AI development and deployment.

Future-Proof Your AI with Strong Governance

We can help you design and build a clear, custom AI governance framework. This means engaging with stakeholders, setting up clear rules, responsibilities, and ethical guidelines for all your AI projects. By doing this, you’ll reduce unforeseen risks, ensure your AI aligns with your company values, and build a foundation that adapts to future regulations, keeping you ahead of the curve.

Pinpoint and Fix Your AI Risks

Our risk, cybersecurity and AI experts can conduct thorough risk assessments of your AI systems to uncover potential issues like hidden biases, cybersecurity weaknesses, privacy gaps, and operational flaws. We draft concrete strategies to fix these problems, helping you avoid costly mistakes, legal challenges, and damage to your reputation. You’ll gain peace of mind knowing your AI is robust and reliable.

Secure Your AI Against Emerging Cyber Threats

AI introduces new cybersecurity challenges. We can assess the specific security risks of your AI systems and the data they use, implementing robust defences against new threats like AI-powered attacks and data breaches. Our goal is to safeguard your critical assets and sensitive information, ensuring your AI operates in a secure environment and protecting your business from costly cyber incidents.

The post The AI Governance Maze: Navigating AI Risks and Chaos first appeared on InConsult.