<?xml version="1.0" encoding="UTF-8"?><rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>RISK OFFICER | InConsult</title>
	<atom:link href="https://inconsult.com.au/publication-category/risk-officer/feed/" rel="self" type="application/rss+xml" />
	<link>https://inconsult.com.au</link>
	<description>Helping you confidently take risks</description>
	<lastBuildDate>Sun, 09 Nov 2025 18:48:59 +0000</lastBuildDate>
	<language>en-AU</language>
	<sy:updatePeriod>
	hourly	</sy:updatePeriod>
	<sy:updateFrequency>
	1	</sy:updateFrequency>
	

<image>
	<url>https://inconsult.com.au/wp-content/uploads/2021/06/cropped-favicon-3-32x32.jpg</url>
	<title>RISK OFFICER | InConsult</title>
	<link>https://inconsult.com.au</link>
	<width>32</width>
	<height>32</height>
</image> 
	<item>
		<title>GRC Capability vs Technology: The Differences</title>
		<link>https://inconsult.com.au/publication/grc-capability-vs-technology-the-differences/</link>
		
		<dc:creator><![CDATA[Tony Harb]]></dc:creator>
		<pubDate>Fri, 10 Oct 2025 03:18:02 +0000</pubDate>
				<guid isPermaLink="false">https://inconsult.com.au/?post_type=publication&#038;p=13127</guid>

					<description><![CDATA[<p>GRC Technology vs. GRC Capability: Understanding the Difference The term GRC (Governance, Risk and Compliance) was first used in the early/mid 2000s, gaining prominence after major corporate scandals such as Enron and WorldCom led to the introduction of regulatory reforms like the Sarbanes-Oxley Act (2002) in the United States. These events highlighted the need for [&#8230;]</p>
The post <a href="https://inconsult.com.au/publication/grc-capability-vs-technology-the-differences/">GRC Capability vs Technology: The Differences</a> first appeared on <a href="https://inconsult.com.au">InConsult</a>.]]></description>
										<content:encoded><![CDATA[<h1>GRC Technology vs. GRC Capability: Understanding the Difference</h1>
<p>The term GRC (Governance, Risk and Compliance) was first used in the early/mid 2000s, gaining prominence after major corporate scandals such as <a href="https://www.investopedia.com/updates/enron-scandal-summary/" target="_blank" rel="noopener">Enron</a> and WorldCom led to the introduction of regulatory reforms like the Sarbanes-Oxley Act (2002) in the United States. These events highlighted the need for stronger governance structures, integrated risk management, and regulatory accountability — giving rise to what we now recognise as GRC.</p>
<p>Many organisations believe that purchasing a GRC platform equals GRC maturity. The reality? Software alone does not create good governance.</p>
<p>True GRC is a capability built on policy, people, processes and culture, enabled by technology.</p>
<p>When these elements are misaligned, even the most expensive tools fail. This article helps leaders recognise that GRC is an organisational discipline, not an IT project or a stand-alone system.</p>
<h2><strong>Why GRC Is More Than Just Software</strong></h2>
<p>Buying a tool without clear governance structures, decision rights, and accountabilities creates confusion rather than clarity. GRC capability starts with purpose and policy — then aligns responsibility, process, and technology.</p>
<p><strong>Risk: </strong>Organisations that rush into technology miss foundational elements, resulting in &#8220;shelfware&#8221;, low adoption and inconsistent practices.</p>
<p><strong>Risk mitigation actions:</strong></p>
<ul>
<li>Align technology with policy and governance frameworks.</li>
<li>Define ownership (risk, compliance, audit) before automation.</li>
<li>Assess your maturity before tool selection.</li>
</ul>
<h2><strong>People and Culture &#8211; The Real Engine of GRC Capability</strong></h2>
<p>Even the best system won&#8217;t fix a weak risk culture, broken processes or disengaged users. If leadership, risk owners or frontline staff don’t understand their role, GRC becomes a compliance chore rather than a practice that adds value.</p>
<p><strong>Risk: </strong>Without role clarity and engagement, risk data becomes unreliable, workflows stall, and decisions are made blind.</p>
<p><strong>Risk mitigation actions:</strong></p>
<ul>
<li>Deliver role-based GRC training and cultural embedding.</li>
<li>Establish governance committees and escalation protocols.</li>
<li>Strengthen accountability across the three lines (management, risk and compliance functions, internal audit).</li>
</ul>
<h2><strong>Processes &#8211; The Hidden Weak Link in GRC Implementation</strong></h2>
<p>GRC tools can only automate what already works. If risk assessments, incident workflows, or policy lifecycles are unclear, the system simply digitises chaos.</p>
<p><strong>Risk:</strong> Broken processes lead to inconsistent risk reporting, duplicate registers, and poor audit traceability.</p>
<p><strong>Risk mitigation actions:</strong></p>
<ul>
<li>Map and optimise risk, compliance and incident workflows.</li>
<li>Standardise process libraries before automation.</li>
<li>Establish data taxonomy and control hierarchies.</li>
</ul>
<h2><strong>Technology as an Enabler &#8211; Not the Hero</strong></h2>
<p>Software should enable integration, not dictate the GRC model. Over-customisation or ‘bending’ the tool to broken processes often results in complexity and user frustration.</p>
<p><strong>Risk: </strong>Technology misalignment creates resistance, workarounds and shadow systems (spreadsheets, emails, manual logs).</p>
<p><strong>Risk mitigation actions:</strong></p>
<ul>
<li>Conduct GRC tool health checks and utilisation audits.</li>
<li>Simplify configuration in line with process reality.</li>
<li>Introduce optimisation roadmaps post-implementation.</li>
</ul>
<h2><strong>Key Takeaway</strong></h2>
<p>Successful GRC is a journey, not a go-live event.</p>
<p>Ultimately, organisations that view GRC as a true enterprise capability &#8211; built on strong governance, clear ownership, aligned processes and engaged people &#8211; are the ones that extract real value from their technology investment.</p>
<p>A platform alone cannot create maturity; it must sit on a foundation of purpose, process and accountability.</p>
<p>By strengthening capability first and using technology as an enabler, organisations move beyond compliance to create a system that supports confident decision-making, resilience and long-term trust.</p>
<h2><strong>How InConsult Bridges the GRC Gap</strong></h2>
<p>You don’t build GRC maturity by installing software. You build it by developing capability, and technology follows.</p>
<p>InConsult helps organisations shift from tool reliance to capability growth. Discover InConsult’s GRC Assurance and Optimisation services.</p>
<p>As risk, governance, compliance, and audit practitioners, InConsult specialises in GRC Post-Implementation Reviews. We help organisations identify red flags, assess system effectiveness, and implement improvement plans. Our independent guidance ensures your GRC system becomes a reliable tool for decision-making, risk oversight, and regulatory compliance — quickly turning underperformance into opportunity.</p>
<p>Bring people, systems and processes together to better manage risk and compliance, <a title="Contact Us" href="https://inconsult.com.au/contact-us/">contact us</a> to discuss your GRC needs.</p>
The post <a href="https://inconsult.com.au/publication/grc-capability-vs-technology-the-differences/">GRC Capability vs Technology: The Differences</a> first appeared on <a href="https://inconsult.com.au">InConsult</a>.]]></content:encoded>
					
		
		
			</item>
		<item>
		<title>New GRC system: Fix Post Go-Live Issues Early</title>
		<link>https://inconsult.com.au/publication/new-grc-system-fix-post-go-live-issues-early/</link>
		
		<dc:creator><![CDATA[Tony Harb]]></dc:creator>
		<pubDate>Fri, 10 Oct 2025 00:05:10 +0000</pubDate>
				<guid isPermaLink="false">https://inconsult.com.au/?post_type=publication&#038;p=13112</guid>

					<description><![CDATA[<p>Post Go-Live Reality: Early Warning Signs Your GRC System Is Underperforming Implementing a GRC system is a major investment in technology, processes, and culture. Yet many organisations discover that, a few months after go-live, the system isn’t delivering the expected value. The consequences aren’t just financial – as compliance gaps could lead to increased regulatory [&#8230;]</p>
The post <a href="https://inconsult.com.au/publication/new-grc-system-fix-post-go-live-issues-early/">New GRC system: Fix Post Go-Live Issues Early</a> first appeared on <a href="https://inconsult.com.au">InConsult</a>.]]></description>
										<content:encoded><![CDATA[<h1>Post Go-Live Reality: Early Warning Signs Your GRC System Is Underperforming</h1>
<p>Implementing a GRC system is a major investment in technology, processes, and culture. Yet many organisations discover that, a few months after go-live, the system isn’t delivering the expected value. The consequences are not only financial. Compliance gaps can also attract increased regulatory scrutiny:</p>
<ul>
<li>Under CPS 220 and CPS 230, APRA expects robust Risk Management Information Systems (RMIS) that support timely and accurate reporting.</li>
</ul>
<p>This is not confined to the prudential regulator; regulators in other sectors and jurisdictions continue to demand more from Risk &amp; Compliance teams:</p>
<ul>
<li>ASIC requires robust compliance and conduct controls</li>
<li>AUSTRAC expects systems for financial crime, AML/CTF monitoring, and reporting</li>
<li>Global bodies like the SEC (U.S.), FCA (UK), and EBA (Europe) enforce integrated risk management, operational resilience, and reporting obligations</li>
<li>Sector-specific regulators such as the TGA (health), AEMO/AER (energy), and prudential authorities in finance also demand evidence of controlled, auditable processes</li>
</ul>
<p>This non-exhaustive list highlights the regulatory challenge that modern organisations face and reinforces the need for mature GRC platforms. So when your GRC system underperforms, it is important to identify the issues early and ensure the platform performs from day one.</p>
<p>Here are some early warning signs to look out for:</p>
<h2><strong>1. Low User Adoption and Engagement</strong></h2>
<p>Even the most advanced GRC platform fails if users don’t engage with it consistently. Low adoption can manifest as minimal logins, incomplete workflows, or continued reliance on spreadsheets and emails.</p>
<p>User engagement is a critical predictor of system success. Poor adoption leads to gaps in risk reporting, incomplete audit trails, and misalignment between business and technology.</p>
<p><strong>Actions:</strong></p>
<ol>
<li>Conduct targeted user training sessions and refresher workshops.</li>
<li>Implement a communication plan highlighting benefits and quick wins.</li>
<li>Introduce dashboards and KPIs to show users how their input drives decision-making.</li>
</ol>
<h2><strong>2. Clunky GRC Interface or Inefficient Workflows</strong></h2>
<p>GRC systems are intended to streamline processes, but poorly configured workflows or overly complex approval steps can frustrate users and slow operations.</p>
<p>Inefficient workflows increase errors, reduce efficiency, and discourage use. When workflows don’t align with how the business actually operates, staff may bypass the system or duplicate work, undermining the platform’s value.</p>
<p><strong>Actions:</strong></p>
<ol>
<li>Review and map existing business processes against system workflows.</li>
<li>Simplify approval chains and automate repetitive tasks.</li>
<li>Engage key users to test revised workflows before full rollout.</li>
</ol>
<h2><strong>3. Poor Data Quality and Reporting</strong></h2>
<p>A GRC system is only as effective as the data it contains. Inconsistent data entry, missing fields, or errors in migrated data can lead to inaccurate dashboards and misleading reports.</p>
<p>Decision-makers rely on GRC systems for insight into enterprise risks. Poor data quality compromises board reporting, regulatory compliance, and risk visibility.</p>
<p><strong>Actions:</strong></p>
<ol>
<li>Perform a data cleansing and standardisation exercise.</li>
<li>Implement mandatory fields, validation rules, and automation to reduce errors.</li>
<li>Schedule regular audits and monitoring of data quality metrics.</li>
</ol>
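<p>As an added example (not code from the original article or from any GRC vendor), the three actions above can be expressed as a repeatable check over a risk register export. The script below assumes a hypothetical CSV layout (risk_id, title, owner, inherent_rating, residual_rating, last_reviewed, control_ids), a four-point rating scale and a 180-day review policy; the sample export is constructed for illustration, not real client data. It applies mandatory-field and validation rules, flags duplicate register entries, stale reviews and unparseable dates, and summarises findings per rule so the counts can be trended as data-quality metrics.</p>

```python
"""Data-quality checks over a risk register export (illustrative, added example)."""
import csv
import io
from collections import Counter
from datetime import date, datetime, timedelta

# Constructed sample export. Column names are an assumed layout;
# map them to your platform's export schema before use.
SAMPLE_EXPORT = """risk_id,title,owner,inherent_rating,residual_rating,last_reviewed,control_ids
R-001,Payment fraud,Jane Citizen,High,Medium,2025-09-01,C-10;C-11
R-002,Vendor outage,,High,High,2025-02-14,C-20
R-002,Vendor outage (dup),Ops Lead,High,Medium,2025-09-20,
R-003,Data breach,CISO,Extreme,Low,not a date,C-30
R-004,Key person loss,HR Lead,Medium,Medium,2025-10-01,C-40
"""

MANDATORY_FIELDS = ("risk_id", "title", "owner", "inherent_rating",
                    "residual_rating", "last_reviewed")
RATING_SCALE = ("Low", "Medium", "High", "Extreme")  # assumed four-point scale
REVIEW_PERIOD = timedelta(days=180)                  # assumed review policy


def parse_iso_date(value):
    """Return a date for YYYY-MM-DD input, or None when it does not parse."""
    try:
        return datetime.strptime(value.strip(), "%Y-%m-%d").date()
    except ValueError:
        return None


def check_register(csv_text, today):
    """Apply validation rules to every row; return (risk_id, rule, detail) tuples."""
    rows = list(csv.DictReader(io.StringIO(csv_text)))
    id_counts = Counter(r["risk_id"] for r in rows)
    findings = []
    for n, r in enumerate(rows, start=1):
        rid = r.get("risk_id") or f"row {n}"
        # Mandatory fields: empty owner is the classic "nobody is accountable" gap.
        for field in MANDATORY_FIELDS:
            if not (r.get(field) or "").strip():
                findings.append((rid, "missing_mandatory", field))
        # Duplicate identifiers usually mean two registers were merged without reconciliation.
        if id_counts[r["risk_id"]] > 1:
            findings.append((rid, "duplicate_id", f"{id_counts[r['risk_id']]} rows"))
        # Ratings must come from the agreed scale, and residual cannot exceed inherent.
        inh, res = r.get("inherent_rating"), r.get("residual_rating")
        for field, value in (("inherent_rating", inh), ("residual_rating", res)):
            if value and value not in RATING_SCALE:
                findings.append((rid, "invalid_rating", f"{field}={value}"))
        if inh in RATING_SCALE and res in RATING_SCALE and \
                RATING_SCALE.index(res) > RATING_SCALE.index(inh):
            findings.append((rid, "residual_exceeds_inherent", f"{res} > {inh}"))
        # Review dates: unparseable values break dashboards silently; old ones mean stale data.
        raw_date = r.get("last_reviewed", "")
        reviewed = parse_iso_date(raw_date)
        if raw_date.strip() and reviewed is None:
            findings.append((rid, "unparseable_date", raw_date))
        elif reviewed and today - reviewed > REVIEW_PERIOD:
            findings.append((rid, "stale_review", f"{(today - reviewed).days} days"))
        # A risk with no linked control cannot be evidenced in an audit.
        if not (r.get("control_ids") or "").strip():
            findings.append((rid, "no_linked_controls", ""))
    return findings


def summarise(findings):
    """Count findings per rule: the figure to trend on a data-quality dashboard."""
    return dict(Counter(rule for _, rule, _ in findings))


def run_sample():
    """Run the checks over the constructed export as at a fixed date."""
    return check_register(SAMPLE_EXPORT, date(2025, 11, 9))


if __name__ == "__main__":
    for finding in run_sample():
        print(finding)
    print(summarise(run_sample()))
```

<p>Run this as a scheduled job against the platform's scheduled export and alert when any rule count rises; the per-rule counts are the "data quality metrics" the third action refers to, and the per-row findings give the register owner a worklist rather than a vague instruction to "clean the data".</p>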
<h2><strong>4. Integration and GRC System Performance Issues</strong></h2>
<p>Post-go-live, integration with existing systems such as HR, incident management, and policy libraries may be incomplete or unstable. System slowdowns or errors can frustrate users and reduce confidence.</p>
<p>Seamless integration is essential for a single source of truth across governance, risk, and compliance functions. Poor integration reduces visibility, introduces duplicate data, and increases operational risk.</p>
<p><strong>Actions:</strong></p>
<ol>
<li>Conduct a full integration review to identify gaps or conflicts.</li>
<li>Optimise data flow between systems and implement automation where possible.</li>
<li>Monitor performance and error logs to proactively resolve issues.</li>
</ol>
<h2><strong>5. Misalignment with Risk and Compliance Objectives</strong></h2>
<p>Sometimes, the system delivers outputs, but they don’t align with the organisation’s risk frameworks, reporting requirements, or regulatory expectations. Misalignment leads to wasted investment, reporting gaps, and potential non-compliance.</p>
<p><strong>Actions:</strong></p>
<ol>
<li>Reassess system configuration against risk and compliance frameworks.</li>
<li>Adjust reporting templates and dashboards to align with board and regulator needs.</li>
<li>Conduct workshops with key stakeholders to ensure outputs meet operational and strategic objectives.</li>
</ol>
<h2><strong>Key Takeaway</strong></h2>
<p>Post-go-live issues are common but preventable if organisations proactively monitor adoption, workflows, data quality, integration, and alignment. Addressing these early ensures the GRC system delivers real insights, strengthens governance, and meets regulatory expectations. An early Post-Implementation Review identifies misalignments and provides actionable recommendations.</p>
<h2><strong>How InConsult Bridges the GRC Gap</strong></h2>
<p>Want your GRC system to deliver real value? Discover InConsult’s GRC Assurance and Optimisation services.</p>
<p>As risk, governance, compliance, and audit practitioners, InConsult specialises in GRC Post-Implementation Reviews. We help organisations identify red flags, assess system effectiveness, and implement improvement plans. Our independent guidance ensures your GRC system becomes a reliable tool for decision-making, risk oversight, and regulatory compliance — quickly turning underperformance into opportunity.</p>
<p>Bring people, systems and processes together to better manage risk and compliance, <a title="Contact Us" href="https://inconsult.com.au/contact-us/">contact us</a> to discuss your GRC needs.</p>
The post <a href="https://inconsult.com.au/publication/new-grc-system-fix-post-go-live-issues-early/">New GRC system: Fix Post Go-Live Issues Early</a> first appeared on <a href="https://inconsult.com.au">InConsult</a>.]]></content:encoded>
					
		
		
			</item>
		<item>
		<title>GRC System Readiness Assessment: 5 Key Questions</title>
		<link>https://inconsult.com.au/publication/grc-system-readiness-assessment-5-key-questions/</link>
		
		<dc:creator><![CDATA[Tony Harb]]></dc:creator>
		<pubDate>Thu, 09 Oct 2025 21:53:46 +0000</pubDate>
				<guid isPermaLink="false">https://inconsult.com.au/?post_type=publication&#038;p=13103</guid>

					<description><![CDATA[<p>GRC Readiness – The 5 Questions Every Organisation Must Ask Before Selecting a Platform Before investing in a Governance, Risk, and Compliance (GRC) platform, organisations need to pause and evaluate their readiness. Regulators such as APRA, under CPS 220 and CPS 230, expect organisations to maintain reliable Risk Management Information Systems (RMIS). However, technology alone [&#8230;]</p>
The post <a href="https://inconsult.com.au/publication/grc-system-readiness-assessment-5-key-questions/">GRC System Readiness Assessment: 5 Key Questions</a> first appeared on <a href="https://inconsult.com.au">InConsult</a>.]]></description>
										<content:encoded><![CDATA[<h1>GRC Readiness – The 5 Questions Every Organisation Must Ask Before Selecting a Platform</h1>
<p>Before investing in a Governance, Risk, and Compliance (GRC) platform, organisations need to pause and evaluate their readiness.</p>
<p>Regulators such as <a href="https://www.apra.gov.au/">APRA</a>, under CPS 220 and CPS 230, expect organisations to maintain reliable Risk Management Information Systems (RMIS). However, technology alone does not guarantee better risk oversight. A platform implemented without assessing readiness risks under-delivering, wasting investment and creating compliance gaps.</p>
<p>A GRC Readiness Assessment helps organisations align their operating model, ownership structures, integration needs and change capability before committing to a system, maximising return on investment and strengthening decision-making. Here are our top 5 questions to ask before you invest in a GRC system.</p>
<h2><strong>1. What Problem Are We Actually Trying to Solve?</strong></h2>
<p>Many organisations invest in GRC platforms without a clear understanding of the problem they are trying to solve. Is the priority regulatory reporting, audit efficiency, enterprise risk visibility, or incident management?</p>
<p>Providing GRC vendors with a list of your requirements is not the same as defining the problem you are trying to solve. Yes, it will help, but the &#8216;functional requirements&#8217; should be the output of an in-depth needs analysis.</p>
<p><strong>Why it matters:</strong></p>
<p>Without clarity, organisations often purchase overly complex systems with features they don’t need, or they fail to solve core gaps. This leads to underused technology, frustrated users, and poor adoption. By defining the problem upfront, organisations can target solutions that genuinely fit and add value.</p>
<h2><strong>2. Are Our Processes, Governance, and Data GRC Ready?</strong></h2>
<p>A GRC platform amplifies the strengths and weaknesses of existing processes and governance structures. If workflows are inconsistent, controls are poorly defined, or data quality is unreliable, automation will not fix the underlying problems.</p>
<ul>
<li>The risk and compliance framework should be robust and have an operating rhythm.</li>
<li>People should understand the fundamentals of risk management.</li>
<li>The risk culture must be alive and well.</li>
</ul>
<p><strong>Why it matters:</strong></p>
<p>Platforms rely on accurate, standardised data to provide insights. Investing in technology without process and data readiness can produce misleading reports, compliance gaps, and lost trust with regulators and boards. A readiness assessment ensures that your frameworks, controls, and data are fit-for-purpose, giving the platform a foundation to deliver measurable business value.</p>
<h2><strong>3. Who Will Own and Sustain the GRC Platform?</strong></h2>
<p>Ownership is critical for long-term GRC success. We&#8217;ve seen ownership range from the company secretary to the risk officer to the IT manager. Assigning responsibility solely to IT or a single department risks poor adoption, missed updates, and fragmented oversight. GRC itself aims to break down silos. A clearly defined governance model ensures accountability for system administration, workflow management, and user support.</p>
<p><strong>Why it matters:</strong></p>
<p>Without business ownership, the platform becomes a compliance checkbox rather than a decision-making tool. Identifying owners across risk, compliance, and audit functions ensures ongoing maintenance, process alignment, and active use &#8211; enabling the system to deliver insights consistently and reliably.</p>
<h2><strong>4. How Will the GRC Platform Integrate with Existing Systems?</strong></h2>
<p>Organisations often have multiple tools: HR systems, incident management platforms, policy libraries, and reporting tools. A GRC platform that cannot integrate with these systems creates silos and duplicate work. Some organisations don&#8217;t need full integration, but if you do, integration design and its security (which systems the platform authenticates to, what data flows between them, and who can see it) become major considerations.</p>
<p><strong>Why it matters:</strong></p>
<p>Integration is essential for real-time visibility and accurate reporting. By mapping existing systems and defining integration points upfront, organisations can streamline workflows, reduce manual work, and provide the board with a single source of truth for governance, risk, and compliance information.</p>
<h2><strong>5. Are We Ready for Change?</strong></h2>
<p>Even the best platform will fail if users are resistant to change. Implementing a GRC system often requires a cultural shift &#8211; from manual reporting and siloed ownership to automated workflows, shared accountability, and transparent reporting.</p>
<p><strong>Why it matters:</strong></p>
<p>Without leadership support and a change management strategy, adoption will be slow, processes inconsistent, and the system underused. Assessing organisational readiness for change ensures that training, communication, and engagement strategies are in place to make adoption smooth, sustainable, and effective.</p>
<h2><strong>Key Takeaway</strong></h2>
<p>In practice, organisations will have more questions to answer, but this is our recommended starting point.</p>
<p>A GRC platform is only as effective as the organisation using it. Readiness assessment prevents wasted investment, poor adoption, and regulatory gaps. Organisations that answer these questions before selecting a platform position themselves for real value creation — aligning people, processes, and technology.</p>
<h2><strong>How InConsult Bridges the Gap</strong></h2>
<p>Want your GRC system to deliver real value? Discover InConsult’s GRC Assurance and Optimisation services.</p>
<p>Our GRC Readiness assessment prevents wasted investment, poor adoption, and regulatory gaps. Organisations that answer these questions before selecting a platform position themselves for real value creation.</p>
<p>Bring people, systems and processes together to better manage risk and compliance, <a title="Contact Us" href="https://inconsult.com.au/contact-us/">contact us</a> to discuss your GRC needs.</p>
The post <a href="https://inconsult.com.au/publication/grc-system-readiness-assessment-5-key-questions/">GRC System Readiness Assessment: 5 Key Questions</a> first appeared on <a href="https://inconsult.com.au">InConsult</a>.]]></content:encoded>
					
		
		
			</item>
		<item>
		<title>Why GRC Systems Fail &#038; How to Unlock Real Value</title>
		<link>https://inconsult.com.au/publication/why-grc-systems-fail-how-to-unlock-real-value/</link>
		
		<dc:creator><![CDATA[Tony Harb]]></dc:creator>
		<pubDate>Thu, 09 Oct 2025 20:20:12 +0000</pubDate>
				<guid isPermaLink="false">https://inconsult.com.au/?post_type=publication&#038;p=13087</guid>

					<description><![CDATA[<p>Why GRC Systems Fail &#38; How to Unlock Real Value Many organisations invest heavily in GRC platforms expecting instant transformation and a strategic engine – only to find they’ve just gained a static reporting tool. With regulators like APRA explicitly requiring organisations to maintain robust risk management information systems through   CPS 220 (Risk Management) and [&#8230;]</p>
The post <a href="https://inconsult.com.au/publication/why-grc-systems-fail-how-to-unlock-real-value/">Why GRC Systems Fail & How to Unlock Real Value</a> first appeared on <a href="https://inconsult.com.au">InConsult</a>.]]></description>
										<content:encoded><![CDATA[<h1>Why GRC Systems Fail &amp; How to Unlock Real Value</h1>
<p>Many organisations invest heavily in GRC platforms expecting instant transformation and a strategic engine – only to find they’ve just gained a static reporting tool.</p>
<p>With regulators like APRA explicitly requiring organisations to maintain robust risk management information systems through <a href="https://www.apra.gov.au/">CPS 220</a> (Risk Management) and CPS 230 (Operational Risk Management), it is no longer enough to just own a system.</p>
<p>GRC systems must be implemented effectively, governed properly and capable of supporting real risk insight and decision-making.</p>
<h2><strong>Common GRC System Pitfalls</strong></h2>
<p>Many GRC systems fail not because of the software, but because of the environment they’re dropped into. Why the gap between expectation and reality?</p>
<h4>1. No Clear Problem Definition</h4>
<p>Organisations often implement a GRC system without clearly defining the core problem. Is it risk visibility? Compliance tracking? Audit management? Incident management? All the above?</p>
<p>Without clarity, the system becomes a catch-all tool with no meaningful impact.</p>
<h4>2. Immature or Inconsistent Processes</h4>
<p>Automating broken processes doesn’t fix them; it simply institutionalises inefficiency. If risk assessments, incident reporting or compliance workflows are inconsistent or manual, the system will mirror confusion rather than deliver control.</p>
<h4>3. Poor Data Foundations</h4>
<p>Garbage in, garbage out!</p>
<p>GRC systems are only as strong as the data they consume. Inconsistent risk registers, outdated policies, and fragmented reporting produce dashboards that look impressive but lack accuracy or trustworthiness.</p>
<h4>4. Lack of Change Management &amp; User Engagement</h4>
<p>A common but fatal error is assuming users will “figure it out”. Without proper training, stakeholder buy-in, and ongoing governance, adoption stalls and the system is underused or abandoned.</p>
<p>This problem is further exacerbated when key staff leave.</p>
<h2><strong>Technology Alone Isn’t GRC</strong></h2>
<p>To function properly, a GRC system requires solid foundations that include:</p>
<ul>
<li>Clear Governance – Who owns risk? Who approves controls and exceptions?</li>
<li>Defined Processes – How do we escalate issues? Track actions? Monitor compliance?</li>
<li>People &amp; Roles – Do executives trust the outputs? Do users understand their responsibilities?</li>
<li>Culture &amp; Accountability – Are teams using the system, or still operating in spreadsheets?</li>
</ul>
<p>Without these components, even the most powerful and expensive GRC platform becomes nothing more than a database with reporting features — not a decision-making engine.</p>
<h2><strong>What GRC Success Looks Like</strong></h2>
<p>A successful GRC implementation goes far beyond configuration. It transforms how decisions are made. High-performing GRC systems deliver:</p>
<ul>
<li>Trustworthy Data &amp; Insights – Executives and Boards rely on it for governance, reporting, and assurance.</li>
<li>True Integration – Risk, compliance, audit, incidents and actions linked in one ecosystem.</li>
<li>Active Adoption &amp; Engagement – Staff use it daily because it simplifies their work.</li>
<li>Continuous Improvement – Dashboards and workflows evolve with the organisation, not remain static after go-live.</li>
</ul>
<p>In short, the GRC system moves from being a reporting database to a strategic platform for governance, risk and compliance intelligence.</p>
<h2><strong>How InConsult Bridges the Gap</strong></h2>
<p>Want your GRC system to deliver real value? Discover InConsult’s GRC Assurance and Optimisation services. As experienced risk, compliance and audit practitioners, we:</p>
<ul>
<li>Assess readiness before selection.</li>
<li>Align processes and frameworks before configuration.</li>
<li>Support user adoption and data integrity.</li>
<li>Review performance post-implementation to ensure ongoing value.</li>
</ul>
<p>Bring people, systems and processes together to better manage risk and compliance, <a title="Contact Us" href="https://inconsult.com.au/contact-us/">contact us</a> to discuss your GRC needs.</p>
The post <a href="https://inconsult.com.au/publication/why-grc-systems-fail-how-to-unlock-real-value/">Why GRC Systems Fail & How to Unlock Real Value</a> first appeared on <a href="https://inconsult.com.au">InConsult</a>.]]></content:encoded>
					
		
		
			</item>
		<item>
		<title>New Third Party Requirements Reshaping Australia</title>
		<link>https://inconsult.com.au/publication/third-party-audits-reshaping-organisations/</link>
		
		<dc:creator><![CDATA[William Makdessi]]></dc:creator>
		<pubDate>Thu, 18 Sep 2025 05:18:22 +0000</pubDate>
				<guid isPermaLink="false">https://inconsult.com.au/?post_type=publication&#038;p=12710</guid>

					<description><![CDATA[<p>On September 15th 2025, the Institute of Internal Auditors (IIA) issued the new Topical Requirements focused on strengthening consistency and quality of auditing the high-risk area of Third Party Management. As a new mandatory element of the IIA International Professional Practices Framework (IPPF), these new requirements will reshape the way in which third party risk [&#8230;]</p>
The post <a href="https://inconsult.com.au/publication/third-party-audits-reshaping-organisations/">New Third Party Requirements Reshaping Australia</a> first appeared on <a href="https://inconsult.com.au">InConsult</a>.]]></description>
										<content:encoded><![CDATA[<p>On September 15<sup>th</sup> 2025, the Institute of Internal Auditors (IIA) issued the new <a href="https://www.theiia.org/en/standards/2024-standards/topical-requirements/third-party/?_cldee=KBu2L3NKbLi8FP4uHxMEPIah70AaZTmZN8PzqkD5_pOlgSZ92yQyaCVBEczJG6Kv&amp;recipientid=contact-e29ef4b95c06ee118f6e000d3ae0178a-36d2b4c7686b4f84b7678164d3a1a0c7&amp;esid=1821b916-a592-f011-b4cb-7ced8d32ddf0">Topical Requirements</a> focused on strengthening consistency and quality of auditing the high-risk area of Third Party Management. As a new mandatory element of the IIA International Professional Practices Framework (IPPF), these new requirements will reshape the way in which third party risk management and assurance auditing is facilitated in Australia.</p>
<p>The new Topical Requirements, set to be effective September 15<sup>th</sup> 2026, will raise the bar and provide a number of benefits including:</p>
<ul>
<li>Define a consistent baseline for evaluating third party risk across all industries.</li>
<li>Increase confidence among leadership and key stakeholders in the assurance and auditing of third party risk profiles.</li>
<li>Strengthen the resilience of organisations against third party failures, ethical breaches, cyber incidents and more.</li>
</ul>
<h3><strong>Third Party Challenges Organisations Will Face</strong></h3>
<p>Despite the benefits, the introduction of the requirements also brings new challenges that organisations of different size, complexity and industry will have to face in their own way. As they say, there is more than one way to skin a cat, and it is up to each organisation to determine the right way.</p>
<h4>1. Increases in documentation and evidence</h4>
<p>Auditors will be expected to document evidence that formally structured frameworks, and the procedures supporting them, have been assessed. A further requirement is to show how these frameworks tie into the organisation&#8217;s risk management, which expects a level of maturity not commonly in place in typical Australian organisations. Even where these frameworks exist, a lack of cohesion across the different methodologies means evidence collection will be a slow process. In the <a href="https://www.aicd.com.au/corporate-governance-sectors/not-for-profit/studies/not-for-profit-governance-and-performance-study-2025.html">AICD 2024-25 NFP Governance &amp; Performance Study</a>, 53% of directors said they spent more time on their duties than in the prior year, reflecting the rise in compliance and assurance demands on director roles.</p>
<p>The quality of evidence also plays a key role. Attribute sampling under ASA 530 (Audit Sampling) is typically designed to a confidence level of 90-95% or higher before an auditor concludes that a control is adequate. For key controls, i.e. anything relating to key vendors and processes, the tolerable deviation rate is commonly set as low as <strong>0-5%</strong>. This leaves very little room for exceptions: a single exception in a small sample can push the projected deviation rate above the tolerable rate, and that alone can drive the outcome of the review.</p>
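<p>To make the arithmetic behind those figures concrete, the following Python is an added example; it is not part of the original article and is not taken from ASA 530, which leaves the choice of confidence level and tolerable deviation rate to the auditor. It uses the standard binomial model of attribute sampling, in which each sampled item either shows the control operating or shows a deviation. The 95% confidence level, the 5% tolerable deviation rate and the scenario of 59 vendor onboarding records with one exception are constructed inputs chosen for illustration.</p>

```python
"""Attribute-sampling arithmetic for control testing.

Added example, not taken from the article or from ASA 530. Uses the standard
binomial model: each sampled item is an independent trial that either shows the
control operating or shows a deviation. The confidence level and tolerable
deviation rate are inputs the auditor chooses; the 95% and 5% values used below
are assumptions for illustration, not figures the standard prescribes.
"""
from math import ceil, comb, log


def binom_cdf(k: int, n: int, p: float) -> float:
    """P(X <= k) for X ~ Binomial(n, p): the chance of seeing at most k deviations
    in n items when the true population deviation rate is p."""
    return sum(comb(n, i) * p ** i * (1 - p) ** (n - i) for i in range(k + 1))


def min_sample_size(confidence: float, tolerable_rate: float,
                    expected_deviations: int = 0) -> int:
    """Smallest sample size n such that, if the true deviation rate were as high as
    tolerable_rate, observing no more than expected_deviations would occur with
    probability at most (1 - confidence). With zero expected deviations this is
    the closed form n = ln(1 - confidence) / ln(1 - tolerable_rate)."""
    if expected_deviations == 0:
        return ceil(log(1 - confidence) / log(1 - tolerable_rate))
    n = expected_deviations + 1
    while binom_cdf(expected_deviations, n, tolerable_rate) > 1 - confidence:
        n += 1
    return n


def upper_deviation_rate(n: int, k: int, confidence: float) -> float:
    """One-sided upper confidence bound on the population deviation rate after
    finding k deviations in n items: the smallest rate p at which seeing at most
    k deviations becomes as unlikely as (1 - confidence). Found by bisection,
    because P(X <= k) falls monotonically as p grows."""
    lo, hi = 0.0, 1.0
    for _ in range(60):
        mid = (lo + hi) / 2
        if binom_cdf(k, n, mid) > 1 - confidence:
            lo = mid  # k deviations are still plausible at this rate, so go higher
        else:
            hi = mid
    return hi


def control_passes(n: int, k: int, confidence: float, tolerable_rate: float) -> bool:
    """Conclude the control is adequate only when the upper bound on the deviation
    rate stays within the rate the auditor is willing to tolerate."""
    return upper_deviation_rate(n, k, confidence) <= tolerable_rate


if __name__ == "__main__":
    # Constructed scenario: key vendor onboarding control, 95% confidence,
    # 5% tolerable deviation rate, planned for zero exceptions.
    n = min_sample_size(0.95, 0.05)  # 59 items
    print(f"sample size planned for 0 deviations: {n}")
    print(f"sample size if 1 deviation is anticipated: {min_sample_size(0.95, 0.05, 1)}")
    for found in (0, 1):
        ub = upper_deviation_rate(n, found, 0.95)
        verdict = "passes" if control_passes(n, found, 0.95, 0.05) else "fails"
        print(f"{found} exception(s) in {n} items: upper bound {ub:.1%}, control {verdict}")
```

<p>Run stand-alone, the script shows why the article calls the margin thin: a plan for 59 items tolerates no exceptions at all, and a single exception lifts the upper bound on the deviation rate to roughly 7.8%, well above the 5% tolerable rate, so the auditor would need to extend the sample to 93 items (or more) to reach the same conclusion.</p>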
<h4>2. Governance gaps in oversight</h4>
<p>The new requirements mandate clear board oversight to ensure third party relationships are well managed. In reality, most organisations in Australia delegate ownership and oversight of all third party risk activities to Procurement and/or IT. Proving leadership involvement will be difficult and, in some cases, will require adjusting the responsibilities of leadership roles.</p>
<p>We have consistently observed either a lack of resources dedicated to third party management or delegation to IT roles such as a Cyber Security Lead. The latter raises implementation concerns, as Cyber Security Lead roles tend to lack the risk management knowledge needed to undertake third party management.</p>
<h4>3. Consistent Risk Management throughout the Third Party lifecycle</h4>
<p>To apply a structured and repeatable method to assessing risk throughout the third party lifecycle, organisations must have a formal enterprise risk management framework that is clear, functional and communicated to all staff involved in the process. The risk assessment process must consistently address selection, onboarding, monitoring and offboarding.</p>
<p>Private and unlisted companies such as IT service providers, SMEs, NFPs and charities have no legal obligation to implement a risk management framework, the only exception being an ad-hoc approach for Work Health and Safety. Many of the third parties engaged for IT services, marketing, legal services and the like therefore have no such obligation, increasing the risk of poor or absent risk management across the third party base. The Vero Insurance SME Insurance Index 2024/2025 reported that <strong>~90%</strong> of Australian businesses lack a formal risk management process, with 81–82% <strong>never or rarely</strong> conducting risk analyses when required.</p>
<h4>4. Ongoing monitoring just got harder</h4>
<p>Ongoing monitoring after onboarding is a process that the vast majority of organisations in Australia perform poorly or not at all. The old habit of &#8220;set and forget&#8221; contracts is not good enough. Even multi-year contracts that address all requirements over their lifespan will require performance, compliance and cyber control assessment to ensure expectations are being met. Naturally, this also leans on the risk management framework to determine whether any failure to meet expectations results in risks outside the organisation&#8217;s appetite.</p>
<p>The <a href="https://www.mcgrathnicol.com/insight/the-changing-landscape-of-business-risk/">McGrathNicol/YouGov study</a> from August 2024 concluded that <strong>82%</strong> of Australian companies do not extend risk assessments beyond Tier-1 suppliers, and <strong>71%</strong> of companies that do assess third parties do not include security practices in their assessment.</p>
<h4>5. Aligning to increasing regulatory pressures</h4>
<p>The requirements explicitly reference compliance with local, national and international regulations. For Australian organisations, that means at minimum the Privacy Act. Certain industries are also subject to the Australian Prudential Regulation Authority (APRA) Prudential Standards CPS 230 Operational Risk Management and CPS 234 Information Security. For critical infrastructure providers, the Security of Critical Infrastructure (SOCI) Act and the Modern Slavery Act are just some of the additional considerations. Achieving consistency across these different regulations and standards increases complexity.</p>
<p>With the CPS 230 requirements for pre-existing contracts deferred to July 2026 for non-Significant Financial Institutions (non-SFIs), we can expect pressure to build as that date approaches. If APRA&#8217;s activity following CPS 234 in 2019 is any guide, we can expect at the very least a thematic review. APRA has already committed to targeted reviews of SFIs as part of its 2025-2026 Corporate Plan.</p>
<h4>6. Strain on smaller organisations and public entities</h4>
<p>Large corporations and enterprises, especially multinationals, will easily absorb these changes, as the requirements are not new to them. For Local Government councils, NFPs, small businesses and providers, the new requirements will demand a new focus on audit and compliance. That focus is two-fold: it not only requires additional investment and resources, it could also expose gaps that previously avoided the spotlight.</p>
<h4>7. Cultural resistance and a lack of Third Party strategy</h4>
<p>As with any uplift in requirements and complexity, cultural resistance is to be expected. Australian organisations will fail unless they can overcome the outdated view that third party management is a procurement-only task. Overcoming this requires understanding that third party management is not only operational but also strategic. Managing the entire lifecycle better turns dependency on third parties into an advantage, delivering cost savings, efficiencies, lower insurance premiums, greater coverage, new client opportunities and more.</p>
<p>In May 2024, the Australian Privacy Commissioner highlighted third-party providers as a “weak spot” in privacy and security postures of organisations, reinforcing the need for enterprise-level third party management strategy beyond only procurement or IT.</p>
<h3><strong>Why These Challenges Matter</strong></h3>
<p>Ultimately, these challenges are worth facing. The requirements encourage stronger governance, better risk management discipline, and greater transparency across leadership into third party relationships. For Australian organisations, this means better preparedness for cyber incidents, supply chain disruptions, reputational crises, and regulatory scrutiny.</p>
<p>Third parties are already the bread and butter of many critical functions within Australian organisations. We cannot expect adequate operations, security and assurance without expecting a level of quality that matches that of our own internal processes.</p>
<h3><strong>Where To Start with Third Party Management</strong></h3>
<p>In Part 2 of our Third Party Management publication we will go over some key steps to consider and to help you succeed in third party management.</p>
<h3><strong>How We Can Help You Build Organisational Resilience</strong></h3>
<p>We are here to help strengthen your organisational resilience, systems and processes. Our third party risk management capabilities include:</p>
<ul>
<li>In-house developed comprehensive vulnerability scanning of third parties.</li>
<li>Comprehensive third party risk management assessments to provide independent assurance.</li>
<li>Helping organisations take their first steps towards implementing a formal and proactive third party management framework.</li>
<li>Performing an independent review or health check of your existing third party management framework to identify gaps and level of maturity.</li>
<li>Conducting third party risk and cyber risk awareness workshops covering strategic, operational and project risks.</li>
<li>Conducting third party penetration tests and comprehensive audits.</li>
<li>Supporting you across a range of third party services including governance, business continuity, crisis management, cyber risk, third party monitoring and more.</li>
</ul>
<p>Take risk management to the next level and <a title="Contact Us" href="https://inconsult.com.au/contact-us/">contact us</a> to discuss your needs.</p>
<p>&nbsp;</p>The post <a href="https://inconsult.com.au/publication/third-party-audits-reshaping-organisations/">New Third Party Requirements Reshaping Australia</a> first appeared on <a href="https://inconsult.com.au">InConsult</a>.]]></content:encoded>
					
		
		
			</item>
		<item>
		<title>The 4 Chief Risk Officer Archetypes For Success</title>
		<link>https://inconsult.com.au/publication/the-4-chief-risk-officer-archetypes-for-success/</link>
		
		<dc:creator><![CDATA[Tony Harb]]></dc:creator>
		<pubDate>Fri, 05 Sep 2025 06:11:38 +0000</pubDate>
				<guid isPermaLink="false">https://inconsult.com.au/?post_type=publication&#038;p=12682</guid>

					<description><![CDATA[<p>Beyond the risk registers, the quantitative risk analysis, decision support tools and compliance checklists, the true art of risk management lies within you &#8211; the chief risk officer. It&#8217;s not just about what you know, but who you are. The most effective chief risk officers don&#8217;t just see threats, they see themselves. They understand that their [&#8230;]</p>
The post <a href="https://inconsult.com.au/publication/the-4-chief-risk-officer-archetypes-for-success/">The 4 Chief Risk Officer Archetypes For Success</a> first appeared on <a href="https://inconsult.com.au">InConsult</a>.]]></description>
										<content:encoded><![CDATA[<p>Beyond the risk registers, the quantitative risk analysis, decision support tools and compliance checklists, the true art of risk management lies within you &#8211; the chief risk officer. It&#8217;s not just about what you know, but who you are.</p>
<p>The most effective chief risk officers don&#8217;t just see threats, they see themselves. They understand that their character, their style, and their approach to people are as critical as any technical skill. This is where the power of chief risk officer archetypes comes into play.</p>
<p>By exploring these universal models of leadership, you can unlock another level of self-awareness allowing you to not only understand your natural strengths but also strategically adapt your approach to master the ever-evolving landscape of risk.</p>
<h3><strong>What is an Archetype?</strong></h3>
<p>An archetype is a universal model or pattern. Think of an archetype as a basic blueprint for a character, idea, or behaviour that appears again and again across different cultures and stories.</p>
<p>In business, archetypes are often applied to <a href="https://marchbranding.com/design-insight/brand-archetypes" target="_blank" rel="noopener">brands</a> to help companies define their identity, guide strategy, and connect with customers on a deeper, more emotional level. They serve as psychological shortcuts that make complex ideas more relatable and memorable. For example, &#8220;The Hero&#8221; archetype is used for brands that empower customers to be their best. Think of Nike and its &#8220;Just Do It&#8221; slogan. Another example is &#8220;The Outlaw&#8221; archetype, used for brands that challenge the status quo and empower rebellion. Harley-Davidson and Virgin are well known for this.</p>
<p>Archetypes can also be used to understand and categorise <a href="https://hbr.org/2013/12/the-eight-archetypes-of-leadership" target="_blank" rel="noopener">leadership styles</a> and professional roles. This helps in talent management, team building, personal development and recruiting the &#8220;right&#8221; person.</p>
<p>For example, when recruiting a new Chief Executive Officer (CEO), archetypes help identify which leader fits the company&#8217;s current stage of growth. The Fix-It Leader, or Change-Catalyst, is a specialised archetype used for company turnarounds. This leader is not a builder or innovator. They are a turnaround expert whose main goal is to diagnose problems, make difficult decisions and start the changes to restore a company&#8217;s health.</p>
<h3><strong>Using Chief Risk Officer Archetypes</strong></h3>
<p>Categorising risk leaders into archetypes can help the board and CEO understand what kind of expertise and risk leadership is required to manage complex challenges. It allows a more intentional and strategic approach to talent management and organisational design within the C-suite.</p>
<p>A word of warning: archetypes are not the static &#8220;personality types&#8221; of the <a href="https://www.themyersbriggs.com/en-US/Products-and-Services/Myers-Briggs" target="_blank" rel="noopener">Myers-Briggs Type Indicator</a> (MBTI) tool. The MBTI&#8217;s goal is to sort people into one of 16 distinct, static &#8220;personality types&#8221; (like INTJ or ESFP) based on their preferences across four dichotomies. Archetypes, in contrast, are dynamic and symbolic. An individual may be influenced by several archetypes at different times and in different ways.</p>
<h3><strong>The 4 Chief Risk Officer Archetypes</strong></h3>
<p>From our literature review, a handful of chief risk officer archetypes have already been identified, mainly by large and credible consulting firms. Most of these models present three archetypes for risk leadership.</p>
<p>Deeper research into these models and a reflection from our real-world experience that include our assessment of various risk management frameworks, risk leadership, risk culture, risk maturity and risk capability across public and private sector organisations has revealed a fourth, distinct profile. In total, we have identified four chief risk officer archetypes that serve as strategic blueprints for how a risk leader operates within an organisation. And remember, a risk leader may be influenced by several archetypes at different times and in different ways.</p>
<p><img fetchpriority="high" decoding="async" class=" wp-image-12687 aligncenter" src="https://inconsult.com.au/wp-content/uploads/2025/09/Chief-Risk-Officer-Archetypes_InConsult-300x175.png" alt="Chief Risk Officer Archetypes" width="524" height="306" srcset="https://inconsult.com.au/wp-content/uploads/2025/09/Chief-Risk-Officer-Archetypes_InConsult-300x175.png 300w, https://inconsult.com.au/wp-content/uploads/2025/09/Chief-Risk-Officer-Archetypes_InConsult-768x449.png 768w, https://inconsult.com.au/wp-content/uploads/2025/09/Chief-Risk-Officer-Archetypes_InConsult.png 1131w" sizes="(max-width: 524px) 100vw, 524px" /></p>
<p>These archetypes aren&#8217;t about a person&#8217;s personality type. They describe a leader&#8217;s primary focus, motivation, and style. Leaders can tailor these approaches to a company&#8217;s specific needs at different stages of its risk maturity.</p>
<h4>1. The Innovator</h4>
<p>The Innovator is a risk leader who sees risk as a strategic tool for growth and competitive advantage, not a barrier.</p>
<p>They are not just managing risk but actively using it to drive the business forward. They are forward-looking, visionary, and a strong partner to the business.</p>
<p>Innovators work hand-in-hand with the business to help drive growth and capture new opportunities. Instead of focusing solely on protection, they are visionaries who use advanced technology, risk models and a higher risk appetite to help the C-suite build new business models, launch ventures, and expand into new markets.</p>
<p>They have a higher tolerance for risk and focus on identifying opportunities within higher levels of uncertainty and complexity. Operating under high uncertainty is their comfort zone.</p>
<p>Their key questions are &#8220;How can we use risk to our advantage?&#8221; and &#8220;What&#8217;s the best way to take a calculated risk?&#8221;</p>
<p>As their core motivation is value creation, Innovators are ideal for high-growth companies, start-ups, new product launches, market expansion, M&amp;A projects or supporting innovation within a larger corporation.</p>
<h4>2. The Guardian</h4>
<p>The Guardians are risk leaders who prioritise building a resilient and sustainable organisation. They see themselves as the ultimate protectors of the organisation.</p>
<p>Their primary focus is on long-term protection, sustainability and resilience &#8211; not just short-term problem solving. They typically create strong and stable foundations to withstand future shocks.</p>
<p>Guardians methodically structure their work and focus heavily on risk governance. They build robust frameworks, embed a strong risk culture, and ensure compliance with regulations. Their main concern is with what could go wrong and how to prevent it.</p>
<p>In essence, the Guardians&#8217; mission is to safeguard the organisation from the ground up, thereby making sure it can weather any storm and any emerging risk.</p>
<p>They often ask, &#8220;Are we prepared for the future?&#8221; and &#8220;What safeguards do we need?&#8221;</p>
<p>Guardians thrive in established, risk-averse, and highly regulated organisations. In these environments, long-term stability and resilience matter more than aggressive growth. Consequently, the Guardian&#8217;s methodical and protective nature perfectly suits sectors where failure is costly and compliance is mandatory. This is why Guardians are prominent in financial services, healthcare, and public sector agencies.</p>
<h4>3. The Operator</h4>
<p>The Operators are the risk leaders who excel at the practical, day-to-day management of risk. They are pragmatic problem-solvers, very hands-on, and focused on efficiency, crisis management, and immediate results.</p>
<p>Operators thrive in situations demanding efficiency, decisive action, and stability.</p>
<p>They are action-oriented and decisive, with a strong focus on the present. For this reason, they are often brought in to help stabilise a business, resolve a crisis, or streamline operations. Furthermore, they prioritise getting the fundamentals right and aren&#8217;t afraid to make tough, unpopular decisions. Ultimately, Operators are all about managing immediate challenges, whether they&#8217;re navigating a crisis or ensuring smooth, efficient operations by de-risking them.</p>
<p>Their key questions are &#8220;How can we fix this right now?&#8221; and &#8220;What is the most efficient way to manage this?&#8221;</p>
<p>Their value lies in their ability to handle real-world challenges with speed and precision, ensuring the company remains stable and on course.</p>
<p>Operators are ideal for organisations facing a range of immediate risk and resilience challenges, undergoing restructuring, or prioritising efficiency and stability over radical growth. They excel in environments where direct problem-solving is a top priority: organisations with known risk management issues, companies in crisis, and highly regulated industries.</p>
<h4>4. The Influencer</h4>
<p>The Influencers are risk leaders who rely on collaboration and communication to achieve their goals. Instead of using a top-down, command-and-control approach, they use soft power to build consensus and unite disparate teams. In other words, they don&#8217;t lead through authority, but through collaboration and persuasion.</p>
<p>Influencers are catalysts for change, focusing on uniting people and building a shared understanding of risk across the entire organisation.</p>
<p>They are collaborative, communicative, and empathetic. They build strong networks, facilitate cross-functional dialogue, and empower others to take ownership of risk.</p>
<p>Their primary questions are &#8220;How can we get everyone on the same page?&#8221; and &#8220;How do we build trust?&#8221;</p>
<p>Therefore, they are natural facilitators who create open dialogue and a common language around risk, ensuring that risk management becomes a collective responsibility rather than a siloed function.</p>
<p>The Influencer archetype is ideal for organisations that need to foster a collaborative risk culture, break down silos, or manage complex transformations where buy-in from multiple stakeholders is critical. Influencers thrive in large, complex organisations, companies undergoing major transformations, and industries where collaboration, project-based work, and teamwork are critical to success.</p>
<h3><strong>Final Thoughts</strong></h3>
<p>These four archetypes provide a powerful lens for understanding different styles, moving beyond a one-size-fits-all approach to risk leadership.</p>
<p>It is possible for a chief risk officer to possess elements of all four archetypes, but it&#8217;s highly unlikely they will master them all equally. Most individuals have a dominant, natural style they rely on, with secondary styles they can develop and use when a situation calls for it.</p>
<p>Ultimately, by recognising if you&#8217;re predominantly an Innovator, Guardian, Operator, or Influencer, you can leverage your natural strengths and identify your blind spots. In turn, this allows you to intentionally adapt your approach to fit your organisation&#8217;s specific needs.</p>
<p>These archetypes transform the abstract idea of a &#8220;risk personality&#8221; into a practical framework for self-awareness and professional growth. This lets you do more than just manage risk. It also helps you engage better with key stakeholders and master your role in shaping a resilient, successful future.</p>
<p>The goal isn&#8217;t to be all four at once, but to understand which style a given situation demands and to be flexible enough to apply it.</p>
<h3><strong>How We Can Help You Take Better Risks</strong></h3>
<p>We are here to help strengthen your risk management capabilities, systems and processes. Our risk management capabilities include:</p>
<ul>
<li>Providing an interim Chief Risk Officer to backfill a vacancy.</li>
<li>Providing a dedicated Risk Officer on demand through our Virtual Risk Officer service.</li>
<li>Helping organisations take their first steps towards implementing a formal and proactive enterprise-wide risk management framework.</li>
<li>Performing an independent review or health check of your existing risk management framework to identify gaps and level of maturity.</li>
<li>Conducting risk workshops covering strategic, operational and project risks.</li>
<li>Conducting risk culture assessments.</li>
<li><a href="https://inconsult.com.au/services/risk-management-transformation/" target="_blank" rel="noopener">Risk management transformation</a>.</li>
<li>Supporting you across a range of risk management services including business continuity, crisis management, cyber risk, climate change risk, third party risk and fraud risk.</li>
</ul>
<p>Take risk management to the next level and <a title="Contact Us" href="https://inconsult.com.au/contact-us/">contact us</a> to discuss your needs.</p>
<p>&nbsp;</p>The post <a href="https://inconsult.com.au/publication/the-4-chief-risk-officer-archetypes-for-success/">The 4 Chief Risk Officer Archetypes For Success</a> first appeared on <a href="https://inconsult.com.au">InConsult</a>.]]></content:encoded>
					
		
		
			</item>
		<item>
		<title>Your First 90 Days as a New Risk Officer</title>
		<link>https://inconsult.com.au/publication/your-first-90-days-as-a-new-risk-officer/</link>
		
		<dc:creator><![CDATA[Tony Harb]]></dc:creator>
		<pubDate>Mon, 01 Sep 2025 11:38:38 +0000</pubDate>
				<guid isPermaLink="false">https://inconsult.com.au/?post_type=publication&#038;p=12652</guid>

					<description><![CDATA[<p>Congratulations on taking the helm as the new Risk Officer. I&#8217;ve been in your shoes before, stepping into organisations where risk management was, shall we say, a bit of an afterthought. The first time I did it, I walked in with all the frameworks and theories, ready to deploy. I quickly learned that an Excel [&#8230;]</p>
The post <a href="https://inconsult.com.au/publication/your-first-90-days-as-a-new-risk-officer/">Your First 90 Days as a New Risk Officer</a> first appeared on <a href="https://inconsult.com.au">InConsult</a>.]]></description>
										<content:encoded><![CDATA[<p>Congratulations on taking the helm as the new Risk Officer. I&#8217;ve been in your shoes before, stepping into organisations where risk management was, shall we say, a bit of an afterthought. The first time I did it, I walked in with all the frameworks and theories, ready to deploy. I quickly learned that an Excel spreadsheet won&#8217;t win any hearts and minds. But, with a structured 90-day plan, you can strategically navigate your initial months, build the foundations for a robust risk culture, and become an indispensable asset to your organisation.</p>
<p>It’s a marathon, not a sprint, and your first 90 days are less about implementing a grand new system and more about a strategic reconnaissance mission.</p>
<h3>Days 1-30: Listening &amp; Learning to Discover</h3>
<p>You’ve just landed a new role, you will bring a fresh perspective and a head full of ideas. But resist the &#8220;rookie error&#8221; of jumping straight into solutions. Your primary goal in the first 30 days is not to fix things immediately but to deeply understand the organisation’s current state of risk management, both formally and informally. This is your strategic reconnaissance mission.</p>
<p>So, your first 30 days are about building relationships, listening, and understanding the company&#8217;s culture. You&#8217;re connecting with people, their priorities, and their pain points.</p>
<h4>1. Understand the business &amp; its objectives</h4>
<p>Before you can help your organisation better manage its risks, you have to understand what it&#8217;s trying to achieve. Think of yourself as an archaeologist, piecing together the organisation’s strategic history and future.</p>
<p>Start by listening. In Stephen R. Covey&#8217;s <a href="https://www.amazon.com.au/Habits-Highly-Effective-People-Anniversary/dp/1760856827" target="_blank" rel="noopener">The 7 Habits of Highly Effective People</a>, the fifth habit, &#8220;Seek First to Understand, Then to Be Understood,&#8221; is a cornerstone of effective management, emphasising that genuine listening is the key to building trust and solving problems.</p>
<p>Schedule one-on-one meetings with executive leaders, department heads, and key operational staff. But don&#8217;t lead with a pitch about risk. Instead, ask open-ended questions like, &#8220;What are your top three priorities for this quarter?&#8221; or &#8220;What&#8217;s the biggest challenge you&#8217;re facing right now?&#8221; Listen for the recurring themes and pain points. This approach will help you connect risk to their day-to-day reality, making you a key partner in their success, not just a compliance enforcer.</p>
<p>Understand the &#8220;why&#8221; behind the organisation&#8217;s existence and its key drivers. Review your organisation&#8217;s strategic plans, annual reports, and existing business unit performance reviews. Look for key performance indicators (KPIs) and business drivers. A financial services company, for example, might be driven by client acquisition and regulatory compliance, while a government agency might be focused on delivering services and managing public perception. Understanding this &#8220;why&#8221; will help you align your risk strategy with the organisation&#8217;s core mission.</p>
<p>Listen more than you talk. Absorb as much information as possible before forming conclusions.</p>
<h4>2. Understand the culture &amp; key stakeholders</h4>
<p>Every organisation has an unwritten rulebook that dictates how things really get done. Your job is to read it and decipher it.</p>
<p>Pay close attention to how decisions are made. Is it a top-down process, or do teams have autonomy? How does information flow&#8230;through formal memos or quick chats in the hallway? Observe who people defer to in meetings, as these are often the informal leaders and key influencers you need to win over.</p>
<p>Find your allies by identifying the &#8220;risk champions&#8221; i.e. the people who already do risk management well, even if it&#8217;s not in their job description. These individuals are your most valuable allies. They might be a project manager who meticulously tracks potential roadblocks or a finance officer who instinctively thinks about fraud. Find them, build rapport, and learn from them. They will be crucial in helping you drive change.</p>
<p>You may be the new kid on the block, so find the people who have the &#8220;institutional knowledge&#8221;. Build relationships with long-serving staff and administrative personnel. They often hold a wealth of knowledge and understand the informal power structures better than anyone. They can give you invaluable context on why certain processes exist or why previous change initiatives failed.</p>
<p>Be a partner, not a police officer. Position yourself as an enabler of objectives, not a blocker.</p>
<h4>3. Assess the current state of risk management</h4>
<p>This is where you get into the nitty-gritty, but remember to stay in &#8220;assessment mode&#8221; not &#8220;judgment mode&#8221;.</p>
<p>Dig into the paper trail by looking into the existing documentation and reports. Do risk registers and risk assessments exist? If so, are they living documents or dusty relics? How are risky decisions escalated to leadership? Do conversations about risk even occur in meetings, and if so, how? Look for formal processes, but also observe if they’re actually being followed.</p>
<p>Conduct informal interviews to look beyond the official documents. Ask staff at all levels about their experiences with risk management, with questions like &#8220;What works well when it comes to managing risks in your area?&#8221; and &#8220;What do you believe are the biggest threats to our team&#8217;s success?&#8221; Pay close attention to the &#8220;grapevine&#8221;, as sometimes the most valuable insights come from informal conversations over coffee. It can reveal what people are truly worried about, regardless of what&#8217;s written in a report.</p>
<h3>Days 31-60: Confirming &amp; Benchmarking</h3>
<p>With a clearer picture of the organisation, culture, and existing frameworks, your focus now shifts. The second month is about solidifying key relationships, validating your initial observations, and beginning to outline potential areas for improvement. This phase is for bringing order to the chaos i.e. this is where you transition from an observer to a trusted partner.</p>
<h4>4. Cultivate key relationships &amp; build trust</h4>
<p>A month in, trust is the single most important currency you will have. Everything you do now should be in service of building it.</p>
<p>Show you&#8217;ve been listening by following up on your initial meetings. Send a brief email or schedule a quick chat to share a summary of what you heard. For example, &#8220;Thanks again for the chat. I heard your team is really focused on onboarding a new strategic vendor this quarter, and that their cybersecurity posture is a key concern. I&#8217;d love to explore how we can support you in that&#8221;. This simple act shows you were listening and value their input.</p>
<p>Identify some &#8220;quick wins&#8221; by looking for low-hanging fruit where you can offer immediate, tangible value. Maybe a manager is struggling with a clunky risk register or a risk reporting process. You could offer a workshop to review the risks or to streamline the report. Or perhaps a team is launching a new project and needs help thinking through the key risks. Offering to facilitate a short, informal risk brainstorming session can be a huge win. These small successes build goodwill and demonstrate that you are a resource, not a roadblock.</p>
<p>Maintain transparency by scheduling regular check-ins with your direct manager or sponsor. Be proactive in updating them on your progress, sharing your observations, and seeking their guidance. This ensures they&#8217;re never surprised and keeps them invested in your success.</p>
<p>Build credibility through action. Small, consistent successes speak louder than grand pronouncements.</p>
<h4>5. Benchmark against better practice</h4>
<p>Now that you have a sense of the organisation’s current state, you can subtly introduce new ideas about what&#8217;s possible. The key here is to do this without criticising the past.</p>
<p>Introduce new ideas and concepts subtly. Instead of saying, &#8220;Your risk management process is broken&#8221;, try, &#8220;In other organisations I&#8217;ve worked with, we found that having a clear risk appetite statement helped us make faster decisions. Is that something we could explore here?&#8221; This frames the conversation around improvement and a shared benefit, not problems.</p>
<p>As you review documentation and speak with people, you will identify clear differences between the current state and a functional risk management framework. Start planting seeds for change. For example, ask questions like, &#8220;Is there no clear accountability for key risks? Are risks only discussed reactively, after an incident has occurred?&#8221; Use these gaps as focal points for future conversations and improvement plans.</p>
<h4>6. Develop a preliminary assessment &amp; vision</h4>
<p>It&#8217;s now time to translate your findings into a clear, high-level narrative.</p>
<p>Begin to consolidate your observations into a concise assessment of the current risk management maturity. What are the top 3-5 challenges? Is it a lack of clear ownership? A culture of blame? Or simply a lack of effective tools? You should be able to articulate these challenges in a clear and compelling way, grounded in the conversations and documents from your first 60 days.</p>
<p>Next, draft a preliminary vision for what improved risk management would look like. This isn&#8217;t a final plan, but a simple, compelling statement. For example, &#8220;Success would look like a culture where everyone feels empowered to identify risks, and we can make better, faster decisions as a result&#8221;. This serves as your guiding star, a simple vision you can keep coming back to as you navigate the next 90 days and beyond.</p>
<h3>Days 61-90: Catalysing Change &amp; Outlining the Path Forward</h3>
<p>You&#8217;ve now spent the last two months as an anthropologist and an analyst. You’ve listened, learned, and identified the pulse of the organisation. Now is the time to translate that knowledge into visible momentum and a clear strategic roadmap.</p>
<p>As a Risk Officer, you&#8217;re not just a manager; you&#8217;re a catalyst for change, driving early wins, and initiating the strategic plan that will accelerate the organisation&#8217;s risk maturity. This is where you demonstrate your value and secure buy-in for the future.</p>
<h4>7. Deliver an early tangible win or two</h4>
<p>Based on your observations and stakeholder feedback, you should have a solid idea of a quick win project. Now, execute it.</p>
<p>Choose a project that will have a real, visible impact on a key business unit or process. For example, if you discovered that a crucial department is struggling with fraud prevention, deliver a targeted workshop on common fraud indicators and best practices.</p>
<h4>8. Communicate success widely</h4>
<p>Once a quick win project is complete, ensure you publicise it. Write a brief memo or present a short update at a team meeting. Be sure to credit the individuals and teams who helped you. This shows you&#8217;re a team player and that your work translates into tangible benefits.</p>
<p>Communication helps to enhance stakeholder trust in your capabilities, makes you visible to key stakeholders, and builds momentum to demonstrate your value to the organisation.</p>
<p>Focus on value. Always articulate how risk management contributes to the organisation&#8217;s success. Explain how a better risk process isn&#8217;t just about compliance; it&#8217;s about making better decisions, enhancing organisational resilience, and ultimately, achieving strategic objectives.</p>
<h4>9. Present your findings &amp; proposed roadmap</h4>
<p>You’ve built trust and delivered a quick win. Now is the time to formalise your observations and present your vision for the future of risk management.</p>
<p>Prepare a concise presentation for the leadership team and key stakeholders. Don&#8217;t start with a list of problems. Instead, begin with what you’ve &#8220;learned&#8221; from them. Talk about the strategic priorities you&#8217;ve heard and how you&#8217;ve observed risk impacting those goals. This positions you as an ally and team player.</p>
<p>Based on your findings, propose a high-level strategic roadmap for the next 12-18 months. Focus on 3-5 key priorities. This isn&#8217;t about creating a rigid plan, but a living document that can be refined with feedback. For example, your priorities might be to clarify ownership of top risks, integrate risk discussions into business planning sessions, or enhance fraud detection capabilities. For each priority, briefly outline the benefits and the first steps.</p>
<h4>10. Establish governance &amp; communication channels</h4>
<p>Your final goal for the 90-day mark is to set up the structures that will sustain momentum into the future.</p>
<p>Begin establishing or revitalising formal risk governance structures. This could involve creating a new risk committee or simply clarifying the responsibilities of key risk owners. Formalising these structures gives the changes you&#8217;re introducing the authority they need to last.</p>
<p>Develop a communication plan for ongoing engagement. Outline how you will regularly communicate with stakeholders about risk. This might be a monthly email update, a standing agenda item in leadership meetings, or a quarterly risk report that is easy to understand. Consistent, clear communication is crucial for keeping risk top of mind and ensuring your efforts don&#8217;t fade into the background.</p>
<p>Be patient but persistent. Cultural change takes time, but consistent effort will yield results.</p>
<h3><strong>Final Thoughts</strong></h3>
<p>Your first 90 days as a new Risk Officer are about building trust and momentum. It&#8217;s a three-phase journey. You&#8217;ll spend the first month as an anthropologist, listening and learning to understand the business, its people, and its culture. The second month is for building bridges, validating your findings, and subtly introducing better risk management practices to prove your value as a partner. Finally, in the third month, you&#8217;ll deliver on your promises by executing a small, visible project, then presenting a strategic roadmap that is tied directly to the organisation&#8217;s business goals. Remember, your credibility comes from empathy and action, not from a checklist.</p>
<h3><strong>How We Can Help You Take Better Risks</strong></h3>
<p>We are here to help strengthen your risk management capabilities, systems and processes.  Our risk management capabilities include:</p>
<ul>
<li>Providing an interim Chief Risk Officer to backfill a vacancy.</li>
<li>Providing a dedicated Risk Officer on demand through our Virtual Risk Officer service.</li>
<li>Helping organisations take their first steps towards implementing a formal and proactive enterprise-wide risk management framework.</li>
<li>Performing an independent review or health check of your existing risk management framework to identify gaps and level of maturity.</li>
<li>Conducting risk workshops covering strategic, operational and project risks.</li>
<li>Conducting risk culture assessments.</li>
<li><a href="https://inconsult.com.au/services/risk-management-transformation/" target="_blank" rel="noopener">Risk management transformation</a>.</li>
<li>Supporting you across a range of risk management services including business continuity, crisis management, cyber risk, climate change risk, third party risk and fraud risk.</li>
</ul>
<p>Take risk management to the next level and <a title="Contact Us" href="https://inconsult.com.au/contact-us/">contact us</a> to discuss your needs.</p>
<table style="height: 103px;" width="680">
<tbody>
<tr>
<td width="246">
<h3>Download your free first 90 day checklist</h3>
<p>This first 90 day checklist gives you a clear roadmap for your critical first three months. It highlights the key priorities, actions, and conversations you need to focus on, helping you build momentum, establish credibility, and set yourself up for long-term risk management success.</p>
<p><a href="https://inconsult.com.au/download/12674/?tmstv=1756767790" target="_blank" rel="noopener"><img decoding="async" class="wp-image-12672 alignleft" src="https://inconsult.com.au/wp-content/uploads/2025/09/Download-Checklist-300x70.jpg" alt="" width="167" height="39" srcset="https://inconsult.com.au/wp-content/uploads/2025/09/Download-Checklist-300x70.jpg 300w, https://inconsult.com.au/wp-content/uploads/2025/09/Download-Checklist.jpg 568w" sizes="(max-width: 167px) 100vw, 167px" /></a></p></td>
<td width="64">&nbsp;
<p><a href="https://inconsult.com.au/download/12674/?tmstv=1756767790" target="_blank" rel="noopener"><img decoding="async" class="aligncenter wp-image-12679 size-thumbnail" src="https://inconsult.com.au/wp-content/uploads/2025/09/90-Day-Checklist-150x150.jpg" alt="" width="150" height="150" srcset="https://inconsult.com.au/wp-content/uploads/2025/09/90-Day-Checklist-150x150.jpg 150w, https://inconsult.com.au/wp-content/uploads/2025/09/90-Day-Checklist-640x640.jpg 640w" sizes="(max-width: 150px) 100vw, 150px" /></a></p></td>
</tr>
</tbody>
</table>
The post <a href="https://inconsult.com.au/publication/your-first-90-days-as-a-new-risk-officer/">Your First 90 Days as a New Risk Officer</a> first appeared on <a href="https://inconsult.com.au">InConsult</a>.]]></content:encoded>
					
		
		
			</item>
		<item>
		<title>Evidence-based Problem Solving for Managing Risk</title>
		<link>https://inconsult.com.au/publication/evidence-based-problem-solving-for-manging-risk/</link>
		
		<dc:creator><![CDATA[Tony Harb]]></dc:creator>
		<pubDate>Mon, 17 Apr 2023 23:08:18 +0000</pubDate>
				<guid isPermaLink="false">https://inconsult.com.au/?post_type=publication&#038;p=10857</guid>

					<description><![CDATA[<p>As a senior manager or risk manager, you face many challenges that can potentially derail important objectives and put your organisation at risk. Whether it&#8217;s meeting budgetary constraints, sales targets, or compliance with new laws and regulations, all of these issues can have significant consequences. There are many well known decision making tools available e.g. [&#8230;]</p>
The post <a href="https://inconsult.com.au/publication/evidence-based-problem-solving-for-manging-risk/">Evidence-based Problem Solving for Managing Risk</a> first appeared on <a href="https://inconsult.com.au">InConsult</a>.]]></description>
										<content:encoded><![CDATA[<p>As a senior manager or risk manager, you face many challenges that can potentially derail important objectives and put your organisation at risk. Whether it&#8217;s meeting budgetary constraints, sales targets, or compliance with new laws and regulations, all of these issues can have significant consequences. There are many well-known decision-making tools available, e.g. SWOT analysis, <a href="https://www.mindtools.com/aksic2i/decision-matrix-analysis" target="_blank" rel="noopener">Decision matrix analysis</a>, Pareto analysis and the Ishikawa diagram. However, there is a powerful tool that can help you mitigate these risks and make better decisions: evidence-based problem solving.</p>
<h2>What is evidence-based problem solving?</h2>
<p>Evidence-based problem solving is an approach that involves using data and research to inform decision-making. It&#8217;s a systematic and structured process that allows you to gather information, analyse it, and make informed decisions based on the evidence you have gathered.</p>
<p>The concept of evidence-based problem solving has been around for many years, but it has gained significant prominence in recent decades, particularly in the fields of healthcare, education, and social sciences. Some of the pioneers of evidence-based problem solving include Dr. Archie Cochrane, a Scottish epidemiologist who advocated for the use of randomised controlled trials in medical research, and Dr. David Sackett, a Canadian physician who is often credited with coining the term &#8220;evidence-based medicine.&#8221;</p>
<p>Since its inception in the medical field, evidence-based problem solving has been applied to a wide range of disciplines, including education, psychology and criminology. In education, for example, evidence-based practices have been used to identify effective teaching strategies and interventions for students with learning disabilities. In criminology, evidence-based practices have been used to develop more effective rehabilitation programs for offenders.</p>
<p>Overall, evidence-based problem solving has become an important tool for decision-makers in a variety of fields, as it allows them to make informed choices based on data and research rather than personal biases or popular opinion.</p>
<h2>Using evidence-based problem solving to make better decisions</h2>
<p>Let&#8217;s take an example of a common problem that many senior managers face &#8211; meeting sales targets. This is a critical issue for any business, and failing to meet targets can have severe consequences. One way to approach this problem using evidence-based problem solving would be to:</p>
<p>1. <strong>Define the problem</strong>: Identify the specific sales targets that are not being met and the reasons for this.</p>
<p>2. <strong>Gather evidence</strong>: Collect data on customer behaviour, market trends, and competitor activity to understand why sales targets are not being met.</p>
<p>3. <strong>Analyse the evidence</strong>: Use statistical analysis and other methods to identify patterns and trends in the data and to identify potential causes of the problem.</p>
<p>4. <strong>Develop solutions</strong>: Based on the evidence, develop a range of solutions that are likely to address the underlying causes of the problem.</p>
<p>5. <strong>Evaluate the solutions</strong>: Test the solutions in a controlled environment to see if they are effective and if they can be scaled up to the wider organisation.</p>
<p>By using evidence-based problem solving, you can make informed decisions that are based on data and research rather than assumptions or opinions. This approach can help you to reduce bias, identify risks more effectively and to develop strategies to mitigate them.</p>
<h2>Application of evidence-based problem solving</h2>
<p>Let&#8217;s look at one example of how a business school used evidence-based problem solving to engage more students and meet an important objective.</p>
<h3><strong>The Problem:</strong></h3>
<p>Unlocking the power of Microsoft Office Excel is an essential skill for any aspiring professional, but not all students were taking advantage of the opportunity. One Business School offered the Microsoft Office Excel Certification Program as part of its suite of opportunities to improve student employability and career readiness. However, despite the program&#8217;s benefits, the majority of students did not complete it. Statistics revealed that only 20% of students had completed the Program. Even with a reasonable financial budget, the low participation rate meant the program was not delivering its full value, i.e. it was not meeting its objective.</p>
<h3><strong>The Approach:</strong></h3>
<p>To help resolve the issue, the team used evidence-based problem solving, conducting a thorough analysis of student feedback, program data, and industry trends to identify potential barriers to participation.</p>
<p>One key finding was that many students lacked confidence in their Excel skills and were intimidated by the certification test. To address this, the team developed a series of optional Excel workshops and tutoring sessions to help students build their skills and confidence before attempting the certification test. Additionally, the team recognised that some students may not have been aware of the benefits of obtaining the certification, such as increased employability and the opportunity to earn experience points.</p>
<p>The team also implemented a targeted marketing campaign that highlighted the benefits of the certification and emphasised the value of including it on a LinkedIn profile.</p>
<p>In summary, through the use of evidence-based problem solving, the team was able to devise a targeted and effective solution to increase participation in the Excel Certification Program. By offering additional support and improving marketing efforts, they encouraged significantly more students to complete the program and enhance their professional skills and employability.</p>
<h2>Using evidence-based problem solving to better manage risks</h2>
<p>In today&#8217;s world, cyber security risks are a major concern for businesses of all sizes. These risks can result in financial losses, damage to reputation, and legal liabilities. Therefore, it is crucial for businesses to adopt a proactive approach to managing cyber security risks. Evidence-based problem solving is one such approach that can help organisations make informed decisions about cyber security risks.</p>
<p>The following are ways in which evidence-based problem solving can be used to manage cyber security risks:</p>
<p>1. <strong>Identify the problem</strong>: The first step is to identify the specific cyber security risk that needs to be addressed. This could include threats such as malware, phishing, ransomware, or social engineering attacks.</p>
<p>2. <strong>Collect evidence</strong>: The next step is to gather evidence related to the identified cyber security risk. This could involve analysing past incidents (internal and external), conducting vulnerability assessments, or gathering data from security tools.</p>
<p>3. <strong>Analyse the evidence</strong>: Once the evidence has been collected, it needs to be analysed to identify patterns and trends. This analysis can help businesses understand the root causes of the cyber security risk and develop effective strategies to mitigate it.</p>
<p>4. <strong>Develop solutions</strong>: Based on the analysis, businesses can develop evidence-based solutions to manage cyber security risks. These solutions could involve implementing new security measures, training employees on best practices, or developing incident response plans.</p>
<p>5. <strong>Test and evaluate</strong>: It is important to test the effectiveness of the solutions implemented and evaluate their impact on cyber security risks. This can help businesses refine their strategies and improve their overall security posture.</p>
<p>Evidence-based problem solving can be a valuable tool for managing cyber security risks. By collecting and analysing reliable data and evidence, businesses can make informed decisions and develop effective strategies to mitigate cyber security risks. This approach can help businesses stay ahead of potential threats and protect their assets, reputation, and customers.</p>
<p>This example is relatively straightforward, but evidence-based problem solving can also be applied to a micro-level problem. Here is an example.</p>
<h2>Using evidence-based problem solving to enhance the risk framework</h2>
<p>At one large organisation, we recently conducted a review of the organisation&#8217;s risk management framework. The organisation had all the components required by the international standard ISO 31000 (tick), there was commitment from the governing body and management (tick), there were quarterly risk reviews and risk registers (tick), and they were addressing current operational, strategic, project and emerging risks (tick) &#8211; but the underlying risk assessment criteria used to support risk decisions weren&#8217;t making sense.</p>
<p>We gathered evidence by looking at a number of reports describing risk implications and various risk assessments, and met with a sample of decision makers across the organisation to identify the problem. We found that the risk criteria in use were well out of date, the consequence tables were no longer in line with the organisation&#8217;s strategy and its financial and operational capabilities, and the risk appetite descriptors were hard to understand, interpret and apply.</p>
<h2>Limitations of evidence-based problem solving</h2>
<p>While evidence-based problem solving is a powerful tool, it&#8217;s important to acknowledge that it does have some limitations. For example, it can be time-consuming and resource-intensive, requiring a significant investment of time and money. In addition, there may be situations where data is not available or where it&#8217;s difficult to collect meaningful data.</p>
<h2>Takeaways</h2>
<p>As a senior manager or risk manager, you face many challenges, and the consequences of making the wrong decisions can be severe. By using evidence-based problem solving, you can make informed decisions that are based on data and research, and that are more likely to be effective in managing risks and achieving your goals. While this approach does have some limitations, the benefits are clear, and it&#8217;s a tool that every manager should have in their toolkit.</p>
<h2>Can We Help?</h2>
<p>We are here to help strengthen your risk management capabilities, systems and processes.  Our risk management capabilities include:</p>
<ul>
<li>Providing an interim Chief Risk Officer to backfill a vacancy.</li>
<li>Providing a dedicated Risk Officer on demand through our Virtual Risk Officer service.</li>
<li>Helping organisations take their first steps towards implementing a formal risk management framework.</li>
<li>Performing an independent review of your existing risk management framework to identify gaps and level of maturity.</li>
<li>Conducting risk workshops covering strategic, operational and project risks.</li>
<li>Conducting risk culture assessments.</li>
<li>Supporting you across a range of risk management services including business continuity, crisis management, cyber risk, climate change risk, third party risk and fraud risk.</li>
</ul>
<p>Take risk management to the next level and <a href="https://inconsult.com.au/contact-us/" target="_blank" rel="noopener noreferrer">contact us</a> to discuss your risk and resilience needs.</p>
The post <a href="https://inconsult.com.au/publication/evidence-based-problem-solving-for-manging-risk/">Evidence-based Problem Solving for Managing Risk</a> first appeared on <a href="https://inconsult.com.au">InConsult</a>.]]></content:encoded>
					
		
		
			</item>
		<item>
		<title>The Rise of the Risk Officer</title>
		<link>https://inconsult.com.au/publication/the-rise-of-the-risk-officer/</link>
		
		<dc:creator><![CDATA[Tony Harb]]></dc:creator>
		<pubDate>Thu, 26 May 2022 09:35:22 +0000</pubDate>
				<guid isPermaLink="false">https://inconsult.com.au/?post_type=publication&#038;p=9534</guid>

					<description><![CDATA[<p>Whilst risk management has been around in various shapes and forms for thousands of years, the role of the Risk Officer or Chief Risk Officer in larger organisations, as a trusted advisor to the board and management and the leader of risk management and resilience activities, is relatively new compared to other professions like accountants, [&#8230;]</p>
The post <a href="https://inconsult.com.au/publication/the-rise-of-the-risk-officer/">The Rise of the Risk Officer</a> first appeared on <a href="https://inconsult.com.au">InConsult</a>.]]></description>
										<content:encoded><![CDATA[<p>Whilst risk management has been around in various shapes and forms for thousands of years, the role of the Risk Officer or Chief Risk Officer in larger organisations, as a trusted advisor to the board and management and the leader of risk management and resilience activities, is relatively new compared to other professions like accountants, lawyers, and auditors. Even today, the role continues to evolve to meet the ever-changing business demands and environment.</p>
<p>The demand for a highly versatile and more strategic risk professional has been increasing steadily over the last 30 years.  But in recent years, there has been a rapid acceleration in demand due to the uncertainties and risks experienced during the COVID-19 pandemic, increasing frequency of cyber-attacks, more challenging geopolitical and cultural issues, growing regulatory requirements and the need to consider climate change risk impacts.</p>
<p>Let’s take a walk down memory lane to see how the role of the Risk Officer has evolved over 30 years and some of the contributing factors.</p>
<h2><strong>Pre-1990: Risk Management by Silos</strong></h2>
<p>Before the 1990&#8217;s, relatively few organisations had a designated Risk Officer or a formal risk management function.  In most cases, the management of risk was built into systems and processes.</p>
<p>Formal risk assessments were often in paper-based forms and checklists at project, function or activity level. The main tool for identifying major risks was the &#8216;threat&#8217; identification piece in the <a href="https://www.mindtools.com/pages/article/newTMC_05.htm" target="_blank" rel="noopener">SWOT</a> (Strengths, Weaknesses, Opportunities, and Threats) analysis.</p>
<p>At a decision-making level, the <a href="https://www.debonogroup.com/services/core-programs/six-thinking-hats/" target="_blank" rel="noopener">Six Thinking Hats</a> approach created by Edward de Bono in the mid-80s was a popular way of looking at issues and decisions from a variety of perspectives.  The six hats were different colours, and the black hat was about being cautious and assessing risks that required employing critical judgment and identifying concerns.</p>
<p>More &#8216;sophisticated&#8217; risk management functions, policies, plans, systems, techniques and processes could be found, but often in silos and only in a few sectors:</p>
<ul>
<li>Large, international financial service organisations employed Risk Officers who were responsible for approving higher risk loan contracts, overseeing investment/trading positions and monitoring large financial transactions.  In the 1970&#8217;s, financial institutions used Monte Carlo simulations to value and analyse financial instruments and investment portfolios by simulating the various sources of uncertainty affecting their value.</li>
<li>Big and complex manufacturing, engineering, and mining organisations employed a Safety Officer who was responsible for the safety of people and engineers were responsible for the equipment, quality output and continuity of production.</li>
<li>Public and private sector organisations seeking Quality Management System (QMS) accreditation under the ISO 9000 family of quality standards, which were first published in 1987, had to develop formal risk management processes and plans to obtain certification.</li>
<li>Risk-based auditing was alive and well.  It required auditors to identify and evaluate the risks and controls at process and activity level.</li>
</ul>
<p>Risk management existed, but it was ad-hoc and not well understood across the business with little oversight by the governing body.</p>
<h2><strong>Early 1990&#8217;s: A New Standard Emerges</strong></h2>
<p>As more organisations were looking to achieve quality management accreditation and apply QMS, there was a big knowledge gap in respect to risk management. There were very few risk management books and risk management practitioners around in the early 1990&#8217;s.  There was no Google and no YouTube for resources and tips!</p>
<p>Many organisations started to develop their own risk management approach and guidelines with mixed results.</p>
<p>In 1993, the first role of Chief Risk Officer was established at GE Capital and <a href="https://www.linkedin.com/in/james-lam-93328/" target="_blank" rel="noopener">James Lam</a> is reported as the first Chief Risk Officer. Over the next 5 years, larger financial institutions followed by recruiting Risk Officers.</p>
<p>In 1995, Standards Australia released <a href="https://www.lexology.com/library/detail.aspx?g=bf8d5faa-c80c-45dd-8676-b0ee6c4e8c2f" target="_blank" rel="noopener">AS/NZS 4360:1995 Risk Management Standard</a>. This was the world’s first popular and most widely used risk management standard until 2009 when AS/NZS 4360 transformed into an updated international standard, ISO 31000:2009 Risk management – Principles and guidelines.</p>
<p><img loading="lazy" decoding="async" class="aligncenter" title="AS/NZS 4360" src="https://d2dzik4ii1e1u6.cloudfront.net/images/lexology/static/919c0e3c-af27-4bd0-98e1-d01061bc78dd.PNG" alt="Risk Officer" width="648" height="422" /></p>
<p>AS/NZS 4360 did not mandate the role of a Risk Officer per se, it just guided an organisation in designing and implementing an appropriate risk management framework. For the first time, a Standard was available to help answer the question &#8211; how should we think about and manage risk more proactively and more formally?</p>
<p>Following its publication, many organisations started to apply the AS/NZS 4360 Standard. The Standard was referenced widely in risk management guidelines by industry and professional bodies.  It became the &#8216;go-to&#8217; Standard to help manage risk.</p>
<p>So the new AS/NZS 4360:1995 Risk Management Standard helped to define how risks should be managed, but organisations often lacked the resources, skills, expertise and experience in risk management.</p>
<p>Who had the skills to help? Where would future risk resources and the Risk Officer come from?</p>
<h2><strong>Late 1990&#8217;s: Growing Need but Limited Talent Pool</strong></h2>
<p>By the late 1990&#8217;s, the adoption of technology had accelerated. The &#8216;Tech Boom&#8217; was on! US technology stock equity valuations fuelled more investments in internet-based companies and the dotcom bubble was growing exponentially. Organisations introduced personal computers and local servers, and business processes changed as they moved away from pen and paper to computers and hard disks.</p>
<p>It was now a great time for technology-based organisations like Apple, Microsoft, WorldCom and Enron in the US and OneTel in Australia.</p>
<p>However, a large talent pool of risk management professionals who understood the depth and breadth of enterprise-wide risks to support the new and more complex world did not exist. The risk management talents were often in the audit division of large accounting firms, large financial institutions and large insurance brokers.</p>
<p>Risk management education as we know it today didn&#8217;t really exist either. Risk management education came in pockets and was contextualised to an industry or membership association. The Institute of Internal Auditors was founded in 1941 and the Risk and Insurance Management Society, Inc. (RIMS) was founded in 1950. Both provided some form of risk management training that was incorporated into one or two modules of study. At the time:</p>
<ul>
<li>Insurance professionals understood the concept of risk and physical hazards, but were limited in operational risks.</li>
<li>Banks were brilliant at quantitative risk analysis and modelling.</li>
<li>Engineers understood technical design, production risk and project risk very well.</li>
<li>Information technology professionals were security conscious, but the risks were mainly internal and centred on availability, physical security and access controls. The Y2K bug was around the corner and the internet was still evolving. Organisations were becoming more interconnected, but hackers were still mostly teenagers interested in accessing government departments for the thrill of it rather than for the data.</li>
<li>Accountants had a great understanding of financial risks and some basic knowledge of operational and strategic risks via the business planning process.</li>
<li>Internal and external auditors (who were often qualified accountants) were seen as best positioned to help, thanks to their training and experience in risk-based audit methods. Although not perfect, auditors were recognised and respected for their ability to assess company-wide risks and monitor control effectiveness. Internal auditors had one more advantage &#8211; they worked across many departments, projects and functions in an organisation and could see broader risks and how they connected.</li>
</ul>
<p>The lack of risk management talent meant that risks continued to be managed in their silos, and in most companies there was no formal risk function or person responsible for looking at risks across the organisation. Often, no one was specifically designated to help management understand, evaluate, manage and monitor the big risks.</p>
<p>With the new dotcom technology bubble came more opportunity, more innovation and more risk taking. But there was now a new risk management standard in Australia and New Zealand gaining popularity around the world, and an array of professionals who could think about and manage specific areas of risk.</p>
<p>What can possibly go wrong?</p>
<h2><strong>Early 2000s: The Scandals of the Noughties</strong></h2>
<p>The spectacular collapse of Barings Bank in 1995 highlighted not only the importance of managing risk, but also the importance of risk oversight and the need for strong internal controls to manage operational risk in a world now relying more on technology, with an appetite for taking even more risk. Remember, banks are the masters of quantitative risk analysis! Is that enough?</p>
<p>Barings Bank was founded in 1762 and was one of England&#8217;s oldest and best capitalised merchant banks. Money wasn&#8217;t an issue. It was the bank used by the Queen of England. However, it took just one person, halfway across the world in Singapore, who circumvented normal accounting, internal control and audit safeguards, to send the bank into bankruptcy. Dutch bank ING later purchased Barings Bank in 1995 for the nominal sum of £1.</p>
<p>But it wasn&#8217;t until the new millennium (the noughties) that we saw a spate of high-profile collapses that included Enron, WorldCom, Swissair, Kmart, Arthur Andersen, Parmalat, CINAR, FlowTex, MG Rover, HIH and OneTel. These failures had an adverse impact on people, the economy, the stock market, politicians and stakeholder confidence.</p>
<p>After these collapses, the political and social tolerance for future failures fell significantly. We saw regulators around the world strengthen risk management and governance practices through various instruments including legislation, prudential standards and guidelines. For example:</p>
<ul>
<li>The Sarbanes Oxley Act was introduced in the United States in 2002.</li>
<li>Introduction of prudential and reporting standards in Australia (2002), Singapore and the United Kingdom.</li>
<li>Strengthening of risk management practices for listed companies through the release of the Corporate Governance Principles and Recommendations in 2003.</li>
<li>Rating agencies started evaluating risk management systems as part of their credit rating assessments.</li>
<li>COSO, the Committee of Sponsoring Organizations of the Treadway Commission, used the concept of Enterprise Risk Management for the first time when it published the Enterprise Risk Management—Integrated Framework in 2004.</li>
<li>Increased oversight responsibilities for the governing body/Board over risk management governance and practice.</li>
</ul>
<p>One of the first publications about enterprise risk management was published by James Lam in 2003 &#8211; <a href="https://www.amazon.com.au/Enterprise-Risk-Management-Incentives-Controls/dp/0471430005/ref=sr_1_1?keywords=9780471430001&amp;linkCode=qs&amp;qid=1653598419&amp;s=books&amp;sr=1-1" target="_blank" rel="noopener">Enterprise Risk Management: From Incentives to Controls</a>. The book became a best seller and an important reference point for all aspiring future Risk Officers.</p>
<p>The bar had now been raised. Organisations were required to establish more formal, structured and proactive processes around risk management, well beyond the previous siloed approach to risk thinking.</p>
<p>This new, more strategic approach to risk management required leadership, structure and resources.</p>
<p>Can risk management save the world? Not quite!</p>
<h2><strong>Late 2000s: The Global Financial Crisis</strong></h2>
<p>Whilst the US-based Sarbanes Oxley Act of 2002 did well to minimise the risk of inaccurate financial reporting (the root problem at Enron and WorldCom), the focus of the Act was too narrow. A very simple interpretation of the Act is &#8220;take whatever risk you like, just make sure your annual accounts are correct, let someone know if they&#8217;re not, otherwise you will end up in jail for a long time!&#8221;. Feel free to read the entire Act when you have time. Yes, it is a narrow and siloed approach to risk management.</p>
<p>Meanwhile, other global law makers and regulators had taken a broader and more strategic approach to risk management. For example, following the HIH collapse in 2001, the Australian Prudential Regulation Authority (APRA) required all financial institutions in 2002 to adopt a more comprehensive and broader risk management approach covering all risk categories. The risk management framework could be risk based, could use the AS/NZS 4360 Risk Management Standard to help, and had to have formal plans, systems and procedures with clear responsibilities for activities. It was basically saying &#8220;manage all your risks very well, or we will take your licence to operate away from you&#8221;.</p>
<p>Well, thanks to the Global Financial Crisis (GFC) between 2007 and 2009, we know which of the two approaches above was more effective. During the GFC, we saw very large US-based financial institutions like Lehman Brothers, IndyMac, Bear Stearns, AIG and Washington Mutual collapse due to very poor risk taking and deficient investment practices. Sure, the Sarbanes Oxley Act was successful in reducing the risk of creative accounting, but it failed to encourage better enterprise-wide risk management practices.</p>
<p>The lesson here is clear: risk management is only as good as its weakest link, and a broader risk management approach is always better.</p>
<h2><strong>The Risk Officer Today</strong></h2>
<p>As you can see, the role of the Risk Officer is relatively new, but it has been around for many decades now.</p>
<p>There has been a shift from a siloed approach to managing risk to a more structured, proactive and integrated risk management approach and broader oversight of risks by management and the governing body.</p>
<p>The adverse consequences from the spectacular corporate failures of the last 30 years have also shaped risk management practices and reinforced the need for a dedicated Risk Officer today.</p>
<p>Just like any other field of management, it is not perfect.  The Risk Officer helps the governing body and management navigate the issues.</p>
<p>Fortunately, the role of a dedicated Risk Officer or Chief Risk Officer is now well entrenched in many well-run and successful organisations. Sure, an effective risk management framework and a capable Risk Officer who leads risk management do not mean that nothing will ever go wrong, but done well, they do help reduce the frequency and impact of the big risks and nasty surprises.</p>
<p>Today, the Risk Officer (or the Chief Risk Officer in larger organisations) is the designated leader for enterprise-wide risk management, responsible for a number of activities that include:</p>
<ul>
<li>Designing, operating, embedding, maintaining and continually improving the enterprise risk management framework.</li>
<li>Monitoring the risk management framework and practices to ensure they operate as designed.</li>
<li>Providing analysis, advice and support to the Board, the Audit and Risk Committee and all lines of management on risk management matters.</li>
<li>Encouraging a proportionate and balanced approach to risk taking, but also having the courage to call out decisions that involve excessive risk taking beyond the capacity, appetite, values and capability of the organisation.</li>
<li>Co-ordinating the delivery of appropriate and relevant training to enhance risk management capabilities across the organisation and promote a positive risk, compliance and control culture.</li>
<li>Reviewing and enhancing key risk management related documents including risk registers, incident registers, risk profiles, policies, plans, risk appetite statement, procedures and authorities to realign to the changing environment and business needs.</li>
</ul>
<p>The specific activities of the Risk Officer outlined above are not exhaustive and will vary with the nature, size and complexity of the organisation as well as stakeholder requirements. The important point here is that the Risk Officer now has a seat at the table with the governing body and management.</p>
<p>A capable Risk Officer can build positive relationships across the organisation, promote the benefits of managing risks, support managers and help navigate risk and uncertainty using both simple and complex risk assessment techniques.</p>
<p>Whilst the US Bureau of Labor Statistics predicts that hiring for Risk Officer positions will rise by 11% through 2022, sadly, not all large, complex and growing organisations see a need for a formal risk management function or a dedicated Risk Officer. Risk management is often one of many responsibilities of the Company Secretary, Audit Manager, Governance Manager or Finance Manager. That doesn&#8217;t mean that these organisations are necessarily worse off, but it can make effectively managing risks more challenging, as it competes with other activities for management time, priorities and resources.</p>
<h2><strong>Broad Based Skills are Key to Success</strong></h2>
<p>According to Willis Towers Watson, the majority of Risk Officers agree that having exceptional analytical skill alone is not sufficient. The most successful Risk Officers combine analytical skills with highly developed commercial, strategic, leadership and communication skills, enabling them to drive change and make a difference in an organisation. Risk Officers typically have postgraduate education and over 20 years of experience in accounting, economics, legal or actuarial backgrounds.</p>
<p>Another study, by Morgan McKinley, found that a successful Risk Officer must be able to deal with complexity and ambiguity and understand the bigger picture.</p>
<h2><strong>How we can help you take better risks</strong></h2>
<p>We are here to help strengthen your risk management capabilities, systems and processes.  Our risk management capabilities include:</p>
<ul>
<li>Providing an interim Chief Risk Officer to backfill a vacancy.</li>
<li>Providing a dedicated Risk Officer on demand through our Virtual Risk Officer service.</li>
<li>Helping organisations take their first steps towards implementing a formal and proactive enterprise-wide risk management framework.</li>
<li>Performing an independent review or health check of your existing risk management framework to identify gaps and the level of maturity.</li>
<li>Conducting risk workshops covering strategic, operational and project risks.</li>
<li>Conducting risk culture assessments.</li>
<li>Supporting you across a range of risk management services including business continuity, crisis management, cyber risk, climate change risk, third party risk and fraud risk.</li>
</ul>
<p>Take risk management to the next level and <a title="Contact Us" href="https://inconsult.com.au/contact-us/">contact us</a> to discuss your needs.</p>
The post <a href="https://inconsult.com.au/publication/the-rise-of-the-risk-officer/">The Rise of the Risk Officer</a> first appeared on <a href="https://inconsult.com.au">InConsult</a>.]]></content:encoded>
					
		
		
			</item>
		<item>
		<title>What Is Your Organisations’ Appetite For Risk?</title>
		<link>https://inconsult.com.au/publication/what-is-your-organisations-appetite-for-risk/</link>
		
		<dc:creator><![CDATA[CreativeTeam]]></dc:creator>
		<pubDate>Wed, 02 Oct 2019 03:48:47 +0000</pubDate>
				<guid isPermaLink="false">https://ac861nz9.dreamwp.com/?post_type=publication&#038;p=3965</guid>

<description><![CDATA[<p>Much of the literature around risk appetite revolves around the financial services industry. Within local government, this area is often not well researched, documented or applied in practice. What ‘things’ are within an organisation’s risk appetite? What risk events are ‘tolerable’? What is an organisation’s risk-taking capacity? Tony Harb and Mitchell Morley, risk management [&#8230;]</p>
The post <a href="https://inconsult.com.au/publication/what-is-your-organisations-appetite-for-risk/">What Is Your Organisations’ Appetite For Risk?</a> first appeared on <a href="https://inconsult.com.au">InConsult</a>.]]></description>
<content:encoded><![CDATA[<p>Much of the literature around risk appetite revolves around the financial services industry. Within local government, this area is often not well researched, documented or applied in practice. What ‘things’ are within an organisation’s risk appetite? What risk events are ‘tolerable’? What is an organisation’s risk-taking capacity? Tony Harb and Mitchell Morley, risk management and governance specialists from InConsult, look at strategies that can help risk and governance managers better understand, apply and develop appropriate risk-taking parameters.</p>
<p>One of the most challenging tasks for a risk manager is to help the organisation articulate its risk-taking parameters. These parameters are important because they flow through to risk rating criteria, key policies, major decisions and staff behaviour.</p>
<h4>Know your risk capacity</h4>
<p>Let’s start with risk capacity. Why? Ultimately, an organisation’s capacity to take risk will have a significant influence on its risk appetite. An organisation with greater risk capacity will be in a position to take on more risk.</p>
<p>For the record, risk capacity is not defined in the AS/NZS ISO 31000 Risk Management standard or in ISO Guide 73:2009 Risk Management Vocabulary. Risk capacity is not always easy to quantify. In simple financial terms it can be determined by things like the value of net assets and available working capital. But what about things like reputation or environmental impact, which are often much harder to quantify?</p>
<p>Look at risk capacity as the ‘upper limit’ of your risk taking. A risk event beyond this point could mean an organisation is no longer sustainable, no longer a ‘going concern’ and cannot remain ‘in business’. It could mean that an organisation’s reputation is so damaged that people are prosecuted, go to jail, or external intervention is required to enable the organisation to continue to operate.</p>
<h4>Risk appetite</h4>
<p>Risk appetite is defined by ISO Guide 73:2009 Risk Management Vocabulary as the “amount and type of risk an organization is prepared to pursue or take”. It is the amount of risk that an organisation wants to take and is willing to accept in pursuit of its objectives. It is the organisation’s “comfort zone”, the level of risk it wishes to expose itself to. Risk appetite must consider an organisation’s risk capacity.</p>
<p>It is extremely important for staff at all levels to understand the organisation’s appetite for risk. Where risk appetite is not clearly articulated and communicated, there is a real danger that decision making will be inconsistent with organisational objectives or, even worse, that people’s behaviour may not be appropriate to the organisation’s expectations.</p>
<p>Understanding risk appetite is particularly relevant when an organisation has to make choices or decisions that are inherently uncertain, such as investment strategy, major outsourcing appointments, major projects and long-term strategic planning. It will help an organisation draw a line between acceptable and unacceptable levels of risk and determine the level of additional controls and treatments required. The problems some organisations encountered with their investment strategies during the global financial crisis, and the problems with major local government infrastructure projects, are examples of a lack of understanding of the risks involved and whether they were within the organisation’s risk appetite.</p>
<h4>Overcoming the challenges</h4>
<p>All management will have an appetite for some types of risk and an aversion to others. Getting some alignment between these different views and finding the right balance is difficult and can create a lot of angst.</p>
<p>It is therefore important for an organisation to formulate its risk appetite and risk criteria through a consultative process involving key stakeholders. This can be done through a combination of workshops, questionnaires and surveys. Ensure that key members of your Audit/Risk Committee are included in this process.</p>
<p>Once an organisation’s risk criteria start to take shape and some form of agreement about the levels of risk is reached, risk appetite parameters will emerge and can then be documented as part of the organisation’s risk management framework. Documenting them is important to ensure that the organisation’s attitude to risk and its risk parameters are clear. Some examples of risk appetite statements could include:</p>
<ul>
<li>“The organisation has no appetite for risks which may have a significant negative impact on the organisation’s long-term financial sustainability”.</li>
<li>“The organisation has no appetite for risks which may compromise the safety and welfare of staff, contractors and/or members of the community”.</li>
<li>“The organisation has some appetite for risks that maintain and improve levels of service to the community”.</li>
<li>“The organisation has some appetite for risks that improve efficiency, reduce costs and/or generate additional sources of income”.</li>
</ul>
<p>Risk appetite statements help to “set the tone from the top”. Incorporating them into the risk management policy is now considered part of good practice in risk management.</p>
<p>Whilst most organisations have a similar risk profile, setting risk appetite is not a one size fits all approach. Every organisation needs to carefully consider its particular operating environment and risk profile before determining an attitude towards risk that is appropriate for its circumstances.</p>
<p>Ultimately, the decision to accept or treat risks needs to be made on a risk-by-risk basis. Statements like “all risks with a residual risk level of 2 and above must be escalated to the General Manager for review” should also be incorporated within an organisation’s risk management framework.</p>
<h4>The bottom line!</h4>
<p>Risk appetite has to consider the needs of the range of stakeholders that ultimately determine an organisation’s strategy. It should be developed in a consultative manner that takes into account the context in which the organisation operates and, particularly, the organisation’s risk capacity.</p>
<p>It should be regularly reviewed as the environment in which the organisation operates can change quickly and risks that might have been tolerable previously may no longer be acceptable and vice versa.</p>
<p>Establishing a risk appetite statement and supporting risk criteria will help all stakeholders to better determine whether their actions and decisions are within acceptable or tolerable risk parameters.</p>
<p>Risk appetite has to cascade down through the organisation to act as an early-warning system to trigger escalation or corrective action when risks are outside the tolerable levels.</p>
<p>A clearly articulated risk appetite statement and supporting risk criteria are critical foundations that underpin successful risk management.</p>
The post <a href="https://inconsult.com.au/publication/what-is-your-organisations-appetite-for-risk/">What Is Your Organisations’ Appetite For Risk?</a> first appeared on <a href="https://inconsult.com.au">InConsult</a>.]]></content:encoded>
					
		
		
			</item>
	</channel>
</rss>
