<?xml version="1.0" encoding="UTF-8"?><rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>RISK | InConsult</title>
	<atom:link href="https://inconsult.com.au/publication-category/risk/feed/" rel="self" type="application/rss+xml" />
	<link>https://inconsult.com.au</link>
	<description>Helping you confidently take risks</description>
	<lastBuildDate>Mon, 13 Apr 2026 01:27:37 +0000</lastBuildDate>
	<language>en-AU</language>
	<sy:updatePeriod>
	hourly	</sy:updatePeriod>
	<sy:updateFrequency>
	1	</sy:updateFrequency>
	

<image>
	<url>https://inconsult.com.au/wp-content/uploads/2021/06/cropped-favicon-3-32x32.jpg</url>
	<title>RISK | InConsult</title>
	<link>https://inconsult.com.au</link>
	<width>32</width>
	<height>32</height>
</image> 
	<item>
		<title>Restricted vs Unrestricted Funds in Local Government</title>
		<link>https://inconsult.com.au/publication/restricted-vs-unrestricted-funds-in-local-government/</link>
		
		<dc:creator><![CDATA[Tony Harb]]></dc:creator>
		<pubDate>Mon, 13 Apr 2026 01:27:37 +0000</pubDate>
				<guid isPermaLink="false">https://inconsult.com.au/?post_type=publication&#038;p=14741</guid>

					<description><![CDATA[<p>Restricted vs Unrestricted Funds in Local Government: Governance, Risks and Controls For many NSW councils, financial sustainability is a real risk and not just something in a risk register.  Managing financial expenditure i.e. public funds in accordance with legislation is critical. But the real financial question is not how much cash sits on the balance sheet, [&#8230;]</p>
The post <a href="https://inconsult.com.au/publication/restricted-vs-unrestricted-funds-in-local-government/">Restricted vs Unrestricted Funds in Local Government</a> first appeared on <a href="https://inconsult.com.au">InConsult</a>.]]></description>
										<content:encoded><![CDATA[<h1>Restricted vs Unrestricted Funds in Local Government: Governance, Risks and Controls</h1>
<p>For many NSW councils, financial sustainability is a real risk and not just something in a risk register. Managing financial expenditure, i.e. public funds, in accordance with legislation is critical. But the real financial question is not how much cash sits on the balance sheet; it is how much of that cash is actually available to use. That is why understanding restricted vs unrestricted funds in local government is critical.</p>
<p>In NSW local government, the restricted vs unrestricted funds distinction matters because a significant share of council cash is either legally quarantined, internally allocated for future purposes, or needed to maintain liquidity for day-to-day operations. The recent NSW Audit Office’s Local government 2025 <a href="https://www.audit.nsw.gov.au/our-work/reports/local-government-2025">report</a> identified that:</p>
<ul>
<li>19 councils did not have enough cash and investments not subject to external restrictions to cover three months of general expenses, and</li>
<li>weaknesses in internal controls and governance were identified at most councils.</li>
</ul>
<p>For this, and many other important reasons, restricted and unrestricted funds should be treated as a frontline governance issue, not just a finance note at year end.</p>
<p>The legislative and policy framework is clear. The Local Government Act 1993 (the Act) says money raised by a special rate or charge, money that legislation says can only be used for a specific purpose, and specific purpose advances or grants from government cannot be used for other purposes except in limited circumstances.</p>
<p>The Office of Local Government (OLG) Local Government Code of Accounting Practice and Financial Reporting (OLG Code) also requires councils to maintain adequate accounting records, systems and internal controls, and to disclose restricted and allocated cash, cash equivalents and investments in their financial statements.</p>
<h2>Council funds sit in 3 &#8216;buckets&#8217;</h2>
<p>In simple terms, council funds typically sit in three distinct ‘buckets’:</p>
<ul>
<li><strong>Externally restricted funds</strong>: money that council is legally required to use for the specific purpose for which it was provided.</li>
<li><strong>Internally restricted funds</strong>: money that council has set aside by resolution for a specific future purpose. These funds are not &#8216;legally&#8217; restricted, but they should only be moved or repurposed through formal council resolution.</li>
<li><strong>Unrestricted funds</strong>: money that is available to support day-to-day operations, manage cash flow, respond to unexpected costs and maintain financial flexibility.</li>
</ul>
<p><img fetchpriority="high" decoding="async" class=" wp-image-14750 aligncenter" src="https://inconsult.com.au/wp-content/uploads/2026/04/three-buckets-of-council-funds-300x89.png" alt="restricted vs unrestricted funds in local government" width="860" height="255" srcset="https://inconsult.com.au/wp-content/uploads/2026/04/three-buckets-of-council-funds-300x89.png 300w, https://inconsult.com.au/wp-content/uploads/2026/04/three-buckets-of-council-funds-1224x362.png 1224w, https://inconsult.com.au/wp-content/uploads/2026/04/three-buckets-of-council-funds-768x227.png 768w, https://inconsult.com.au/wp-content/uploads/2026/04/three-buckets-of-council-funds-1536x455.png 1536w, https://inconsult.com.au/wp-content/uploads/2026/04/three-buckets-of-council-funds-2048x606.png 2048w" sizes="(max-width: 860px) 100vw, 860px" /></p>
<h2>Why externally restricted funds matter</h2>
<p>Externally restricted funds are the most tightly controlled category of council cash. These are amounts that council holds because legislation or a third-party agreement says the money can only be used for a defined purpose. The OLG Code describes them as cash, cash equivalents and investments available only for specific use because of legislation or third-party contractual agreement, and requires councils to disclose both the amount and nature of those restrictions. Common examples include water funds, sewer funds, developer contributions, domestic waste management, stormwater management and tied grants.</p>
<p>The purpose of external restriction is simple &#8211; it protects public trust and legal compliance. Developer contributions are collected to fund future infrastructure. Tied grants are provided to deliver a specified program. Special rates and charges are levied for a stated purpose. These are not general operating funds.</p>
<p>The NSW Audit Office warned that low available cash (money available as unrestricted funds) increases the risk of externally restricted cash being used for an improper purpose, and reported two high-risk findings where councils breached the Act by spending externally restricted cash and investments for an improper purpose.</p>
<h2>The strategic role of internal restricted funds</h2>
<p>Internal restricted funds, often described as internal allocations or reserves, are different. They are not imposed by legislation or grant conditions. They are set aside by council resolution or policy for a defined future purpose.</p>
<p>The OLG Code says internal allocations are cash, cash equivalents and investments allocated by council resolution or policy to identified programs of work and forward plans, and because they remain at council’s discretion they are disclosed but not deducted from total cash and investments in the same way as external restrictions.</p>
<p>This is where good financial leadership and governance becomes visible. Internal allocations are how councils plan ahead to smooth future costs instead of lurching from one budget shock to the next. Internal restricted funds can be used for plant and vehicle replacement, employee leave entitlements, asset replacement, IT renewal, carryover works, quarry remediation and bonds and deposits. That is exactly what a mature, proactive reserve framework should do &#8211; convert foreseeable liabilities, renewal needs and cyclical expenditures into transparent funding strategies.</p>
<p>The <a href="https://www.olg.nsw.gov.au/councils/policy-and-legislation/integrated-planning-and-reporting">IP&amp;R framework</a> also reinforces this discipline. NSW councils must prepare and adopt a Long-Term Financial Plan, use it to inform decision-making, and review and update its assumptions, projected income, expenditure, balance sheet and cash flow at least annually as part of the Operational Plan.</p>
<p>A Council&#8217;s Annual Report is also framed as a key point of accountability to the community and must include the council’s audited financial statements. In other words, internal allocations should never sit outside strategy; they should be linked directly to the Long-Term Financial Plan, Delivery Program and Operational Plan.</p>
<h2>Why unrestricted funds are the real test of resilience</h2>
<p>Unrestricted funds are the balances genuinely available to support day-to-day operations and liquidity, absorb shocks and fund priorities that are not already allocated elsewhere. Unrestricted funds are the cash councils rely on to pay suppliers, continue services, retain staff, manage timing differences in capital delivery and maintain financial flexibility.</p>
<p>The Audit Office’s 2025 report makes it clear why this is important. 19 councils lacked enough available cash to meet three months of general expenses, and the unrestricted current ratio remains an important indicator of short-term financial capacity. The report notes the previous OLG benchmark of 1.5, meaning $1.50 in unrestricted current assets for every $1 in current liabilities.</p>
<p>Therefore, unrestricted cash should be treated as funding available for unexpected or emergency expenses, liquidity support, short-term cash flow, operational efficiency and long-term financial sustainability. Good policy also sets a target level of unrestricted cash at the greater of $2 million or 50% of current liabilities not otherwise funded by restrictions or allocations, and treats an unrestricted current ratio below 1.5:1 as a trigger for immediate attention.</p>
<h2>Governance arrangements for restricted vs unrestricted funds</h2>
<p>The strongest councils do not manage restricted and unrestricted funds just via council resolutions, spreadsheets and memory. They manage them through formal governance arrangements.</p>
<p>That starts with a <strong>council-adopted policy</strong> that defines external restrictions, internal allocations and unrestricted cash. The policy should set approval pathways and link reserves to the Community Strategic Plan, Delivery Program, Operational Plan and Long-Term Financial Plan. Good practice requires any future internal allocation to be established by council resolution, with a defined purpose and a basis for calculating transfers.</p>
<p>From there, the control framework needs to be operational, not symbolic.</p>
<p>The NSW Audit Office’s better-practice observations are especially useful here. It found some councils still rely on highly manual annual processes to manage and report restricted cash, which increases the risk of error and breach. By contrast, one better-practice council case study linked its quarterly cash and investment budget review statement directly to the general ledger, configured the ledger to reflect externally restricted balances, and had the statement independently reviewed within the finance team.</p>
<p>The NSW Audit Office also highlighted the importance of regular reconciliation, enhanced processes and controls, transparent reporting to decision-makers, and ARIC oversight.</p>
<p>In practical terms, councils should have a clear ownership model. Finance owns the register and reconciliations, business units own the business purpose of each reserve, executives own challenge and reprioritisation, council owns creation and release of internal allocations by resolution, and ARIC owns oversight of control effectiveness, compliance risk and remediation actions.</p>
<h2>Rules for moving money in, out or between funds</h2>
<p>This is where councils most often get into trouble.</p>
<p>Externally restricted funds cannot simply be used to solve a general fund cash pressure. Section 409 of the Act limits the use of special rates or charges, legislatively restricted money and specific purpose advances or grants to their intended purpose. Section 410 creates only a narrow pathway for alternative use of some money raised by special rates or charges once the original purpose has been achieved or is no longer required, and only after public notice through the operational plan process.</p>
<p>Internal allocations are more flexible, but that does not mean they should be moved casually. Councils should adopt a sensible policy, i.e. transfers into or out of restricted cash require council resolution, whether through a specific resolution, adoption of the Quarterly Budget Review Statement, or adoption of annual financial statements containing a schedule of movements. The policy can state that councils may borrow from internally allocated cash, but not from externally restricted cash without Ministerial consent, and any such borrowing must be authorised by resolution with the full impact disclosed and interest paid.</p>
<p>That is the right principle for all councils to adopt. Legal restrictions are not optional, and internal restrictions are not informal. Even where council has discretion, reserve movements should be rule-based, transparent and documented.</p>
<h2>The biggest risks councils need to control</h2>
<p>The governance risk is not just technical non-compliance. It is financial control drift. When councils lose sight of what cash is restricted, allocated or genuinely free, three risks emerge quickly.</p>
<ol>
<li><strong>Councils may misstate liquidity.</strong> A healthy cash balance can hide a weak unrestricted cash position if too much of the total balance is externally restricted. The NSW Audit Office’s analysis shows that many regional and rural councils carry high proportions of externally restricted balances, especially where water and sewer charges form a large part of cash holdings.</li>
<li><strong>Councils may create “shadow budgets” through unmanaged internal reserves.</strong> If internal allocations are not tied to a documented purpose, target funding basis, forecast drawdown and annual review, they can become stale, duplicated or politically immovable. The IP&amp;R framework is designed to prevent that by requiring annual review of the Long-Term Financial Plan and alignment between planning, delivery and reporting.</li>
<li><strong>Councils may breach the Act through weak controls, errors or deliberate misconduct.</strong> The NSW Audit Office’s findings on externally restricted cash show that poor monitoring, manual processes and weak reporting are enough to create serious compliance failures.</li>
</ol>
<h2>The KPIs and reports that matter most</h2>
<p>Councils should separate compliance reporting from decision-based reporting. At a minimum, councillors, executives and ARIC should receive a reporting pack that clearly distinguishes externally restricted balances, internal allocations and unrestricted cash.</p>
<p>The core KPIs should include the unrestricted current ratio, unrestricted cash as a percentage of current liabilities, months of general expenses covered by available cash, total externally restricted balances by category, internal allocations against target and forecast drawdown, local infrastructure contribution balances and spend rates, and the number and value of approved transfers, internal borrowings, breaches or near misses.</p>
<p>The NSW Audit Office’s financial sustainability analysis specifically used available cash, unrestricted current ratio and own source revenue to assess councils with heightened risk, which makes those measures especially useful for internal monitoring.</p>
<p>The reporting cycle should also be disciplined. The OLG Code states that councils must meet multiple financial reporting requirements, including annual audited financial reports, an annual operational plan, a Long-Term Financial Plan and quarterly budget review statements. The IP&amp;R Guidelines require budget review statements to be reported to council within two months after the end of each quarter, except the fourth quarter, and the Annual Report to be prepared within five months of year end. Many councils have a monthly Investments Report for unrestricted cash oversight.</p>
<h2>Restricted vs unrestricted funds &#8211; Takeaways</h2>
<p>The strongest councils understand that reserve management is not about hoarding cash. It is about governing purpose.</p>
<p>Externally restricted funds protect legal and community obligations. Internal restricted funds protect future service capacity and planned asset renewal. Unrestricted funds protect resilience, liquidity and strategic choice.</p>
<p>When councils clearly define each category, set strict movement rules, link reserves to long-term planning, and report them transparently to council, ARIC and the community, they do more than stay compliant. They become more credible, more sustainable and strengthen the financial management and control culture.</p>
<h2>Can we help?</h2>
<p>Since 2001, we have worked with more than 115 NSW councils to strengthen risk management, resilience and internal controls through our internal audit and assurance services.  Whichever service you choose, our goal remains the same, to help you manage risk with confidence and provide practical advice that supports informed, effective decision-making.</p>
<p>Can we help? If your council is reviewing its approach to restricted and unrestricted funds, reserve governance or financial control settings, <a href="https://inconsult.com.au/contact-us/" target="_blank" rel="noopener noreferrer">contact us</a> to discuss how we can support your needs.</p>
<p>#RiskManagement #InternalAudit #Assurance #Governance #LocalGovernment #FinancialSustainability #InternalControls #RestrictedFunds #UnrestrictedFunds #CouncilGovernance</p>
The post <a href="https://inconsult.com.au/publication/restricted-vs-unrestricted-funds-in-local-government/">Restricted vs Unrestricted Funds in Local Government</a> first appeared on <a href="https://inconsult.com.au">InConsult</a>.]]></content:encoded>
					
		
		
			</item>
		<item>
		<title>Construction Cyber Threats: When Hackers Hit the Jobsite</title>
		<link>https://inconsult.com.au/publication/construction-cyber-threats-when-hackers-hit-the-jobsite/</link>
		
		<dc:creator><![CDATA[Tony Harb]]></dc:creator>
		<pubDate>Mon, 01 Dec 2025 21:02:54 +0000</pubDate>
				<guid isPermaLink="false">https://inconsult.com.au/?post_type=publication&#038;p=14433</guid>

					<description><![CDATA[<p>When Hackers Hit the Jobsite: The New Frontier of Construction Cyber Threats &#160; The Australian construction industry has undergone one of the most significant digital transformations in its history. Building Information Modelling (BIM), cloud-based project management, IoT-enabled devices, remote site connectivity and integrated supply-chain platforms have improved efficiency, collaboration and onsite safety. But the digital evolution [&#8230;]</p>
The post <a href="https://inconsult.com.au/publication/construction-cyber-threats-when-hackers-hit-the-jobsite/">Construction Cyber Threats: When Hackers Hit the Jobsite</a> first appeared on <a href="https://inconsult.com.au">InConsult</a>.]]></description>
										<content:encoded><![CDATA[<p><span style="color: #003366;"><strong>When Hackers Hit the Jobsite: </strong><strong>The New Frontier of Construction Cyber Threats</strong></span></p>
<hr />
<p>The Australian construction industry has undergone one of the most significant digital transformations in its history. Building Information Modelling (BIM), cloud-based project management, IoT-enabled devices, remote site connectivity and integrated supply-chain platforms have improved efficiency, collaboration and onsite safety.</p>
<p>But the digital evolution has brought a new and rapidly escalating challenge: construction cyber threats.</p>
<p>Why? This digital footprint, while transformative, creates a much wider attack surface for threat actors.</p>
<p>According to the Australian Federal Police and multiple global and local reports, the construction sector has become one of the most targeted industries for cybercrime. The <a href="https://www.afp.gov.au/news-centre/media-release/criminals-target-construction-sector-business-email-compromise-scams" target="_blank" rel="noopener">Australian Federal Police</a> issued a media release in October 2025 warning of a significant increase in scams hitting the construction sector.</p>
<p>For Australian construction companies, including large head contractors, mid-tier builders, engineers, architects, subcontractors and suppliers, the threat landscape is intensifying. Without stronger cyber resilience, the industry risks becoming one of the easiest targets for cybercriminals within a short time period.</p>
<h2>Why Attackers are Targeting Construction</h2>
<p>Construction is now one of the top three most targeted sectors globally for ransomware. Cybercriminals see construction firms as:</p>
<ol>
<li><strong>Time-pressured</strong> &#8211; project deadlines create urgency, making companies more likely to pay ransoms.</li>
<li><strong>Data-rich</strong> &#8211; building plans, smart homes and offices, access credentials, project financials and bank account details are extremely valuable.</li>
<li><strong>Under-protected</strong> &#8211; many construction companies and contractors rely on outdated systems, legacy networks, or unmanaged subcontractor connections.</li>
<li><strong>Highly interconnected</strong> &#8211; multiple vendors, suppliers and subcontractors increase the number of entry points.</li>
</ol>
<p>With billions of dollars in infrastructure, commercial and residential projects underway across Australia, the stakes have never been higher.</p>
<h2>When Construction Cyber Threats Become Reality</h2>
<p>In recent years, the construction sector has experienced several high-profile cyber incidents that highlight the industry’s growing vulnerability.</p>
<p>In Australia, <a href="https://www.cyberdaily.au/security/11317-exclusive-australian-firm-goodline-confirms-ransomhub-cyber-attack" target="_blank" rel="noopener">Goodline</a> suffered a major ransomware attack in 2024 after criminals gained access through compromised credentials, stealing over 600GB of sensitive corporate and employee data.</p>
<p>In early 2025, mid-tier builder <a href="https://www.cyberdaily.au/security/11580-exclusive-lynx-ransomware-targets-australian-construction-company-novati" target="_blank" rel="noopener">Novati Constructions</a> was listed on the Lynx ransomware gang’s leak site, with attackers claiming to have exfiltrated contracts, financial data and internal reports.</p>
<p>Internationally, Chicago-based contractor <a href="https://www.constructiondive.com/news/skender-ransomware-attack-chicago-maine/712844" target="_blank" rel="noopener">Skender Construction</a> was hit by a ransomware attack in 2024 that encrypted critical project information and exposed personal data belonging to more than 1,000 individuals before the company restored systems from backups and notified affected parties.</p>
<p>These cases underscore the escalating frequency and impact of cyber-attacks across the construction ecosystem, from major contractors to engineering firms and mid-sized builders alike.</p>
<h2>Construction Cyber Threats Come from Many Angles</h2>
<p>One of the biggest misconceptions in construction cyber security is the belief that the primary risk comes from a malicious external hacker. In reality, threats come from almost every corner of a construction project.</p>
<p>From our experience in post cyber incident investigations, these are the biggest threat vectors impacting Australian builders:</p>
<p><strong>a) Insecure subcontractors and suppliers</strong></p>
<p>Subcontractors often connect to head contractor systems, share files, or use project collaboration platforms. Many operate with minimal cyber security, outdated devices or weak password policies, turning them into high-risk gateways for attackers.</p>
<p><strong>b) Legacy and outdated systems</strong></p>
<p>Many builders rely on old project management platforms, access control systems, servers and network infrastructure, SCADA (Supervisory Control and Data Acquisition) / operational technology and outdated Microsoft or mobile device versions. These systems often lack modern security patches and become easy entry points.</p>
<p><strong>c) Unsecured IoT devices on site</strong></p>
<p>Internet of Things (IoT, or smart) devices are increasingly used to monitor equipment, track workers, manage environmental conditions, control machinery and secure site access. But many IoT systems lack encryption, authentication or secure configuration, leaving them open to exploitation.</p>
<p><strong>d) Human error &amp; social engineering</strong></p>
<p>Insurance industry cyber claims highlight that more than 80% of breaches begin with a human mistake, not a technical failure. Phishing emails, invoice fraud, fake subcontractor communications and compromised file-sharing links are rampant in the industry.</p>
<p><strong>e) Compromised cloud services</strong></p>
<p>Cloud collaboration tools are essential for modern construction. But poor access controls, shared logins, dark web data breaches or unsecured mobile devices create vulnerabilities that attackers regularly exploit.</p>
<h2>The Consequences Hit Far Beyond IT</h2>
<p>Cyber incidents in construction not only expose data, they disrupt entire project ecosystems. According to industry reports, successful attacks lead to:</p>
<p><strong>a) Project Delays &amp; Operational Shutdowns</strong></p>
<p>Ransomware can freeze project schedules, site access systems, procurement and logistics, design files and BIM models and communication tools. In major projects, every day of delay can cost millions.</p>
<p><strong>b) Cost Overruns</strong></p>
<p>Cyber incidents often cause emergency IT recovery costs, ransom payments, penalty payments for delays, rework due to corrupted files, unplanned labour and overtime, and forensic and legal expenses.</p>
<p><strong>c) Loss of Contracts and Trust</strong></p>
<p>Contracts, especially in government and critical infrastructure, may be revoked if contractors suffer significant cyber breaches and trust in their systems is lost.</p>
<p><strong>d) Legal, Insurance &amp; Compliance Exposure</strong></p>
<p>With increasing regulatory attention and mandatory breach notification laws, construction firms may face regulatory scrutiny, investigations, and litigation.</p>
<h2>Prevention Against Cyber Threats is More Effective Than Remediation</h2>
<p>According to research, the cost of proactive cyber protection is a fraction of the cost of responding to a major breach.</p>
<p>The most effective strategy is early detection. Identifying vulnerabilities (such as weak subcontractor connections, exposed cloud storage, unpatched devices, or poor security protocols) before attackers exploit them is the key to resilience.</p>
<p>The following strategies can identify vulnerabilities early and significantly reduce both the likelihood and impact of an attack:</p>
<ul>
<li>regular cyber risk assessments</li>
<li>security awareness training for staff and subcontractors</li>
<li>improved authentication policies</li>
<li>patch management</li>
<li>reviewing access controls</li>
<li>incident response planning</li>
</ul>
<h2>Why a Tailored Cybersecurity Approach is Needed in Construction</h2>
<p>Construction is unlike any other sector. With multiple sites, dispersed teams, diverse hardware/software, and complex supply chains, a generic cyber security solution simply does not work. Tailored strategies must consider:</p>
<p><strong>a) Multi-site environments</strong></p>
<p>Each site has unique requirements, equipment, connectivity and contractor access.</p>
<p><strong>b) Distributed workforce</strong></p>
<p>Engineers, project managers, site supervisors and subcontractors work across different locations and systems with varying sensitivity.</p>
<p><strong>c) High subcontractor dependency</strong></p>
<p>Each subcontractor introduces a new set of potential vulnerabilities.</p>
<p><strong>d) Operational technology (OT) &amp; IoT complexities</strong></p>
<p>Integrating physical equipment with digital systems increases risk.</p>
<p><strong>e) Hybrid digital ecosystems</strong></p>
<p>On-premise systems, cloud apps and mobile devices must all be secured cohesively.</p>
<p>Clearly, construction demands a layered, customised cyber security model, one that addresses human, technical, and supply-chain vulnerabilities holistically.</p>
<h2>What Construction Cyber Threats Indicate</h2>
<p>Australia’s construction industry continues to move quickly into a digital future, but with that progress comes real, business-critical cyber risk.</p>
<p>Cyber-attacks are no longer hypothetical. They are happening every week across the sector, impacting builders, contractors, engineers, architects and suppliers. The consequences are far-reaching: financial loss, project disruption, safety risks and reputational damage.</p>
<p>The message is clear: Construction firms must treat cyber security as seriously as physical site safety, quality control and project governance.</p>
<p>The most resilient organisations will be those that:</p>
<ul>
<li>recognise cyber risk as a genuine operational threat</li>
<li>assess their vulnerabilities early</li>
<li>strengthen subcontractor and supply-chain security</li>
<li>build a culture of cyber awareness</li>
<li>invest in tailored, layered protection</li>
</ul>
<p>In a landscape where every project is interconnected, a firm&#8217;s cyber security controls are only as strong as its weakest link. Now is the time for construction companies to act, before a cyber incident becomes the next major project delay or business interruption.</p>
<h2>Can We Help?</h2>
<p>We are here to help strengthen cyber resilience. Our cyber risk management capabilities include designing and developing a cyber risk management framework and a wide range of response plans to enhance your cyber resilience capabilities. Our <a href="https://inconsult.com.au/services/cyber-resilience/">cyber risk</a> management services include:</p>
<ul>
<li><a href="https://inconsult.com.au/construction/">Vulnerability scanning</a></li>
<li>Cyber Security Gap Analysis against Essential Eight and ISO 27001</li>
<li>Regulation compliance advice</li>
<li>Cyber Risk Governance Framework Reviews</li>
<li>Cyber Risk Governance Framework Development</li>
<li>Third-Party Vendor Review and Cyber Risk Analysis</li>
<li>Cyber Risk Awareness Training and Internal Campaigns</li>
<li>Post-Cyber Incident Review</li>
<li>Email Phishing Campaigns</li>
<li>Cyber Incident Response</li>
<li>Crisis Team Familiarisation Training</li>
<li>Artificial Intelligence (AI) Risk Governance</li>
</ul>
<p>Be more resilient to a wide range of cyber risks and get relevant insight into how to protect your systems by <a href="https://inconsult.com.au/contact-us/">contacting us</a> to discuss how we can help strengthen your cyber resilience framework.</p>
The post <a href="https://inconsult.com.au/publication/construction-cyber-threats-when-hackers-hit-the-jobsite/">Construction Cyber Threats: When Hackers Hit the Jobsite</a> first appeared on <a href="https://inconsult.com.au">InConsult</a>.]]></content:encoded>
					
		
		
			</item>
		<item>
		<title>ASX Takes Control of Corporate Governance</title>
		<link>https://inconsult.com.au/publication/asx-takes-control-of-corporate-governance/</link>
		
		<dc:creator><![CDATA[Tony Harb]]></dc:creator>
		<pubDate>Tue, 21 Oct 2025 04:15:29 +0000</pubDate>
				<guid isPermaLink="false">https://inconsult.com.au/?post_type=publication&#038;p=13185</guid>

					<description><![CDATA[<p>ASX Takes Control of Corporate Governance Principles The structure of corporate governance in Australia is undergoing a fundamental change. The system for establishing the Corporate Governance Principles and Recommendations (CGPR), which guide all ASX Listed Entities, is being overhauled after 23 years. The catalyst for this shift was the collapse of negotiations for the proposed [&#8230;]</p>
The post <a href="https://inconsult.com.au/publication/asx-takes-control-of-corporate-governance/">ASX Takes Control of Corporate Governance</a> first appeared on <a href="https://inconsult.com.au">InConsult</a>.]]></description>
										<content:encoded><![CDATA[<h1>ASX Takes Control of Corporate Governance Principles</h1>
<p>The structure of corporate governance in Australia is undergoing a fundamental change. The system for establishing the Corporate Governance Principles and Recommendations (CGPR), which guide all ASX Listed Entities, is being overhauled after 23 years.</p>
<p>The catalyst for this shift was the collapse of negotiations for the proposed 5th Edition of the CGPR earlier this year. The 19-member ASX Corporate Governance Council (CGC), a body designed to achieve consensus among diverse industry groups, found itself in gridlock.</p>
<p>This friction prompted the ASX to commission an independent &#8220;Review Panel&#8221; in June 2025 to recommend a more effective path forward.</p>
<h2>The Six Key Recommendations Shaping the Future of CGPR</h2>
<p>In September 2025, the Review Panel released a <a href="https://www.asx.com.au/content/dam/asx/about/media-releases/2025/16-oct-asx-to-implement-recommendations-from-independent-panel-review-on-the-process-for-develop.pdf" target="_blank" rel="noopener">report</a> with sweeping recommendations, which the ASX formally committed to adopting in October 2025. This marks a definitive transition from a broadly representative model to a more centralised and expert-driven approach.</p>
<p>The core recommendations are:</p>
<ol>
<li><strong>Shift Ultimate Responsibility</strong>: The sole authority for developing, approving, and issuing the CGPR will move from the CGC to the ASX.</li>
<li><strong>Establish a New Expert Advisory Group</strong>: The ASX will be supported by a small, new Advisory Group of 6-10 members (half the size of the former council), led by an independent Chair.</li>
<li><strong>The Philosophical Shift</strong>: Members of the new Advisory Group will be appointed in their individual expert capacity. They will be expected to act in the interests of the entire market, moving away from representing specific industry groups or constituencies.</li>
<li><strong>Retain the &#8220;If Not, Why Not&#8221; Rule</strong>: The existing flexible disclosure approach will remain central to the Principles. This cornerstone of Australian governance gives boards flexibility while maintaining transparency.</li>
<li><strong>Simplify and Streamline</strong>: Future Principles will be simplified to avoid overlap with matters already covered in the Corporations Act and other legal/regulatory requirements.</li>
<li><strong>Set a Fixed Renewal Cycle</strong>: A 4-year renewal cycle will be implemented to ensure the CGPR remains current and can quickly address evolving risks like ESG, cyber security, and corporate culture.</li>
</ol>
<h2>What This Means for ASX Listed Entities</h2>
<p>The ASX&#8217;s commitment to these changes signals a move toward a more agile and efficient system for maintaining world-class corporate governance standards in Australia. While the 4th Edition of the Principles remains in effect for now, boards should anticipate quicker responses to global governance trends and a renewed focus on core principles over overly prescriptive rules in the next edition.</p>
<h2>Can We Help?</h2>
<p>We understand the importance of good governance for Australian listed entities. Since 2001, we have assisted listed entities to strengthen their risk management framework to align with better practice and the Corporate Governance Principles and Recommendations (CGPR).</p>
<p>Our services are designed to help boards quickly translate the Principles into actionable compliance and disclosure practices, enabling listed entities to meet the higher standards expected.</p>
<p>For small to medium listed entities, we offer bespoke services that include:</p>
<ul>
<li><strong>Virtual Risk Officer</strong>: We offer expert guidance in establishing formal risk frameworks and conduct independent reviews to assess framework maturity. Additionally, we conduct risk workshops, risk culture assessments, and provide specialised services in areas like business continuity, crisis management, fraud control, modern slavery, and climate change risk.</li>
<li><strong>Virtual Chief Information Security Officer (vCISO)</strong>: We provide fractional or on-demand cyber security leadership to help you meet the evolving cyber risk landscape, without the cost of a full-time executive.</li>
<li><strong>Internal Audit Services</strong>: We provide outsourced or co-sourced internal audit functions, ensuring independent assurance on your controls and operational efficiency, which is vital for maintaining board and stakeholder confidence.</li>
</ul>
<p>Take risk management to the next level and <a href="https://inconsult.com.au/contact-us/" target="_blank" rel="noopener noreferrer">contact us</a> to discuss your risk and resilience needs.</p>
The post <a href="https://inconsult.com.au/publication/asx-takes-control-of-corporate-governance/">ASX Takes Control of Corporate Governance</a> first appeared on <a href="https://inconsult.com.au">InConsult</a>.]]></content:encoded>
					
		
		
			</item>
		<item>
		<title>GRC Capability vs Technology: The Differences</title>
		<link>https://inconsult.com.au/publication/grc-capability-vs-technology-the-differences/</link>
		
		<dc:creator><![CDATA[Tony Harb]]></dc:creator>
		<pubDate>Fri, 10 Oct 2025 03:18:02 +0000</pubDate>
				<guid isPermaLink="false">https://inconsult.com.au/?post_type=publication&#038;p=13127</guid>

					<description><![CDATA[<p>GRC Technology vs. GRC Capability: Understanding the Difference The term GRC (Governance, Risk and Compliance) was first used in the early/mid 2000s, gaining prominence after major corporate scandals such as Enron and WorldCom led to the introduction of regulatory reforms like the Sarbanes-Oxley Act (2002) in the United States. These events highlighted the need for [&#8230;]</p>
The post <a href="https://inconsult.com.au/publication/grc-capability-vs-technology-the-differences/">GRC Capability vs Technology: The Differences</a> first appeared on <a href="https://inconsult.com.au">InConsult</a>.]]></description>
										<content:encoded><![CDATA[<h1>GRC Technology vs. GRC Capability: Understanding the Difference</h1>
<p>The term GRC (Governance, Risk and Compliance) was first used in the early/mid 2000s, gaining prominence after major corporate scandals such as <a href="https://www.investopedia.com/updates/enron-scandal-summary/" target="_blank" rel="noopener">Enron</a> and WorldCom led to the introduction of regulatory reforms like the Sarbanes-Oxley Act (2002) in the United States. These events highlighted the need for stronger governance structures, integrated risk management, and regulatory accountability — giving rise to what we now recognise as GRC.</p>
<p>Many organisations believe that purchasing a GRC platform equals GRC maturity. The reality? Software alone does not create good governance.</p>
<p>True GRC is a capability built on policy, people, processes and culture, and enabled by technology.</p>
<p>When these elements are misaligned, even the most expensive tools fail. This article helps leaders recognise that GRC is an organisational discipline, not an IT project or a stand-alone system.</p>
<h2><strong>Why GRC Is More Than Just Software</strong></h2>
<p>Buying a tool without clear governance structures, decision rights, and accountabilities creates confusion rather than clarity. GRC capability starts with purpose and policy — then aligns responsibility, process, and technology.</p>
<p><strong>Risk: </strong>Organisations that rush into technology miss foundational elements, resulting in &#8220;shelfware&#8221;, low adoption and inconsistent practices.</p>
<p><strong>Risk mitigation actions:</strong></p>
<ul>
<li>Align technology with policy and governance frameworks.</li>
<li>Define ownership (risk, compliance, audit) before automation.</li>
<li>Assess your maturity before tool selection.</li>
</ul>
<h2><strong>People and Culture &#8211; The Real Engine of GRC Capability</strong></h2>
<p>Even the best system won&#8217;t fix a weak risk culture, broken processes or disengaged users. If leadership, risk owners or frontline staff don’t understand their role, GRC becomes a compliance chore rather than a value-adding practice.</p>
<p><strong>Risk: </strong>Without role clarity and engagement, risk data becomes unreliable, workflows stall, and decisions are made blind.</p>
<p><strong>Risk mitigation actions:</strong></p>
<ul>
<li>Deliver role-based GRC training and cultural embedding.</li>
<li>Establish governance committees and escalation protocols.</li>
<li>Strengthen three lines of accountability.</li>
</ul>
<h2><strong>Processes &#8211; The Hidden Weak Link in GRC Implementation</strong></h2>
<p>GRC tools can only automate what already works. If risk assessments, incident workflows, or policy lifecycles are unclear, the system simply digitises chaos.</p>
<p><strong>Risk:</strong> Broken processes lead to inconsistent risk reporting, duplicate registers, and poor audit traceability.</p>
<p><strong>Risk mitigation actions:</strong></p>
<ul>
<li>Map and optimise risk, compliance and incident workflows.</li>
<li>Standardise process libraries before automation.</li>
<li>Establish data taxonomy and control hierarchies.</li>
</ul>
<h2><strong>Technology as an Enabler &#8211; Not the Hero</strong></h2>
<p>Software should enable integration, not dictate the GRC model. Over-customisation or ‘bending’ the tool to broken processes often results in complexity and user frustration.</p>
<p><strong>Risk: </strong>Technology misalignment creates resistance, workarounds and shadow systems (spreadsheets, emails, manual logs).</p>
<p><strong>Risk mitigation actions:</strong></p>
<ul>
<li>Conduct GRC tool health checks and utilisation audits.</li>
<li>Simplify configuration in line with process reality.</li>
<li>Introduce optimisation roadmaps post-implementation.</li>
</ul>
<h2><strong>Key Takeaway</strong></h2>
<p>Successful GRC is a journey, not a go-live event.</p>
<p>Ultimately, organisations that view GRC as a true enterprise capability &#8211; built on strong governance, clear ownership, aligned processes and engaged people &#8211; are the ones that extract real value from their technology investment.</p>
<p>A platform alone cannot create maturity; it must sit on a foundation of purpose, process and accountability.</p>
<p>By strengthening capability first and using technology as an enabler, organisations move beyond compliance to create a system that supports confident decision-making, resilience and long-term trust.</p>
<h2><strong>How InConsult Bridges the GRC Gap</strong></h2>
<p>You don’t build GRC maturity by installing software. You build it by developing capability, and technology follows.</p>
<p>InConsult helps organisations shift from tool reliance to capability growth. Discover InConsult’s GRC Assurance and Optimisation services.</p>
<p>As risk, governance, compliance, and audit practitioners, InConsult specialises in GRC Post-Implementation Reviews. We help organisations identify red flags, assess system effectiveness, and implement improvement plans. Our independent guidance ensures your GRC system becomes a reliable tool for decision-making, risk oversight, and regulatory compliance — quickly turning underperformance into opportunity.</p>
<p>Bring people, systems and processes together to better manage risk and compliance, <a title="Contact Us" href="https://inconsult.com.au/contact-us/">contact us</a> to discuss your GRC needs.</p>
The post <a href="https://inconsult.com.au/publication/grc-capability-vs-technology-the-differences/">GRC Capability vs Technology: The Differences</a> first appeared on <a href="https://inconsult.com.au">InConsult</a>.]]></content:encoded>
					
		
		
			</item>
		<item>
		<title>New GRC system: Fix Post Go-Live Issues Early</title>
		<link>https://inconsult.com.au/publication/new-grc-system-fix-post-go-live-issues-early/</link>
		
		<dc:creator><![CDATA[Tony Harb]]></dc:creator>
		<pubDate>Fri, 10 Oct 2025 00:05:10 +0000</pubDate>
				<guid isPermaLink="false">https://inconsult.com.au/?post_type=publication&#038;p=13112</guid>

					<description><![CDATA[<p>Post Go-Live Reality: Early Warning Signs Your GRC System Is Underperforming Implementing a GRC system is a major investment in technology, processes, and culture. Yet many organisations discover that, a few months after go-live, the system isn’t delivering the expected value. The consequences aren’t just financial – as compliance gaps could lead to increased regulatory [&#8230;]</p>
The post <a href="https://inconsult.com.au/publication/new-grc-system-fix-post-go-live-issues-early/">New GRC system: Fix Post Go-Live Issues Early</a> first appeared on <a href="https://inconsult.com.au">InConsult</a>.]]></description>
										<content:encoded><![CDATA[<h1>Post Go-Live Reality: Early Warning Signs Your GRC System Is Underperforming</h1>
<p>Implementing a GRC system is a major investment in technology, processes, and culture. Yet many organisations discover that, a few months after go-live, the system isn’t delivering the expected value. The consequences aren’t just financial, as compliance gaps could lead to increased regulatory scrutiny:</p>
<ul>
<li>Under CPS 220 and CPS 230, APRA expects robust Risk Management Information Systems (RMIS) that support timely and accurate reporting.</li>
</ul>
<p>This isn’t just confined to the Prudential Regulator, as multiple regulators across other jurisdictions continue to demand more from Risk &amp; Compliance teams:</p>
<ul>
<li>ASIC requires robust compliance and conduct controls</li>
<li>AUSTRAC expects systems for financial crime, AML/CTF monitoring, and reporting</li>
<li>Global bodies like the SEC (U.S.), FCA (UK), and EBA (Europe) enforce integrated risk management, operational resilience, and reporting obligations</li>
<li>Sector-specific regulators such as the TGA (health), AEMO/AER (energy), and prudential authorities in finance also demand evidence of controlled, auditable processes</li>
</ul>
<p>This non-exhaustive list highlights the regulatory challenge that modern-day organisations face and reinforces the need for mature GRC platforms. So if your GRC system underperforms, it is important to identify issues early and ensure your GRC platform performs from day 1.</p>
<p>Here are some early warning signs to look out for:</p>
<h2><strong>1. Low User Adoption and Engagement</strong></h2>
<p>Even the most advanced GRC platform fails if users don’t engage with it consistently. Low adoption can manifest as minimal logins, incomplete workflows, or continued reliance on spreadsheets and emails.</p>
<p>User engagement is a critical predictor of system success. Poor adoption leads to gaps in risk reporting, incomplete audit trails, and misalignment between business and technology.</p>
<p><strong>Actions:</strong></p>
<ol>
<li>Conduct targeted user training sessions and refresher workshops.</li>
<li>Implement a communication plan highlighting benefits and quick wins.</li>
<li>Introduce dashboards and KPIs to show users how their input drives decision-making.</li>
</ol>
<h2><strong>2. Clunky GRC interface or Inefficient Workflows</strong></h2>
<p>GRC systems are intended to streamline processes, but poorly configured workflows or overly complex approval steps can frustrate users and slow operations.</p>
<p>Inefficient workflows increase errors, reduce efficiency, and discourage use. When workflows don’t align with how the business actually operates, staff may bypass the system or duplicate work, undermining the platform’s value.</p>
<p><strong>Actions:</strong></p>
<ol>
<li>Review and map existing business processes against system workflows.</li>
<li>Simplify approval chains and automate repetitive tasks.</li>
<li>Engage key users to test revised workflows before full rollout.</li>
</ol>
<h2><strong>3. Poor Data Quality and Reporting</strong></h2>
<p>A GRC system is only as effective as the data it contains. Inconsistent data entry, missing fields, or errors in migrated data can lead to inaccurate dashboards and misleading reports.</p>
<p>Decision-makers rely on GRC systems for insight into enterprise risks. Poor data quality compromises board reporting, regulatory compliance, and risk visibility.</p>
<p><strong>Actions:</strong></p>
<ol>
<li>Perform a data cleansing and standardisation exercise.</li>
<li>Implement mandatory fields, validation rules, and automation to reduce errors.</li>
<li>Schedule regular audits and monitoring of data quality metrics.</li>
</ol>
<h2><strong>4. Integration and GRC System Performance Issues</strong></h2>
<p>Post-go-live, integration with existing systems such as HR, incident management, and policy libraries may be incomplete or unstable. System slowdowns or errors can frustrate users and reduce confidence.</p>
<p>Seamless integration is essential for a single source of truth across governance, risk, and compliance functions. Poor integration reduces visibility, introduces duplicate data, and increases operational risk.</p>
<p><strong>Actions:</strong></p>
<ol>
<li>Conduct a full integration review to identify gaps or conflicts.</li>
<li>Optimise data flow between systems and implement automation where possible.</li>
<li>Monitor performance and error logs to proactively resolve issues.</li>
</ol>
<h2><strong>5. Misalignment with Risk and Compliance Objectives</strong></h2>
<p>Sometimes, the system delivers outputs, but they don’t align with the organisation’s risk frameworks, reporting requirements, or regulatory expectations. Misalignment leads to wasted investment, reporting gaps, and potential non-compliance.</p>
<p><strong>Actions:</strong></p>
<ol>
<li>Reassess system configuration against risk and compliance frameworks.</li>
<li>Adjust reporting templates and dashboards to align with board and regulator needs.</li>
<li>Conduct workshops with key stakeholders to ensure outputs meet operational and strategic objectives.</li>
</ol>
<h2><strong>Key Takeaway</strong></h2>
<p>Post-go-live issues are common but preventable if organisations proactively monitor adoption, workflows, data quality, integration, and alignment. Addressing these early ensures the GRC system delivers real insights, strengthens governance, and meets regulatory expectations. An early Post-Implementation Review identifies misalignments and provides actionable recommendations.</p>
<h2><strong>How InConsult Bridges the GRC Gap</strong></h2>
<p>Want your GRC system to deliver real value? Discover InConsult’s GRC Assurance and Optimisation services.</p>
<p>As risk, governance, compliance, and audit practitioners, InConsult specialises in GRC Post-Implementation Reviews. We help organisations identify red flags, assess system effectiveness, and implement improvement plans. Our independent guidance ensures your GRC system becomes a reliable tool for decision-making, risk oversight, and regulatory compliance — quickly turning underperformance into opportunity.</p>
<p>Bring people, systems and processes together to better manage risk and compliance, <a title="Contact Us" href="https://inconsult.com.au/contact-us/">contact us</a> to discuss your GRC needs.</p>
The post <a href="https://inconsult.com.au/publication/new-grc-system-fix-post-go-live-issues-early/">New GRC system: Fix Post Go-Live Issues Early</a> first appeared on <a href="https://inconsult.com.au">InConsult</a>.]]></content:encoded>
					
		
		
			</item>
		<item>
		<title>GRC System Readiness Assessment: 5 Key Questions</title>
		<link>https://inconsult.com.au/publication/grc-system-readiness-assessment-5-key-questions/</link>
		
		<dc:creator><![CDATA[Tony Harb]]></dc:creator>
		<pubDate>Thu, 09 Oct 2025 21:53:46 +0000</pubDate>
				<guid isPermaLink="false">https://inconsult.com.au/?post_type=publication&#038;p=13103</guid>

					<description><![CDATA[<p>GRC Readiness – The 5 Questions Every Organisation Must Ask Before Selecting a Platform Before investing in a Governance, Risk, and Compliance (GRC) platform, organisations need to pause and evaluate their readiness. Regulators such as APRA, under CPS 220 and CPS 230, expect organisations to maintain reliable Risk Management Information Systems (RMIS). However, technology alone [&#8230;]</p>
The post <a href="https://inconsult.com.au/publication/grc-system-readiness-assessment-5-key-questions/">GRC System Readiness Assessment: 5 Key Questions</a> first appeared on <a href="https://inconsult.com.au">InConsult</a>.]]></description>
										<content:encoded><![CDATA[<h1>GRC Readiness – The 5 Questions Every Organisation Must Ask Before Selecting a Platform</h1>
<p>Before investing in a Governance, Risk, and Compliance (GRC) platform, organisations need to pause and evaluate their readiness.</p>
<p>Regulators such as <a href="https://www.apra.gov.au/">APRA</a>, under CPS 220 and CPS 230, expect organisations to maintain reliable Risk Management Information Systems (RMIS). However, technology alone does not guarantee better risk oversight. A platform implemented without assessing readiness risks under-delivering, wasting investment and creating compliance gaps.</p>
<p>A GRC Readiness Assessment helps organisations align their operating model, ownership structures, integration needs, and change capability before committing to a system — maximising return on investment and strengthening decision-making. Here are our top 5 questions to ask before you invest in a GRC system.</p>
<h2><strong>1. What Problem Are We Actually Trying to Solve?</strong></h2>
<p>Many organisations invest in GRC platforms without a clear understanding of the problem they are trying to solve. Is the priority regulatory reporting, audit efficiency, enterprise risk visibility, or incident management?</p>
<p>Providing GRC vendors with a list of your requirements is not the same as defining the problem you are trying to solve. Yes, it will help, but the &#8216;functional requirements&#8217; are the result of an in-depth needs analysis.</p>
<p><strong>Why it matters:</strong></p>
<p>Without clarity, organisations often purchase overly complex systems with features they don’t need, or they fail to solve core gaps. This leads to underused technology, frustrated users, and poor adoption. By defining the problem upfront, organisations can target match-fit solutions that truly add value.</p>
<h2><strong>2. Are Our Processes, Governance, and Data GRC Ready?</strong></h2>
<p>A GRC platform amplifies the strengths and weaknesses of existing processes and governance structures. If workflows are inconsistent, controls are poorly defined, or data quality is unreliable, automation will not fix the underlying problems.</p>
<ul>
<li>The risk and compliance framework should be robust and have an operating rhythm.</li>
<li>People should understand the fundamentals of risk management.</li>
<li>The risk culture must be alive and well.</li>
</ul>
<p><strong>Why it matters:</strong></p>
<p>Platforms rely on accurate, standardised data to provide insights. Investing in technology without process and data readiness can produce misleading reports, compliance gaps, and lost trust with regulators and boards. A readiness assessment ensures that your frameworks, controls, and data are fit-for-purpose, giving the platform a foundation to deliver measurable business value.</p>
<h2><strong>3. Who Will Own and Sustain the GRC Platform?</strong></h2>
<p>Ownership is critical for long-term GRC success. We&#8217;ve seen ownership range from the company secretary to the risk officer to the IT manager. Assigning responsibility solely to IT or a single department risks poor adoption, missed updates, and fragmented oversight. GRC itself aims to break down silos. A clearly defined governance model ensures accountability for system administration, workflow management, and user support.</p>
<p><strong>Why it matters:</strong></p>
<p>Without business ownership, the platform becomes a compliance checkbox rather than a decision-making tool. Identifying owners across risk, compliance, and audit functions ensures ongoing maintenance, process alignment, and active use &#8211; enabling the system to deliver insights consistently and reliably.</p>
<h2><strong>4. How Will the GRC Platform Integrate with Existing Systems?</strong></h2>
<p>Organisations often have multiple tools: HR systems, incident management platforms, policy libraries, and reporting tools. A GRC platform that cannot integrate with these systems creates silos and duplicate work. Sure, some organisations don&#8217;t need full integration, but if you do, integration and security become a big issue.</p>
<p><strong>Why it matters:</strong></p>
<p>Integration is essential for real-time visibility and accurate reporting. By mapping existing systems and defining integration points upfront, organisations can streamline workflows, reduce manual work, and provide the board with a single source of truth for governance, risk, and compliance information.</p>
<h2><strong>5. Are We Ready for Change?</strong></h2>
<p>Even the best platform will fail if users are resistant to change. Implementing a GRC system often requires a cultural shift &#8211; from manual reporting and siloed ownership to automated workflows, shared accountability, and transparent reporting.</p>
<p><strong>Why it matters:</strong></p>
<p>Without leadership support and a change management strategy, adoption will be slow, processes inconsistent, and the system underused. Assessing organisational readiness for change ensures that training, communication, and engagement strategies are in place to make adoption smooth, sustainable, and effective.</p>
<h2><strong>Key Takeaway</strong></h2>
<p>In practice, organisations will have more questions to answer, but this is our recommended starting point.</p>
<p>A GRC platform is only as effective as the organisation using it. Readiness assessment prevents wasted investment, poor adoption, and regulatory gaps. Organisations that answer these questions before selecting a platform position themselves for real value creation — aligning people, processes, and technology.</p>
<h2><strong>How InConsult Bridges the Gap</strong></h2>
<p>Want your GRC system to deliver real value? Discover InConsult’s GRC Assurance and Optimisation services.</p>
<p>Our GRC Readiness assessment prevents wasted investment, poor adoption, and regulatory gaps. Organisations that answer these questions before selecting a platform position themselves for real value creation.</p>
<p>Bring people, systems and processes together to better manage risk and compliance, <a title="Contact Us" href="https://inconsult.com.au/contact-us/">contact us</a> to discuss your GRC needs.</p>
The post <a href="https://inconsult.com.au/publication/grc-system-readiness-assessment-5-key-questions/">GRC System Readiness Assessment: 5 Key Questions</a> first appeared on <a href="https://inconsult.com.au">InConsult</a>.]]></content:encoded>
					
		
		
			</item>
		<item>
		<title>Why GRC Systems Fail &#038; How to Unlock Real Value</title>
		<link>https://inconsult.com.au/publication/why-grc-systems-fail-how-to-unlock-real-value/</link>
		
		<dc:creator><![CDATA[Tony Harb]]></dc:creator>
		<pubDate>Thu, 09 Oct 2025 20:20:12 +0000</pubDate>
				<guid isPermaLink="false">https://inconsult.com.au/?post_type=publication&#038;p=13087</guid>

<description><![CDATA[<p>Why GRC Systems Fail &#38; How to Unlock Real Value Many organisations invest heavily in GRC platforms expecting instant transformation and a strategic engine – only to find they’ve just gained a static reporting tool. With regulators like APRA explicitly requiring organisations to maintain robust risk management information systems through CPS 220 (Risk Management) and [&#8230;]</p>
The post <a href="https://inconsult.com.au/publication/why-grc-systems-fail-how-to-unlock-real-value/">Why GRC Systems Fail & How to Unlock Real Value</a> first appeared on <a href="https://inconsult.com.au">InConsult</a>.]]></description>
										<content:encoded><![CDATA[<h1>Why GRC Systems Fail &amp; How to Unlock Real Value</h1>
<p>Many organisations invest heavily in GRC platforms expecting instant transformation and a strategic engine – only to find they’ve just gained a static reporting tool.</p>
<p>With regulators like APRA explicitly requiring organisations to maintain robust risk management information systems through <a href="https://www.apra.gov.au/">CPS 220</a> (Risk Management) and CPS 230 (Operational Risk Management), it is no longer enough to just own a system.</p>
<p>GRC systems must be implemented effectively, governed properly and capable of supporting real risk insight and decision-making.</p>
<h2><strong>Common GRC System Pitfalls</strong></h2>
<p>Many GRC systems fail not because of the software, but because of the environment they’re dropped into. Why the gap between expectation and reality?</p>
<h4>1. No Clear Problem Definition</h4>
<p>Organisations often implement a GRC system without clearly defining the core problem. Is it risk visibility? Compliance tracking? Audit management? Incident management? All the above?</p>
<p>Without clarity, the system becomes a catch-all tool with no meaningful impact.</p>
<h4>2. Immature or Inconsistent Processes</h4>
<p>Automating broken processes doesn’t fix them; it simply institutionalises inefficiency. If risk assessments, incident reporting or compliance workflows are inconsistent or manual, the system will mirror confusion rather than deliver control.</p>
<h4>3. Poor Data Foundations</h4>
<p>Garbage in, garbage out!</p>
<p>GRC systems are only as strong as the data they consume. Inconsistent risk registers, outdated policies, and fragmented reporting produce dashboards that look impressive but lack accuracy or trustworthiness.</p>
<h4>4. Lack of Change Management &amp; User Engagement</h4>
<p>A common but fatal error is that teams assume users will “figure it out”. Without proper training, stakeholder buy-in, and ongoing governance, adoption stalls and the system is underused or abandoned.</p>
<p>This problem is further exacerbated when key staff leave.</p>
<h2><strong>Technology Alone Isn’t GRC</strong></h2>
<p>To function properly, a GRC system requires solid foundations that include:</p>
<ul>
<li>Clear Governance – Who owns risk? Who approves controls and exceptions?</li>
<li>Defined Processes – How do we escalate issues? Track actions? Monitor compliance?</li>
<li>People &amp; Roles – Do executives trust the outputs? Do users understand their responsibilities?</li>
<li>Culture &amp; Accountability – Are teams using the system, or still operating in spreadsheets?</li>
</ul>
<p>Without these components, even the most powerful and expensive GRC platform becomes nothing more than a database with reporting features — not a decision-making engine.</p>
<h2><strong>What GRC Success Looks Like</strong></h2>
<p>A successful GRC implementation goes far beyond configuration. It transforms how decisions are made. High-performing GRC systems deliver:</p>
<ul>
<li>Trustworthy Data &amp; Insights – Executives and Boards rely on it for governance, reporting, and assurance.</li>
<li>True Integration – Risk, compliance, audit, incidents and actions linked in one ecosystem.</li>
<li>Active Adoption &amp; Engagement – Staff use it daily because it simplifies their work.</li>
<li>Continuous Improvement – Dashboards and workflows evolve with the organisation, not remain static after go-live.</li>
</ul>
<p>In short, the GRC system moves from being a reporting database to a strategic platform for governance, risk and compliance intelligence.</p>
<h2><strong>How InConsult Bridges the Gap</strong></h2>
<p>Want your GRC system to deliver real value? Discover InConsult’s GRC Assurance and Optimisation services. As experienced risk, compliance and audit practitioners, we:</p>
<ul>
<li>Assess readiness before selection.</li>
<li>Align processes and frameworks before configuration.</li>
<li>Support user adoption and data integrity.</li>
<li>Review performance post-implementation to ensure ongoing value.</li>
</ul>
<p>To bring people, systems and processes together and better manage risk and compliance, <a title="Contact Us" href="https://inconsult.com.au/contact-us/">contact us</a> to discuss your GRC needs.</p>
]]></content:encoded>
					
		
		
			</item>
		<item>
		<title>New Third Party Requirements Reshaping Australia</title>
		<link>https://inconsult.com.au/publication/third-party-audits-reshaping-organisations/</link>
		
		<dc:creator><![CDATA[William Makdessi]]></dc:creator>
		<pubDate>Thu, 18 Sep 2025 05:18:22 +0000</pubDate>
				<guid isPermaLink="false">https://inconsult.com.au/?post_type=publication&#038;p=12710</guid>

					<description><![CDATA[<p>On September 15th 2025, the Institute of Internal Auditors (IIA) issued the new Topical Requirements focused on strengthening consistency and quality of auditing the high-risk area of Third Party Management. As a new mandatory element of the IIA International Professional Practices Framework (IPPF), these new requirements will reshape the way in which third party risk [&#8230;]</p>
The post <a href="https://inconsult.com.au/publication/third-party-audits-reshaping-organisations/">New Third Party Requirements Reshaping Australia</a> first appeared on <a href="https://inconsult.com.au">InConsult</a>.]]></description>
										<content:encoded><![CDATA[<p>On September 15<sup>th</sup> 2025, the Institute of Internal Auditors (IIA) issued the new <a href="https://www.theiia.org/en/standards/2024-standards/topical-requirements/third-party/?_cldee=KBu2L3NKbLi8FP4uHxMEPIah70AaZTmZN8PzqkD5_pOlgSZ92yQyaCVBEczJG6Kv&amp;recipientid=contact-e29ef4b95c06ee118f6e000d3ae0178a-36d2b4c7686b4f84b7678164d3a1a0c7&amp;esid=1821b916-a592-f011-b4cb-7ced8d32ddf0">Topical Requirements</a> focused on strengthening consistency and quality of auditing the high-risk area of Third Party Management. As a new mandatory element of the IIA International Professional Practices Framework (IPPF), these new requirements will reshape the way in which third party risk management and assurance auditing is facilitated in Australia.</p>
<p>The new Topical Requirements, set to be effective September 15<sup>th</sup> 2026, will raise the bar and provide a number of benefits including:</p>
<ul>
<li>Defining a consistent baseline for evaluating third party risk across all industries.</li>
<li>Increasing confidence in assurance and auditing for leadership and key stakeholders with respect to third party risk profiles.</li>
<li>Inherently strengthening the resilience of organisations with respect to third party failures, ethical breaches, cyber incidents and more.</li>
</ul>
<h3><strong>Third Party Challenges Organisations Will Face</strong></h3>
<p>Despite the benefits, the introduction of the requirements also brings new challenges that organisations of different size, complexity and industry will each have to face in their own way. As they say, there is more than one way to skin a cat, and it is up to each organisation to determine the right way.</p>
<h4>1. Increases in documentation and evidence</h4>
<p>Auditors will be expected to document evidence of assessment of formally structured frameworks and their supporting procedures. The relationship between these frameworks and how they tie into the organisation&#8217;s risk management is an additional requirement that expects a level of maturity not commonly in place in typical Australian organisations. Even if these frameworks are in place, a lack of cohesion across the different methodologies means evidence collection will be a slow process. In the <a href="https://www.aicd.com.au/corporate-governance-sectors/not-for-profit/studies/not-for-profit-governance-and-performance-study-2025.html">AICD 2024-25 NFP Governance &amp; Performance Study</a>, 53% of directors said they spent more time on duties than the prior year, reflecting a rise in the compliance and assurance demands typical of director roles.</p>
<p>The quality of evidence also plays a key role. ASA 530 for Attribute Testing requires auditors to document a confidence of 90-95% or higher when ensuring controls are adequate. For key controls, i.e. anything relating to key vendors and processes, any deviation from the requirements must be kept between <strong>0-5%</strong>. This leaves very little room for exceptions and drives the outcome of any review.</p>
<h4>2. Governance gaps in oversight</h4>
<p>The new requirements mandate clear board oversight to ensure third party relationships are well managed. In reality, most organisations in Australia delegate the ownership and oversight of all third party risk activities to Procurement and/or IT. Being able to prove involvement by leadership will be difficult, and in some cases, require adjustment to the responsibilities of leadership roles.</p>
<p>Consistently, we have observed either a lack of resources to dedicate to third party management or delegation to IT roles such as a Cyber Security Lead. The latter introduces implementation concerns, as Cyber Security Lead roles tend to lack the risk management knowledge required to undertake third party management.</p>
<h4>3. Consistent Risk Management throughout the Third Party lifecycle</h4>
<p>To successfully apply a structured and repeatable method to assessing risk throughout the third party lifecycle, organisations must have a formal enterprise risk management framework that is clear, functional and communicated to all staff involved in the process. The risk assessment process must consistently address selection, onboarding, monitoring and offboarding.</p>
<p>Private and unlisted companies such as IT service providers, SMEs, NFPs and charities have no legal obligation to implement a risk management framework, the only exception being an ad-hoc approach to Work Health and Safety. Many third parties used for IT services, marketing, legal services, etc. have no obligation to do so, increasing the risk of poor or no risk management across third party management. The Vero Insurance SME Insurance Index 2024/2025 reported that <strong>~90%</strong> of Australian businesses lack a formal risk management process, with 81–82% <strong>never or rarely</strong> conducting risk analyses when required.</p>
<h4>4. Ongoing monitoring just got harder</h4>
<p>Ongoing monitoring following onboarding is a process that is often not performed successfully, or at all, by the vast majority of organisations in Australia. The old habits of &#8220;set and forget&#8221; contracts are not good enough. Even multi-year contracts that address all requirements over the lifespan of the contract will require performance, compliance and cyber control assessment to ensure expectations are being met. Naturally, this will also lean on the risk management framework to determine whether any such failures to meet expectations result in risks that are outside of the organisation&#8217;s appetite.</p>
<p>The <a href="https://www.mcgrathnicol.com/insight/the-changing-landscape-of-business-risk/">McGrathNicol/YouGov study</a> from August 2024 concluded that <strong>82%</strong> of Australian companies do not extend risk assessments beyond Tier-1 suppliers, and <strong>71%</strong> of companies that do assess third parties do not include security practices in their assessment.</p>
<h4>5. Aligning to increasing regulatory pressures</h4>
<p>The requirements explicitly reference compliance with local, national and international regulations. For Australian organisations, that could mean at minimum the Privacy Act. However, certain industries are also affected by the Australian Prudential Regulation Authority (APRA) Prudential Standards CPS 230 Operational Risk Management and CPS 234 Information Security. For larger critical providers, the Security of Critical Infrastructure (SOCI) Act and Modern Slavery are just some additional considerations. Achieving consistency across the various regulations and standards increases complexity.</p>
<p>With the delay of requirements under APRA CPS 230 relating to pre-existing contracts to July 2026 for non-Significant Financial Institutions (SFIs), we can expect a natural increase in pressure as the date approaches. If APRA&#8217;s activities around CPS 234 from 2019 onwards are any indication of what is to come, we can expect at the very least a thematic review. APRA has already committed to conducting targeted reviews of SFIs as part of its 2025-2026 Corporate Plan.</p>
<h4>6. Strain on smaller organisations and public entities</h4>
<p>Large corporations and enterprises, especially multinationals, will easily absorb these changes, as these requirements are not new to them. For Local Government councils, NFPs, small businesses and providers, these new requirements will demand a new focus on audit and compliance. This new focus is two-fold: it not only requires additional investment and resources, it could also expose gaps that previously avoided the spotlight.</p>
<h4>7. Cultural resistance and a lack of Third Party strategy</h4>
<p>As with any uplift of requirements and increased complexity, cultural resistance is an expected reality. Australian organisations will fail unless they can overcome the outdated concept that third party management is a procurement-only task. Overcoming this requires the understanding that third party management is not only operational but also strategic. Our dependency on third parties can be improved by better managing the entire process, resulting in cost savings, efficiencies, lower insurance premiums, greater coverage, new client opportunities and much more.</p>
<p>In May 2024, the Australian Privacy Commissioner highlighted third-party providers as a “weak spot” in privacy and security postures of organisations, reinforcing the need for enterprise-level third party management strategy beyond only procurement or IT.</p>
<h3><strong>Why These Challenges Matter</strong></h3>
<p>Ultimately, these challenges are worth facing. The requirements encourage stronger governance, better risk management discipline, and greater transparency across leadership into third party relationships. For Australian organisations, this means better preparedness for cyber incidents, supply chain disruptions, reputational crises, and regulatory scrutiny.</p>
<p>Third parties are already the bread and butter of many critical functions within Australian organisations. We cannot expect adequate operations, security and assurance without expecting a level of quality that matches that of our own internal processes.</p>
<h3><strong>Where To Start with Third Party Management</strong></h3>
<p>In Part 2 of our Third Party Management publication we will go over some key steps to consider and to help you succeed in third party management.</p>
<h3><strong>How We Can Help You Build Organisational Resilience</strong></h3>
<p>We are here to help strengthen your organisational resilience, systems and processes. Our third party risk management capabilities include:</p>
<ul>
<li>In-house developed, comprehensive vulnerability scanning of third parties.</li>
<li>Comprehensive third party risk management assessments to provide independent assurance.</li>
<li>Helping organisations take their first steps towards implementing a formal and proactive third party management framework.</li>
<li>Performing an independent review or health check of your existing third party management framework to identify gaps and level of maturity.</li>
<li>Conducting third party risk and cyber risk awareness workshops covering strategic, operational and project risks.</li>
<li>Conducting third party penetration tests and comprehensive audits.</li>
<li>Supporting you across a range of third party services including governance, business continuity, crisis management, cyber risk, third party monitoring and more.</li>
</ul>
<p>Take risk management to the next level and <a title="Contact Us" href="https://inconsult.com.au/contact-us/">contact us</a> to discuss your needs.</p>
]]></content:encoded>
					
		
		
			</item>
		<item>
		<title>The 4 Chief Risk Officer Archetypes For Success</title>
		<link>https://inconsult.com.au/publication/the-4-chief-risk-officer-archetypes-for-success/</link>
		
		<dc:creator><![CDATA[Tony Harb]]></dc:creator>
		<pubDate>Fri, 05 Sep 2025 06:11:38 +0000</pubDate>
				<guid isPermaLink="false">https://inconsult.com.au/?post_type=publication&#038;p=12682</guid>

					<description><![CDATA[<p>Beyond the risk registers, the quantitative risk analysis, decision support tools and compliance checklists, the true art of risk management lies within you &#8211; the chief risk officer. It&#8217;s not just about what you know, but who you are. The most effective chief risk officers don&#8217;t just see threats, they see themselves. They understand that their [&#8230;]</p>
The post <a href="https://inconsult.com.au/publication/the-4-chief-risk-officer-archetypes-for-success/">The 4 Chief Risk Officer Archetypes For Success</a> first appeared on <a href="https://inconsult.com.au">InConsult</a>.]]></description>
										<content:encoded><![CDATA[<p>Beyond the risk registers, the quantitative risk analysis, decision support tools and compliance checklists, the true art of risk management lies within you &#8211; the chief risk officer. It&#8217;s not just about what you know, but who you are.</p>
<p>The most effective chief risk officers don&#8217;t just see threats, they see themselves. They understand that their character, their style, and their approach to people are as critical as any technical skill. This is where the power of chief risk officer archetypes comes into play.</p>
<p>By exploring these universal models of leadership, you can unlock another level of self-awareness allowing you to not only understand your natural strengths but also strategically adapt your approach to master the ever-evolving landscape of risk.</p>
<h3><strong>What is an Archetype?</strong></h3>
<p>An archetype is a universal model or pattern. Think of an archetype as a basic blueprint for a character, idea, or behaviour that appears again and again across different cultures and stories.</p>
<p>In business, archetypes are often applied to <a href="https://marchbranding.com/design-insight/brand-archetypes" target="_blank" rel="noopener">brands</a> to help companies define their identity, guide strategy, and connect with customers on a deeper, more emotional level. They serve as psychological shortcuts that make complex ideas more relatable and memorable. For example, &#8220;The Hero&#8221; archetype is used for brands that empower customers to be their best. Think of Nike and its &#8220;Just Do It&#8221; slogan. Another example is &#8220;The Outlaw&#8221; archetype, which is used for brands that challenge the status quo and empower rebellion. Harley-Davidson and Virgin are well-known for this.</p>
<p>Archetypes can also be used to understand and categorise <a href="https://hbr.org/2013/12/the-eight-archetypes-of-leadership" target="_blank" rel="noopener">leadership styles</a> and professional roles. This helps in talent management, team building, personal development and recruiting the &#8220;right&#8221; person.</p>
<p>For example, when recruiting a new Chief Executive Officer (CEO), archetypes help identify which leader fits the company&#8217;s current stage of growth. The Fix-It Leader, or Change-Catalyst, is a specialised archetype used for company turnarounds. This leader is not a builder or innovator. They are a turnaround expert whose main goal is to diagnose problems, make difficult decisions and start the changes to restore a company&#8217;s health.</p>
<h3><strong>Using Chief Risk Officer Archetypes</strong></h3>
<p>Categorising risk leaders into archetypes may help the board and CEO understand what kind of expertise and risk leadership is required to manage complex challenges. It allows for a more intentional and strategic approach to talent management and organisational design within the C-suite.</p>
<p>A word of warning: archetypes are not static &#8220;personality types&#8221; like those in the <a href="https://www.themyersbriggs.com/en-US/Products-and-Services/Myers-Briggs" target="_blank" rel="noopener">Myers-Briggs Type Indicator</a> (MBTI) tool for understanding personality. The MBTI&#8217;s goal is to sort people into one of 16 distinct, static &#8220;personality types&#8221; (like INTJ or ESFP) based on their preferences in four dichotomous categories. In contrast, archetypes are more dynamic and symbolic. An individual may be influenced by several archetypes at different times and in different ways.</p>
<h3><strong>The 4 Chief Risk Officer Archetypes</strong></h3>
<p>From our literature review, there are a handful of chief risk officer archetypes already identified, mainly by large and credible consulting firms. Most of these models present three archetypes for risk leadership.</p>
<p>Deeper research into these models, together with reflection on our real-world experience that includes our assessment of various risk management frameworks, risk leadership, risk culture, risk maturity and risk capability across public and private sector organisations, has revealed a fourth, distinct profile. In total, we have identified four chief risk officer archetypes that serve as strategic blueprints for how a risk leader operates within an organisation. And remember, a risk leader may be influenced by several archetypes at different times and in different ways.</p>
<p><img decoding="async" class=" wp-image-12687 aligncenter" src="https://inconsult.com.au/wp-content/uploads/2025/09/Chief-Risk-Officer-Archetypes_InConsult-300x175.png" alt="Chief Risk Officer Archetypes" width="524" height="306" srcset="https://inconsult.com.au/wp-content/uploads/2025/09/Chief-Risk-Officer-Archetypes_InConsult-300x175.png 300w, https://inconsult.com.au/wp-content/uploads/2025/09/Chief-Risk-Officer-Archetypes_InConsult-768x449.png 768w, https://inconsult.com.au/wp-content/uploads/2025/09/Chief-Risk-Officer-Archetypes_InConsult.png 1131w" sizes="(max-width: 524px) 100vw, 524px" /></p>
<p>These archetypes aren&#8217;t about a person&#8217;s personality type. They describe a leader&#8217;s primary focus, motivation, and style. Leaders can tailor these approaches to a company&#8217;s specific needs at different stages of its risk maturity.</p>
<h4>1. The Innovator</h4>
<p>The Innovator is a risk leader who sees risk as a strategic tool for growth and competitive advantage, not a barrier.</p>
<p>They are not just managing risk but actively using it to drive the business forward. They are forward-looking, visionary, and a strong partner to the business.</p>
<p>Innovators work hand-in-hand with the business to help drive growth and capture new opportunities. Instead of focusing solely on protection, they are visionaries who use advanced technology, risk models and a higher risk appetite to help the C-suite build new business models, launch ventures, and expand into new markets.</p>
<p>They have a higher tolerance for risk and focus on identifying opportunities within higher levels of uncertainty and complexity. Operating in higher levels of uncertainty is their comfort zone.</p>
<p>Their key questions are &#8220;How can we use risk to our advantage?&#8221; and &#8220;What&#8217;s the best way to take a calculated risk?&#8221;</p>
<p>As their core motivation is value creation, Innovators are ideal for high-growth companies, start-ups, new product launches, market expansion, M&amp;A projects or supporting innovation within a larger corporation.</p>
<h4>2. The Guardian</h4>
<p>The Guardians are risk leaders who prioritise building a resilient and sustainable organisation. They see themselves as the ultimate protectors of the organisation.</p>
<p>Their primary focus is on long-term protection, sustainability and resilience &#8211; not just short-term problem solving. They typically create strong and stable foundations to withstand future shocks.</p>
<p>Guardians methodically structure their work and focus heavily on risk governance. They build robust frameworks, embed a strong risk culture, and ensure compliance with regulations. Their main concern is with what could go wrong and how to prevent it.</p>
<p>In essence, the Guardians&#8217; mission is to safeguard the organisation from the ground up, thereby making sure it can weather any storm and any emerging risk.</p>
<p>They often ask, &#8220;Are we prepared for the future?&#8221; and &#8220;What safeguards do we need?&#8221;</p>
<p>Guardians thrive in established, risk-averse, and highly regulated organisations. In these environments, long-term stability and resilience matter more than aggressive growth. Consequently, the Guardian&#8217;s methodical and protective nature perfectly suits sectors where failure is costly and compliance is mandatory. This is why Guardians are prominent in financial services, healthcare, and public sector agencies.</p>
<h4>3. The Operator</h4>
<p>The Operators are risk leaders who excel at the practical, day-to-day management of risk. They are pragmatic problem-solvers, very hands-on, who focus on efficiency, crisis management and immediate results.</p>
<p>Operators thrive in situations demanding efficiency, decisive action, and stability.</p>
<p>They are action-oriented and decisive, with a strong focus on the present. For this reason, they are often brought in to help stabilise a business, resolve a crisis, or streamline operations. Furthermore, they prioritise getting the fundamentals right and aren&#8217;t afraid to make tough, unpopular decisions. Ultimately, Operators are all about managing immediate challenges, whether they&#8217;re navigating a crisis or ensuring smooth, efficient operations by de-risking them.</p>
<p>Their key questions are &#8220;How can we fix this right now?&#8221; and &#8220;What is the most efficient way to manage this?&#8221;</p>
<p>Their value lies in their ability to handle real-world challenges with speed and precision, ensuring the company remains stable and on course.</p>
<p>Operators are ideal for organisations facing a range of immediate risks and resilience challenges, undergoing restructuring, or prioritising efficiency and stability over radical growth. They excel in environments where direct problem-solving is a top priority, such as organisations with known risk management issues, companies in crisis, and highly regulated industries. Their pragmatic, action-oriented approach helps them solve problems directly.</p>
<h4>4. The Influencer</h4>
<p>The Influencers are risk leaders who rely on collaboration and communication to achieve their goals. Instead of using a top-down, command-and-control approach, they use soft power to build consensus and unite disparate teams. In other words, they don&#8217;t lead through authority, but through collaboration and persuasion.</p>
<p>Influencers are catalysts for change, focusing on uniting people and building a shared understanding of risk across the entire organisation.</p>
<p>They are collaborative, communicative, and empathetic. They build strong networks, facilitate cross-functional dialogue, and empower others to take ownership of risk.</p>
<p>Their primary questions are &#8220;How can we get everyone on the same page?&#8221; and &#8220;How do we build trust?&#8221;</p>
<p>Therefore, they are natural facilitators who create open dialogue and a common language around risk, ensuring that risk management becomes a collective responsibility rather than a siloed function.</p>
<p>The Influencer archetype is ideal for organisations that need to foster a collaborative risk culture, break down silos, or manage complex transformations where buy-in from multiple stakeholders is critical. Their strength lies in their ability to unite disparate teams and build consensus. Influencers thrive in large, complex organisations, companies undergoing major transformations, and industries where collaboration, project-based work, and teamwork are critical to success.</p>
<h3><strong>Final Thoughts</strong></h3>
<p>These four archetypes provide a powerful lens for understanding different styles, moving beyond a one-size-fits-all approach to risk leadership.</p>
<p>It is possible for a chief risk officer to possess elements of all four archetypes, but it&#8217;s highly unlikely they will master them all equally. Most individuals have a dominant, natural style they rely on, with secondary styles they can develop and use when a situation calls for it.</p>
<p>Ultimately, by recognising if you&#8217;re predominantly an Innovator, Guardian, Operator, or Influencer, you can leverage your natural strengths and identify your blind spots. In turn, this allows you to intentionally adapt your approach to fit your organisation&#8217;s specific needs.</p>
<p>These archetypes transform the abstract idea of a &#8220;risk personality&#8221; into a practical framework for self-awareness and professional growth. This lets you do more than just manage risk. It also helps you engage better with key stakeholders and master your role in shaping a resilient, successful future.</p>
<p>The goal isn&#8217;t to be all four at once, but to understand which style a given situation demands and to be flexible enough to apply it.</p>
<h3><strong>How We Can Help You Take Better Risks</strong></h3>
<p>We are here to help strengthen your risk management capabilities, systems and processes. Our risk management capabilities include:</p>
<ul>
<li>Providing an interim Chief Risk Officer to backfill a vacancy.</li>
<li>Providing a dedicated Risk Officer on demand through our Virtual Risk Officer service.</li>
<li>Helping organisations take their first steps towards implementing a formal and proactive enterprise-wide risk management framework.</li>
<li>Performing an independent review or health check of your existing risk management framework to identify gaps and level of maturity.</li>
<li>Conducting risk workshops covering strategic, operational and project risks.</li>
<li>Conducting risk culture assessments.</li>
<li><a href="https://inconsult.com.au/services/risk-management-transformation/" target="_blank" rel="noopener">Risk management transformation</a>.</li>
<li>Supporting you across a range of risk management services including business continuity, crisis management, cyber risk, climate change risk, third party risk and fraud risk.</li>
</ul>
<p>Take risk management to the next level and <a title="Contact Us" href="https://inconsult.com.au/contact-us/">contact us</a> to discuss your needs.</p>
]]></content:encoded>
					
		
		
			</item>
		<item>
		<title>Your First 90 Days as a New Risk Officer</title>
		<link>https://inconsult.com.au/publication/your-first-90-days-as-a-new-risk-officer/</link>
		
		<dc:creator><![CDATA[Tony Harb]]></dc:creator>
		<pubDate>Mon, 01 Sep 2025 11:38:38 +0000</pubDate>
				<guid isPermaLink="false">https://inconsult.com.au/?post_type=publication&#038;p=12652</guid>

					<description><![CDATA[<p>Congratulations on taking the helm as the new Risk Officer. I&#8217;ve been in your shoes before, stepping into organisations where risk management was, shall we say, a bit of an afterthought. The first time I did it, I walked in with all the frameworks and theories, ready to deploy. I quickly learned that an Excel [&#8230;]</p>
The post <a href="https://inconsult.com.au/publication/your-first-90-days-as-a-new-risk-officer/">Your First 90 Days as a New Risk Officer</a> first appeared on <a href="https://inconsult.com.au">InConsult</a>.]]></description>
										<content:encoded><![CDATA[<p>Congratulations on taking the helm as the new Risk Officer. I&#8217;ve been in your shoes before, stepping into organisations where risk management was, shall we say, a bit of an afterthought. The first time I did it, I walked in with all the frameworks and theories, ready to deploy. I quickly learned that an Excel spreadsheet won&#8217;t win any hearts and minds. But, with a structured 90-day plan, you can strategically navigate your initial months, build the foundations for a robust risk culture, and become an indispensable asset to your organisation.</p>
<p>It’s a marathon, not a sprint, and your first 90 days are less about implementing a grand new system and more about a strategic reconnaissance mission.</p>
<h3>Days 1-30: Listening &amp; Learning to Discover</h3>
<p>Having just landed a new role, you bring a fresh perspective and a head full of ideas. But resist the &#8220;rookie error&#8221; of jumping straight into solutions. Your primary goal in the first 30 days is not to fix things immediately but to deeply understand the organisation’s current state of risk management, both formally and informally. This is your strategic reconnaissance mission.</p>
<p>So, your first 30 days are about building relationships, listening, and understanding the company&#8217;s culture. You&#8217;re connecting with people, their priorities, and their pain points.</p>
<h4>1. Understand the business &amp; its objectives</h4>
<p>Before you can help your organisation better manage its risks, you have to understand what it&#8217;s trying to achieve. Think of yourself as an archaeologist, piecing together the organisation’s strategic history and future.</p>
<p>Start by listening. In Stephen R. Covey&#8217;s <a href="https://www.amazon.com.au/Habits-Highly-Effective-People-Anniversary/dp/1760856827/ref=asc_df_1760856827?mcid=ec1ce501a0603a8f9cf957d6e813e4a5&amp;tag=googleshopdsk-22&amp;linkCode=df0&amp;hvadid=712378054319&amp;hvpos=&amp;hvnetw=g&amp;hvrand=9119838800735302010&amp;hvpone=&amp;hvptwo=&amp;hvqmt=&amp;hvdev=c&amp;hvdvcmdl=&amp;hvlocint=&amp;hvlocphy=9071874&amp;hvtargid=pla-912127216987&amp;psc=1&amp;gad_source=1" target="_blank" rel="noopener">The 7 Habits of Highly Effective People</a>, the fifth habit, &#8220;Seek First to Understand, Then to Be Understood,&#8221; is a cornerstone of effective management, emphasising that genuine listening is the key to building trust and solving problems.</p>
<p>Schedule one-on-one meetings with executive leaders, department heads, and key operational staff. But don&#8217;t lead with a pitch about risk. Instead, ask open-ended questions like, &#8220;What are your top three priorities for this quarter?&#8221; or &#8220;What&#8217;s the biggest challenge you&#8217;re facing right now?&#8221; Listen for the recurring themes and pain points. This approach will help you connect risk to their day-to-day reality, making you a key partner in their success, not just a compliance enforcer.</p>
<p>Understand the &#8220;why&#8221; behind the organisation&#8217;s existence and its key drivers. Review your organisation&#8217;s strategic plans, annual reports, and existing business unit performance reviews. Look for key performance indicators (KPIs) and business drivers. A financial services company, for example, might be driven by client acquisition and regulatory compliance, while a government agency might be focused on delivering services and managing public perception. Understanding this &#8220;why&#8221; will help you align your risk strategy with the organisation&#8217;s core mission.</p>
<p>Listen more than you talk. Absorb as much information as possible before forming conclusions.</p>
<h4>2. Understand the culture &amp; key stakeholders</h4>
<p>Every organisation has an unwritten rulebook that dictates how things really get done. Your job is to read it and decipher it.</p>
<p>Pay close attention to how decisions are made. Is it a top-down process, or do teams have autonomy? How does information flow: through formal memos or quick chats in the hallway? Observe who people defer to in meetings, as these are often the informal leaders and key influencers you need to win over.</p>
<p>Find your allies by identifying the &#8220;risk champions&#8221; i.e. the people who already do risk management well, even if it&#8217;s not in their job description. These individuals are your most valuable allies. They might be a project manager who meticulously tracks potential roadblocks or a finance officer who instinctively thinks about fraud. Find them, build rapport, and learn from them. They will be crucial in helping you drive change.</p>
<p>You may be the new kid on the block, so find the people who have the &#8220;institutional knowledge&#8221;. Build relationships with long-serving staff and administrative personnel. They often hold a wealth of knowledge and understand the informal power structures better than anyone. They can give you invaluable context on why certain processes exist or why previous change initiatives failed.</p>
<p>Be a partner, not a police officer. Position yourself as an enabler of objectives, not a blocker.</p>
<h4>3. Assess the current state of risk management</h4>
<p>This is where you get into the nitty-gritty, but remember to stay in &#8220;assessment mode&#8221; not &#8220;judgment mode&#8221;.</p>
<p>Dig into the paper trail by looking into the existing documentation and reports. Do risk registers and risk assessments exist? If so, are they living documents or dusty relics? How are risky decisions escalated to leadership? Do conversations about risk even occur in meetings, and if so, how? Look for formal processes, but also observe if they’re actually being followed.</p>
<p>Conduct informal interviews with people to look beyond the official documents. Ask staff at all levels about their experiences with risk management. Ask questions like, &#8220;What works well when it comes to managing risks in your area?&#8221; and &#8220;What do you believe are the biggest threats to our team&#8217;s success?&#8221; Pay close attention to the &#8220;grapevine&#8221;, as sometimes the most valuable insights come from informal conversations over coffee. These can reveal what people are truly worried about, regardless of what&#8217;s written in a report.</p>
<h3>Days 31-60: Confirming &amp; Benchmarking</h3>
<p>With a clearer picture of the organisation, culture, and existing frameworks, your focus now shifts. The second month is about solidifying key relationships, validating your initial observations, and beginning to outline potential areas for improvement. This phase is about bringing order to the chaos: it is where you transition from an observer to a trusted partner.</p>
<h4>4. Cultivate key relationships &amp; build trust</h4>
<p>A month in, trust is the single most important currency you will have. Everything you do now should be in service of building it.</p>
<p>Show you&#8217;ve been listening by following up on your initial meetings. Send a brief email or schedule a quick chat to share a summary of what you heard. For example, &#8220;Thanks again for the chat. I heard your team is really focused on onboarding a new strategic vendor this quarter, and that their cybersecurity posture is a key concern. I&#8217;d love to explore how we can support you in that&#8221;. This simple act shows you were listening and value their input.</p>
<p>Identify some &#8220;quick wins&#8221; by looking for low-hanging fruit where you can offer immediate, tangible value. Maybe a manager is struggling with a clunky risk register or a risk reporting process. You could offer a workshop to review the risks or to streamline the report. Or perhaps a team is launching a new project and needs help thinking through the key risks. Offering to facilitate a short, informal risk brainstorming session can be a huge win. These small successes build goodwill and demonstrate that you are a resource, not a roadblock.</p>
<p>Maintain transparency by scheduling regular check-ins with your direct manager or sponsor. Be proactive in updating them on your progress, sharing your observations, and seeking their guidance. This ensures they&#8217;re never surprised and keeps them invested in your success.</p>
<p>Build credibility through action. Small, consistent successes speak louder than grand pronouncements.</p>
<h4>5. Benchmark against better practice</h4>
<p>Now that you have a sense of the organisation’s current state, you can subtly introduce new ideas about what&#8217;s possible. The key here is to do this without criticising the past.</p>
<p>Subtly introduce new ideas and concepts. But, instead of saying, &#8220;Your risk management process is broken&#8221;, try, &#8220;In other organisations I&#8217;ve worked with, we found that having a clear risk appetite statement helped us make faster decisions. Is that something we could explore here?&#8221; This frames the conversation around improvement and a shared benefit, not problems.</p>
<p>As you review documentation and speak with people, you will identify clear differences between the current state and a functional risk management framework. Start planting seeds for change. For example, ask questions like, &#8220;Is there no clear accountability for key risks? Are risks only discussed reactively, after an incident has occurred?&#8221; Use these gaps as focal points for future conversations and improvement plans.</p>
<h4>6. Develop a preliminary assessment &amp; vision</h4>
<p>It&#8217;s now time to translate your findings into a clear, high-level narrative.</p>
<p>Begin to consolidate your observations into a concise assessment of the current risk management maturity. What are the top 3-5 challenges? Is it a lack of clear ownership? A culture of blame? Or simply a lack of effective tools? You should be able to articulate these challenges in a clear and compelling way, grounded in the conversations and documents from your first 60 days.</p>
<p>Next, draft a preliminary vision for what improved risk management would look like. This isn&#8217;t a final plan, but a simple, compelling statement. For example, &#8220;Success would look like a culture where everyone feels empowered to identify risks, and we can make better, faster decisions as a result&#8221;. This serves as your guiding star, a simple vision you can keep coming back to as you navigate the next 90 days and beyond.</p>
<h3>Days 61-90: Catalysing Change &amp; Outlining the Path Forward</h3>
<p>You&#8217;ve now spent the last two months as an anthropologist and an analyst. You’ve listened, learned, and taken the pulse of the organisation. Now is the time to translate that knowledge into visible momentum and a clear strategic roadmap.</p>
<p>As a Risk Officer, you&#8217;re not just a manager; you&#8217;re a catalyst for change, driving early wins, and initiating the strategic plan that will accelerate the organisation&#8217;s risk maturity. This is where you demonstrate your value and secure buy-in for the future.</p>
<h4>7. Deliver an early tangible win or two</h4>
<p>Based on your observations and stakeholder feedback, you should have a solid idea of a quick win project. Now, execute it.</p>
<p>Choose a project that will have a real, visible impact on a key business unit or process. For example, if you discovered that a crucial department is struggling with fraud prevention, deliver a targeted workshop on common fraud indicators and best practices.</p>
<h4>8. Communicate success widely</h4>
<p>Once a quick win project is complete, ensure you publicise it. Write a brief memo or present a short update at a team meeting. Be sure to credit the individuals and teams who helped you. This shows you&#8217;re a team player and that your work translates into tangible benefits.</p>
<p>Communication helps to enhance stakeholder trust in your capabilities, makes you visible to key stakeholders, and builds momentum to demonstrate your value to the organisation.</p>
<p>Focus on value. Always articulate how risk management contributes to the organisation&#8217;s success. A better risk process isn&#8217;t just about compliance; it&#8217;s about making better decisions, enhancing organisational resilience, and ultimately, achieving strategic objectives.</p>
<h4>9. Present your findings &amp; proposed roadmap</h4>
<p>You’ve built trust and delivered a quick win. Now is the time to formalise your observations and present your vision for the future of risk management.</p>
<p>Prepare a concise presentation for the leadership team and key stakeholders. Don&#8217;t start with a list of problems. Instead, begin with what you’ve &#8220;learned&#8221; from them. Talk about the strategic priorities you&#8217;ve heard and how you&#8217;ve observed risk impacting those goals. This positions you as an ally and team player.</p>
<p>Based on your findings, propose a high-level strategic roadmap for the next 12-18 months. Focus on 3-5 key priorities. This isn&#8217;t about creating a rigid plan, but a living document that can be refined with feedback. For example, your priorities might be to clarify ownership of top risks, integrate risk discussions into business planning sessions, or enhance fraud detection capabilities. For each priority, briefly outline the benefits and the first steps.</p>
<h4>10. Establish governance &amp; communication channels</h4>
<p>Your final goal for the 90-day mark is to set up the structures that will sustain momentum into the future.</p>
<p>Begin establishing or revitalising formal risk governance structures, such as a new risk committee or clearly defined responsibilities for key risk owners. This formalises the changes you&#8217;re introducing and gives them authority.</p>
<p>Develop a communication plan for ongoing engagement. Outline how you will regularly communicate with stakeholders about risk. This might be a monthly email update, a standing agenda item in leadership meetings, or a quarterly risk report that is easy to understand. Consistent, clear communication is crucial for keeping risk top of mind and ensuring your efforts don&#8217;t fade into the background.</p>
<p>Be patient, but persistent. Cultural change takes time, but consistent effort will yield results.</p>
<h3><strong>Final Thoughts</strong></h3>
<p>Your first 90 days as a new Risk Officer are about building trust and momentum. It&#8217;s a three-phase journey. You&#8217;ll spend the first month as an anthropologist, listening and learning to understand the business, its people, and its culture. The second month is for building bridges, validating your findings, and subtly introducing better risk management practices to prove your value as a partner. Finally, in the third month, you&#8217;ll deliver on your promises by executing a small, visible project, then presenting a strategic roadmap that is tied directly to the organisation&#8217;s business goals. Remember, your credibility comes from empathy and action, not from a checklist.</p>
<h3><strong>How We Can Help You Take Better Risks</strong></h3>
<p>We are here to help strengthen your risk management capabilities, systems and processes. Our risk management capabilities include:</p>
<ul>
<li>Providing an interim Chief Risk Officer to backfill a vacancy.</li>
<li>Providing a dedicated Risk Officer on demand through our Virtual Risk Officer service.</li>
<li>Helping organisations take their first steps towards implementing a formal and proactive enterprise-wide risk management framework.</li>
<li>Performing an independent review or health check of your existing risk management framework to identify gaps and level of maturity.</li>
<li>Conducting risk workshops covering strategic, operational and project risks.</li>
<li>Conducting risk culture assessments.</li>
<li><a href="https://inconsult.com.au/services/risk-management-transformation/" target="_blank" rel="noopener">Risk management transformation</a>.</li>
<li>Supporting you across a range of risk management services including business continuity, crisis management, cyber risk, climate change risk, third party risk and fraud risk.</li>
</ul>
<p>Take risk management to the next level and <a title="Contact Us" href="https://inconsult.com.au/contact-us/">contact us</a> to discuss your needs.</p>
<table style="height: 103px;" width="680">
<tbody>
<tr>
<td width="246">
<h3>Download your free first 90 day checklist</h3>
<p>This first 90 day checklist gives you a clear roadmap for your critical first three months. It highlights the key priorities, actions, and conversations you need to focus on, helping you build momentum, establish credibility, and set yourself up for long-term risk management success.</p>
<p><a href="https://inconsult.com.au/download/12674/?tmstv=1756767790" target="_blank" rel="noopener"><img decoding="async" class="wp-image-12672 alignleft" src="https://inconsult.com.au/wp-content/uploads/2025/09/Download-Checklist-300x70.jpg" alt="" width="167" height="39" srcset="https://inconsult.com.au/wp-content/uploads/2025/09/Download-Checklist-300x70.jpg 300w, https://inconsult.com.au/wp-content/uploads/2025/09/Download-Checklist.jpg 568w" sizes="(max-width: 167px) 100vw, 167px" /></a></td>
<td width="64">
<p><a href="https://inconsult.com.au/download/12674/?tmstv=1756767790" target="_blank" rel="noopener"><img loading="lazy" decoding="async" class="aligncenter wp-image-12679 size-thumbnail" src="https://inconsult.com.au/wp-content/uploads/2025/09/90-Day-Checklist-150x150.jpg" alt="" width="150" height="150" srcset="https://inconsult.com.au/wp-content/uploads/2025/09/90-Day-Checklist-150x150.jpg 150w, https://inconsult.com.au/wp-content/uploads/2025/09/90-Day-Checklist-640x640.jpg 640w" sizes="(max-width: 150px) 100vw, 150px" /></a></td>
</tr>
</tbody>
</table>
The post <a href="https://inconsult.com.au/publication/your-first-90-days-as-a-new-risk-officer/">Your First 90 Days as a New Risk Officer</a> first appeared on <a href="https://inconsult.com.au">InConsult</a>.]]></content:encoded>
					
		
		
			</item>
	</channel>
</rss>
