
How Board members can lead through risk and complexity


Australian businesses have been tested by a range of serious and harmful risk events, from data breaches and cyber attacks to escalating tariffs, wage theft, and workplace safety concerns.

If any of these events occurred in your organisation, would it have the governance frameworks in place to prevent them, or to manage them when they happen? Given the impact on customers and stakeholders, could your organisation withstand any one of them, let alone several at once?

Alongside a volatile operating environment, the compliance obligations and societal expectations placed on organisations are increasing. With growing scrutiny in areas such as Anti-Money Laundering and Counter-Terrorism Financing (AML/CTF), privacy, and ESG, Boards must lead with strong compliance systems, clear accountabilities, and a culture of transparency.

A strategic approach to governance and compliance

Effective governance today requires a broader, more strategic approach, particularly to compliance and to anticipating risk, with Boards playing a critical role in overseeing these efforts. Operating in such a volatile environment means Boards need to think differently to ensure their organisations are resilient and responsive in turbulent times.

In recent years there has been a notable shift in mindset, from focusing solely on ‘recovery’ to building true ‘resilience’. This evolution reflects a growing emphasis on proactively strengthening frameworks to prevent major disruptions before they occur, rather than only responding once they have.

A clear example of this shift is APRA’s recent change to its operational risk requirements for regulated financial institutions (Prudential Standard CPS 230 Operational Risk Management), which requires entities to strengthen their operational risk management and build resilience around what it defines as ‘critical operations’: those essential to serving customer interests.

So why this shift to resilience?

The complexity and pace of change in today’s business environment demand a proactive approach to governance and risk management. Resilience is no longer a reactive concept: it is a strategic imperative.

This shift becomes clear when we consider just a few of the day-to-day challenges organisations now face:

Are your compliance frameworks agile enough to keep pace with evolving regulations – particularly in areas like AML, prudential standards, and privacy?

Regulatory compliance is a non-negotiable priority for Boards. Failure to meet obligations can lead to significant penalties, reputational harm, and even personal liability for directors. Boards must ensure robust systems are in place to monitor legislative changes and align internal policies accordingly. Beyond technical compliance, Boards should foster a culture of transparency and accountability – where issues are escalated early, and regulatory responsibilities are shared across the organisation.

The regulatory landscape for AML/CTF continues to evolve, driven by increasingly sophisticated criminal activity and heightened regulatory expectations. Boards must oversee the development and implementation of AML/CTF programs that are dynamic, regularly reviewed, and aligned with current guidance to protect both compliance and reputation.

From system outages to workplace safety incidents, operational risks can directly impact customer outcomes. Are your controls effective in ensuring critical processes function as intended?

For example, payroll systems that fail to accommodate the complexity of modern Enterprise Bargaining Agreements (EBAs) have led to widespread and prolonged underpayment of wages. These failures not only create financial liabilities and attract regulatory scrutiny, but also erode employee and public trust.

When such issues persist undetected, they can signal deeper weaknesses in internal controls and governance oversight. For Boards, these incidents are a strong reminder that operational resilience isn’t just about system uptime: it is about ensuring that critical business processes are robust, well governed, and aligned with both compliance obligations and stakeholder expectations.

Modern business models often rely on third- and fourth-party providers for critical operations. Do your contractual arrangements and oversight mechanisms ensure these services meet your standards and values? Are customers’ needs being consistently met and safeguarded?

Beyond meeting ESG and sustainability reporting obligations, does your organisation’s environmental and community impact align with its stated values?

Does the organisation have a clearly defined technology strategy? Has it formally considered the challenges and opportunities presented by AI? Is a formal AI policy in place? Is IT security treated as a strategic goal? Are effective frameworks in place for the protection of customer data and compliance with Privacy Act requirements? Have these frameworks been tested regularly for effectiveness?

Boards must foster a culture of continuous cyber awareness, including ongoing monitoring, employee training, investment in security capabilities, and regular exercises that test the effectiveness of incident response plans. This includes having policies in place to ensure the responsible use of AI, including Generative AI, to minimise brand, privacy, ethical and legal risks and to support compliance.

By integrating cyber security and AI policies and practices into their governance frameworks, Boards are better placed to manage cyber risk and to treat potential breaches as firm-wide issues, not simply IT responsibilities.

In today’s interconnected world, global supply chains are increasingly complex and often lack transparency. Organisations must ask themselves: do we have the visibility needed to address risks such as modern slavery? How resilient are our supply chains to environmental, political, or economic disruptions?

At the same time, a safe and supportive workplace is a fundamental right, and this now extends beyond physical safety to include psychosocial wellbeing. Going beyond regulatory compliance in both supply chain governance and workplace safety is essential, not only for risk mitigation but also for fostering a strong risk culture and maintaining high employee engagement.

What should a Board member expect to see in a governance framework?

When operating effectively, a governance framework should, at a minimum, incorporate the following core elements:

  • A dynamic risk analysis that reflects material risks – both internal and external – facing the organisation
  • A risk appetite statement that clearly articulates the organisation’s values and its appetite for these risks
  • Clear executive accountability and ownership of the risks
  • The plan for managing the risks within appetite, or actions to bring risks back within appetite where necessary
  • Clear and concise risk reporting that enables the Board to fulfil its oversight responsibilities
  • A process for ongoing review and refresh

As a Board member you should be asking:

  • How often is the risk landscape refreshed to remain current?
  • Is our approach outward looking?
  • How do we identify emerging risks?
  • Do we validate our risk information with external measures?
  • Do we have reliable risk indicators in place?
  • Is our risk appetite still appropriate under current market conditions?

In recent years, several iconic Australian brands have suffered significant damage, either from failures in controls such as data security or from conduct falling below community expectations.

In many instances, a lack of effective governance, often accompanied by underinvestment in risk frameworks and systems, has left these organisations vulnerable to shocks from both internal and external risk events.

Looking ahead

Strong governance is no longer just about oversight – it’s about how well Boards anticipate, prepare for, and respond to emerging risks. To build resilience, Board members should ask themselves:

  • Is our risk management framework aligned with our strategic objectives?
  • Does our risk reporting keep pace with emerging risks?
  • When was the last time we tested our cyber incident response plan, and what improvements were made?
  • Could our payroll systems withstand a surprise audit or regulatory review?
  • How effectively can our AML/CTF systems detect and escalate suspicious activities?
  • Are we confident that we are prepared for upcoming regulatory changes?

We’re here to help

By asking these questions today, Boards can protect their business, build trust, and enable future growth. For support in strengthening your governance frameworks and managing emerging risks, don’t hesitate to reach out to our team.
