The NSW ICAC inquiry into governance at the University of Wollongong should not be treated as just another corruption, procurement or conflict-of-interest headline.
It points to something more useful for boards and executives: governance risk becomes real when influence, appointments, procurement decisions, conflicts, delegations and assurance all move through the same operating system.
The lesson is not “have a conflicts policy”. Most organisations already do.
The better question is whether leaders can show how the organisation identifies, declares, challenges, escalates and evidences conflicts before an external inquiry, regulator or media story exposes the gap.
The 30-second take
This is a governance and operational risk story.
The useful lesson for leaders is not whether the organisation has a framework, policy or committee structure. It is whether those arrangements actually work when relationships, authority, commercial pressure and personal influence enter the decision-making process.
Governance maturity shows up when an organisation can explain four things at the same time:
- Who made the decision.
- Who had the power to influence it.
- Who challenged it.
- What evidence proves the process worked as intended.
If those answers are unclear, the risk is already bigger than the incident.
Start with the operating condition, not the headline
The ABC article reports that ICAC is examining allegations involving favouritism, undeclared conflicts of interest, recruitment processes, consultancy engagements and governance oversight at the University of Wollongong.
Those details matter, but leaders should resist turning the article into a narrow discussion about one institution.
The more important question is this:
Could the same pattern emerge inside our organisation?
That is where risk maturity matters.
A mature organisation understands and tests whether the process was capable of producing a fair, transparent and defensible decision in the first place.
The control question underneath the event
A weak risk conversation asks:
“Do we have a conflicts policy?”
A stronger risk conversation asks:
“Can we prove the policy changed our decision?”
Policies, declarations and registers are not controls by themselves. A control earns its name only when it changes behaviour, creates transparency, triggers escalation, supports challenge and produces testable evidence.
Throughout my career, I have dealt with many conflict-of-interest conversations, both about my own position and about the circumstances of others. I have heard people say, “I know this vendor is significant to us, but we need to develop our people”. “Why are we being so conversative and stopping development”. “In my role as a director I have to be able to develop, and no other board I am on has an issue with this”. “We have these suppliers so we can do things differently, and then when we try we get stopped because it is a conflict“.
Good governance is not about stopping development, growth or engaging with suppliers for their expertise. It is about doing it the right way.
This has meant in my career there have been times where I have removed myself from a selection process for a vendor, called out at executive meetings my conflict because a family members brother was a CEO of a supplier, not attended an external auditors “free” information session, and removed myself from any involvement in recruiting a role reporting to my team when I knew one of the short listed candidates.
I have trusted others to select the right vendor, assess the suppliers performance, found development elsewhere (there is no shortage of “free” opportunities), and to recruit the right person.
Practical questions to ask
For boards and executives, the useful questions are practical:
- Which decisions in our organisation are most exposed to informal influence?
- Where do relationships, prior employment, consultants, suppliers or internal networks create perceived or actual conflicts?
- Who owns the end-to-end integrity of recruitment, procurement and appointment decisions?
- What evidence would show that a conflict was identified early and managed properly?
- Would assurance find the issue before a regulator, journalist, whistleblower or disappointed supplier did?
If the answer is “probably not”, the organisation does not have a documentation problem. It has a maturity problem.
Governance failures are rarely one failed control
Governance issues rarely emerge from a single missing form or one poor decision.
Weak signals usually build the chain: someone steers a selection process too closely, a supplier relationship becomes too familiar, a conflict declaration becomes paperwork, a committee paper avoids the real issue, and assurance checks whether controls exist rather than whether they work.
That is why leaders need to look across the operating model:
- Recruitment is not just a people process.
- Procurement is not just a commercial process.
- Conflicts are not just a compliance process.
Each one is a decision-quality process. Each one affects trust, reputation, culture, performance and confidence in leadership.
The real test is whether the organisation can connect the decision, the influence, the control, the evidence and the outcome.
What mature risk assessment should test
A useful maturity assessment should not ask whether the organisation has a policy library. It should test whether governance works under pressure.
That means looking at whether:
- ownership is clear across the full decision lifecycle
- conflicts are identified before decisions are shaped
- challenge is visible, timely and independent
- delegations are understood and followed
- procurement and recruitment controls reflect how work actually happens
- committees receive the right information, not just comfortable information
- assurance tests evidence, not just process design
- leaders act on weak signals before they become formal issues
This is the shift from risk activity to risk maturity.
The leadership question
The leadership question is not:
“Could this happen here?”
It is sharper than that:
“Where could this happen here, and how would we know early enough to act?”
That is the standard boards and executives should apply.
Because once an issue reaches an external inquiry, the question is no longer whether the organisation had policies. The question becomes whether leaders can prove the system worked — and if it did not, whether they should have known sooner.
The risk management question
Can your organisation prove that leaders understand, own, test, escalate and challenge governance risk across the full decision lifecycle — before a regulator, employee, customer or external shock exposes the gap?

