Risk Management

The Qantas privacy finding: a positive lesson in third-party oversight

A serious data breach does not automatically mean governance failed. The more important question is whether an organisation can demonstrate that it understood the risks, assessed the third party, monitored its controls and responded effectively...

APRA’s CPS 230 Tweaks: Small Amendment, Big Governance Signal

APRA has released final targeted amendments to CPS 230 Operational Risk Management. The item is current and sits within APRA’s prudential framework, so boards and risk teams should treat it as a live governance and…

AI Agents and Non-Human Identity Risk

When a single ungoverned AI tool gave attackers a path from a Vercel employee’s device into Vercel’s internal systems, and a poisoned VS Code extension let attackers pull roughly 3,800 repositories out of GitHub, the common thread wasn’t a coding flaw — it was an unmanaged non-human identity. With AI agents now driving machine identities to roughly 109 per human inside the average enterprise (CyberArk, 2026), most governance frameworks still treat identity as a human-only problem.

Why Standardised AI Risk Assessment Is Critical for Scalable, Responsible AI Use

Grant Thornton's 2026 AI Impact Survey, the AICD/HTI Director's Guide to AI Governance, and a March 2026 Meta AI agent incident all point the same way: organisations scaling AI without a standardised, risk-based assessment framework can't explain or defend their decisions when it matters.

Third-Party AI Dependency Requires Rigorous Risk Management

HM Treasury's move to designate AI providers as UK critical third parties, a German court ruling that made a chatbot's words the company's legal liability, and the Character.AI/Google settlement all show the same pattern: vendor AI risk is now the deploying organisation's problem, not the vendor's. Here's what boards and risk teams need to check before the next case names them instead.

Everyone Passed. That’s Not the Point.

APRA's inaugural System Risk Stress Test found four major banks and six super funds individually resilient, but exposed concentration risk and a super-fund liquidity mechanism that could amplify a system-wide shock.

APRA finalises reinsurance framework changes

APRA's finalised reinsurance framework eases access to catastrophe bonds and shifts capital-treatment decisions to the appointed actuary, changing what boards need to evidence before the 1 January 2027 start date.

AI Risk Management Must Be Business-Led Ownership to Unlock Value and Control

Grant Thornton's 2026 AI Impact Survey, Forrester and MIT research on failed AI pilots, and the EU AI Act's Article 26 deployer obligations all point to the same gap: boards are funding AI faster than they are assigning who owns it. Here's why business-led ownership, not another control layer, is what actually makes AI risk management work.

Recent posts

Popular categories