Regulatory box ticking
- Brett Palmer
- Oct 1
Many of my connections know about my brief tenure as GM Risk at #Optus in 2011/12. What initially seemed like a promising role quickly revealed a stark disconnect between my expectations and reality, marking a pivotal moment in my career.
Since leaving, I’ve closely followed Optus' trajectory, particularly its high-profile failures in 2023 and 2025 that have impacted critical services. The backlash to these failures is warranted, and the calls for inquiries to uncover the root causes are loud and clear.
However, many of these critiques seem misdirected, failing to fully acknowledge the crucial role that effective risk management plays in such unfortunate events.
Some media commentary has pointed to the organisation’s foreign ownership and lack of ASX governance disclosures as contributing factors. This perspective misses a critical point: while disclosure obligations under corporate governance principles exist, their enforcement and effectiveness are severely lacking. Many organisations struggle to articulate what good risk management looks like, and regulators have not made meaningful strides to bridge this gap.
Relying on corporate governance best practices, particularly those reported on an ‘if not, why not’ basis, has turned into little more than a box-ticking exercise. The ease of meeting these reporting requirements raises questions about their true value. If the veracity of these declarations goes unchallenged, why do we even bother?
Specifically, Principle 7 requires organisations to "Recognise and manage risk." Effective risk management should empower organisations to take informed risks, not serve as a bureaucratic barrier. It should be a strategic enabler rather than a tool for avoiding decisions or consolidating control. However, the lack of clear definitions around compliance means many organisations report adherence to this principle while lacking robust risk management frameworks—even some with no framework at all.
While the suggestion that ineffective risk management may have significantly contributed to Optus' recent failures holds some merit, attributing these failures to non-disclosure stemming from overseas ownership fails to recognise the ineffective role of the regulator, ASIC. It’s time we shift the conversation to address these fundamental issues instead of pointing fingers at foreign ownership.
Please feel free to share your experiences and message me directly.