Proof of delivery, grounded in real work.
Real engagements that shaped risk, governance, cyber, resilience, and AI governance outcomes for enterprise clients across Australia, New Zealand, Hong Kong, South-East Asia, the GCC, and the United Kingdom.
Selected case studies.
Cross-regional GRC transformation across four countries
Led the GRC transformation program for an APRA-regulated health insurer across Australia, New Zealand, Hong Kong, and Vietnam. The program included SAI360 implementation and re-engineering of the non-financial risk framework. Co-designed the Coupa third-party risk module applied across 7,000+ vendors.
Unified GRC platform across four jurisdictions with regulatory alignment per market.
Stood up the cyber risk function end-to-end
For a $10B+ ASX-listed enterprise, designed and delivered the entire cyber risk function - operating model, risk register, control library, and process - now owned and operated by the internal team. Designed the supplier security framework and assessed 115+ suppliers.
Cyber risk function operational and self-sustaining within 12 months.
Risk appetite reshaped for daily decision-making
For Australia's largest container terminal operator, uplifted the enterprise risk and controls framework - taxonomy, register hygiene, ownership, and decision-ready leadership reporting. Re-shaped risk appetite to be usable in day-to-day decisions.
Risk appetite embedded in operational decisions across all committees.
Group-wide risk appetite framework recognised by Gartner
Designed a group-wide risk appetite framework covering 30+ principal risks for a major Australian telco - recognised by Gartner and the Risk Leadership Network as one of the most innovative in the region.
Industry recognition and adoption across multiple business units.
Resilience maturity from Developing to Advanced in 18 months
Uplifted organisational resilience maturity from Developing to Advanced within 18 months. Cut Recovery Time Objectives for 25 tier-1 processes by 20%. Aligned to ISO 22301 and emerging CPS 230 expectations.
Two-step maturity uplift and 20% RTO reduction across critical processes.
Archer GRC platform design and migration of 2,000+ risks
Led the design and delivery of the Archer GRC platform for a major Australian telco - migrating 2,000+ risks and enabling scalable enterprise-wide reporting across business units.
Single source of truth for 2,000+ risks, scalable reporting model.
Second-line AI assurance across 20+ AI use cases
Acted as second-line owner for Data and AI risk - led ISO 42001-aligned assurance reviews across 20+ AI use cases. Designed the assurance methodology now used by the internal team.
Repeatable AI assurance methodology covering 20+ use cases.
Second-line cyber maturity model recognised by Gartner
Designed a second-line cyber maturity model aligned to NIST CSF - also recognised by Gartner for its innovative approach to integrating cyber maturity with enterprise risk reporting.
Industry recognition; methodology adopted across the organisation.
Internal and external audit across 7 sectors
Led internal audit, external audit, and risk consulting engagements across Government, Financial Services, Education, Technology, Not-for-Profit, Telecommunications, and FMCG sectors.
Hundreds of audits delivered across 7 industry verticals.
AI Governance program partnership for $10B+ enterprise
Partnered on the AI Governance program for a $10B+ ASX-listed enterprise - strategy, policy, committee charter, and enterprise-wide awareness uplift. Established the foundation for ongoing AI risk management.
AI governance operating model approved at board level.
GRC system implementation for large health and care company
Helped implement a comprehensive GRC system for a large Australian health and care company - covering enterprise risk, compliance, audit, and incident management modules in one connected platform.
Integrated GRC platform replacing fragmented spreadsheet processes.
Cross-company risk culture program
Led the cross-company risk culture program for a major Australian telco - helped improve risk culture metrics measured through an annual survey, behavioural observation, and leadership interviews.
Measurable improvement in risk culture index across 12 months.
Future of Risk Management training program
Designed and conducted Future of Risk Management training at a global telecommunications firm - covering emerging risk practices, AI integration into risk, and the evolving role of the second line of defence.
200+ risk practitioners trained across multiple regions.
2LOD agile restructure for risk function
Led the second line of defence agile restructure for a major Australian telco - operating model redesign, role mapping, and team transition to a more responsive risk function aligned to business agility.
Risk function restructured to support agile delivery cycles.
Emerging and escalating risk program implementation
Implemented the emerging and escalating risk program - horizon scanning processes, trigger events, escalation pathways, and board-level reporting integration.
Structured emerging risk pipeline integrated into quarterly board reporting.
Risk and organisation strategy alignment for improved decisions
Aligned risk and organisation strategy across multiple clients to improve decision-making - mapped risk appetite to strategic objectives, designed escalation triggers, and embedded risk into planning cycles.
Risk integrated into strategy planning rather than reviewed afterwards.
Risk framework maturity assessments against international standards
Conducted multiple risk framework maturity assessments against ISO 31000, COSO ERM, and international best practices - including assessment, gap analysis, and prioritised uplift roadmap.
Defensible maturity baselines and uplift roadmaps for executive approval.
Audit and Business Resilience engagements at top-tier companies
Multiple audit and business resilience engagements at top-tier companies across financial services, telecommunications, and government - covering operational resilience and BCP testing.
Resilience capability uplift and BCP plans tested and validated.
2LOD cyber and data oversight model
Developed, implemented, and reported on a 2LOD oversight model for data and cybersecurity - including KPI design, board reporting templates, and integration with enterprise risk reporting.
Single-page board view of cyber and data risk position, refreshed quarterly.
Risk and resilience training program - global delivery
Developed and delivered risk, audit, and business resilience training programs across multiple jurisdictions - tailored to local regulatory context, with practitioner certification.
500+ practitioners trained across Australia, APAC, and the GCC.
Coupa third-party risk module designed from the ground up
Co-designed the Coupa third-party risk module from the ground up - including the risk scoring algorithm and due-diligence workflow. Now applied across 7,000+ vendors in the client's ecosystem.
Coupa TPRM module operational across 7,000+ vendors.
Principal risk profile design across multiple clients
Helped multiple organisations set up their risk profiles, especially their principal risks - risk taxonomy, identification workshops, calibration, and integration with strategy and disclosure.
Defensible principal risk disclosure aligned to ASX and APRA expectations.
Failure patterns we see repeatedly.
The GRC platform with 12% adoption after 18 months
Selected on vendor demos, implemented without adoption planning, and never embedded into workflows. The platform cost more to maintain than the spreadsheets it replaced.
The board receiving ten disconnected maturity reports
Each domain assessed with different scales, methodologies, and vendors. The board could not prioritise because the reports could not be compared.
The program that passed every gate but failed at go-live
Stage-gate reports showed green across the board. No independent assurance. Go-live revealed data migration gaps, untested integrations, and training that never happened.
Start with a conversation.
Whether you are evaluating GRC platforms, assessing your risk maturity, or looking for a practitioner who has done the work - we respond within one business day.