I've spent nearly 30 years inside Australia's largest financial institutions watching risk programmes fail — not because the thinking was wrong, but because nobody connected it to how the work actually gets done.
I founded thirty advisory because I kept seeing the same problem from the inside: risk programmes that produced impressive documentation but didn't change how anyone worked. Registers got filled in, reports got submitted, regulators got satisfied — but the actual risks in the actual processes remained largely unaddressed.
After nearly three decades in executive roles across major banking, wealth management, and superannuation institutions, I decided to approach operational risk from the other direction. Start with the process. Understand how the work actually gets done. Then build risk capability that's embedded in that reality.
If your risk framework disappeared tomorrow, would anyone notice? If the answer is no, the framework isn't doing what it should.
My career has spanned internal audit, risk management, regulatory compliance, governance, and process improvement — across wealth management, investment operations, digital banking, superannuation, and life insurance. That breadth means I bring a cross-institutional perspective that most specialists in a single domain can't offer.
I use agile sprint methodologies for delivery, which means clients see usable outputs every two weeks rather than waiting months for a final report. This isn't just a project management preference — it's how you build genuine capability in teams rather than creating dependency on external consultants.
I'm developing a body of work around what I call outcome-focused risk management — the idea that risk programmes should be measured by the outcomes they prevent and the decisions they improve, not by the documents they produce.
This means starting with processes, not risk categories. It means embedding risk thinking in how people work, not layering it on top. And it means measuring success by what didn't happen and what got decided better, rather than by the weight of the risk register.
I'll be presenting on this at upcoming industry conferences, and it shapes every engagement we deliver.
Operational risk framework design and implementation, APRA CPS 230 readiness, financial crimes risk assessment (fraud, scams, and AML), process-based risk profiling, risk culture and capability development, regulatory engagement strategy, and the practical integration of AI and technology into risk management workflows.