- Directors are shifting from accepting management’s word to actively demanding raw data to verify and stress test operational controls.
- Companies are increasingly decoupling audit and risk into separate committees to provide multiple checks against catastrophic operational failures.
- Distributed digital and AI competency across the entire board is now required to fulfill basic fiduciary oversight duties, rather than treating tech as a siloed IT item.
High-stakes threats demand high-impact governance. As we step into FY27, Australian boards are moving away from retrospective assurance to embrace a new era of proactive, evidence-based leadership.
Australia’s most powerful boards are making quiet but meaningful changes to increase operational resilience, tailor the board’s skill matrix, reduce AI and cyber risk, and improve audit and risk controls. In the face of high-profile data incidents, governance failures and assertive regulators, the pressure on boards to proactively address these issues is mounting.
“The board’s centre of gravity is shifting,” says director Anne Templeman-Jones. As former chair of the Group audit committee at CommBank, and audit and risk chair for Worley, and currently on the boards of Paladin Energy, the NSW Treasury Corporation, Cyber Security Research Centre, and Weebit Nano, Templeman-Jones sees a seismic shift in the boardroom. Accountability is rising faster than certainty.
“The core question a modern board asks itself is no longer, ‘Did we receive the compliance pack?’ but ‘Are we genuinely overseeing this enterprise?’” she says.
In order to meet that challenge, boards are making key changes.
Review of director skillset
While board skills have always been routinely reassessed, the process is becoming much more prominent as boards actively review their skills matrix, says Adelle Howse, non-executive director at Downer and formerly of Macquarie Technology Group. According to Howse, boards are carefully looking at essential, rather than desirable, skills to meet the expertise required in critical areas such as cyber, AI, data and regulation.
Restructuring audit and risk
While audit and risk have traditionally operated as a single function and committee, they are now mostly separate to accommodate the interlocking elements of each and to ensure multiple checks are in place. “Any catastrophic failure is actually a failure of more than one control,” says Templeman-Jones.
When it comes to risk, the board’s role has ceased being one of retrospective assurance, she says. “We’re no longer just verifying what management tells us happened; we’re actively stress testing operational resilience. Rather than thinking about whether we have a framework in place that the regulators are happy with, and management tells us is working, we’re questioning the effectiveness of the controls and asking to see the data.”
This requires a significant shift in demeanor from directors accepting the word of management, to asking to see the evidence. “It’s not always a comfortable conversation to have,” says Templeman-Jones, but in the interest of achieving the lowest risk exposure possible, it’s necessary. “It’s not that I don’t trust the person anymore,” she says. “It’s about my fiduciary obligation now the bar has been set much higher.”
The digital ecosystem
With the exponentially increasing use of technology in business, and regulators like ASIC making it explicit that technology oversight falls squarely within a director’s fiduciary duties, comes the urgent need to appoint board directors with digital backgrounds. “A board cannot exercise informed judgement over what it does not understand,” says Templeman-Jones. “We need distributed digital and AI literacy across the entire board so we can look at technology and strategy in the exact same frame.”
High-exposure security breaches have also kept vulnerability front of mind for directors, she continues. “Cybersecurity, data assets and AI governance are no longer treated as siloed IT line items. They’re permanently embedded into our enterprise risk-management frameworks.”
Governance failures and regulatory pressure
Board behaviour and caution levels are also changing in response to high-profile governance failures across the public and private sectors, says Templeman-Jones. “The companies that navigate this landscape successfully will be those that treat superior governance not as a regulatory compliance tax, but as a core competitive advantage.”
The rising influence of regulators, such as the Australian Securities and Investments Commission (ASIC) and Australian Prudential Regulation Authority, is creating a highly pressurised environment for board decision making. “Regulators are the single most powerful accelerant of these changes,” says Templeman-Jones. “The signal from ASIC is unmistakable – if things go wrong, they’ll look for the specific cases where boards failed to take reasonable, proportionate steps to safeguard the business.”
When well-intentioned ignorance is no longer a defence, and serious privacy breaches can reach up to $50 million or 30 per cent of turnover, the stakes are raised considerably, she adds.
According to Howse, emphasis must be placed on setting up systems and processes correctly from the beginning to help mitigate risk and increase oversight. She acknowledges there is significant effort required to do this, but believes it’s the most valuable investment boards can make.
Instead of treating it solely as a compliance exercise, Howse encourages them to view it more positively. “If what we do for our own internal purposes can align with a regulatory request, then there’s efficiency there,” she says.
Conclusion
While these changes clearly increase the workload on directors, as they operate across multiple time zones, attend countless meetings and confront a relentless reading load, Howse also points to the flow-on effect for management at a time most businesses are emphasising efficiency and cost cutting. She says in spite of the increased fiduciary responsibilities and a narrower tolerance for errors, there needs to be a balance between time spent helping the company grow strategically, while also managing risk, ensuring appropriate governance and completing regulatory reporting requirements.
While the practical impact of these changes shouldn’t be sugarcoated, Templeman-Jones remains committed to a role she sees as “profoundly consequential”, choosing to view the current landscape as an opportunity to recalibrate, put in place robust processes and make sure everyone is on the same pathway moving forward.
Latest news
Already a member?
Login to view this content