FORWARD FOCUS INTIMES OF CHANGE Identifying & managing risk Adopting leading risk practices with a strong risk management culture Cbus recognises the importance of a strong adaptive regularly to ensure that we appropriately support our risk framework as a critical enabler in achieving our strategic working environment so that we can continue to deliver goals. This includes setting and monitoring the frameworks for our members. and policies that support the delivery of our strategy, Risks that were heightened outside of appetite during the year: our ongoing operations and ultimately drive the best outcomes for our members. Cbus continues to operate • regulatory change risk due to the scale, pace and in a highly dynamic pandemic environment and there volume of regulatory change combined with the increased are a wide range of emerging complex external threats uncertainty on regulatory policy and that unfavourable to consider and manage. This only sharpens our focus changes to regulatory policy could materially impact our to ensure that the risks we take are informed by our strategic and operational objectives, and our members’ Board approved risk appetite and framework. retirement outcomes. The likelihood and consequence This year we made enhancements to our risk framework of this risk is largely beyond management’s directcontrol. which include: In response we have strengthened our ability to respond to regulatory change, including: • establishing a separate Board Risk Committee to – review and uplift of the current regulatory change provide a dedicated forum for Directors to provide operating model oversight of risk management. The Board Risk Committee – embedding an integrated approach across various teams has been established based on the following principles: including setting up regular cross functional forums – forward looking and thinking – increased governance through the Regulatory Change – focus on strategic risks Committee and supporting Working Group to oversee – holistic oversight of risk all regulatory change activities. – identification of trends and recurring issues • project delivery risk due to volume of regulatory change – constructively providing challenge to management’s and strategic programs including merger activity required conclusions on risk management to respond to the current environment. This coupled – efficient sharing of information across committees. with the current pandemic environment where staff are working remotely and juggling the impacts to personal • completed a Dynamic Risk Assessment to provide clarity circumstances, has heightened execution risk. There is on the strength of the relationships between risks and a current focus on assessing and uplifting current delivery identify groups of risks that require coordinated responses capacityandcapability, practices and governance to • reviewed our Business Continuity Plans and Pandemic Plan. ensure we can deliver consistently on the diverse This has included incorporating learnings for the programs required within risk appetite. past year where we have been operating in a pandemic As part of the annual strategic planning process, we consider and largely ‘work from home’ environment the material risks and opportunities impacting Cbus. This year • review of our Fraud Risk Assessment to consider the we conducted a Dynamic Risk Assessment to analyse our risk current internal and external environment to ensure profile, the strength of the relationships between risks, and that our controls remain robust to protect against identify groups of risks that require coordinated responses. emerging fraud threats. Key groups of connected risks identified through this process and for which we consider our management Current risk landscape of these risks together include: The external environment continues to be complex and • ‘technology group’ which includes data governance, rapidly changing. Internationally, with the ongoing pandemic there is uncertainty on economic, social and political fronts. it operations and information security material risks. Locally, the superannuation industry is experiencing ongoing This is driven by the changing external landscape, and changes to policy and regulatory settings which is one of regulatory requirements impacting information security the factors driving the pace of consolidation in the industry. and the increasing strategic importance of data governance. Against a backdrop of rapid digitalisation coupled with We have continued to closely monitor and respond to the people working remotely all over the world there has pandemic, particularly the impacts to our people and our been an exponential increase in attempted cyber- members. A dedicated working group has continued to meet attacks, including ransomware and businessemail fraud. 36 Annual Integrated Report 2021