Risk Management Insights


David Tattam, Director Research and Training

Author of 'A Short Guide to Operational Risk', David Tattam is an internationally recognised specialist in all facets of risk management, particularly at the enterprise level. His career includes many years working with PwC, as well as two Australian banks. His achievements include the creation of the Middle Office (Risk Management Department) for The Industrial Bank of Japan in Australia and the complete implementation of all Australian operations, systems, procedures and controls for Westdeutsche Landesbank (WestLB).

Recent Posts

Protecht News & Events, Risk in Motion, Risk Reporting, Video, Internal Audit

Auditing your Control Framework - SOPAC 2019

How do you encourage your staff to embrace risk and controls? In this recording, David Tattam talks about how understanding the dynamics and balancing your control framework can help you change your organisation for the better.

This session was recorded at the 2019 SOPAC Annual Conference. To attend the SOPAC Conference in Brisbane in 2020, you can visit this page.


Video, Risk Libraries, Risk Management Framework, Risk Taxonomy

Disparate and Disconnected Risk Processes and Information? Solving the Problem with Risk Taxonomies

This is part 2 of our video series on "Disparate and Disconnected Risk Processes and Information". In this video, David Tattam talks about what makes a strong risk taxonomy and how you can keep your risk classification consistent so you can build an overall risk profile.


Video, Risk Libraries, Risk Management Framework

Disparate and Disconnected Risk Processes and Information? Solving the Problem by Integrating the Building Blocks of Risk Management

This is part 1 of our video series on "Disparate and Disconnected Risk Processes and Information". In this video, David Tattam talks about the key building blocks of a good risk management framework and how these can help form an integrated view of risks in your organisation.


Risk and Reward, Risk in Motion, Decision Making, Risk Reporting, Video

Building Resilience by Creating a Happy Marriage Between Risk & Reward

How do you build and improve resilience in your organisation? In this recording, David Tattam talks about how understanding the dynamics and balancing the voices of risk and reward can help you achieve sustainable rewards.


Risk and Reward, Risk Reporting, Risk Data, Intelligence, Dashboards

Spaceships, Prince Charles and reporting truer business performance

  • The accountability of an organisation for its performance is limited by a narrow focus on its financial performance.
  • Developments in risk management and accounting provide a practical solution for measuring true performance using a mix of reward, risk and risk appetite.
  • Measuring true performance requires the measurement of both risk and reward across each stakeholder.


Risk in Motion, Risk Reporting, Video

Is your risk management a little static?

How do we make decisions based on risk reward when the risk information is out of date? Traditional point-in-time reporting in risk management can result in an artificial view of how your organisation is doing. In this video, David Tattam talks about what you can include in a Risk in Motion report to create a dynamic risk profile of your organisation.


Decision Making, Video

Is risk management front and centre in your decision making?

In this video, David Tattam breaks down the questions you should be asking to better integrate risk management in your organisation's decision making.


Compliance Management, Risk Management, Risk Appetite, Decision Making

Can I? Should I? Would I? Using compliance as a decision making tool

Compliance is the act of “conforming to rules”. Deciding to, or not to, conform to rules affects the decisions we make. Compliance is therefore an integral part of decision making.

The question is “What are the rules that we will apply in our business decisions?” These rules can come from two primary sources as described by the ISO 19600 Standard: “Compliance Management Systems”. This standard recognises two main types of compliance obligations:

• Compliance Requirements: Requirements that an organisation has to comply with. These normally arise from external regulatory requirements and contractual requirements.

• Compliance Commitments: Requirements that an organisation chooses to comply with. These are normally manifested through internal policies, practices, codes of conduct, etc.


ERM, Risk Manager, KRIs, Press/Media

Importance of 'Challenge' in Risk Management

In my earlier blog “What we can all learn from the APRA prudential inquiry report into the CBA” I noted that one of the strong themes of the report was the importance of “Challenge”. In fact, it is mentioned approximately 75 times including in the following recommendations:

  • Recommendation 7. The CEO ensure that the Executive Committee … engages in constructive challenge and debate.

  • Recommendation 10. CBA ensure that business unit Chief Risk Officers have the necessary independence to provide effective challenge to the business.

  • Recommendation 27. Senior leaders reinforce key behaviours of increasing self-reflection, giving and receiving constructive challenge and dealing with conflict effectively.

For those familiar with the three lines of defence model, the second line of defence "Risk Management" has as its key role, “Review and Challenge”. Read the article: Risk Governance and the Three Lines of Defence.

This blog takes a look at:

  • The meaning of challenge.
  • The importance of challenge in supporting strong risk management.
  • The reasons why challenge is so difficult in practice.
  • What a good challenge culture looks like and how it can be practically embedded within an organisation’s culture.


ERM, Risk Manager, KRIs, Press/Media

What we can all learn from the APRA prudential inquiry report into the CBA

Taking Risk Management to the next level

The APRA report of the prudential inquiry into the Commonwealth Bank of Australia (CBA) was issued on 1 May 2018 (https://www.apra.gov.au/media-centre/media-releases/apra-releases-cba-prudential-inquiry-final-report-accepts-eu). On the following day, I was flying from Sydney to Perth and downloaded the report to "skim" read the key points on the flight.

I began reading on take-off and, on landing 4 hours later, had completed the full 111 pages. I could not put it down.

Rather than a negative feeling of what we are doing wrong, I saw instead a rich source of information that we can use to take risk management to the next level.

On page 5, the report states:

"The Report that follows may read as a long catalogue of shortcomings. That would be too narrow a read. The Panel acknowledges the undoubted financial strength and acumen of the CBA, its global standing, and the avowed commitment of staff to servicing customers. CBA needs to translate this financial strength and good intent into better meeting the community’s needs and the standards expected of a systemically important bank in Australia. The Report is a roadmap for this journey."

It is also clear that many other financial institutions accept that they could change the name "CBA" on this report to their own and it would be equally as valid. At Protecht, we see this as a must-read for anyone serious about taking their risk management to the next level. It is, as APRA states, "a valuable roadmap".

The following is a summary of the main lessons we can learn from the report, and also the main themes that run through the report.
