Our Experience

Our team has a high degree of experience and expertise in supporting our clients, whether by augmenting their risk functions across the three lines of defence, providing assurance and advisory services, or implementing and reviewing risk management frameworks and operating structures.

Risk Transformation

Major Australian General and Liability Insurer

Risk Transformation Program Leadership

Amstelveen was responsible for setting up, leading and staffing a $100M risk maturity uplift program for one of Australia’s largest insurers. This program was initiated to address the recommendations of the 2019 Financial Services Royal Commission, as well as 2018 APRA Prudential and CPS 220 Reviews. The program scope included uplift of all elements of the risk and compliance ecosystem such as governance, processes, analytics, reporting, systems, and training. This also included members of the team supporting the development of a centralised controls library, and improving risk profiling and obligations management capabilities.

Big 4 Australian Bank

Risk Remediation Program Execution

Amstelveen was responsible for leading the Risk Remediation program within the Technology and Operations Division of one of Australia’s largest retail banks. The program included the execution of uplift plans across areas including IT service continuity, IT asset management, information security, and IT risk governance and reporting. The program was under considerable regulatory scrutiny and carried high reputational implications for the Group Executive and the Board of Directors.

Major Liability Insurer

Review of 3LoD Operating Model

Amstelveen was engaged by a Major Australian Liability Insurer to support the review of a Three Lines of Defence Operating Model. This engagement involved the review of key risk and compliance artefacts (Risk Appetite Statement, Frameworks, Policies, Standards and Processes), team structures and resourcing, and supporting technology. Our team identified a series of recommendations to improve the management of risk and compliance. We were subsequently engaged to review progress against our initial recommendations and changes to the effectiveness of risk and compliance management practices at the client organisation.

Business Risk and Resilience

Major Australian Payments Provider

Business Impact and Crisis Management Uplift

Amstelveen was engaged to assist in the delivery of an information security controls assurance program. Prior to this, Amstelveen led the uplift of Business Impact Assessments and Crisis Management Planning to meet APRA CPS 232 requirements. This included facilitating workshops with management, designing plans and processes and conducting change management activities. We also advised on the plan and approach for developing critical process and system recovery plans and the testing of these plans, including a remote work exercise shortly before COVID-19. We also assisted with the development of an IT asset register that identifies and classifies all IT assets by sensitivity and criticality.

Fintech Financial Services

Business Continuity Process Support

Amstelveen has been engaged by a financial services provider seeking a Restricted Authorised Deposit-taking Institution License from APRA to provide support around their business continuity process. As part of the engagement, we assisted in preparing a business continuity and ITSCM roadmap and documenting an initial draft business impact analysis. Amstelveen has subsequently been engaged to support the completion of business impact assessments, documentation of continuity plans, testing of plans and development of a business continuity training program.

Big 4 Australian Bank

Supplier Risk Operating Model Refresh

Amstelveen resources were responsible for delivering the design and implementation of a refreshed Line 2 Supplier Risk operating model, within a broader Supplier Governance uplift program at a large Australian bank. In addition to the Line 2 Supplier Risk delivery focus, our team also provided guidance across wider program delivery elements.

Technology and Cyber Risk

Major Life Insurer

General IT Controls Reviews

Amstelveen supported the internal client team to perform assurance over the complex technology landscape. This included support to the Internal Audit Team’s delivery of the annual IT General Controls review and the review of security controls delivered as part of the Cyber Shield Program. This also extended to include a secondment to the Line 2 Risk team by one of Amstelveen’s team members to assist with IT General Controls assurance testing.

Medical Indemnity Insurer

Technology, Cyber, and Compliance Controls Audits

Amstelveen was engaged to support Internal Audit through the execution of various technology risk, cyber security and compliance (e.g., CPS 234) reviews. These included a Cyber Resilience audit, which involved a deep dive assessment of business continuity and IT service continuity practices. Amstelveen was subsequently engaged to assist the Information Security team with uplifting identified capabilities and gaps, including implementing an Information Security Management System and reporting solution.

Diversified Financial Services Institution

Technology Controls Audit

Our team assisted the Internal Audit department of our client to perform IT General Controls reviews over a series of core insurance and financial systems. This engagement was conducted on a secondment basis, with Amstelveen resources embedded and working alongside the client’s Internal Audit team. Our team were involved in a series of reviews and were able to bring attention to previously undetected technology control weaknesses within the client environment.


Major Australian Bank

Core Banking Implementation Project Assurance

Amstelveen was engaged by the Internal Audit team of a major Australian bank to undertake specialist project and technology assurance on an ongoing basis. The scope of these reviews included a core banking solution implementation which was delivered by the client’s in-house technology team over an extended period. Our team resourced a series of deep dive reviews during the project lifecycle, including the initial setup, procurement, development processes and testing, as well as regular project health checks. Ultimately, these enabled the client to reduce risks associated with project delivery and to improve project control mechanisms.

Major Australian Insurer

Co-sourced Internal Audit of Technology and Projects

Amstelveen has been the co-sourced provider of technology and project assurance services for a major Australian insurer for the past 5 years. Through this relationship we have planned and executed assurance reviews across the client’s complex technology and project landscape. This has included undertaking technology controls reviews and reviews across the client’s Strategic Portfolio, including a core insurance platform consolidation, cybersecurity uplift program, and infrastructure uplift project. We have also conducted reviews of enterprise-wide program governance and portfolio management processes. This has included reviews within the client’s EPMO in Australia and New Zealand.

Australian Financial Services Platform Provider

SOC2 Certification Preparation Audit

Amstelveen resources worked with the provider of an end-to-end loan management system to prepare for a SOC2 certification audit. This involved guiding the client through the certification process, providing an inventory of expected risks and controls, defining and uplifting controls where gaps existed, and presenting options for providers to undertake the certification audit.

Compliance and Regulation

Telecommunications Provider

Risk and Compliance Uplift Program

Our team was engaged to drive the execution of a major risk and compliance maturity uplift. We identified key obligations, risks and controls, designed risk and compliance management processes, refreshed key policies, and selected and implemented a GRC tool. This program of work received Board-level visibility and led to an improvement in risk awareness and maturity across the organisation.

Major Australian Life Insurer

Platform Assurance

In preparation for an APRA Tripartite review, Amstelveen performed a Platform Assurance exercise across our client’s Group platform, where a set of Control Objectives and Control Activities were defined and mapped to CPS 234, ISO 27001, NIST and internal control frameworks. Amstelveen also tested the design effectiveness of controls to determine whether any gaps existed with defined controls. Results of the Platform Assurance work were reported to the client’s Chief Information Officer and Chief Commercial Officer.

Major Life Insurer

Line 2 IDII Review Support

Amstelveen was engaged by one of Australia’s leading life insurers to support their Line 2 risk function in performing an APRA-mandated IDII review. Our team supported the design and development of the scope and approach for this review, and subsequently supported the execution of the review. This included gathering the evidence across all of the key review pillars, including strategy and governance, product and pricing, and data. This work underpinned the regulatory response for the overall sustainability of the IDII product.
