Our Experience

Our team has a high degree of experience and expertise in supporting our clients; whether it be augmenting their risk functions across the three lines of defence, providing assurance and advisory services, or implementing and reviewing risk management frameworks and operating structures.

Risk Transformation

Major Australian General and Liability Insurer

Risk Transformation Program Leadership

Amstelveen was responsible for setting up, leading and staffing a $100M risk maturity uplift program for one of Australia’s largest insurers. This program was initiated to address the recommendations of the 2019 Financial Services Royal Commission, as well as the 2018 APRA Prudential and CPS 220 Reviews. The program scope included uplift of all elements of the risk and compliance ecosystem, such as governance, processes, analytics, reporting, systems, and training. This also included members of the team supporting the development of a centralised controls library, and improving risk profiling and obligations management capabilities.

Big 4 Australian Bank

Risk Remediation Program Execution

Amstelveen was responsible for leading the Risk Remediation program within the Technology and Operations Division of one of Australia’s largest retail banks. The program included the execution of uplift plans across areas including IT service continuity, IT asset management, information security, and IT risk governance and reporting. The program was under considerable regulatory scrutiny and carried high reputational implications for the Group Executive and the Board of Directors.

Major Liability Insurer

Review of 3LoD Operating Model

Amstelveen was engaged by a Major Australian Liability Insurer to support the review of a Three Lines of Defence Operating Model. This engagement involved the review of key risk and compliance artefacts (Risk Appetite Statement, Frameworks, Policies, Standards and Processes), team structures and resourcing, and supporting technology. Our team identified a series of recommendations to improve the management of risk and compliance. We were subsequently engaged to review progress against our initial recommendations and changes to the effectiveness of risk and compliance management practices at the client organisation.

Business Risk and Resilience

Major Australian Payments Provider

Business Impact and Crisis Management Uplift

Amstelveen was engaged to assist in the delivery of an information security controls assurance program. Prior to this, Amstelveen led the uplift of Business Impact Assessments and Crisis Management Planning to meet APRA CPS 232 requirements. This included facilitating workshops with management, designing plans and processes, and conducting change management activities. We also advised on the plan and approach for developing critical process and system recovery plans and the testing of these plans, including a remote work exercise shortly before COVID-19. We also assisted with the development of an IT asset register that identifies and classifies all IT assets by sensitivity and criticality.

Fintech Financial Services

Business Continuity Process Support

Amstelveen has been engaged by a financial services provider seeking a Restricted Authorised Deposit-taking Institution Licence from APRA to provide support around their business continuity process. As part of the engagement, we assisted in preparing a business continuity and ITSCM roadmap and documenting an initial draft business impact analysis. Amstelveen has also subsequently been engaged to assist in supporting the completion of business impact assessments, documentation of continuity plans, testing of plans, and development of a business continuity training program.

Big 4 Australian Bank

Supplier Risk Operating Model Refresh

Amstelveen resources were responsible for delivering the design and implementation of a refreshed Line 2 Supplier Risk operating model, within a broader Supplier Governance uplift program at a large Australian bank. In addition to the Line 2 Supplier Risk delivery focus, our team also provided guidance across wider program delivery elements.

Technology and Cyber Risk

Major Life Insurer

General IT Controls Reviews

Amstelveen supported the internal client team to perform assurance over the complex technology landscape. This included support to the Internal Audit Team’s delivery of the annual IT General Controls review and the review of security controls delivered as part of the Cyber Shield Program. This also extended to include a secondment to the Line 2 Risk team by one of Amstelveen’s team members to assist with IT General Controls assurance testing.

Medical Indemnity Insurer

Technology, Cyber, and Compliance Controls Audits

Amstelveen was engaged to support Internal Audit through the execution of various technology risk, cyber security and compliance (e.g., CPS 234) reviews. These included a Cyber Resilience audit, which involved a deep dive assessment of business continuity and IT service continuity practices. Amstelveen was subsequently engaged to assist the Information Security team with uplifting identified capabilities and closing gaps, including implementing an Information Security Management System and reporting solution.

Diversified Financial Services Institution

Technology Controls Audit

Our team assisted the Internal Audit department of our client to perform IT General Controls reviews over a series of core insurance and financial systems. This engagement was conducted on a secondment basis, with Amstelveen resources embedded and working alongside the client’s Internal Audit team. Our team was involved in a series of reviews and was able to bring attention to previously undetected technology control weaknesses within the client environment.

Assurance

Major Australian Bank

Core Banking Implementation Project Assurance

Amstelveen was engaged by the Internal Audit team of a major Australian bank to undertake specialist project and technology assurance on an ongoing basis. The scope of these reviews included a core banking solution implementation which was delivered by the client’s in-house technology team over an extended period. Our team resourced a series of deep dive reviews during the project lifecycle, including the initial setup, procurement, development processes and testing, as well as regular project health checks. Ultimately, these enabled the client to reduce risks associated with project delivery and to improve project control mechanisms.

Major Australian Insurer

Co-sourced Internal Audit of Technology and Projects

Amstelveen has been the co-sourced provider of technology and project assurance services for a major Australian insurer for the past 5 years. Through this relationship we have planned and executed assurance reviews across the client’s complex technology and project landscape. This has included undertaking technology controls reviews and reviews across the client’s Strategic Portfolio, including a core insurance platform consolidation, a cybersecurity uplift program, and an infrastructure uplift project. We have also conducted reviews of enterprise-wide program governance and portfolio management processes, including reviews within the client’s EPMO in Australia and New Zealand.

Australian Financial Services Platform Provider

SOC2 Certification Preparation Audit

Amstelveen resources worked with the provider of an end-to-end loan management system to prepare for a SOC 2 certification audit. This involved guiding the client through the certification process, providing an inventory of expected risks and controls, defining and uplifting controls where gaps existed, and presenting options for the audit provider to undertake the certification audit.

Compliance and Regulation

Australian Mutual Bank

Compliance Plan Development and Implementation

Amstelveen was engaged by an Australian Mutual Bank which was building a new service offering for the provision of deposits and lending services to SMEs. This project involved the engagement of an outsourced Core Banking provider, integration with various services and systems, setup of new organisational functions and the creation of new front and back-office processes to run the new bank instance. Amstelveen performed a detailed assessment of >1,000 compliance obligations potentially relevant to the entity, identified those that were relevant and tiered these into implementation tranches. We subsequently worked with team members across the project, compliance, risk and the software vendor to incorporate these into delivery plans. We also provided input to the scope of third-party assurance engagements being performed across the vendor’s platform to ensure the coverage of key compliance elements.

Telecommunications Provider

Risk and Compliance Uplift Program

Our team was engaged to drive the execution of a major risk and compliance maturity uplift. We identified key obligations, risks and controls, designed risk and compliance management processes, refreshed key policies, and selected and implemented a GRC tool. This program of work received Board level visibility and led to an improvement in risk awareness and maturity across the organisation.

Australian Liability Insurer

CPS 230 Implementation

Amstelveen resources were engaged by an Australian Insurer to aid in the implementation of CPS 230. This included providing input on the organisation’s Critical Operations, facilitating workshops for the definition of Tolerances, drafting updates to Business Impact Assessments and Business Continuity Plans, and identifying Material Service Providers which are integral to Critical Operations.

Major Australian Airline

PCI DSS Compliance Program

Amstelveen led the client's PCI DSS Compliance Program, which involved developing their compliance framework and uplifting key cyber controls, processes and reporting. This included investigating major changes in the cardholder environment to identify impacted stakeholders, controls, documentation and evidence required to ensure audit success. Further work was completed to develop a continuous control monitoring program through dashboards, automated workflows and assurance reviews, to enhance visibility and maintain accountabilities across the organisation.

Australian Insurer

Financial Accountability Regime (FAR) Implementation

Amstelveen was engaged to aid in the client’s implementation of the Financial Accountability Regime. This involved designing a compliance plan to drive compliance with the obligation, drafting accountability statements, workshopping and refining these with Group Executives, drafting reasonable steps for the evidencing of these accountabilities, and designing a customised ServiceNow module (to link to the client’s GRC system) for management of Accountable Persons, Accountability Statements, Reasonable Steps and attestations.

Major Australian Life Insurer

Platform Information Security Assurance

In preparation for an APRA Tripartite review, Amstelveen performed a Platform Assurance exercise across our client’s Group platform, where a set of Control Objectives and Control Activities were defined and mapped to CPS 234, ISO 27001, NIST and internal control frameworks. Amstelveen also tested the design effectiveness of controls to determine whether any gaps existed against the defined controls. Results of the Platform Assurance work were reported to the client’s Chief Information Officer and Chief Commercial Officer.

Major Life Insurer

Line 2 IDII Review Support

Amstelveen was engaged by one of Australia’s leading life insurers to support their Line 2 risk function in performing an APRA-mandated IDII review. Our team supported the design and development of the scope and approach for this review, and subsequently supported its execution. This included gathering evidence across all of the key review pillars, including strategy and governance, product and pricing, and data. This work underpinned the regulatory response on the overall sustainability of the IDII product.

Let us tell you more

Risk management expectations are evolving rapidly.
How well is your organisation equipped to respond?