The three lines of assurance (3LOAs): elevating risk and compliance
At our recent CREW online forum, more than 130 governance and risk professionals joined a timely discussion on the evolving role of risk and compliance within the Three Lines of Assurance (3LOA) model.
Chaired by Sarah Penn, the session featured three leaders with deep experience:
Together, they reflected on the lessons from past corporate failures, the realities of embedding assurance functions today, and the leadership qualities required to ensure risk and compliance are seen as value creators - not just obligations.
Learning from history: Enron and the cost of failure
The discussion began with Rhiannon revisiting one of the defining corporate collapses of the past generation: Enron. Nearly 25 years later, the case remains a stark reminder of what happens when governance structures fail.
Rhiannon emphasised three enduring lessons from Enron:
Auditor independence is non-negotiable – When external oversight is compromised by conflicting interests, the assurance function becomes ineffective.
Culture drives outcomes – Enron’s internal culture tolerated, and at times encouraged, poor decision-making. Without cultural alignment to ethical behaviour, controls alone will not protect an organisation.
Governance must be enterprise-wide – Responsibility for risk does not sit with one function. Enron showed how failures cascade when accountability is fragmented.
Her message was that Enron was not merely a financial failure, but a cultural and leadership failure. For boards and executives today, the reminder is clear: sidelining assurance functions creates vulnerability that no amount of retrospective controls can fix.
The seat at the table: from obligation to influence
Following Rhiannon, Nicole reflected on her career journey in compliance and governance. Early in her career, she recalled often being invited into decision-making forums “because we had to have you there,” not because of the value she was expected to add.
That dynamic, she noted, is shifting, but it requires effort. For risk and compliance to contribute meaningfully, leaders must come prepared with:
Commercial acumen – Understanding the organisation’s strategy and operating environment.
Forward-looking insights – Framing risk not as a retrospective checklist, but as part of shaping future opportunities.
Constructive challenge – Offering perspectives that broaden the conversation, even when uncomfortable.
Nicole’s point was that simply being present is not enough. Risk leaders must demonstrate relevance beyond compliance, positioning themselves as strategic advisors who contribute to business outcomes. Without this, the function risks being perceived as an administrative step, rather than an enabler of strategy.
Shifting perceptions: culture and the long game
Norlena focused her remarks on the cultural journey required to embed risk as a genuine organisational capability. She described it as “turning the Titanic” - slow, deliberate and requiring persistence.
Norlena emphasised that organisational culture, including risk culture, is the foundation of effective assurance. When culture is aligned, risk management becomes part of decision-making rather than an afterthought. Conversely, when risk culture is weak, even the strongest frameworks fail to protect the organisation.
On this point, Rhiannon agreed, but added an important caveat. Positive, high-performing cultures can sometimes have a “shadow side.” Strong collegiality and alignment, while valuable, can lead to groupthink. Without challenge, such cultures risk creating blind spots that undermine effective risk management.
Together, their perspectives highlighted that culture is not simply about positivity or cohesion—it must also foster independence of thought, constructive challenge, and accountability. For executives, the lesson is clear: investing in culture means recognising both its strengths and its potential risks.
Changing how risk is perceived is not achieved through policies or frameworks alone. It requires:
Visible leadership – Executives modelling engagement with risk issues, signalling that assurance is valued.
Consistent reinforcement – Ensuring risk messages are embedded in strategy discussions, not siloed in compliance reports.
Clear value articulation – Demonstrating how risk management supports innovation, resilience, and stakeholder confidence.
For Norlena, the role of the C-suite is crucial. When executives actively champion risk as an enabler, organisations shift from viewing compliance as restrictive to seeing it as a framework that allows ambition to be pursued responsibly.
A shared theme: leadership defines effectiveness
Across the panel, a consistent message emerged: the effectiveness of risk and compliance functions depends less on frameworks and more on leadership.
History provides lessons: Enron remains a case study in why independence, culture, and accountability are critical.
Presence must equal influence: Risk leaders cannot rely on being at the table; they must earn influence by demonstrating commercial and strategic value.
Culture enables resilience: Organisations that view compliance as a safeguard for growth are better positioned to innovate and withstand shocks.
For executives, the implication is clear: risk and compliance are not side functions to be consulted at the end of the process. They are essential contributors to decision-making, culture, and long-term performance.
Conclusion
The forum reinforced that risk and compliance functions are undergoing a fundamental shift. They are no longer peripheral guardians of regulation; they are becoming central to organisational strategy and culture.
As Nicole, Norlena and Rhiannon each highlighted, this transformation is not automatic. It requires leadership, risk leaders willing to bring forward-looking insights, and executives willing to recognise and empower their contribution.
The enduring lesson, whether from Enron or today’s governance challenges, is that risk and compliance must be positioned as strategic enablers. Only then can organisations build the resilience and trust required for sustainable growth.