Risk Manager

ROLE SUMMARY 

Firmus is looking for an experienced Risk Manager to lead the development and implementation of the Firmus enterprise risk management function within the Risk & Compliance Department. 

The Risk Manager is responsible for developing, implementing, and continuously improving the organisation’s enterprise-wide risk management framework in accordance with ISO 31000 and the governance requirements of an ASX regulated company. This role ensures effective identification, assessment, mitigation, monitoring, and reporting of risks across strategic, operational, financial, cybersecurity, privacy, and regulatory domains.

The Risk Manager works closely with internal stakeholders to embed risk management systems, strengthen internal controls, and support external certification and assurance activities.

 

KEY RESPONSIBILITIES 

• Develop and manage enterprise risk and compliance processes.
• Lead the organisation’s Enterprise Risk Management Framework (ERMF) and delivery of assessments in alignment with ISO 31000.
• Establish and maintain enterprise risk management systems, processes, and documentation.
• Facilitate regular risk identification and workshops across all business units, including review and monitoring of risk appetite statements, to build risk management maturity.
• Lead risk assessments for strategic projects, technology changes, third-party engagements, operational processes, and enterprise initiatives.
• Oversee the integration of risk management systems (RMS) and governance tools, including the automation of risk assessments in DRATA.
• Provide risk management guidance to ensure compliance with ASX Listing Rules, the Corporations Act, ASIC RG guidelines, the Privacy Act and APPs, and other applicable standards.
• Maintain risk management policies and supporting procedures.
• Manage the Business Continuity Management System (BCMS) and ensure alignment with risk management principles.
• Develop executive risk reports including heat maps, risk trends, and control maturity status.
• Provide risk management training, coaching and advisory support to leaders, project managers, and operational staff.
• Comply with Group policies and procedures such as WHS, InfoSec, Privacy and Data Protection. 
  

 

SKILLS AND EXPERIENCE 

• Management and hands-on experience in an enterprise risk management role, ideally with time spent in an ASX regulated environment and applying ISO 31000 principles.
• Minimum of 5 years’ experience in enterprise risk management.
• Sound knowledge of the risks associated with technology-based listed / regulated companies.
• Experience leading cross-functional risk programs, audits, and assurance reviews.
• Demonstrated ability to design and execute risk assessments across strategic and operational domains.
• Strong analytical and problem-solving skills, with the ability to develop and present strategic ideas and concepts in a clear way.
• Extensive experience in the development and implementation of risk and compliance registers.
• Experience developing risk insights, training, or supporting materials for diverse audiences.
• Highly refined written and verbal communication, presentation skills and high level of personal integrity.
  

 

KEY COMPETENCIES

• International experience.
• Knowledge and experience in a range of risk assessment / management methodologies.
• Familiarity with enterprise risk use cases.
• Exposure to online / digital risk management platforms and tools.
• Holds relevant Government or Defence security clearance to a minimum of baseline.

 

SUCCESS METRICS

• ISO 31000–aligned ERM framework implemented and embedded across the organisation.
• Enterprise Risk Register reviewed quarterly, with clear ownership and treatment plans developed for all material risks.
• Risk appetite, tolerances, and KRIs defined, approved, and actively used in decision-making.
• All relevant business units conduct annual risk assessments for their area of responsibility.
• Major initiatives are risk-assessed prior to approval.
• Material findings from internal risk management audits closed on time with residual risks communicated immediately.
• Ongoing compliance with ASX and regulatory requirements, with no significant breaches.
• Cyber, privacy, and third-party risks consistently assessed, including DPIAs and critical vendor reviews.
• Business continuity and resilience testing completed annually, with lessons learned actioned.
• Clear, actionable executive risk reporting delivered regularly.
• Strong risk culture demonstrated through training uptake and leadership engagement.