Andrew Roberts Advisory
Director Advisory

For Directors

Most directors cannot explain their board's AI risk exposure, describe their cyber incident response obligations, or identify which IT controls they should be challenging. This engagement changes that with a formal, independent assessment built entirely around cyber risk, AI governance, and IT general controls.

Start a Confidential Conversation

Strictly confidential. Fixed fee. Delivered as a formal written report.

The Director's Dilemma

Three Questions Every Director Should Be Able to Answer - About Cyber, AI, and IT

If any of these give you pause, that pause is worth addressing.

01. Can you articulate your board's cyber risk appetite in plain English, and can you explain how that appetite was set, and by whom?

02. If a breach occurred tomorrow, could you demonstrate to ASIC that you exercised due diligence, point to the evidence, and show when you last reviewed your organisation's incident response plan?

03. Do you know which AI tools your organisation is currently using, what data those tools are processing, and whether your board has formally approved their use?

04. Can you describe the IT general controls your organisation relies on, and when the board last received an independent assessment of them?

Your Obligations

Personal Accountability, Not Just Organisational

Under the Corporations Act s180, directors owe a duty of care and diligence. ASIC has made that obligation explicit for technology risk — its guidance confirms that cyber security is a governance matter requiring board-level attention, documented oversight, and active challenge of management reporting. The Cyber Security Act 2024, which commenced March 2026, adds further obligations for organisations meeting the responsible entity threshold. For directors of APRA-regulated entities, CPS 234 sets specific expectations for information security governance at board level. This engagement addresses how those obligations apply across three domains that now define director exposure: cyber risk, AI governance, and IT general controls. The question is not whether you are obligated. You are. The question is whether you can demonstrate informed, active oversight — and produce the evidence to prove it.

Cyber Oversight Is a Legal Duty

ASIC has made clear that cyber risk is a director-level obligation under s180. You are expected to understand exposure, challenge reporting quality, and ensure cyber governance decisions are documented. Boards that cannot show they actively questioned cyber reporting — not just received it — are exposed when a breach occurs.

AI Governance Requires Board Control

Directors must understand what AI systems are being deployed, what data they process, and whether board oversight is real. AI has moved faster than governance in most organisations — tools are in operational use that the board has never formally reviewed, approved, or risk-assessed. That is a board accountability gap, not an IT problem.

IT Controls Underpin Director Exposure

IT general controls — access management, change control, backup and recovery, system availability — are the foundation beneath both cyber and AI risk. They are also the controls most commonly misrepresented in board reporting. If directors cannot identify what those controls are and when they were last independently tested, active oversight cannot be credibly claimed.

One Engagement for Individual Directors

The Engagement

Confidential, fixed-fee, and delivered as a formal written report. This is not a general governance review. It is specifically scoped to your cyber risk oversight, AI governance obligations, and IT control accountability as a director.

Personal Assessment

Director Readiness Assessment

A formal, independent assessment of your personal readiness in cyber governance, AI governance, and IT general controls across your board appointments.

This engagement examines what you are specifically required to know and do as a director in cyber oversight, AI governance, and IT control assurance, where your current knowledge and practice fall short, and what steps will strengthen your record of oversight. It produces a written report addressed to you, not your board, and is followed by a one-on-one debrief session.

Who This Is For

A director who has sat through a cyber or AI briefing, nodded along, and privately wondered whether the board was asking the right questions — or any questions at all.

A director whose organisation operates in a regulated sector, has experienced a cyber incident, or is preparing for a regulatory engagement where technology risk governance will be examined.

A director who sits on multiple boards and recognises that each carries a different cyber and AI risk profile — and that a gap in oversight on one board is personal exposure, regardless of what the others are doing.

A director who wants a documented record of having sought independent specialist advice on their cyber and AI governance obligations — the kind of record that matters in a post-incident investigation.

What You Receive

Cyber & AI Obligation Summary: what you are specifically required to know and do, with reference to cyber risk, AI governance, and IT controls obligations across each board you sit on.

Domain Knowledge Gap Assessment: the specific gaps in your understanding of cyber risk, AI governance, and IT general controls relative to what active board oversight requires.

Cyber & AI Question Bank: 25-30 questions tailored to your specific boards. Includes questions for cyber risk, AI governance, and IT general controls reporting. Use three at every board meeting.

Red Flag Guide: what to look for in cyber, AI, and IT management reporting that signals a problem the board is not being told about directly.

Personal 90-Day Action Plan: five specific, sequenced cyber, AI, and IT governance actions.

Director Declaration of Oversight: a signed template you retain as evidence of due diligence across your cyber, AI, and IT governance obligations. In a post-incident investigation, this is your first line of defence.

Fixed fee. Strictly confidential. Delivered as a formal written report.

Andrew Roberts Advisory does not sell software, resell vendor products, or take referral fees. I have no relationship with any technology vendor or managed service provider. My only obligation is to you.

My Commitment

Why Independence Matters

No vendor relationships. No referral arrangements. My advice serves your interests, not a product, not a platform.

Every engagement is conducted under a formal NDA. What you share remains strictly between us.

I advise from the director's seat, not the IT department's. The framing, the language, and the output are designed for the boardroom, not the server room. My specialist focus is cyber risk oversight, AI governance, and IT general controls.

Ready to Understand Your Cyber and AI Governance Position?

The directors who engage this practice are not those who have ignored cyber and AI risk. They are the ones who have decided that receiving a board paper is not the same as exercising oversight — and that when scrutiny arrives, the difference will matter. Every engagement begins with a confidential conversation. Obligation-free and on your terms.

Or email: hello@aradvice.com.au