Reflecting her approach to work, Australia Post’s head of cyber security business won a RIMS award for challenging traditional risk assessments

It started as a vague feeling of unease for Australia Post’s head of cyber security business services, Susie Jones. In time, it grew into a persistent and ever-present concern: namely, that traditional risk management processes across the industry were struggling to deal with today’s more agile business environments.

“I had all of these thoughts and was feeling unsettled about how risk management was operating within agile and lean design-thinking environments,” she explains.

“I felt that there was real friction between risk management processes and the frameworks that we have in place and these new ways of working.”

Then she heard about a new competition run by the RIMS Australasia chapter, which was calling for thought-leadership submissions.

“I felt this friction and frustration with this process for so long, but I didn’t realise until I saw the RIMS competition that I really wanted to write about this issue,” Jones says.

“I wanted to get out of my comfort zone and write about something that was bubbling away in the background. It was actually quite cathartic to get it on to a page.”

It was also highly rewarding, as she won the Risk Revolution Delegate Award.

In her entry, titled ‘Risk Management in the Agile World’, Jones challenged the value of risk assessments and said a more integrated approach was needed.

“The risk assessment really is just a point in time,” she argues. “Often, by the time risk assessments are viewed by the people that actually have the authority to challenge what has already been done, it’s already moved on… It’s already changed.”

This concept reflects the way Melbourne-based Jones approaches her work. She’s always moving, changing and adapting to the challenging and fluid environment of the cyber security landscape.

“I feel more comfortable when I’m working in an environment that’s shifting and changing, rather than staying still,” she says.

“It’s this notion of continuous improvement and challenging yourself to find something different.”

Jones’s tenure at Australia Post is certainly indicative of this drive to grow and change, but it began with a relatively straightforward move into the enterprise, risk and compliance team back in 2014. “I took

over ownership and management of the corporate insurance portfolio, and ran that for about 18 months,” she explains.

“While I was in that role, that team’s focus from a risk perspective was getting out and really trying to drive our second-line risk messages throughout the business.”

As one of the senior members of the team, she was given a business partnership role in addition to her insurance portfolio management. “I became a risk business partner,” she says, “and soon I was talking about risk management every day without actually using the words ‘risk management’.”

Not being one to shy away from a challenge,

she accepted the role of senior assurance manager for Australia Post’s then-new ‘trusted e-commerce solutions’ division.

“It was definitely a stretch move for me, moving further out of just risk and insurance into more assurance management, oversight of compliance matters and everything that comes along with that sort of role.”

As Jones saw it, it was nowhere near her comfort zone. “Up until that point, I hadn’t had any experience with digital businesses before, so it was quite new to me,” she says. “I very quickly jumped into doing things like scaled, agile training to bring me up to speed with ways of working within those business units.”

With an eye to expanding her commercial management skills beyond the risk, insurance and assurance side of things, by 2016 she was working in an Australia Post subsidiary known as Decipha. “It’s a data management business, so I could be across both commercial management as well as assurance management,” she says.

She then moved to work on a cyber protection project and realised that she felt most at home in the information security office. “I really enjoy the space, so I moved across to the role of head of business services, which has been a really good opportunity for me to bring my generalist skills across to a team that is very technical.

“I own the operational risk profile activities and co-ordinate security risk profile work out to the business as well as audit response management and execution. My focus is running the business of running the team, so things like budgeting, strategic planning and reporting, but also helping the team with getting the message out and help to cultivate the right sort of culture across the business.”


How did Jones end up in such a challenging, cutting-edge role? Well, in her own words, “like everybody else in insurance, I completely fell into it”.

While studying for her commerce/arts degree at the University of Melbourne, all she knew was that she wanted to work in the corporate world. “So,

I applied for graduate positions,” she says. “I was working for AAMI as a part-time uni job, so I knew a bit about insurance, and the first call back I got was Marsh, so I went through the program and was offered the role.”

Cutting her teeth at top-three brokers Marsh and then Willis was central to her growth in the corporate world, she says.

“I was fortunate by getting into the graduate program at Marsh to be exposed to all sorts of things, such as site visits to power stations, water-treatment plants and processing plants that in a typical office job, I would never get a chance to see and experience. I learned not to write it off as an ‘office job’.”

Jones advises anyone who is considering a career as a risk professional to “talk to people in these environments to find out what are the different roles and areas they could go into.

“And for those who have already embarked on a career in risk, I’d say be opportunistic… If there’s something you see happening that you want to be involved in, go knock on whoever’s door you need to, to get involved.”

Thinking about her future, she is clear about her overall goal.

“I would like to be able to have a real impact on both customers and the people who I work with,” she explains.

“I am now in the kind of role where I’m starting to get that sort of level of influence, but growing that and being able to improve the day-to-day lives of everybody around me, that’s what drives me. And that’s why I spent 10 years in insurance broking… because you can actually help people on the worst day of their life when they’re making a claim.”