Andrew Vassilopoulos has spent more than four years with Macquarie’s Business Operational Risk Management team. He is currently a product owner on a project that will assist in automating Macquarie’s technology risk management process and believes the organisation is at the forefront in this field.
A former student at the University of Queensland, Andrew Vassilopoulos completed a Bachelor of Economics and a Master of Commerce in Information Systems and Professional Accounting.
When he graduated, Andrew sought a career that could combine his audit and technology skills. In 2015, he joined the Brisbane-based graduate program of a large accounting firm and entered the world of IT risk, audit and assurance. A couple of years into his career, Andrew transferred to Sydney, working as a senior consultant in cyber security, mainly on risk and governance engagements.
In 2017, Macquarie approached Andrew with an offer to join the Business Operational Risk Management (BORM) team as a Manager for Commodities and Global Markets, focusing on technology and cyber security.
“I was attracted to working with a high calibre team,” Andrew explains. “As a large, established organisation, doing interesting work, and with a gold standard approach to risk, Macquarie’s reputation stood out to me.”
“Plus, within financial services, Macquarie is not only on the front-line of risk management, it’s also at the cutting edge of new technology.”
The BORM team is an integral part of Macquarie's approach to risk and its work complements other functions such as audit and the Risk Management Group. The structure means the team sits as part of Macquarie’s Corporate Operations Group, and Andrew and his team members are in turn aligned to different business units, helping them identify, assess, and control business-specific risks.
“We are here to support and advise the businesses,” Andrew says. “Every team at Macquarie has a Business Operational Risk Manager, so we are scattered throughout the organisation. The teams report directly to heads of each business, or a Chief Operating Officer.”
Andrew says one of the best things about working in the BORM team is the exposure it receives. Its roles are truly embedded within the business and valued by management and the team.
“Working in BORM, you are able to interact with a wide range of key stakeholders from day one, even interns present direct to the division and executive directors. People seek your advice, and your voice is heard.”
Initially, Andrew was aligned to technology and cyber security for Commodities and Global Markets. Since then, he has been involved with a range of projects such as moving critical IT systems from on-premises to the cloud and a merger to carve off an asset finance business into a joint venture.
Andrew says that while an understanding of technology is helpful in his role, the team operates from a risk perspective. This, in turn, requires a broad range of skills around all types of risk management, ranging from cyber security risk such as privileged access, to system malfunction, general cloud, regulatory and third party risk.
“We get involved in a range of projects when there are changes at the business level, like mergers or acquiring a new business which comes with new or different tech,” Andrew explains. “Our job is to help the technology team do their due diligence and assessments, put together approval papers which proactively assess the risks, then put controls in place to mitigate these risks.”
“Each day is always different and never ends up being what you expect it might be at the start,” Andrew says. “A key activity is control assurance, or deep dive reviews of risks and controls to identify opportunities for improvement.”
Other tasks include incident management and twice-yearly risk and control self-assessments (RCSAs), and supporting the technology teams in day-to-day activities like security finding remediation or audits.
“If we identify something, we will do an assessment to enhance the control and mitigate the risk,” Andrew says.
Andrew says that one of the aspects of Macquarie he likes most is that the organisation encourages career mobility, both within and beyond BORM.
“Macquarie has a high-performance culture, but it is also very inclusive and diverse,” Andrew explains. “The organisation is big on encouraging and supporting its people in what they want to do.”
In 2020, Andrew was promoted to Senior Manager, and spent nine months on secondment supporting core infrastructure services.
“Macquarie’s infrastructure BORM wanted to gain business-aligned experience, so we arranged a swap,” Andrew explains. “I gained infrastructure experience looking after foundation technology services like networks, and my colleague received business team experience.”
There are also many formal learning opportunities available with Macquarie. Andrew used this opportunity to complete ‘cloud practitioner training’ to further his technology skills.
“People are encouraged to expand their knowledge beyond their core skill set,” he explains.
Andrew’s current role has seen him become Product Owner for a platform that involves automating aspects of Macquarie’s cyber security risk management.
“We are setting up continuous control monitoring in cyber security,” Andrew explains. “We are also working on resilience, compliance, and data systems.”
“You need to be adaptable, learn fast and think fast.”
As part of an international team, Andrew says the unique hours are offset by a culture of flexible working. He also notes that the Technology BORM team has grown and evolved over time, and that tactical initiatives to improve and streamline processes have resulted in more integrated and interesting work.
“I enjoy the fact that Macquarie is global, there are plenty of internal opportunities across the business, and you're exposed to a lot,” Andrew says.
“I like working at the forefront, with the combination of risk and tech. I’m part of a great team, and I couldn't think of anywhere else I would rather be than here at Macquarie.”
Since this article was published, Andrew relocated to London where he has moved back into the infrastructure technology operational risk management team.