Executive Accountability Is Expanding - And Bid Risk Is Next in Line
There’s a quiet shift underway at the top of many organisations. Not the sort of dramatic restructure that gets announced with fanfare, but a slower, more consequential redefinition of what executive accountability actually means.
We’re seeing it most clearly in cybersecurity. The Australian Signals Directorate’s March 2025 update to the Information Security Manual (ISM) has made one thing clear: C-level and senior executives are now expected to understand, own, and actively lead on risk. Not just sign off. Not just nod along. Own it.
And here’s the thing: cyber is just the beginning. The same shift in expectations is starting to reshape how we handle bid risk—particularly in large, complex contracts.
The New Cybersecurity Mandate
The ISM now expects executives to:
Maintain cybersecurity literacy (ISM-2002)
Understand the criticality of business systems and data (ISM-2005)
Lead a positive cybersecurity culture (ISM-2001)
Define clear roles and responsibilities (ISM-1997)
Facilitate collaboration between technical and governance teams (ISM-1633)
That’s already a significant step up from previous expectations. And it mirrors global trends like the EU’s NIS2 Directive and new SEC rules in the US that demand cyber risks be governed and disclosed at board level. The NIS2 Directive, for instance, introduces personal liability for executives in cases of gross negligence leading to serious cyber incidents, emphasising the need for executives to be well-versed in cybersecurity issues.
What This Means for Bid Risk Oversight
In large-scale deals—particularly in sectors like government, defence, healthcare, or financial services—executive sign-off is a key milestone. But often, that sign-off is built around a predictable set of risk questions. You’ve probably heard them:
Have all major risks been identified and documented?
Are appropriate mitigations in place?
Are you confident this deal is deliverable within the agreed scope, time, and budget?
These questions aren’t wrong. They’re just insufficient—especially when treated as formalities rather than prompts for genuine reflection. In too many cases, these get answered with vague reassurances and a well-polished risk register that hasn’t been stress-tested.
When that happens, the board or executive team is left with a thin veneer of assurance—and a potentially large exposure. And when things go wrong post-contract, those same executives are suddenly asked: Why wasn’t this flagged?
A Precedent Set
The expectations now placed on executive literacy and ownership in cybersecurity are setting a precedent. We’re beginning to see similar demands in commercial contracting:
Boards are asking more detailed questions about delivery risk, pricing assumptions, and scope clarity—especially in deals that impact strategic customers or national infrastructure.
Executives are expected to engage earlier in the bid process, not just rubber-stamp outcomes.
Legal and regulatory exposure is growing for deals that involve data, AI, privacy, or sensitive government workloads.
Post-deal review processes are being treated less as internal feedback and more as accountability mechanisms—especially when previous risk signals were ignored or minimised.
It’s no longer viable to leave bid risk entirely in the hands of pursuit teams or delivery leaders. When a contract unravels six months after go-live and the problems were visible during the bid, that’s not just a project failure—it’s a governance issue.
How Executives Can Shift Their Role
To meet this emerging expectation, executive teams need to lift the quality of their engagement with bids—particularly those that carry delivery complexity, long-term commitments, or strategic exposure.
That means:
Lifting risk literacy beyond cyber. Executives should understand commercial models, delivery risks, interdependencies, and the historical causes of project failure.
Challenging assumptions, especially around resource availability, automation promises, subcontractor reliability, or overly optimistic pricing.
Embedding real decision checkpoints, not just gate reviews with templated questions.
Assigning clear accountability—so that roles for pricing, scope control, legal compliance, and solution viability are understood and documented.
Encouraging honest conversations about uncertainty, ambiguity, and what might go wrong—not punishing teams for raising uncomfortable truths.
These steps aren’t about slowing things down. They’re about getting deals shaped better from the start—and avoiding the sort of issues that drain margin, damage reputation, and lead to costly remediation or contract failure.
Leveraging Technology for Enhanced Risk Management
In both cybersecurity and bid risk management, technology plays a crucial role. AI and data analytics can automate repetitive tasks, surface predictive insights, and improve collaboration across teams. AI can, for instance, analyse large datasets to estimate bid success rates and flag potential risks early in the process, so they can be mitigated proactively. AI-driven tools can also streamline document management and compliance checks, helping to ensure that proposals are both accurate and compliant with regulatory standards.
Risk Isn’t the Enemy
There’s a strange irony in how risk is often treated in bid cycles. Everyone knows it’s there. Most people can see it. But we’ve built processes that reward optimism and punish pause. That model is breaking down—and not before time.
The lesson from cybersecurity is clear: executives can’t delegate their way out of risk. They can build trust, hire experts, and lean on advisors—but they remain responsible.
The same applies to bids. As companies like Microsoft tie executive compensation to cybersecurity performance, similar accountability measures are likely to emerge in bid risk management. This shift towards greater executive accountability will transform how organisations approach risk, making it a strategic business challenge rather than just a technical or operational issue.