Sydney, Australia
Andrew Lingley
Head of Growth & Marketing Operations, Drova
Shares real-world insight on governance, accountability, and resilience, drawn from direct engagement with boards, executives, and regulators.
Dad of two, deeply helpful to his colleagues, and relentlessly action-oriented.
“Compliance fails when it lives in policy. The organisations that win under scrutiny are the ones that make ownership clear, embed discipline into the operating rhythm, and prove resilience in how work actually gets done.”
Andrew Lingley
Head of Growth & Marketing Operations, Drova
About Andrew
Andrew Lingley is Head of Growth and Marketing Operations at Drova. He brings practitioner-informed insight on governance, operational resilience, and organisational execution, shaped by direct engagement with boards, executives, risk leaders, and regulators.
Andrew focuses on how regulatory expectations and risk intent translate into day-to-day operating reality. He also leads Drova's product-led growth initiatives, focused on turning complex governance requirements into practical in-product guidance and adoption.
He previously served as Deputy Chair of the Association of Professional Compliance Consultants (APCC) Operational Resilience Working Group, where regulators joined practitioner forums to hear industry research, operational insights, and implementation challenges tied to FCA and PRA and Bank of England operational resilience requirements.
Alongside his executive role, Andrew has held multiple non-executive and board positions in the not-for-profit sector, contributing to risk assessments, risk appetite statements, regulatory and ACNC compliance, strategic and operating planning, board mergers, and grant and fundraising governance.
At Drova, Andrew also helps lead industry outlook work, most recently across operational resilience, NDIS, and financial services, turning cross-sector patterns and practitioner evidence into clear guidance leaders can use.
Andrew is a Certified GRC Professional (OCEG), a Member of the Corporate Governance Institute, and holds a Master's in Leadership, Administration and Governance.
Andrew's focus areas
Governance and reporting
Integrated GRC and compliance operating models
Risk management and risk appetite in practice
Operational resilience and business continuity
AI governance under board and regulatory scrutiny
Mutuals and credit unions governance patterns
CPS 230 readiness and uplift programs
FAR accountability, ownership, and controls
Practitioner playbooks and implementation lessons
How Andrew helps
Makes regulatory and standards compliance clearer by translating expectations into practical implications for leaders and operators.
Shares practitioner evidence and cross-sector insights from live forums with regulators, executives, and risk leaders.
Helps leaders communicate compliance and resilience credibly through clearer governance narratives and reporting signals.
Publishes practical playbooks and outlooks that help organisations move beyond policy and embed resilience and sustainability into day-to-day operations.
Experience
Head of Growth and Marketing Operations, Drova
Former Deputy Chair, APCC Operational Resilience Working Group
Certified GRC Professional (OCEG)
Member, The Corporate Governance Institute
Master's in Leadership, Administration and Governance from SCD
Multiple non-executive and board roles in the not-for-profit sector
Latest from Andrew Lingley
Stories59
From spreadsheets to sightlines: Why NDIS boards must rebuild for visibility
Governance & Reporting
From spreadsheets to sightlines: Why NDIS boards must rebuild for visibility
NDIS boards are facing a governance turning point as fragmented data and manual reporting delay decisions and hide risk. This article explains why visibility and connected systems matter now.
23 Jan 2026
What happens when operational resilience fails… very publicly?
Operational Resilience
What happens when operational resilience fails… very publicly?
When operational resilience fails, the world notices.
The past year has shown that business continuity plans are not enough. Ransomware attacks, global outages, power grid failures and data breaches have exposed a pattern of unpreparedness. It is no longer about having a backup plan. It is about proving your organisation can withstand disruption, recover fast and protect what matters most. Resilience is no longer optional. It is the standard.
21 Aug 2025
SYSC15A and the credibility gap: Why are resilience plans falling short under scrutiny?
Regulatory & Standards Compliance
SYSC15A and the credibility gap: Why are resilience plans falling short under scrutiny?
There is a difference between having a plan and being ready to prove it.
Under the FCA’s PS21/3 standard, many firms look compliant on paper but fall short under scrutiny. The planning phase is over. The focus now is on outcomes and evidence. The FCA expects firms to show how they will keep services running during disruption, with proof that is current, complete, and connected. Anything less reveals a credibility gap that regulators are ready to test.
21 Aug 2025
Third-party resilience under PS21/3: What the FCA wants you to prove - and the simplest way to prove it
Regulatory & Standards Compliance
Third-party resilience under PS21/3: What the FCA wants you to prove - and the simplest way to prove it
Third-party resilience is now a board-level accountability.
Under the FCA’s PS21/3 standard, outsourcing doesn’t remove responsibility. Firms must prove they can withstand supplier disruption and stay within impact tolerances. That means mapping dependencies, testing scenarios, and holding evidence that stands up to scrutiny. When failure hits, the regulator won’t ask who caused it; they’ll ask why you weren’t ready.
21 Aug 2025
The board can’t outsource CPS 230 accountability… and APRA knows it
Regulatory & Standards Compliance
The board can’t outsource CPS 230 accountability… and APRA knows it
CPS 230 has dragged operational resilience out of the server room and into the boardroom.

No longer a back-office task, it’s now a live legal responsibility for directors. APRA expects boards to approve frameworks, set tolerances, test scenarios — and be able to explain, in plain language, how the organisation stays standing when disruption hits. 

You can outsource the work. But not the accountability.
21 Aug 2025
'We’ve got it covered': The four most expensive words in CPS 230 compliance
Regulatory & Standards Compliance
'We’ve got it covered': The four most expensive words in CPS 230 compliance
CPS 230 moved operational resilience from intent to proof. “We’ve got it covered” now signals risk unless board-ready evidence is on hand.
20 Aug 2025
Doing more with less: Digital transformation in credit unions
Regulatory & Standards Compliance
Doing more with less: Digital transformation in credit unions
Digital savvy credit unions are transforming compliance and customer impact without sacrificing trust and care.
22 May 2025
How credit unions can fix the third-party risk blind spot
Regulatory & Standards Compliance
How credit unions can fix the third-party risk blind spot
Relying on a few tech partners increases risk. Learn how credit unions are preparing for a future-proof model.
18 May 2025
Why governance is getting both harder and smarter for credit unions
Regulatory & Standards Compliance
Why governance is getting both harder and smarter for credit unions
Credit unions are redefining governance, from paid boards to new onboarding, to drive trust, resilience, and real performance impact.
14 May 2025
Resilience to relevance: Experts on credit union changes
Regulatory & Standards Compliance
Resilience to relevance: Experts on credit union changes
Discover how credit unions are shifting strategy in 2025. This report offers insights for leaders in risk, compliance, strategy, and community growth.
5 May 2025
Why better governance future-proofs NDIS providers
Regulatory & Standards Compliance
Why better governance future-proofs NDIS providers
Integrated governance, risk, and compliance gives NDIS providers daily audit readiness, visibility, and control.
26 Apr 2025
GRC is no longer the brakes. It’s the strategic steering wheel.
Regulatory & Standards Compliance
GRC is no longer the brakes. It’s the strategic steering wheel.
Learn how GRC can drive business strategy and corporate culture to create a competitive advantage from compliance requirements and actions.
20 Feb 2025
Barclays’ IT outage: 4 lessons in resilience for finance
Operational Resilience
Barclays’ IT outage: 4 lessons in resilience for finance
Barclays' recent IT outage is a wake-up call for every financial institution. Here are 4 lessons from Barclays on building operational resilience.
11 Feb 2025
FCA firms: Resilience tactics for a VUCA world
Operational Resilience
FCA firms: Resilience tactics for a VUCA world
Disruption comes in many forms. And we can’t always predict what’s around the corner.
4 Sept 2024
Key issues facing mutual banks: And what NOT to do
Regulatory & Standards Compliance
Key issues facing mutual banks: And what NOT to do
Explore the challenges faced by mutuals in today's financial landscape and the implications of inadequate risk management and governance structures.
4 Sept 2024
Mutuals & the GFC: Resilience in a financial crisis
Regulatory & Standards Compliance
Mutuals & the GFC: Resilience in a financial crisis
Ben Woods dissects the resilience of Australian Mutuals, and the benefits of member-centricity and prudent risk management.
4 Sept 2024
How to complete a Materiality Assessment that adds value
ESG & Sustainability
How to complete a Materiality Assessment that adds value
Our ESG experts outline key steps to take in completing a Materiality Assessment, using a leading-practice approach.
4 Sept 2024
Critical risk management lessons from SVB's demise
Risk Management
Critical risk management lessons from SVB's demise
The sudden demise of Silicon Valley Bank sent tremors around the financial world. Here we look at the background and the lessons to be drawn.
4 Sept 2024
Why Boards must lead on enterprise resilience
Operational Resilience
Why Boards must lead on enterprise resilience
Explore the holistic approach to governance, linking ethical culture and adaptable business models, and discover the consequences of negligence.
4 Sept 2024
ESG awareness begins with the right diagnosis
Regulatory & Standards Compliance
ESG awareness begins with the right diagnosis
Learn about the significance of incorporating ESG into a comprehensive approach to achieve 360 degree situational awareness and effective reporting.
4 Sept 2024
From spreadsheets to GRC software: Better reporting ahead
Regulatory & Standards Compliance
From spreadsheets to GRC software: Better reporting ahead
Michael Rasmussen explains why you should move towards integrated GRC management solutions that provide audit trails, consistency, & integrated reporting.
4 Sept 2024
Trust, integrity & cybersecurity: Apple or banks?
Regulatory & Standards Compliance
Trust, integrity & cybersecurity: Apple or banks?
Apple's new high yield savings account attracts $1 billion in 4 days - what can financial institutions learn?
4 Sept 2024
Lessons from over a decade of cyber-resilience: Aussie mutuals
Regulatory & Standards Compliance
Lessons from over a decade of cyber-resilience: Aussie mutuals
Australian mutuals, resilient against evolving cyber threats, serve as a model for financial institutions. Ben Woods explores their proactive approach.
4 Sept 2024
The big risk most corporates overlook
ESG & Sustainability
The big risk most corporates overlook
Company risk management programs that don’t address ESG are missing the point entirely and overlooking the gravest risk we’ve ever faced.
4 Sept 2024
Global risk landscape 2024: How to tackle what you can’t see
Regulatory & Standards Compliance
Global risk landscape 2024: How to tackle what you can’t see
The World Economic Forum's inaugural Chief Risk Officers Outlook presents a comprehensive perspective of potential global risks.
4 Sept 2024
When corporate governance falls apart: Four examples of what not to do
Governance & Reporting
When corporate governance falls apart: Four examples of what not to do
Corporate governance failures uncovered lessons learned and why oversight is critical to long-term performance.
4 Sept 2024
How Australian mutuals are pioneering climate action
ESG & Sustainability
How Australian mutuals are pioneering climate action
Australian mutuals, dedicated to sustainability for decades, lead the charge in building resilient enterprises against climate challenges.
4 Sept 2024
What does ESG look like for high-growth companies?
ESG & Sustainability
What does ESG look like for high-growth companies?
For smaller high-growth companies, implementing ESG practices can be challenging but it is crucial to start your sustainability journey.
4 Sept 2024
Operational resilience: Key steps to maturity
Operational Resilience
Operational resilience: Key steps to maturity
We look at the key steps of building resilience to develop a best-practice operational resilience strategy moving forward.
4 Sept 2024
ESG: Three letters that drive impact investing
ESG & Sustainability
ESG: Three letters that drive impact investing
Making investments to generate positive, measurable impact is the benchmark at the intersection of ESG and impact investing.
4 Sept 2024
How to convince the Board on resilience's value
Regulatory & Standards Compliance
How to convince the Board on resilience's value
Driving operational resilience should be high on your agenda. Here are a few ways to articulate the significance of operational resilience to your Board.
4 Sept 2024
The expanding scope of operational resilience regulatory requirements
Regulatory & Standards Compliance
The expanding scope of operational resilience regulatory requirements
Learn how operational resilience regulatory requirements are expanding on a global scale and how this will impact your organisation.
4 Sept 2024
Would your risk documentation hold up in court?
Regulatory & Standards Compliance
Would your risk documentation hold up in court?
You need to be able to defend your GRC management in a litigious environment. Evidence alone is no longer enough for regulators & auditors.
4 Sept 2024
What small businesses need to know about compliance
Regulatory & Standards Compliance
What small businesses need to know about compliance
Smaller businesses still have plenty of compliance obligations to meet, with fewer staff to help you manage them.
4 Sept 2024
Why net-zero carbon for ESG is like net-zero carbs for health
ESG & Sustainability
Why net-zero carbon for ESG is like net-zero carbs for health
Singling out one problem from a huge web of interconnected issues is not going to move the needle on ESG factors.
4 Sept 2024
Have your GRC spreadsheets hit the complexity barrier?
Regulatory & Standards Compliance
Have your GRC spreadsheets hit the complexity barrier?
Using spreadsheets and documents across disparate systems to manage risk processes is ‘the inevitability of failure’.
4 Sept 2024
Inside Ireland’s bid to become Europe’s anti-money laundering hub
Regulatory & Standards Compliance
Inside Ireland’s bid to become Europe’s anti-money laundering hub
We delve into Ireland's strategic bid to host AMLA and the transformative impact it could have on the European financial regulatory landscape.
4 Sept 2024
Canada’s Bill S-211: A move toward corporate accountability
ESG & Sustainability
Canada’s Bill S-211: A move toward corporate accountability
Learn how to mitigate third-party and supply chain risks and strengthen your ethical and transparent business practices.
4 Sept 2024
Optimising risk management in a post-COVID world
Risk Management
Optimising risk management in a post-COVID world
With a focus on risk management, we explore the new ways of thinking that recent world events have taught us.
4 Sept 2024
The case for equal stakeholder weighting in ESG materiality
ESG & Sustainability
The case for equal stakeholder weighting in ESG materiality
Why do ESG Materiality Assessments use even stakeholder weightings to produce the Materiality Matrix?
4 Sept 2024
Navigating operational resilience: From theory to practice
Operational Resilience
Navigating operational resilience: From theory to practice
Practical lessons learned from the recent CPS 230 Operational Risk Management Morning Briefing in Sydney.
4 Sept 2024
Own your impacts: Whose responsibility is ESG?
ESG & Sustainability
Own your impacts: Whose responsibility is ESG?
Why should corporations proactively address Environmental, Social and Governance (ESG) issues? Because they can.
4 Sept 2024
Four ways GRC can support operational stability
Regulatory & Standards Compliance
Four ways GRC can support operational stability
Well-targeted GRC strategies can help organisations break down silos, improve communication and reduce interdepartmental tensions.
4 Sept 2024
Interpreting your materiality matrix
ESG & Sustainability
Interpreting your materiality matrix
Our ESG experts deep-dive into the Materiality Matrix, understanding each segment, and how to interpret your results.
4 Sept 2024
A history of corporate governance and why it remains so important
Governance & Reporting
A history of corporate governance and why it remains so important
Learn more about the rich history of corporate governance and why it is still such a critical concern for businesses today.
4 Sept 2024
15 reasons to prioritise operational resilience
Operational Resilience
15 reasons to prioritise operational resilience
Discover why operational resilience is crucial today with 15 compelling reasons to prioritise it in your organisation, ensuring adaptability and success.
4 Sept 2024
220 daily regulatory changes? Here's how to keep up
Regulatory & Standards Compliance
220 daily regulatory changes? Here's how to keep up
With 220 regulatory changes globally, finanical services firms can stay informed and compliant with one central, intelligent GRC platform.
4 Sept 2024
Which stakeholders should you include in your Materiality Assessment?
ESG & Sustainability
Which stakeholders should you include in your Materiality Assessment?
Andrea Spencer-Cooke & Dr Young-Ferris explore how to choose the right stakeholders for a Materiality Assessment that delivers maximum impact.
4 Sept 2024
Cyber risk then and now: The Y2K readiness lesson
Risk Management
Cyber risk then and now: The Y2K readiness lesson
Discover how Aussie mutual banks tackled Y2K-laying the groundwork for today’s proactive cyber risk strategies.
4 Sept 2024
Avoiding silos in a risk-connected world
Regulatory & Standards Compliance
Avoiding silos in a risk-connected world
Break down silos and boost resilience in a connected risk landscape. Discover how integrated GRC systems drive smarter, stronger operations.
4 Sept 2024
APRA’s governance lessons from helen rowell
Regulatory & Standards Compliance
APRA’s governance lessons from helen rowell
Explore APRA's governance evolution with insights from Helen Rowell. Learn how Drova helps APRA-regulated SMEs navigate compliance and future challenges
4 Sept 2024
UK Regulators’ bold plan to boost financial sector resilience
Regulatory & Standards Compliance
UK Regulators’ bold plan to boost financial sector resilience
The Bank of England, PRA, and FCA’s joint proposal sheds light on the crucial aspects of fortifying critical third parties in the UK's financial sector.
4 Sept 2024
Achieving 360° GRC: Interconnectedness is the key to confidence
Regulatory & Standards Compliance
Achieving 360° GRC: Interconnectedness is the key to confidence
360° GRC means every policy, risk, control, and incident connects—delivering confidence when regulators or boards ask for proof.
3 Sept 2024
Breaking biases: Driving inclusion from the board down
ESG & Sustainability
Breaking biases: Driving inclusion from the board down
Inclusion requires more than goodwill—it needs governance, data, and action to challenge bias at every level.
3 Sept 2024
Navigating the future of disability services
Regulatory & Standards Compliance
Navigating the future of disability services
NDIS providers face new compliance standards, margin pressure, and stakeholder demands—success hinges on integrated governance and risk practices.
3 Sept 2024
Why a holistic governance lens is vital
Governance & Reporting
Why a holistic governance lens is vital
Holistic governance links board duties, stakeholder expectations, ethics, and accountability into one continuous improvement system.
3 Sept 2024
Operational resilience fail leads to £48.6m fine
Operational Resilience
Operational resilience fail leads to £48.6m fine
TSB’s migration missteps and the FCA/PRA fine underscore why resilience must be tested, evidenced, and governed end to end.
3 Sept 2024
Why risk management is everyone’s job now
Risk Management
Why risk management is everyone’s job now
A strong compliance team is an essential first step towards effective risk management – but it is only one part of the puzzle.
22 Aug 2024
What is operational resilience? 5 key insights
Operational Resilience
What is operational resilience? 5 key insights
Explore core concepts of operational resilience and build a solid foundation to navigate today’s business risks.
6 Aug 2024