Enterprise risk management
- We employ a ‘three lines of defence’ model aligned to ISO 31000.
- The first line of defence is our employees, who identify and manage risks across the organisation; the second line includes our risk, compliance, and investigations teams, who oversee and challenge first-line activities; and the third line is internal and external auditors, who provide independent assurance to the Board and senior management.
- Risks are analysed, prioritised, and tracked in our risk management system. Formal acceptance of risks within our risk appetite is documented and confirmed by management upon their closure.
Governance
- The Southern Cross Health Society Board and its Audit and Risk Committee are responsible for the security of our information assets, including IT systems, services, and data.
- The Board establishes the security governance structure, defines sub-committees, identifies executive responsibilities, and develops risk management functions while determining our risk appetite and monitoring our security status.
- Reporting directly to the Chief Digital Officer, Southern Cross’s full-time Head of Information, Security and Risk Management leads the team responsible for security operations, security architecture, technology risk management, and information management.
- Mandatory security training for all staff and contractors covers the policy documents that apply to everyone, such as acceptable use policies; relevant documents are communicated directly to specific technical audiences.
- Our full suite of IT security policies is reviewed annually.
Information assurance
- We focus on mitigating and managing information technology (IT) security risks associated with the use, storage, and transmission of information while ensuring compliance with industry standards and internal security policies and practices.
- Our information security team conducts assessments, third-party evaluations, and performs regular security controls testing to identify and address any issues.
- Our internal audit function collaborates with an international firm to develop an annual audit plan that includes at least one information security audit each year.
Information management
- We classify information as either confidential or highly protected and apply stronger security measures to higher-risk data.
- All information is stored in secure repositories with traceable access controls, granted only with authorisation from the information owner.
- Retention periods vary by record type and legal requirements, and our records retention policy includes periodic training and monitoring.
- Information sharing with approved third parties occurs only under appropriate protections, ensuring that all providers adhere to the same high security standards as Southern Cross.
Third party management
- We partner with reputable third-party vendors to manage various information technology (IT) systems, including, but not limited to, cloud services, software development, and payment processing.
- Member information may be shared with third parties solely for the purposes outlined in our Member Privacy Statement and in adherence with privacy standards.
- We conduct comprehensive risk assessments for each vendor to help ensure the protection of our information assets and the use of robust security measures.
- All our contractual agreements with third parties include provisions for security compliance and the protection of sensitive data.
- All vendors undergo a comprehensive vetting process during their onboarding and are periodically reassessed. Preference is given to vendors who can provide independent audit reports such as ISO 27001 and System and Organisation Controls (SOC) 2.