Panellists at the Strategic Risk Forum in Sydney discussed standing up to the board, recruiting millennials and using near-misses as a risk management tool.

Any risk manager seeking lessons on how to be frank and fearless in the face of pressure from senior management was in for a treat at the Strategic Risk Forum in Sydney on November 28.

StrategicRISK Asia-Pacific editor Lauren Gow led a lively debate between panellists Susie Jones, head of cyber security business services at Australia Post, Eamonn Cunningham, former chief risk officer at Scentre Group, Andrew Potter, general manager risk and compliance at BAI Communications and Nicole Grantham, chief risk officer at SAI Global.

The discussion opened with tips on how to have tough conversations with senior management without getting anyone off-side. As Jones noted: “Having continuous communication with all senior leadership across the business, not just the board, is fundamental to managing all kinds of scenarios, including those unforeseen scenarios.”

Cunningham agreed that a person’s status within the business should not be a governing factor when it comes to discussing risk management.

“Fundamentally, I think the conversation you are having with the board should be the same type of conversation you are having with every part of the business. Their status within the business should have no bearing on how you think about their overall risk. You should be having these conversations with every department from the lowest to the highest level and you should be consistent in your approach. They should be looking to you for openness and transparency.”

Jones reiterated that communication is key to success in a risk management role. “It is fundamental to not getting people off-side. If you are providing frank and honest updates, on a regular basis, in a timely fashion, then there shouldn’t be surprises. Unless of course, you are surprised, in which case so be it. Say it,” she added.

Cunningham agreed that honesty is the best policy. “You need your CEO to trust you, to ensure he or she is not on tenterhooks that you may be about to reveal something to the board which causes them to ask, ‘What the hell is going on?’ Your message needs to be consistent all the time; it can evolve but the theme should be the same. You must, as risk managers, stand up and be counted.

“Risk management is about core principles and you must never compromise on yours. People should always know what you are thinking, even if that way of thinking evolves over time.”

[Photo: Andrew Potter, general manager, risk and compliance, BAI Communications]

Grantham agreed that the element of surprise should be avoided as much as possible. “If there is a risk that you as a risk manager think should be discussed at that table, then it should not come as a surprise to any of your business executives or CEO at that table.”

Uncomfortable conversations are just part of the job, she added. “It may be painful at the time, but it will pay off in the long run. There may be some strong and uncomfortable conversations beforehand, but those conversations should never be happening on the day of the board meeting. You will never be in our role and not ruffle feathers; but you don’t want to ruffle them unexpectedly at a board meeting.”

Potter pointed out that sometimes it’s the risk manager who’s surprised. “When you are in front of the risk committee or board, you are hoping that they aren’t going to throw something at you suddenly that they haven’t made you aware of beforehand.”

Cunningham moved the discussion on by arguing risk managers need to do an about-face on the way in which they approach different parts of the business. “I completely agree with the notion that risk management should be engaging with all levels of the business, all over the place in order to raise the profile of risk management to a higher level,” he said. “We need to start by saying, ‘I am here to help you,’ instead of ‘I am here to create issues and friction.’

“Yes, we do need a compliance arm, but as much as possible, that needs to be kept separate to risk management. Otherwise, risk management won’t be able to effectively engage with the rest of the business and get it to work for the benefit of the organisation.”

Instead of thinking or saying, ‘I am here to help you,’ risk managers should modify the phrase to ‘I am here to help you help yourself,’ said Cunningham.

He stressed that making all employees just as risk-aware as the risk manager shouldn’t be a concern. “You want to walk away from each discussion knowing that the person or department is better equipped to help themselves. I am not trying to engineer us all out of a job, but ultimately if you are doing your job properly, the rest of the business will learn to be as risk-aware as you.”

Trouble really begins when the business shies away from engaging with the audit function properly and for extended periods of time, said Jones: “From a third-line-of-defence perspective, I think this really only works when you truly embrace the nature of being an audit team. Being a true audit team brings an enormous amount of value but it doesn’t work if you try and dress it up as consultation or risk management. I believe the audit function really needs to stay separate and ultimately there should be two lines of defence instead of three.”

Attracting and retaining quality staff remains a challenge for the risk industry, so the panel discussed at length how to attract staff from all areas of the business to achieve the widest variety of talent. Cunningham argued the issue comes down to sourcing staff who are already in sync with the corporate culture. “It has to start here because if you as a risk manager can’t infuse yourself with the core culture of the company, you won’t be able to be effective. It is ultimately about being able to communicate effectively with the business from all perspectives, not just a narrow one. So being able to attract and retain talent from all parts of the business means you are already a step ahead.”

Potter, who completed an undergraduate degree in risk management, believes that formal risk management training will help to attract the best and brightest, as well as giving them a firm base of skills to fall back on. Beyond that, he says, it is about keeping staff interested and engaged.

“In terms of retaining talent within your team, it is about giving them the skills and opportunities to continuously learn and improve. Giving them a chance to learn externally through courses and conferences gives them the knowledge to do well in their roles, but experience on the job is also valuable,” he added.

For the long term, Jones argued that the industry needs to embrace diversity not only in terms of gender, but of age. “Looking around, there are not many millennials in this room, and whilst that might make us comfortable right now, in 20 years’ time, we are going to need them in this industry.

“Talking to experts, the way you attract and retain millennials is completely different to how you attract older generations. If you are looking to the future of your risk management function, you may need to change the way your area is spoken about within the business and the opportunities for variation in the role. I think it is also about flipping it and asking yourself what does your team have to offer someone and looking at how you can adapt that for different types of people.”

An audience question involving the panellists’ use of ‘near-miss’ scenarios as a risk management tool provoked a lively discussion.

Jones said Australia Post had used near-misses extremely productively when it came to cyber security. “In every board or executive paper, in every report we do for everybody, we start the conversation with near-misses. We may include incidences where something small has occurred which could have been much bigger, where we explain what happened, what went wrong, what we need to be mindful of and the risk associated.

“Alternatively, in cyber security, we are able to draw on the big, publicised incidents like WannaCry. It is obviously easier to draw upon in cyber security, but I think it works in a wider context too.”

Potter said: “We have had an example of a risk at BAI where, until we were able to demonstrate that risk in play, the CEO was unable to see why it had such a high risk rating and why we were doing stuff about it. So near-misses can really help to validate the plans you already have in motion.”

But Grantham argued: “Validation of risks through analysing near-misses tends to be more operational than strategic in my view. From a cyber perspective, when we look at validating our existing control framework, we use near-misses as a tool to show why we may need to invest more funds and resources in a certain area.”


Susie Jones explains why the traditional ‘three lines of defence’ model is dead

What underpins my issue with the three lines of defence is that it creates a hands-off environment. The hands-off issue comes in the first two lines: either your operational risk or your second line of risk teams.

There is little effective communication between the teams setting the risk management framework and the teams who are actually implementing and using it. Fundamentally, this is a problem from my point of view.

If you have one team doing design and oversight of a framework that doesn’t work alongside the team who is going to use it, there are bound to be problems that arise in the application or suitability of the framework.

Breaking down those barriers is your first point of call because this is what translates into friction within the business. There is a lot of focus on the framework and making sure we are operating within this risk management framework.

And whilst I do understand there are compliance and regulatory requirements, I think we need to start focusing on the practicality of how we can make each part of the business look at risk in a more effective way.