The Voice of Cyber®

KBKAST
Episode 335 Deep Dive: Anne-Marie Paterson | The Changing Face of Risk
First Aired: September 24, 2025

In this episode, we sit down with Anne-Marie Paterson, a profound risk executive, to explore the evolving role of the Chief Risk Officer and the changing face of risk management. Anne-Marie shares her perspective on how risk now has a real seat at the C-suite table, emphasising the shift from being a business roadblock to serving as an enabler of strategy. She addresses the traditional stereotypes of risk professionals, contrasts conservative legacy approaches with the need for creativity and relevance, and highlights the increasing focus on non-financial risks such as conduct, reputation, and operational challenges—especially in light of rapidly advancing technologies like AI. Anne-Marie also provides insights into Australia’s regulatory landscape, discusses the balance between regulation and innovation, and underscores the importance of fostering a proactive risk culture throughout organisations.

Blending legal expertise with executive leadership to deliver risk transformation and regulatory uplift at scale.

Anne-Marie Paterson is a risk executive and former legal partner with more than two decades of experience spanning risk management, governance, and legal services. Beginning her career in top-tier law firms before founding and leading her own practice, Anne-Marie has gone on to hold senior executive roles across ASX-listed companies and the financial services sector. Recognised as both a strategist and a problem-solver, she has built and led teams that deliver lasting impact in risk management, compliance, legal services, and organisational integrity.

Anne-Marie has shaped enterprise-wide risk culture strategies recognised by APRA, designed whistleblowing and investigation frameworks for ASX-listed companies, and steered some of the largest regulatory uplift programs in the financial services sector. Her career highlights include establishing AMP’s inaugural Group Integrity Office, uplifting governance for Colonial First State post-demerger, and most recently leading Bendigo and Adelaide Bank’s largest multi-stream risk transformation program.

Equally comfortable in the boardroom and at the front line of crisis management, Anne-Marie is known for her values-based leadership, her ability to influence stakeholders from directors to regulators, and her focus on embedding sustainable change. A qualified lawyer, and graduate of the Australian Institute of Company Directors, she is also a regular keynote speaker on risk, governance, and whistleblowing.


Episode Transcription

These transcriptions are automatically generated. Please excuse any errors in the text.

Anne-Marie Paterson [00:00:00]:
I think the new face of risk is different. Risk has a real seat at the table. Risk is very much part of the C-suite these days in all corporates. And in order for them to live up to that title of being a Chief Risk Officer, you have to think differently. You can’t do what you did in the past. You need to evolve and you need to become relevant, and you need to stay relevant for the business because it’s an expense. But it’s an expense that ultimately enables the strategy.

Karissa Breen [00:00:48]:
Joining me now is Anne-Marie Paterson, a profound risk executive. And today we’re discussing the changing face of risk. So, Anne-Marie, thank you for joining me and welcome.

Anne-Marie Paterson [00:00:56]:
Thank you for having me.

Karissa Breen [00:00:57]:
Okay, so there’s so many things going on in mind. I really want to talk about the whole role of maybe the new chief sort of Risk officer. Now, I’ve had multiple people on the show over the years talking about risk. Everyone’s got a different version. You come with a very unique perspective to the whole risk space. But what do you sort of say when I ask you, like, what does the new sort of Chief Risk Officer look like in your eyes?

Anne-Marie Paterson [00:01:19]:
The new Chief Risk Officer, in my opinion, isn’t just the person in the office that is saying no to everything. They are the true enabler of the business. They translate. So they take the jargon, the governance, the frameworks, the taxonomy, regulations, all those big words that risk professionals often use, and they’re the words that people’s eyes tend to glaze over when people are talking, and they turn it into something the business can actually use, that they can harness, that they can take forward to enable the strategy to be executed. So it’s not about stopping things. It’s about making sure that the business can take the risks without setting itself on fire or breaching regulations. And so while I think the old world of risk was very protective, was very almost black letter, now we’re more a bit like a GPS. We’ll show you the different paths to have a smoother journey that’s going to enable the strategy.

Karissa Breen [00:02:19]:
So would you say, traditionally speaking, to your point, black letter? Do you think people still follow some of that methodology or way of operating, and then as a result, maybe that’s a little bit passe for people like yourself that think, you know, we’ve evolved from that. But I still. People who are like that.

Anne-Marie Paterson [00:02:37]:
Absolutely. So you will definitely meet in the risk communities, those that are very academic, that are very focused on quantitative style measures and spreadsheets and so on. And that’s where I think the new face of risk is different. Risk has a real seat at the table. Risk is very much part of the C-suite these days in all corporates. And in order for them to live up to that title of being a chief risk officer, you have to think differently. You can’t do what you did in the past. You need to evolve and you need to become relevant and you need to stay relevant for the business because it’s an expense, but it’s an expense that ultimately enables the strategy.

Anne-Marie Paterson [00:03:22]:
And that’s what I think is different now. But yet you do still get those remnants of people from the past that have worked in risk forever and a day. But when it comes to them trying to influence the business or trying to tackle non financial risk, which I’m sure we’ll talk about a little bit later on, suddenly they’re a little bit out of their comfort zone because it doesn’t neatly fit into a spreadsheet.

Karissa Breen [00:03:48]:
Okay, so use the operative word, they’re relevant. So I want to get into that, but I also want to get into people from the past. Do you think people from the past know that they’re from the past or do they just. It’s like sort of people that still keep thinking like they’re living in the 80s when it’s like we’ve gone beyond that. So do you think that people have that self awareness that maybe their way of thinking is a little outdated? Or do you think that they may agree that they’re outdated but they don’t care because it’s the way they’ve done it?

Anne-Marie Paterson [00:04:14]:
I don’t think, well, look, there’s all walks of life in this world. So in my experience I have found that a lot of the more traditional risk professionals tend to perhaps be unaware of how they’re coming across or that they’re outdated. They are so fixed in a very regimented way of working that they’re not necessarily open to what is new. But it’s the new wave of the C suite, the CEOs, the business leaders who are saying we want something different, we want to be enabled in how we’re doing things. The world is getting more complex with regulations and standards and laws that are coming through. And so they need to have these new leaders who can translate it, who can influence, who can really infiltrate throughout the business without it being seen as this added cost or impost or Even worse, risk being seen as that person that walks around with a spreadsheet wearing brown tweed. So I think a lot of people are probably unaware or maybe very uncomfortable with the idea of change.

Karissa Breen [00:05:27]:
Yeah, that’s a good observation. So would you say, going back to, what do you think people’s version is of a risk observer? So you said spreadsheet, perhaps a clipboard, tweed. I mean, people have different versions of a cyber person. What do they look like? Or librarian. Like everyone’s got this stereotype. And maybe I’ve always mentioned this before, like Hollywood’s got something to blame around those stereotypes. But what is it that you think people have in their mind when they think about a risk person? What do you think that version looks like?

Anne-Marie Paterson [00:05:53]:
Oh, look, I think it tends to be someone that does walk around in a suit. They do probably have a clipboard or a spreadsheet or nowadays they’ll call it their GRC system or their risk register. And they are very good at quoting policies and standards and regulations and there’s no fun to be had. I think that is a very stereotypical view that people hold of risk. People will come to talks when you’re talking about risk and you can see their eyes start to glaze over. They’re waiting for, you know, the really big words that are going to come out where people sound very superior in their thinking and things are changing because risk is, and this is really cliche, but risk is everyone’s business. Risk is not just for the second line. Risk is not just for the risk team to manage.

Anne-Marie Paterson [00:06:45]:
It is every single person’s responsibility in a company, in an organization, whether you are the cleaner or whether you are the CEO, you all have a responsibility when it comes to risk. And I think that is where the change and the shift is happening. And so when people do think of risk, they traditionally think of someone a lot more conservative. In fact, in my mind, I tend to see a white male in a suit with a clipboard and probably in brown. And I know that is a stereotype and that’s probably not in any way reflective of the modern risk world. But I’m so used to people groaning when they hear the word risk. And I think it’s really shifted now that the whole dial, the dialogue is changing.

Karissa Breen [00:07:36]:
Well, you still say that risk folks are conservative though, like, maybe not necessarily in their appearance, but in their thinking. Because, you know, historically it’s been derived from, oh, we’re going to look at a five by five risk matrix and we’re going to do this and what about that? Like, maybe their thinking is a lot more regimented than perhaps other fields like marketing or PR or media or stuff like that. So do you think it’s just by default, a more structured approach, therefore it just comes across a little bit more conservative?

Anne-Marie Paterson [00:08:03]:
Look, I’m going to put it out there and say the best risk leaders are not regimented, they’re not necessarily conservative. To the contrary, they’re creative. There’s a lot of freedom in managing risk. It is all about how do we enable the strategy? And you could probably play bingo with me saying enabling the strategy today in the podcast, but how can we give the business the tools to be able to move forward, to execute, to get the best outcomes for your customers, your shareholders, your investors, and be able to navigate through the myriad of regulations, prudential standards, laws that are in place. And so I think there’s a lot of freedom. And so the best risk practitioners see risk as freedom. They don’t see it as this square box and how everything has to be regimented. So, yes, there obviously are certain things that most risk practitioners will have in common.

Anne-Marie Paterson [00:09:05]:
So you will have risk registers and you will have a GRC system and you will have frameworks, but in how you apply it, in how you influence it, in how you infiltrate throughout the business, risk and the risk mindset and the risk awareness, that is what is different. So when I think about risk people, are they conservative? I don’t think they’re any more conservative than any other discipline. It’s just their mind might be turning a little bit more to what could go wrong here. But then the next question is, what can I do to put us on track to enable the strategy and to be able to find a way through all the different regulations that are in place that we have to get through?

Karissa Breen [00:09:46]:
Do you think Australian businesses, generally speaking, given your experience, are conservative? Now? I asked that question. I run the podcast, I interview a lot of vendors. They don’t mind putting their company against it, et cetera. They’re encouraged to do that. But sometimes when you’re talking internal people, their company gets a little bit freaked out about my opinions on my own, and all that because they’re worried about someone, because it’s a risk, in case someone says something that is divisive and they don’t want to be attached to it. So there’s a lot of these risks that go into it. Do you think Australia as a nation, though, is conservative in how they approach risk, would you say?

Anne-Marie Paterson [00:10:18]:
Well, that’s a really Good question. The first couple of thoughts that come to mind are we don’t have a freedom of speech in Australia like they do in America. So we have quite robust defamation laws in Australia because we don’t have that freedom of speech. And so I do think that we are perhaps more so towards the right in terms of conservatism, in terms of what we say and how we approach things. In terms of the level of risk and the conservative nature. It depends really on the industry as well. So you might find, and I’ve predominantly worked across financial services, it’s relatively conservative, but that’s possibly as a result of the Royal commission into banking that occurred, you know, some years ago and a lot of the checks and challenges that we have in place and the regulation in place, there would be other industries which definitely would have much less conservative view and you see that, you know, playing out across the papers day to day. But overall, I probably would tend to say that Australian companies are perhaps a little less conservative than what you might find across the world.

Karissa Breen [00:11:32]:
Yeah, and the reason why I asked that is because maybe that has got something to do with your traditional chief risk officers being conservative because that’s the business that they’re operating in. And you know, I’ve worked in financial services as well, like they’re being regulated. You got auditors coming in, you do have the people coming up the clipboards asking you questions. If you don’t do things by a certain date, then you’re going to get pinged, then you’re going to have a massive backlog of stuff you need to do, but X amount of date and you’re under resourced and then you get a fine, which has happened to your point around the Royal commission. So maybe it’s a cultural thing, generally speaking, that is then permeated into the CRO, which then gets permeated down to the next person and so on. So maybe like if we were to zoom out, it’s a cultural thing then in Australia?

Anne-Marie Paterson [00:12:18]:
Look, I think a lot of it in terms of the views of risk and the traditional conservative views of risk, I think a lot of that comes from a strong emphasis traditionally on risk being all about financial risk. And it very much being an area that is quantifiable, that there are clear cut tangible metrics that you can measure against it. And it’s almost similar to accounting. It’s quite, it’s tick a box, it’s all there, it’s in black and white. But I think the last 10 years or more, with the real surge in the push for risk culture. And that is something which every company should be embracing, which is really the behaviour of risk, the how we do things, not the what. I think with that it’s causing us to leave behind some of those conservative notions because we’re recognizing that when it comes to managing risk, it’s about having a risk mindset, not a compliance mindset, not a mindset of I do this because I’m told to, but rather I’m doing this because I’m considering in every decision that I make what could go wrong here or what could go right and what are my responsibilities in managing that risk. And so I think with the push for mature risk cultures in organizations, it’s causing us to be more creative because you’re dealing with culture and culture is not something that can be contained in a spreadsheet.

Anne-Marie Paterson [00:13:59]:
So I think the shift is happening. I think the new CRO and the future for the CRO is changing because no longer can you just rely on those financial metrics and everything that is within your risk register. It is so much broader. It’s about shifting the culture and the mindset of how people view risk in day to day decision making.

Karissa Breen [00:14:24]:
Okay, I want to double click on this because I think this is interesting. You mentioned before, Anne-Marie, it’s more than just financial risk. So talk me through around what are the risks? Generally speaking, that’s coming up in the minds of chief risk officers. And I say that with an undertone of now with competitive landscape, with AI being very prominent on people’s minds, these companies need to take some level of risk. To say to your point earlier relevant, because if they’re like, oh, we’re too conservative and not going to take any risks, then they become irrelevant, they go bankrupt, everyone lose their jobs. So then how do you find the equilibrium between the risks and then also outside the financial side of it, what is it that people are sort of thinking about?

Anne-Marie Paterson [00:15:05]:
So I think when it comes to non financial risk, there is absolutely a large spotlight, particularly in Australia and particularly in financial services, on non financial risk that largely came about from the Royal Commission. I think companies started to realise that the biggest impact on the balance sheet wasn’t your financial risk issues, but your non financial risk. You’re talking about reputation, employee conduct, employee, your operational risks. And that can extend into areas such as AI and technology and you know, really all the risks that are centered around the processes and how people are conducting themselves. Those are the risks, culture and behavior that are really at the forefront of companies now because they’ve seen the fallout of what can happen. When that is disregarded, you can only look around, particularly in Australia, at all the different enforceable undertakings that have recently come to light. The scrutiny from our regulators, they’re not scrutinizing on financial risk, they’re looking at the non financial, they’re looking at the behaviors and how we are managing the operational risks. And so I think there’s a really big shift into that space and that’s what we are very much focused on.

Anne-Marie Paterson [00:16:27]:
AI brings it a whole new world. There’s always a lot of debate around should AI be its own risk class, Is it an operational risk, is it a model risk category? And I think there is. You made a really great point when you said companies need to have a certain appetite for risk in order to stay relevant. And you can see across the landscape now, particularly with AI, companies are realizing if we don’t embrace this and move forward, we are going to fall behind, our competitors are going to move at a greater speed. Because it’s not that AI will replace a CRO, it’s not that AI is going to take away a lot of the different risk related roles that are more traditional, but it will be a tool that will enable you to minimize, you know, a lot of the risks that come about and some of the operational risks which come from manual handling, handling from human errors. So I think there is a really big push moving into the non financial risk space, the emerging risks that are coming with that. I’ve mentioned AI just before, but one of the things that is really perhaps on my mind is that our technology is moving at a much faster rate than our regulations and law. We’re not keeping up with it.

Anne-Marie Paterson [00:17:52]:
And so that’s something that no doubt our regulators have on the forefront of their mind. And how can they manage that?

Karissa Breen [00:18:00]:
Do you think Australia is just too regulated? Because when I speak to people across the globe on this podcast and I’m sitting in this position, I’m on the other side of the world from you right now. Do you think that I. Look, I get it, but then are we focusing perhaps on the color of the racing stripes of the car rather than the actual engine within the car, proverbially speaking?

Anne-Marie Paterson [00:18:21]:
Look, my view would be we are possibly one of the most regulated insofar as financial services. I think it’d be a challenge to find another country with more regulation, particularly in the financial services industry. Are we too regulated? In some circumstances, yes. But then history has shown the fallout where there’s not regulation. So it’s a bit of a. It’s A hard one to answer in terms of if we relaxed some of the regulation, and really we have to go to the heart of what is the regulation there for? It is to protect the shareholder, the customer. That is predominantly the prime aim. So if we were to relax it, there would have to be, obviously, studies around what is the risk of harm and so on.

Anne-Marie Paterson [00:19:13]:
I don’t see our regulations being relaxed anytime soon. I think that’s where the role of the chief risk officer has to play in terms of we are regulated, we are heavily regulated. How do we navigate through this so that businesses are still able to execute on their strategy? And so that’s why I think the role of the chief risk officer is evolving and is changing. And when I said before risk can be creative, this is where you have to be creative, particularly when you are so heavily regulated.

Karissa Breen [00:19:48]:
So how do we as an industry balance the regulation with not stifling the innovation, which potentially. With innovation, yes, okay, there’s risk and there’s all these sort of things, I get that. But you need to be able to keep doing that to stay relevant, to stay ahead of your competitors. Because what we’ve seen in the last like 10, 15 years, like companies that have literally come from nowhere and completely overturned big businesses and made them irrelevant, and we’ve seen many use cases for that. And this could be a real thing because so many people are bogged down in the regulation, which I get. But then is it counterintuitive? And I know it’s a bit of a hard question, man, so I’m just thinking that. I get your point. If it’s not regulated, then you have, you have more issues around the protection of customers, which we still even have with all the regulations.

Karissa Breen [00:20:34]:
But then it’s like if you have too much, but then you’re going to stifle innovation. And then we as Australia may suffer from, you know, international trade, because people could say, well, we don’t want to deal with you because you’re so far behind, because you’re so heavily regulated.

Anne-Marie Paterson [00:20:47]:
I think it’s a balancing act. And so it really comes down to each company’s risk appetite, to be honest. As in, what is the risk that the company is willing to take in order to execute on the strategy. And I don’t think our regulations are so great that they would stifle our ability to be competitive with those around the world. I think it’s how we actually manage those regulations is how we interpret, put in place processes and frameworks to manage through those, to manage through those, rather than Just take a very linear and literal path. And so I think that is where AI can certainly help, obviously with the right governance and safeguards around that. But there are certain things where we can streamline our processes and optimize how we are doing things while still minimising the risk that comes about with that.

Karissa Breen [00:21:49]:
So if you were to zoom out, what do you think? Ultimately, people just don’t get about risk.

Anne-Marie Paterson [00:21:54]:
They think it’s boring. I’ve said it before, they do, they think it’s boring. And people go, oh, risk, my goodness. I really do believe there’s a lot of creative freedom in managing risk. It’s not all doom and gloom. The other thing is, risk is not just disasters, it’s actually about opportunity. In fact, you can’t innovate, you can’t expand, you can’t survive in business without taking risk. In fact, that is the premise of businesses.

Anne-Marie Paterson [00:22:21]:
Businesses are all about risk. And so what people don’t seem to understand is that risk management isn’t about just bubble wrapping the whole business, it’s about choosing your risks and doing it deliberately, doing it with knowledge and foresight. I mean, you’re not going to put on a blindfold to cross the road, and if you do, then you might be in a bit of danger. It’s the difference between using the lights at a crossing and walking across blind. So I think the biggest misconception is that all risk is bad, whereas we don’t tend to focus on the upside of risk. And as you mentioned before, there are companies that have come in and completely disrupted industries with new innovative ideas. That’s the risk they took. The upside has eventuated for them.

Anne-Marie Paterson [00:23:12]:
And so risk is a balance. It’s both looking at what can go right, but then also looking at what can go wrong. And where do you sit on that seesaw?

Karissa Breen [00:23:21]:
So talk to me a little bit more about the upside of risk. So you mentioned before, these businesses coming from nowhere, overturning these other ones to have a competitive advantage. Is that what you mean by that? And do you think it’s also because some of these startups, they probably don’t have a lot to lose in some aspects. And some of these businesses that are super old and entrenched in a certain way of doing things are legacy systems they have to use or migrate across because all their information’s on there. Do you think there’s a bit of that? Perhaps? So talk to me more about how can people get into the mindset around the upside of risk rather than focusing and catastrophizing about all the bad things that could go wrong.

Anne-Marie Paterson [00:23:59]:
I think when it comes to the upside of risk. So you will often every company will have a risk appetite statement. You know, what is the level of risk that the board of directors is willing to accept in order for management to deliver on the strategy. And so we talk about tolerances in a risk appetite statement. And the tolerances can be both the upper limit and a lower limit. And it’s not all about the negative side of risk. It can be about the upside as well. So we’re willing to take a certain level of risk because we see the upside can be greater than the risk of not doing that certain task or initiative.

Anne-Marie Paterson [00:24:43]:
And so that’s another thing. That’s not thing, but that’s another concept that is coming forward, which is the risk of not doing so. What is the risk of not going ahead with a project? What is the risk of not embracing new technology? And that’s where you will see the risk is you may fall behind with your competitors. And it is about weighing it up in every decision that you are making. And in a strategy. When a company take a traditional bank, a bank will lend money to your mums and dads to buy a home. Now they are taking a risk on the basis that we are going to lend a certain amount of money. And they have all these, you know, security against that.

Anne-Marie Paterson [00:25:27]:
But the upside from that is a $500,000 loan might end up paying, I don’t know, 1.5 million in interest over a 30 year period. That is the upside of the risk that the bank is taking in lending that money. And so people don’t tend to think about the upside. They tend to go, oh, well, what will happen if we lose our money if the, if they can’t pay? And that’s when you have controls in place to try and mitigate against the downside of risk. So that’s why when it comes to risk, you really need to look at the whole spectrum. You can’t just focus on all the negative sides. You need to really look at what if this went right and if we look at what can go right and then you balance it against what can go wrong with the appropriate controls. That’s when you tend to find it’s more balanced.

Anne-Marie Paterson [00:26:15]:
So I think it’s. A lot of companies don’t speak about the upside of risk. And that’s probably because it’s really tangible to see the outcomes of poorly made decisions where risk hasn’t been considered, such as, you know, you could have a significant debt that amasses, you could end up with a fine, there could be breaches left, right and centre. So I think the negative side of risk is a lot more tangible, but the upside isn’t perhaps focused on as much. But I certainly in the last at least 10 years have heard a lot of discussion around, well, what is the upside? We don’t just want to hear, and I’m talking about boards here, a lot of boards saying we don’t just want to hear the negative side, we want to hear about the upside, we want to hear about what can go right.

Karissa Breen [00:27:00]:
Do you think it’s a bit of that, that theory, you win some, you lose some. So what I mean by that, and I know that sounds quite whimsical, but what I mean by that is going back to your example on the bank loaning someone money, some people can’t pay it back, that’s what’s happened. But then don’t you think there is some sort of calculator or there is some risk assessment to say, hey, we know overall doing this for a hundred plus years, that 80% of people over time just, sorry, 80% of people do pay back the loans, 20% don’t, something happens or whatever goes on. So do you think that that’s just more mature way of looking at it, that you can’t sit there and think, hey, I’m going to try to mitigate every single thing because that’s just, that’s just not going to happen. It has to have some risk. But do you think it’s a mentality of we may run into an issue, but hopefully the issue is not so big where we have a massive problem?

Anne-Marie Paterson [00:27:50]:
Absolutely. And so that comes back to the risk appetite. Like a particular company might say, we have a medium risk appetite insofar as debts not being repaid. So we might, out of 100 loans, we might be comfortable if 15 of them are not repaid. Another company might say, out of 100, we only are comfortable with one not being repaid. So you can see a different level of risk appetite there. And so I think the way moving forward is we’ve become a lot more sophisticated. We do a lot of the modelling around things and scenario planning and all of that.

Anne-Marie Paterson [00:28:26]:
And so there is that place for where there will be those kind of spreadsheets behind the scenes in risk in order so that when you are putting forward a proposal or a strategy to a board, they are having a fulsome amount of information to make a decision based on where their tolerance sits from a risk perspective. But I think There has to be. Every company just having a business in and of itself is a risk. So whether people realise it or not, they are probably thinking about risk every single day in every decision, but they’re not realising it as obviously as I’m spelling it out.

Karissa Breen [00:29:03]:
So I want to look at the inverse. So have you ever seen in your career people being just too risky, where it’s maybe almost bordering like cowboy-esque behavior, where you’re like, well, these people are spiraling out of control, where it’s like they’re taking too much risk?

Anne-Marie Paterson [00:29:18]:
Absolutely, yeah, without a doubt it doesn’t. What I would say is if you go into any large corporate and if you were to look at their GRC system and do a trend analysis, you would find some wonderful examples of where people have taken too much risk. The question is, have they taken that risk outside the company’s appetite? Is it where they have acted, you know, outside of their own delegation in doing that? Or are there examples where. And there would be for sure companies who’ve had a very high risk tolerance where maybe they shouldn’t have, maybe they’ve been a little bit too bold in what they’ve done and they haven’t properly looked at what is the inherent and then residual risk, which is the risk after you’ve, you know, put mitigants and controls in place and so that. Absolutely, I’ve seen happen. And all you have to do is pick up the papers, the business papers and you see every day there are companies that are taking risks, some that pay off and some that don’t. In some of the ones where they don’t pay off, often there will be a root cause analysis as to what has gone wrong. And usually you’ll find somewhere along the way there’s been some kind of control failure or someone’s not even thought to put in place a control because they’ve just gone, this is such a brilliant idea.

Anne-Marie Paterson [00:30:41]:
We don’t even want to hear about all the things that could go wrong. So it absolutely happens. And that’s why I think risk has a place to actually not curb that innovation and enthusiasm, but to kind of say, okay, well look, this is what could go wrong, but hey, here’s a way of how we could perhaps mitigate it. So you can still go down that path, but these are some things that we could put in place that might reduce that risk.

Karissa Breen [00:31:07]:
So going with the example of it more, do you think as well that even if someone acted alone in how they’ve done something, perhaps even if it was against the Risk policy or the appetite. Do you think that still happens often though, that maybe they made an error in judgment or maybe they were completely blinded by it and didn’t even think about it and then made a decision that ended up being a massive problem?

Anne-Marie Paterson [00:31:30]:
100% that is operational risk in itself. So an incident really is, you know, where a risk has actually come to life, it’s occurred and there is ordinarily a negative outcome of some kind. And if you go to the heart of a lot of what those issues are, I would hazard probably somewhere around 40 to 50% would be due to human error, which can be a range of different things. It could be something as simple as a typo on a letter or putting the wrong data into the wrong system, or it could be someone has actually made the wrong decision or the wrong call on a certain matter. So it happens all the time. It’s just, in fact there’d be hundreds and hundreds that occur monthly or even daily in some of the really large organizations. It’s whether or not they’re sufficient to really have an impact on, for example, the shareholder, the customer, the company’s balance sheet overall. And so a lot of companies will have a tolerance around incident levels and recognizing that there is no perfect system, there is no system in place that is going to stop incidents 100%, stop issues from occurring, stop risk from culminating in an incident short of doing nothing.

Anne-Marie Paterson [00:32:59]:
And then there is the risk of doing nothing. So absolutely there’s those kind of decisions made every day and the role of risk is really to anticipate where those risks might lie in terms of human error. And how can you mitigate it? Is it through education? I personally think it’s through a risk mindset. If every person in the company is embracing risk and saying, well, I am as responsible for managing this as anyone else and I have the tools and I have the ability to make a decision and a risk informed decision, then that in and of itself is helping to minimise the risk of human error.

Karissa Breen [00:33:36]:
I want to talk about reputational risk. So recently I saw a major Australian airline. Something happened, someone in the lounge doing something that one of the lounge representatives from the airline didn’t, didn’t want to happen. When approached them, ladies come online, raised her opinions, being picked up, you know, then all of a sudden the major airlines then responding to the incident now according to the representative said absolutely, you know, doing these things in the lounge are 100% allowed. This individual acted alone. So they went outside of the policies of the, you know, yeah, risked. But then that resulted in massive backlash for them. So talk me through that.

Karissa Breen [00:34:18]:
Now that everyone’s got a voice, everyone’s voicing everything online, they’re saying whatever they want gets picked up by news outlets and then it can have a flow on effect. So how do people sort of factor that sort of thing in terms of the reputational side of it? Now when they’ve taken on. It could have been a, you know, junior employee that didn’t know. It could have been like, I don’t like what’s happening. And therefore they’ve had a massive impact over something that could have been avoided. But equally they’re thinking, well, maybe if we didn’t even hire this person in the first place, we would have been not in this position.

Anne-Marie Paterson [00:34:52]:
Yeah, that’s. Look, reputational risk is a non-financial risk. They are absolutely. Non-financial risks in many respects are almost harder to manage and oversight than a financial risk because they’re often not tangible. You could not possibly write every single scenario that could occur that could result in a reputational impact to a business because there are so many variables, particularly the bigger the business. So reputation, conduct, culture, behaviour, they are all measures or they are all risk areas that need to be managed. And they’re usually managed within the realm of what we would call operational risk or strategic risk. And so that’s where risk culture becomes really important.

Anne-Marie Paterson [00:35:40]:
And so you could. So in that particular circumstance, I imagine that particular staff member would more likely than not be subject to now some kind of disciplinary process because they have, you know, caused an incident which is outside no doubt the risk tolerances that that particular company may have had in place. And. But just dealing with that person as an individual, that’s very hard if you employ 50 or 60,000 people. By disciplining one person is probably not going to suddenly shift the culture or reduce the risk of other incidents of a similar or slightly different nature occurring. But that’s where risk culture is really about shifting the mindset of all your staff and it’s establishing that risk mindset. A culture where all the staff understand their role and their responsibilities. And it’s education.

Anne-Marie Paterson [00:36:35]:
It is also about rewarding good risk behaviors. That’s the other side. So people can see the benefits of, you know, where they have, for example, intervened or challenged something which may have been not in line with the practices. They’re rewarded for having spoken up, for having challenged what is about to occur. So it’s really difficult. So you’ll find a lot of the big companies will usually have a reputation risk, reputational risk, as one of their core risk classes on their risk appetite statement. They’ll have a certain tolerance for what they will and won’t allow within the company, and then you’ll have a whole set of scenarios and controls to try and minimise the risk. But again, short of having absolutely no staff and no business, there’s always going to be some level of risk that you are taking.

Anne-Marie Paterson [00:37:29]:
Part of what a chief risk officer does is not only you’re there to manage the risk, but you’re also there to manage when things have gone wrong. Because sometimes it’s how you respond that makes all the difference, because you can’t stop something from occurring 100% of the time, but how you respond to it and what you do to try and then prevent it occurring again can make that difference. In that particular. I did read in the paper about that particular instance, I imagine that company is likely to have some new education campaigns for all staff to be aware of what is acceptable behaviour and what is not when you’re speaking to customers and so on. So I imagine there will be some kind of educational uplift as a result of that.

Karissa Breen [00:38:18]:
And then going back to big enterprises, 50, 60,000 people, would you say that businesses have accepted the risk that there’s going to be a percentage of those people in 50,000 that maybe go a bit ham bit rogue? Something happens, you’re probably not going to hire 50,000 conscientious workers. Do you think that that risk has been considered as well, that there’s going to be something like the incident we just spoke about? There’s going to be someone’s done something silly, they shouldn’t have any results. And it being across the major newspapers in Australia, for example. Do you think that that has been considered as well?

Anne-Marie Paterson [00:38:52]:
Absolutely. And that again, goes down to the tolerance level that the board will set in terms of their risk when you are hiring persons. So no doubt in a large company with, you know, 50 or 60,000, they would have sophisticated HR divisions, they would have sophisticated talent acquisition, they would have background checks, processes and procedures, and all of those really are controls. They are there to help mitigate the risk of hiring that rogue person that could then go on to create a disaster for the company. But I think a person would be foolish to think that a control can be 100% effective in minim, in not minimising, but eradicating the risk entirely. I think there’d be very few leaders that could go through their whole career without having said they have absolutely hired a person that they would never again hire. And even though they’ve done reference checks, background checks, psychometric testing, everything under the sun. Human beings can be at times unpredictable and also can be masters of manipulation.

Anne-Marie Paterson [00:40:01]:
So someone might present in a certain way, have all the right credentials and you don’t know if they’re going to potentially go off rogue. So there is a certain level of risk that every company takes when they’re hiring someone. It’s just they will usually put in place controls and processes to try and minimise that risk of that rogue employee.

Karissa Breen [00:40:21]:
So Anne-Marie, to sort of round off our interview today, what do you want to leave our audience with? Something that they can take away?

Anne-Marie Paterson [00:40:27]:
I think the number one thing I’d like people to take away when they think of risk is to not think of risk as the roadblocker or the speed bump, but rather risk. Risk is the area that is there to enable the strategy. It is to enable the business to deliver the best outcomes for customers, for shareholders, for investors. And risk is not boring. Risk really is perhaps the most creative area to play in because when you’ve got a whole lot of regulation and law around you in order to navigate that, it’s not always taking that linear path. You need to think outside the square while still being aware of the boundaries so that you can deliver the best outcomes for the business.
