This week we caught up with Kate Hughes, Chief Risk Officer, Telstra, who spoke with us about the differences in Risk Management between public and private sector organisations. Kate will be a Keynote speaker on day one of the RMIA National Conference.
Your keynote will outline the Difference in Risk Management Between Public and Private Sector Organisations. Are you able to outline one or two of the primary differences for us here?
There are a few differences. Some of it is driven by different stakeholders, but there is also the issue of transparency, and that can drive different approaches to risk appetite and risk management. Most privately held companies are not required to disclose their financial information and they don’t need shareholder approval for their strategy, so they can possibly choose to pursue more (or less) risk. This can mean that they can shift their focus more simply, potentially focusing more on long-term growth rather than making sure shareholders are receiving their dividends. However, private companies may struggle to attract directors with risk management experience as they often have smaller boards and the regulatory requirements around governance aren’t so obvious, so there may be a disconnect between management and board about how risk should be managed; and yet in some cases, given the lack of capital markets support, it’s arguable that risk management practices should be stronger. You could argue that in publicly listed companies the board is required to very visibly manage risk and there is greater transparency about how they do that, but these organisations tend to be larger with strong capital markets supporting them, whereas in private companies the board is less visible and there are fewer requirements around risk management and disclosure of governance practices. Generally speaking, public corporations are more likely to be subject to regulatory scrutiny, particularly those with specific regulatory risk requirements relating to their operations. All of these things will influence the risk tolerance and appetite and ultimately the types of risk management strategies the company employs.
How would you describe the culture of risk management at Telstra?
At Telstra, managing risk is everyone’s responsibility, and we know that effective risk management not only helps us achieve our business objectives and ensures that we meet our legal and compliance responsibilities, it also helps us to protect shareholder value. We have a very strong tone from the top for managing risks, and this is actively demonstrated by senior leaders encouraging risks and issues to be understood, managed and escalated.
How would you describe holistic and contemporary risk management?
Holistic risk management is understanding and managing the entire risk landscape faced by an organisation. Telstra’s Material Business Risks are an avenue that we use to identify those all-encompassing risks and the way they are managed throughout the organisation. Everyone has a part to play in managing aspects of those material risks, and understands how they impact them. This is really about taking a portfolio view of our risk environment, not just the risks themselves but how they interact. We tend to think of contemporary risk management as a process that is applied in a consistent manner and is embedded within our critical business practices, activities and processes. It’s not done by the “risk professionals”; rather, everyone (throughout the organisation) understands their risk responsibilities and accountabilities, knows what their key risks are and can provide assurance they are being controlled effectively. In contemporary risk management, organisations use incidents and issues to continuously improve performance.
What’s the most difficult part of translating theory to practice?
Personally, I think jargon and over-complicating the topic of risk to non-risk professionals. It is all too easy to make Risk and Risk Management technical and theoretical, but the truth is, risk is just another aspect of leadership. Anybody in a decision-making role in an organisation (wherever in the hierarchy) would use risk as a basis to make business decisions; we need to remember who the audience is and talk to them like human beings – in terms they understand.
What are the biggest risks that Telstra faces at the moment?
We have a suite of material risks which indicate our most significant areas of uncertainty. They tend to arise from our external environment or because of decisions about our strategic direction. They may have a material impact on the achievement of the company’s strategic objectives. Such risks include the complexity of our NBN transition; a rapidly evolving regulatory and policy environment; rapid and pervasive business model and technology disruptions; and evolving our data management to meet the current and future challenges of being a global technology company. We also face a range of Operational Risks which, if not managed appropriately, create a poor customer experience, unnecessary work for our executive management and often cause reputational damage. At Telstra we manage a number of very important operational risks including privacy; information security; fraud & ethical behaviour; business resilience; and of course the health & safety of our employees and members of the public.
How does your experience at ASIC inform your approach to risk?
My time at ASIC really equipped me with a different perspective on regulation and how it can help create a stable business environment, a level playing field and protection for consumers. It provided me with a broad understanding of the regulatory environment and how different business models work, and the practical knowledge of the issues and risks that all businesses face. I think a stint with a regulator can be a terrific development opportunity for any risk management or compliance professional. It certainly helps inform your thinking about regulatory and reputational risk!
How do you balance commercial decisions with ethical considerations?
It’s not a “balance” at Telstra. We firmly believe that good commercial decisions must be ethical to be sustainable. Our company’s purpose, values, code of conduct, and integrity policies provide guidance on ethical and responsible decision making and behaviour. The principles within each of Telstra’s integrity policies are values-led, and designed to build an ethical culture where our employees are trusted to make the right decision. For most people, ethical decisions are not made just because it’s described in a policy. We are very conscious of the ethical risks we face both in our business today and also into the future as we grow into a global technology company. We take steps to prevent corruption and create an ethical culture across the range of diverse conditions our business operates in, and we continuously reassess how these are working for us. We’re committed to responsible business practices, and we’ve been a signatory to the United Nations Global Compact (UN Global Compact) since 2011, committed to supporting its principles – on human rights, labour rights, environment and anti-corruption – wherever we operate. Kate has been on its Board for approximately the past 12 months.
Kate Hughes is a Keynote Speaker at this year’s RMIA National Conference, 16-18 November 2016 | #rmia2016