
Governance Bites
Mark Banicevich interviews a series of experts about governance, including company directors, lawyers, executive managers, and governance consultants.
Each interview is on a different topic related to governance, tied to the guest's expertise. He also asks interviewees for the best governance advice they've received, or that they would give to new directors.
Governance Bites #26: how the board manages risk, featuring Phil Doak.
Phil Doak is an experienced executive, executive director, and director, particularly in the financial services industry. He is a partner at Mosaic Financial Services Infrastructure, and a Chartered Member of the Institute of Directors.
Mark Banicevich asks Phil about how a board manages risk, and Phil talks about an entity's Enterprise Risk Management Framework. He touches on risk management at many levels through the entity, and tools entities use to manage risk. Mark and Phil discuss an entity's risk appetite, and how an entity manages its risk culture.
#governance, #governancebites, #boardroom, #boardcraft, #director, #riskmanagement
Hi. Welcome to Governance Bites. I'm Mark Banicevich, and today I get to spend time with Phil Doak. Hi, Phil. Hi, Mark. Nice to be here. Nice to see you. You, too. Thanks very much for your time. You, too. Phil's a Partner at Mosaic Financial Services Infrastructure. It's the technical name of the firm, isn't it. Mm hmm. A specialist in financial services, and does consulting to various entities around the financial services industry in New Zealand. He's also a Chartered Member of the Institute of Directors, and has a lot of board experience. So, a great person to have a conversation with. And today we're going to talk a little bit about risk. So, thank you very much for your time. You're very welcome. Okay. So, my first question for you then, Phil, is, what are the board's responsibilities and obligations around risk? Well, I mean, ultimately, the board has carriage of an organisation's purpose, and its business strategy, and, you know, understanding how that plays out over time. And the risks to fulfilment of the purpose, and the strategy, sit with the board. I was actually on a webinar yesterday, where there was an interesting quote coined around, "risk brings strategy to life". I thought that was quite an interesting little anecdote. Yeah. And so, you know, ultimately, the buck stops with the board. But I think it's important to understand, you know, the board isn't responsible for the day-to-day management of risk. It sets up the oversight of it, and we'll chat a little bit more about how that plays out. But in terms of the management of both financial and non-financial risk, that sits with the board. And I guess I'd add, it's not just about risk avoidance. Yes. It is about risk management, you know. Yes, right. And there's plenty of examples over time where, you know, business models have been disrupted because there was the appetite to actually take risk, to pursue it, the strategy of a business wasn't necessarily there.
So, I think the responsibilities, sort of, come down to establishing, you know, what the risks are. The conversation about what the appetite – Yes. – for risk, you know, for risk is. What's the strategy to manage it? You know, practically, how that's going to play out through the organisation. How do you oversee the implementation of risk? Does the business, is it resourced well? Yes. With the right skills and expertise to do that. And then, I think, another key part of it is, ensuring there's, you know, there's a director to hold management to account, at the end of the day. And how you do that in the risk, you know, context, sort of, fits - Right. - with part of the, you know, what the objectives are. Okay, thank you. Because, as you suggest, you know, ultimately, business is about taking risk, right? So, you have to accept some risk. And, as you said, the board's duty is very much about setting that appetite. Deciding what risk they'll accept, and then what risk they don't want to accept. Whether they mitigate it, or avoid it, or what, or some other strategies. But there's always going to be this level of risk. And you've also suggested that the board can't do everything around risk, because the board isn't involved within the day-to-day operation. So, to a large extent, they set the framework for it, and then delegate it through the management, to be looked after on a day-to-day basis. Is that? Yeah, that's part of it. And I guess, you know, we're going to chat a little bit about how they might do that, right. And I guess, the frameworks that might support that. So, you know, as with, we were chatting earlier, you know, there's an interest in, sort of, exploring the concept of enterprise risk management. What do we mean by that? And, you know, that is a concept that is, I think, of, it is almost the architecture for how risk is managed within the business. Yeah. So, it's holistic, it's a conceptual framework.
But it has with it, really, the practical elements that support the management of risk. And so, and it brings it together, into an overarching framework, that provides a reference point over time for how a board can look at, how are we doing in certain of those elements, right, that sit within the framework? So, and some of those elements are, you know, the strategy, the business strategy, what are we trying to achieve? Yeah. The risk appetite, which you've talked about, which is an important component. The risk management strategy itself. And then, it's how it's implemented. So, yes, you've got your normal risk artifacts: your risk registers; your policies, procedures, controls; the reporting; the data that comes through to support decision-making; the accountability structure within the business, who's responsible for what; and the capabilities. But there's a couple of other key components that, sort of, sit within that enterprise view. And one is governance. Yes. Right. So, how does governance play out in terms of the role of the board? If the board's set up subcommittees to fulfil, to what ends, to fulfil what functions. And then the really important bit, I think, is around risk culture. And having a view on that. Right. And how, because you can have the artifacts, and all the risk registers you like, but ultimately, risk culture plays out every day in your front line, and your executive, and your decision making, and within the board itself. And so, how do you think about that? And is that culture supportive of the sort of risk outcomes as a business you think, well, are key to achieve that purpose? Yes. And achieve that strategy over time? Okay, right. So, the framework that you're talking about here is your Enterprise Risk Management Framework. And you've talked about a number of components of that framework. So then, how does an entity go about setting up this framework? You know, how does it all get kicked off? Yeah.
Well, having a conceptual construct for it is, sort of, helpful, you know, which, you know, has a nice set of the components. But I guess, some of the, you know, the challenges with it are, having that view of strategy for a start. Right. And the conversation around, what are the risks? Right. And taking an expansive view of those, right. Because they can range from quite specific financial risk. They can range, expand, into, sort of, the non-financial risks of things like technology not working. You know, products not delivering in the way that they're supposed to. Which can create all sorts of issues. People risks. And then there's the risks more broadly to your strategy, the trade strategy itself, you know, that are very much environmental. Whether it's the risk of new technology disrupting your business model. Risk of regulatory change that was not foreseen, disrupting, you know, your business model. Competitor responses. Yeah. All those sort of things that sit around, you know, a strategy. A strategy conversation. So, you know, you need the framework. You need to have an expansive conversation around what can, what are the risks with that? You know. We've touched on the appetite for certain things going off the rails, or otherwise. Yes. And then again, I guess, beyond that, having that view of clarity around accountability structures, culture. You know. How does that all support, and is going to support, your business, your business outcomes, over time? Yes. And importantly, you know, where does that sit today, you know? So, I think, sometimes I've been involved with clients where we've got the framework, and it's been helpful to cast a lens over the organisation using the framework today. Yes. And the degree to which all those components are coherent, and self-supportive of the business's outcomes, versus what's the trajectory of the firm? Where's it going? Where does it aspire to be? And what needs to change over time? Yes.
Like, if you're going into a new product area, for example, that might be new. Okay, and that might bring new risks that go with it. Right. So, how are you thinking about that? And so, I think in terms of the board being able to manage those, manage against that enterprise risk effectively, having clarity on those things is important. And understanding where your current capabilities sit today. And, you know, and I think being able to engage with the management team constructively. And be able to challenge constructively, the view - Yes. - is important. So, I think, you know, boards that operate, you know, well, are pretty dialed in on those sort of complexities, right. Right, absolutely. You've mentioned a number of different tools that a board can use to manage that risk, and one of the tools that you mentioned in particular, was a risk register. And from what you've said so far, it's certainly more than just considering what your risks are, putting them on a register, and then reviewing that register every board meeting, or something, to see whether it's changed. Correct. So, what else would you do, you know, if you're setting up a company, you've maybe grown quite quickly, and somebody's come in, and said, "We need a risk register." What do we do with it? Well, I think the risk register can play an important role, but it's, I think, what's the value of creating the register, is actually the conversation. Right, yes. Right. And I've been involved in some discussions with the board where I said, "Forget the register today. Let's go around the table individually, and collectively, and ask the question, 'Well, what do you think, given our purpose, given our strategy, given what we're trying to do, given the market, what are the three or four risks that are going to keep you awake at night?'" Yes. Right. And it's an interesting conversation to have. Very much. And to, sort of, surface, you know, what those are.
And then obviously that's not the end of the conversation. That's the start of it. The beginning, yeah. And if you've got a board that has some, you know, brings some diversity of views and life experience and perspective to that, you'll get a wider view of, a more expansive view, potentially, of some of those risks. And then, clearly, you've got your executives' view, and their experience, that they bring to the table, as well. But, you know, I think, you know, the starting point is purpose and strategy. The conversation around the risks to that. And it is a conversation which then informs what lies in a risk register, right. Yes. But you can have a risk register that can go down layer on layer on layer on layer. Yes. It can get very detailed. And I think then there is a challenge there to be able to see the wood for the trees. And being able to surface, what are the most critical ones that, as a board, we need to be focused on? Versus the ones that, look, we need to understand that management has the right controls and processes in place to deal with them. Yes. Right. But, you know, we need to particularly focus on these things. And that's not a set and forget. No. Right. No one saw, no one, probably, had Covid on the risk register. Interesting, some might have had something like that if they remembered about bird flu that, sort of, predated it a bit, right. Yeah. But the conversation, it's a living thing. Absolutely. Okay, so, I think if, yeah, so I think that's a key thing. So, the value of the register itself is really just to make sure that you don't take your eye off the ball. In any of those things that you thought about in the past.
And as a board you want to keep focused on those significant ones, and make sure that they're under control, and the ones that are less significant, where you've been able to transfer the risk, through insurance, for example, you just check and go, "Yeah, everything's under control at the moment." Well, I think you've also got, the risk register, it's not a fixture. It's dynamic. Right. Yes. So, I see registers that end with a column that says, residual risk. We're happy with it. It can't end there. The question is, well, okay, that's fine. You think you've got that covered. But what's changing in the business now? Yes. And what's going to change? Right. Yes. And where is there tension around some of these risks? Depending on where the business is at any point in time, right. And so, you know, I think, it's a dynamic thing. And that's why, you know, as I say, that, you know, the register is a living thing. It's dynamic, and needs to be looked at in that context. But that, and the manner in which that happens, sort of goes to some of these other elements, which form part of the framework. Which goes to, well, what is the information that's surfacing to me as a director, that informs me as to what's changing in the business? Where am I getting information from, as a director, to exercise my independent view? To challenge management, as to the risk changing inside or outside the business? Yes. And then there's that sense of culture, risk culture, which I talked about before. You know, what is the voice of risk within the business? Is risk seen as good business practice? Or frankly a pain in the butt, that's just going to tell me the twenty things that I can't do, as opposed to enabling me to get the things done? And, you know, and there are things that, I think, are really key from the board's viewpoint. Because you set the tone - Yes. - on those things. And there's a great book called "The Fish Rots From The Head" [by Bob Garratt] down, right.
Which, if you want to read something at some stage, I'd recommend it. Because, and it says, you know, speaks to that tone from the top. And that covers, not just the risk components; it's ethics, and all manner of, a bunch of other things. But, you know, in terms of the organisation's posture around risk, you know, it's really a key thing. That was, actually, the other point I was going to pick up on, from what you talked about before, was about this concept of risk culture. Because, as you say, it's a very important aspect of it. And, you know, I often say when I'm talking to students, or talking to businesses, and things, about risk: it's risk that sees companies fail. You know, companies that carry on with their strategy going well, or if they don't have a strategy, that are plodding along from day-to-day without significant side winds, they tend to continue. But it's when something unexpected comes along, that's when companies tend to start to go downwards, and eventually, you know, fail. So, managing risk is such an essential element. And as a company gets bigger, as you say, the culture around risk is very important. So, what does a, what is a board's involvement in establishing that risk culture, and making sure that it is right for the risk appetite of the board? Yeah, well, I think, again it's having a cohesive perspective, and a unified perspective, of what the outcomes are that you're trying to achieve. Yes. And what does good look like, you know? And, I mean, culture is probably one of the most challenging pieces to manage. And as a director, you're not in the business. No. Right. But you cast a long shadow. Yes. Right. And it's something I was always told, you know, as an executive, moving to a senior executive position: "Don't underestimate the length of the shadow that you cast, based on what you say, what you do, and as much what you don't say, and what you don't do." Right, yes. Right.
So, as a director, you know, you're not in the business, right. But your tone, whether the messenger giving bad news is shot, or otherwise, you know, that tone sends ripples through the organisation, to different degrees, you know. Yes. And the dynamics there can play, you know, can play out. So, I think there's a starting conversation, do you understand what is the, you know, what is our posture as a board? What is the messaging? Yes. How do we want our business - whether it's the business, or the administration, the NGO [Non-Government Organisation], whatever it is, has the same effect. What is the messaging we want people to feel about risk? Is it okay to make a mistake? Is it okay to speak up? We want you to speak up, right? So, the person that speaks up, you know, needs not to have been like, you know, "Thanks very much for coming." You know. Yes. And it plays out in decision-making, right. You know, are we going to go, and there's always pressures, commercially, to get to market on stuff, right. Yes. You know, and that's part of the strategy, and there's risk in whatever you take to market. But, you know, how far, you know. We're seeing it play out a little bit, you know, within the industry at the moment. In the CoFI [Conduct of Financial Institutions] and the conduct reviews under way, where, you know, there are decisions made about whether to invest in tech, certain tech, or not. Or to defer, or not. Yes. You know. And that's a risk decision, right. Absolutely. And it sends messages around, you know, at any point in time, what you think's important. I think, one of the trends that we're noticing in our industry, as well, is more and more firms have a Chief Risk Officer, right? Yeah. Somebody that's absolutely focused on that. And that sends a real signal through the company, that risk is a major concern. Yeah. It's interesting. I mean, you're right. I mean, I found it interesting just having been in the sector for a while, now, - Yes.
- both in banking, and wealth and funds, and things. I've observed there has been a proliferation of risk roles. Yes, there has. Right. I mean, a proliferation. Now, part of that, you could say, well, it's because there's a proliferation of regulation, as well. And so, you know, and that's for sure. There has been. And organisations have to invest in the people, capability, to respond to that, right. But the challenge, I think, that can create is, who's actually accountable? Where, like, within the organisation, how does line one, line two, line three [compliance], which everyone, you know, is sort of like, the mantra for what a good accountability should be. Yes, the three levels of compliance. That's fine in theory, right. But in, depending on the size, shape, scope, complexity, of an organisation, they might not all have the lines as delineated as that, right. Yes. Because they're just not at the same scale, right. Not enough scale, yeah. But equally, when you do have the scale, and you've got all that in place, you know, there's a decent body of thought that says, you know, there's some real issues to be managed. The three lines is not a panacea for solving everything. No. And particularly, if those lines, you still need collaboration. You still need sharing of information. And this, again, goes to aspects of risk culture. Because, you know, there's line one. So, if they think, "Risk is compliance's job. It's not mine. I'm just here to sell stuff." Right. You know. "I'm here to deal with this customer. I don't deal with, you know." They just, they're the handbrake. There are people that say, "No." That versus, you know, "I'm in the client address here. I've got carriage of risk." Yes. Right. In the manner in which I'm interacting with my clients. And the way in which I'm fulfilling their needs. And the decisions I'm making about taking a product, or developing a product, and taking that to market. You know, I want that to be a quality outcome.
And my thinking around risk is part of that. And that gets, flows into how different organisations, to varying degrees, incorporate risk into their product development, service development cycles. And you know, there's the nice term of compliance by design, for example, which has that as an overt part of developing new solutions. Yes, absolutely. So, but that's just another example of, I guess, of risk culture. But also accountabilities within an organisation. Yes. And as new things get created, and work through their decision cycles, you know, what are the questions that are asked at each point of that cycle? Yes. It's about establishing a culture in a business, where everyone knows that the risk and compliance team are there as the angel on your shoulder, and to help you to make sure that you don't make a big mistake that costs a company a lot of money. Well, yeah, I mean, ideally if, you know, if you're in the front, irrespective of where you sit in that, culturally you're trying to do the right thing. Yes. And also, you're empowered to do the right thing. And increasingly, you're seeing the development of supporting technology. Yes. You know, sort of, regtech [regulatory technology] platforms, if you like, that can take things like complaints, and incident management, and those things. They're right in the front line. Yes, right, right. So, and there's some pieces around that. Around educating, you know, what is or isn't significant. And, but to be able to capture that insight at the front line. And have the front line, you know, feel that they're part of that. Yes. And then that generates insights that the compliance line two teams can, and/or line one quality assurance teams, can review and draw insight from. So, increasingly, you know, you're seeing the ability to leverage technology to help with some of those things.
But like all technology, whether it's that, or a CRM [customer relationship management] platform, it's about behaviours and education, as well. And you know, and it's interesting, even when you think around things like incidents, you know. Depending on the person who sees that incident, they might look at it and go, “I don't think that's a big deal.” Yes. Right. And then someone else, who maybe can bring, has had more experience. Has more knowledge of the organisation. More knowledge of the market. Might look at that, and go, “That's only a one thing that is a big deal!” Right. You know. Yes. So, and I guess, that's part of, as you build culture, and you build the framework up, you know. Because that's not a risk issue. Right. It's the education, through. That's way too detailed. That's at a front-line thinking. Empowered to put their hand up. And that's where the training, and stuff, through the organisation is so important. Yeah. And just embedding. It just becomes, it's part of how we do it. It's about delivering better outcomes, whether it's for customers, shareholders, employees, all the stakeholders. Because no one likes things going wrong like that. No, no. But equally, you know, the framing of decisions around doing new stuff, you know, and how that's thought about. I mean, you still want people to feel, you do have to push the boat out on some things, right. Yes. You know, see you're not going to go forward without taking risk. Again, business is about taking risk, yeah. Yeah. Well, that's been cool, Phil. I think I might have to come and tackle you another day, and carry on this conversation a little bit. Because there's other areas that we haven't talked about. But thank you very much for your time today! I'll look forward to catching up with you again soon. All good. And I'll see you next episode. Thank you.