The following is a recap of the Q&A section from our live webinar in April. I spoke with Peter Deans, former Bank of Queensland Chief Risk Officer. The interview has been lightly edited for clarity.
Can you please elaborate on how to exit from crisis management in a controlled manner? Specifically, in regard to COVID-19 as there really is no end date like a financial crisis.
I think for the businesses that have had to activate comprehensive business continuity plans and crisis management plans, it's really matter of mapping out what a progressive easing or progressive return to some sort of normality would be. I think the professional services firms, office- based ones, it's probably a more interesting question because a number of them already talked about not returning to exactly the way they were.
Kelly Bayer Rosmarin CEO of Optus - I worked with Kelly at CBA - and she came out last week and said that they won't return to the office environments as they did previously, and of course they're bringing onshore a lot of the contact centre activity that was previously done offshore and that will be staying permanently. So I think it's a matter of just planning out what the redesigned operating model or business model is because I think every business will actually be a little bit different.
The one thing I think you need to probably have is have a couple of timelines because ultimately, we all are dependent upon the government providing a lead in terms of when restrictions get eased and what the nature that is.
You spoke a bit about Risk Managers being the back-room boys and girls. Given they are probably working hard now, how should they be getting in front of execs and boards and making their work more visible?
I think it falls back on executives in the boards to take some ownership of risk management and to reflect on: what could we have done differently, how more resilient could we have been, could we have practiced crisis management exercises more, could we have thought more about business continuity.
Ultimately, for the risk managers particularly if they're a little bit down the hierarchy, there are limits to what they can do in terms of forcing change. It’s a cliché “you can lead a horse to water, you can't make it drink”. And I think structural changes is a key thing for those that don't have a head of Enterprise Risk Management or a Chief Risk Officer or some very senior executive with visibility in the organisation.
Every organisation can be a little bit different but I would expect that once the dust has settled, the boards will need to have a rethink about how they manage all things risk.
Decades of globalisation, decentralisation, establishing longer supply chains into low cost countries, implementing lean and just-in-time manufacturing processes. Will this pandemic result in a reversal (to some degree) of these approaches/strategies and how will this impact the risk landscape?
Absolutely. I think the biggest tech companies in the US - the likes of Apple and so on - have actually had multiple manufacturing operations in multiple countries so that they won't rely on only one.
What this however has shown is that there are key components which are actually only manufactured in one region or one company. So this will probably be for the executives to pull apart supply chains and treat it as the wake-up call, for not just businesses but governments themselves, to rethink on dependency now.
Everyone will have a bit of a think about just-in-time likewise, and people may be prepared to invest a bit more in inventory for a longer period. This is also the trade-off that people will be staring into, with traded off financial performance for business resilience at a high-level.
How do you communicate the somewhat abstract value of scenario planning to Executives who don't inherently understand it or view it as a low-confidence look into the crystal ball?
I probably say if they don't get it now they probably never will.
I don't think you're going to be able to persuade someone who fundamentally doesn't see value. I think the strategy or technique is you really find someone around the executive or executives that don't get it, and it can be lateral.
So let's say it's a CEO who doesn't understand it, so get the CFO on board, get the other executives on board, go and find someone on the board, or the owner or shareholder. Find someone who is a True Believer who can help you work around and get the majority consensus holding sway.
Have you seen any new risks emerge from COVID or are the current risks just amplified the ones you've identified in 52 Risks?
I could expand the risk categories but ultimately do you want to put “terrorist attack” as a risk, “pandemic” as a risk, “civil unrest” as a risk, “asteroid hitting the planet” as a risk?
It's more looking at the resilience of the business through the 52 Risks lens. Have a look at the categories and think about to what extent if there was a disruption and what type of disruption it could be.
The pandemic has highlighted probably 6 or 8 risks in the 52 Risks categories: revenue, supply chain, outsource, labour supply risk, partner risk.
So I think the risk categories are all there, it's a matter of not worrying too much about what might have caused them because you will spend too much time crystal ball gazing to use that phrase something else posed early on.
Source: 52risks
Do you foresee a jump in interest in supply chain risk?
That partner risk you speak of is something that our clients lean on our platform a lot to do. For example, they're asking their supply chain or suppliers through on-boarding questionnaires: “do you have any loan facilities that if taken away is going to have a material impact on your ability to deliver your contracted services?” Do you see it's something that's really going to start dialling up?
Yeah absolutely. There’s a good news story here again drawing back on my time at BOQ. We went from having a fairly nice procurement function that developed and became a lot more sophisticated over 7 years. I think that mirrored the sophistication in the procurement sector more generally.
So, I think the sector will just continue on the very good journey it's been on to date. Another one of the favourite phrases “diversification cures almost all ills” and I think obviously having multiple suppliers at the end of the day is better than a sole supplier from a business continuity perspective.
The key decisions you always want to weigh up is “does the risk of being reliant solely on one outweigh the benefits from the financial, contractual and partnering perspective?”
From a financial risk, have you seen any examples of fraud within the process of "Procure to Pay" during this COVID distraction?
A little bit of a double-edged sword here with digitisation of payments processes. Supply chains have left those channels more open to fraud, and the fraud people are very sophisticated commercial enterprises.
I did actually have a chief security officer at BOQ and he spent a bit of time chasing those people all around Eastern Europe and he said they are just like commercial businesses that come to work every Monday morning, they have sales meeting on what’s on this week.
Emerging trends and opportunities and payments channels is obviously where they’re zeroing in on because a lot of their normal channels - over the counter, payments in shops, credit card usage in a physical sense has almost ceased to exist, it's all over the internet POS payments.
Felix actually developed functionality to help mitigate that type of risk. It's not specific to COVID. The capturing functionality in that vendor onboarding step mandates that banking details need to be validated a couple of times when vendors want to request a change.
Because we have clients that have experienced instances of disgruntled employee reaching out to a supplier and saying “hey, we’ve changed our bank account details can you please pay into my personal bank account” or whatever it may be. So, I think there are definitely some functions out there that can assist. If you're interested in learning little bit more that about that please reach out to us and we can chat further.
Insurance is an important tool in managing risk. How do you see this changing as insurers are losing money with drought, bushfires, floods and now COVID-19? Also many organisations look to outsource as much risk as possible to their suppliers but who will want to take on this risk?
For the insurance sector more broadly, they have a couple of challenges here. One is obviously the overall loss - contrast Australian-based insurers, or general insurers that cover droughts, bush fires and floods vs Global insurers. The Australian insurance sector is challenged from a general insurance perspective. I think those that are active in the other insurance lines, for example trade credit insurance and business interruption insurance to the extent, it covers pandemics. Likewise, they will be challenged from a returns perspective for the next few years.
What actually makes it more problematic - and this is probably the global insurance industry lens here - is that there has been, to a large extent - and I wouldn't use the word subsidisation or cross-subsidisation - but to a large extent, the insurers when they're looking at premiums and returns on insurance business, they do look at the investment portfolio from the premiums that they’d collect and of course the investment portfolio this year would have performed very poorly.
In eras of zero interest rates, likewise the outlook won’t look great for the investment portfolio. So all things being equal, you'd probably see a premium increase or as insurers call it “a tightening in the market.” It’s their favourite phrase - which means you’re covered for less and less and they charge you more.
I think in terms of this allocation of risk between suppliers and customers, at the end of the day, it's going to have to be case-by-case. Insurers will be risk-averse for a number years now for all the reasons I’ve talked about, and there will be a greater level of self-insurance across many types of business risks, including trade credit.
Can you elaborate on the alignment of risk management and remuneration? Is that alignment better than alignment with performance or KPIs such as cost reduction?
The phrase that the financial services sector has been using for a number of years now is “gate openers” - and I know this has spread more broadly into the corporate sector - where you essentially have to have gate openers from a Risk and Compliance perspective to get any sort of performance bonuses or incentives.
I think that's a good approach and again probably the devil's in the details on how you actually document what gate openers are in a simplistic sense. It might simply means completing your online compliance training or going to a workshop which achieves something but probably what you want is the sole gate opener for a bonus.
But I think pulling together a basket of KPIs or target minimum thresholds to get over, is certainly the right approach in terms of designing remuneration frameworks.
The bigger question - and where this tends to fall down a little bit - is not exercising discretion when there’s been clear risk management failures. During the financial services Royal Commission, you saw quite a lot of examples given where boards and remuneration committees had turned a blind eye or played down what were clear Risk and Compliance failures to facilitate the continued payment of bonuses and incentives.
You'll see in the next year or two that most businesses won't be in a financial position to pay any sort of sales or incentive targets. The majority of the world will just be getting their base pay - probably lower base pay - until profitability is restored. But I think there's been a good progress in spreading.
And the good thing is if you look at the HR sector, they have been quite good in recent times at picking up some of these industry trends and the consultants do a great job at rolling them out right across industries, sharing best practice. So I think you will see more and more alignment of risk and remuneration.
What role can technology play in regard to risk / compliance mitigation during and post-Covid, can you give any examples?
One of my criticisms of the risk profession is that they've been a little bit slow taking up technology. Things like risk registers, which list individual risk items, at some organisations go into the thousands of lines of an Excel spreadsheet. When it gets up to management committees and boards, there's an element of ‘you can't see the forest for the trees’ and I think many organisations today are still using manual reporting processes to report bottom-up risks which tend to be more that operational risk category. That discussion has also slightly skewed the conversation towards the micro measurable risks, and it's meant that there hasn't been enough time or hasn't been an inclination to think about some of the more macro risk such as a pandemic.
So you’ll find many organisations that have got very healthy and detailed risk reporting every month but it was missing the bigger picture. I think it's balancing up using technology so that time is freed up for Risk and Compliance Managers to do that reporting, to filter out all the noise. A lot of things particularly compliance risks can and should be managed down the line. There needs to be assurance up the line that it is being effectively managed, but you don’t need a detailed show-and-tell of all the compliance and regulatory reporting that many organisations have.
There are some good Governance Risk and Compliance solutions out there. And many of them tackle individual verticals such as Felix. You guys are a compliance solution for your verticals. But I think there's still a need for a more holistic approach that does actually merge top-down and bottom-up.
Yeah, absolutely. And from our own perspective, a good example of a piece of technology that can play a role in compliance management during and post COVID is Felix. It ensures that organisations are only engaging compliant vendors, with periodic expiries or renewal notifications of insurance and compliance documentation. As I said earlier in the presentation, it's putting those things in the hands of buyers who need to engage from those suppliers and during a COVID environment where people are working from home, that's a really powerful thing.
Want to watch the full webinar with Peter's presentation? Head over to this page to register.
About Peter Deans
Peter Deans is a former Chief Risk Officer and risk management specialist. Peter retired from banking & finance in 2019 after a career of over 32 years at several Australian and international banks.
Peter is now a risk and strategy consultant supporting companies in the financial services, corporate and start up/technology sectors. Peter was awarded Australian Banking & Finance magazine’s Chief Risk Officer of the Year award in 2014, 2015, 2016 and 2018.
Peter is also the Creator & Founder of the 52 Risks management framework and a Non-Executive Director of The Regtech Association in Australia.