Today’s conversation is a little bit different. We’ve partnered with Australia’s GRC Institute to bring you the latest in governance, risk and compliance. Each quarter, we’ll be joined by the GRC’s CEO Naomi Burley to discuss the hot topics in risk management.
In this podcast (31 mins), Nathan and Naomi discuss:
- The 3 hottest topics in governance, risk & compliance this quarter
- How risk professionals and boards can use leading indicators to prevent incidents
- The disconnect between how fraud and culture risks are managed
- Why governance, risk & compliance professionals need a seat at the board table
- How to build a proactive risk culture
Nathan Luker: [00:00:01] Welcome to the RelyOn Podcast, a show that delivers practical insights for leaders to build better organisations where people can live, work and study. I’m Nathan Luker, co-founder at Rely, where we help some of the best-known brands prevent, detect and respond to culture and conduct issues via our intelligent platform. Welcome back to the show. Today’s conversation is a little bit different. We’ve partnered with Australia’s GRC Institute to bring you the latest happenings and expertise across governance, risk and compliance. Each quarter, we’ll be joined by the GRC’s CEO Naomi Burley to discuss the hot topics in risk management. So, Naomi, welcome.
Naomi Burley: [00:00:41] Thank you, Nathan. It’s such a pleasure to be here. I really enjoyed all the things we’ve done together in the past. So it’s very exciting to be speaking to a different audience from our members.
Nathan Luker: [00:00:53] Maybe we can start off with telling us a little bit about the Institute.
Naomi Burley: [00:00:57] So the GRC Institute is the Premier Member Association for Compliance, Risk and Governance Professionals in our region. We’re primarily around that compliance space. So the risk we look at a lot is around that obligations risk, culture risk, all those sort of things that fit in around that behavioural bit and meeting stakeholder expectations. We’ve got about 3000 financial members and another 3000 guest users who come in and do different activities with us on and off. It’s a funny kind of profession where not everyone identifies as a compliance professional long term, but they flit in and out of these line two roles. So that’s where we try and fill their need with those we cut across all industries. There’s a lot of financial services there, but across all industries in Australia and New Zealand.
Nathan Luker: [00:01:52] We’re going to be doing these quarterly. As we said, we’d thought we’d kick off with our opener that we’ve introduced the GRC three, the three big things in risk news. We’re going to start off with a late 2022 to now — take us away.
Naomi Burley: [00:02:06] Oh look, there are some really big things happening in this space, especially if you are in financial services or you have your ear to the ground about executive accountability, and that extends across all industries. So I think that nexus between actually understanding where risk management, stakeholder expectations, culture and your obligations fit, along with holding executives accountable, is a big theme emerging out of that. Even if things like the FAR regime, which you’ll know about if you’re in financial services, or a specific executive accountability regime, haven’t come in yet, there are implications under the Corporations Act and there’s media and stakeholder interest ever since the Royal Commission for organisations to be held accountable. So that’s a really big theme, because I don’t think executives are across their non-financial risks. Very, very good with their financial risks, not so good with these nuances around behaviour and around culture, necessarily grasping those intangibles. So that’s a big one. The other big thing that’s come to light from members discussing it is the constant reshuffle internally in organisations, mergers and acquisitions. It’s a lot of volatility when you get economic pressure on organisations, and that is playing out in interesting ways with gaps emerging in risk management: the owner of a previous risk might no longer be there or might have moved into another position. So organisations are actually finding themselves with no one looking after some key risks. So those are two big ones that came out of nowhere. And then there are increased regulatory expectations around the management of these non-financial risks, that you actually have a very good handle on those, especially in the technology space, obviously in data privacy, which is a really difficult one, but as well that you are, from an executive point of view, pushing the ship in the right direction as a holistic ship.
And I think that’s where you and I have found a lot of synergies between whistleblowing and having open conversations and getting a feel for the culture of an organisation, because that’s what can shift people over the line with behaviours you don’t want to see, and that brings you afoul of your regulator. So some big things.
Nathan Luker: [00:04:34] Interested about point two about people being on the risk register that are no longer with the organisation or responsible for that element. How are best practice organisations handling that at the moment in practice?
Naomi Burley: [00:04:47] Look, we’re hearing from members that what that involves then is a massive project, and they’re getting specialists who are then remapping those risks and making sure they’re actually up to date and there’s someone in there. But I think it’s been a little bit of a sleeping issue for some people, not realising until the proverbial happens in a particular area and no one knows who to talk to, no one knows who to ask or why that wasn’t being monitored. We’ve had different trends around simplifying board papers and simplifying controls, and then you realise you’ve actually cut off something that’s really, really essential because there was no one to speak up and advocate for that control staying in place. So yeah, it’s an interesting one. And I think lead risk indicators are something that we have talked about for a really long time, and our near misses as the nirvana: if you can get a grasp on what those look like, what they feel like, they become tangible data for you, you could be a little bit ahead of knowing what your priorities are. But they’re really hard to get data around, to all agree that that was a near miss, that it’s actually related to a potential incident, so it can become a hot topic for debate and might seem like a luxury item when you haven’t got your key risks in order. So it’s one of those things that cyclically we revisit and we try and encourage members to look for them. But they’re hard pushed sometimes to identify what that might actually look like in their organisation.
Nathan Luker: [00:06:17] And in relation to where I guess it’s stemming from, there’d be very few people that would argue against the spirit of the program to strengthen and increase, you know, at an individual entity level, their accountability across financial and non-financial conduct risk. What are the discussions among risk leaders at the moment about how they’re approaching the commencement date, and how are they planning this shift? Is it a phased approach? Some context would be wonderful.
Naomi Burley: [00:06:47] Yeah. Look, because it’s gone back and it’s being revisited again and may take a while to introduce, it’s going to be another one of those ones where everyone was set and ready to go when they thought it was coming in. And now they’ve got to reset. And there’s a bit of a reset. But I agree with you. I think the conversations that have been had to date have been incredibly valuable for organisations, for someone who is in that key role, who is likely to have their name put forward as the accountable person, to really get a good handle on what that looks like. So in practice, what has it been for those who are leading this discussion? It’s been a whole lot of uplift in those leadership roles around understanding what those risks actually look like, getting their terminology straight across that organisation so that they all agree what reporting they’ll need, what language they need to use, that an incident is an incident versus something else. So those who are leading this and who are getting prepared, and who will be prepared for whatever comes across their plate, are having those conversations already and they are getting uplift in those leadership positions. The worry will be if it’s delayed and you get shifts in those leadership positions, you get new people coming in, you do have to start that process again. So delays in the legislation don’t help anybody, but they are having good conversations. And I think the recent breaches with Optus and Medibank in that privacy space, because that’s really sensitive with your stakeholders, have been great conversation starters for a lot of organisations.
Nathan Luker: [00:08:26] How can these leading indicators of near misses be used by boards and risk professionals to reduce risk and avoid these major incidents? I think there are two parts to the question: using FAR as well, non-eligible entities. I think listeners would be really interested to hear from your member cohort. Is there a trickle-down effect to those risk professionals who are not captured and need to think about that? Are they taking key learnings and applying them? And how did the entire membership base react to what happened in 2022, and how did they mitigate risk at their own organisation?
Naomi Burley: [00:09:03] I think that there are two parts to that question. In terms of the trickle-down, I think what has happened with those conversations around FAR and preparing is a lot of people took lessons from there, and a lot of people took lessons from the UK. And I think there is a very sensible understanding out there in all industries, even those not captured, that stakeholder expectations are around someone being accountable. And even if it’s not formalised, the expectation is like it was with Optus. They weren’t captured. But you expect a scalp there at some point. You expect someone to be standing up in front of that room of journalists and explaining your position, you know, so that’s as bitey as it can get. And standing up there and saying, oh, we don’t actually know what happened. We can see that that does not meet anyone’s measure for having a handle on running your organisation when you handle money or you handle data, and data is a new currency, let’s face it; that’s something that we all give away when we sign up to a whole lot of things. And I think people are starting to become a little bit more savvy because it’s got that intersect with scams and frauds and being able to start a new account somewhere. So in that side of things, I think that there’s been greater engagement with risk professionals. So leaders have gone to them and asked their opinion, and they recognised that they can’t just rely on a report being pushed up.
Naomi Burley: [00:10:40] They can’t rely on decisions being made by line two. And that’s a big difference for some organisations where they left their Chief risk Officer to just take care of the risk. And relied very much on them to do it as opposed to engaging with it and making the strategic decisions that needed to be made to support sensible risk decisions. So there’s a little bit of both. I think they also recognise a little bit more, but I think there’s the potential for a lot better growth that they’re the ones pushing the culture piece. And that can take them a long way forward. And I think that leads into your lead indicator question. We’ve had this conversation about culture for a really, really long time and I think that it’s now on a cycle where some leaders in business can understand that some of those lead indicators are buried in that culture piece they’re buried in whether people can report upwards, whether they feel open to criticising their own organisation or whether they feel that their jobs in threat if they raise an issue. So I think some of those best practice people are realising that those are some of the really important lead indicators because otherwise everybody is going to cover their tail and not and not mention anything until it’s too late or they’re going to leave the organisation. And you’re just recruiting new people all the time, which is an issue in itself. So it’s a tough space getting a good lead indicator.
Nathan Luker: [00:12:13] It’s interesting. I connect with what you said about line two and below. There’s always an issue with that. And you know, I think about a really well known global annual report that’s released by the Association of Certified Fraud Examiners, and in essence, they review organisations across hundreds of countries, 130 countries, actually, and they talk about fraud. The average fraud takes 12 months to detect. The median loss is above 100,000 US. And I remember for years there it was approximately 5% of revenues lost to fraud. And they find that tip-offs are one of the leading indicators to detect fraud. And I’ve never seen near miss included there in those report findings. But tip-offs alone, they’re obviously important. With all that information, why is the conversation still happening? Because those findings have been around for a long time. Risk professionals have known this for a long time. How is it happening in practice? Are risk professionals and leaders really making it easy for employees and stakeholders to say something when they see something?
Naomi Burley: [00:13:21] I think that’s a really good question because you’re right, it’s been the same indicators: how you detect fraud is someone saying something. You’ll have organisations that’ve got a really robust three line structure and audit’s not picking it up, or it’s not picking up, as you say, for the 12 month period it’s been going on. So it’s one of those interesting ones where I think, and this is a conversation that a lot of our members are having and we are having as well, the uplift needs to come into acknowledging that some things are a control, like communication can be a monitoring control or indicative of something that you need to dig deeper on. And I think that that is part of it, is that fraud in particular can get siloed because it’s regarded as a specialised area. And I think that there continues to be a disconnect between fraud and culture. And I think they think that it’s something that’s going to happen and there’s no way we could have impact on it culturally. So we’ll just have this little specialised unit over here. And I don’t know that they’re having holistic conversations around what it means or deep diving into that data like in these annual reports and going, okay, but is there an organisation where they could connect that they’re getting more than your statistical average of fraud and their cultural piece? But I do think one of the issues is siloing.
Naomi Burley: [00:14:52] They don’t encourage reporting of, like you say, that kind of near-miss descriptor because there’s no easy basket to put it in. Even if someone was reporting, I think something dodgy is going on, and conducting an investigation into what that might be, no one understands the reporting around when you just have formed a suspicion. So this is also a conversation we have in the AML space, where you have to report a suspicious matter externally to AUSTRAC when you’re financially monitoring. That’s a whole different shift that people in that space have had to take on a journey, where you don’t have to be sure, you don’t have to conduct an investigation, you have to have gotten a suspicion. And that’s really interesting data that goes to AUSTRAC. Now if our law enforcement agencies, because that goes to about seven law enforcement agencies, if they’re collecting all of this data and, like I said, you don’t need to prove it, you’ve just got a suspicion, you formed it, you send off the report. They collect that data from lots of different places and they analyse, and they arrest people based on that accumulating enough data. And I think that’s what organisations don’t do well. They don’t even encourage a “you formed a suspicion” or “you are uncomfortable about a situation” reporting. They only want to utilise the hotline for something you’re really sure about. And that’s what human beings do. They wait until they’re absolutely sure.
Nathan Luker: [00:16:16] Life doesn’t work that way, you know, we help build, as you know, organisations to create listen up, speak up brands. And we have a framework of how we do that. And it’s focused on behaviour change. And we have a great team who deliver that. And the whole focus is on that. And it kind of speaks to psychological safety as well. Really interesting. I want to take us back and double tap on disconnect between fraud and culture. Some listeners may not know what you mean, and I’d love for you to expand on that.
Naomi Burley: [00:16:48] Okay, so the way that I see it structured in a lot of organisations is that there is a specialist fraud team, so they may never necessarily access your normal tip-off line. So that might be someone else monitoring that. And then they send through something that seems obviously to fit in that fraud scheme. So they may monitor in particular ways, but I have never heard of them coming in on a conversation where we talk about the cultural drivers. That’s kind of someone else’s piece of work. So I think that there is a belief in this fraud community, and the auditing of fraud even, that human beings do all this and that your average is at 5% of human beings will try and steal money or, you know, whatever the percentage is, and they’re working on that, as opposed to could we work on this culturally, where everyone wants to belong? You wouldn’t rip off your grandmother. You wouldn’t rip off someone who you had a really strong relationship with. Why do they feel so disconnected from the organisation that they feel like they can steal money from their own organisation that employs them? So maybe it is. Or maybe you just employ criminals. It could be that. It could be the bad apple. But it is that whole bad apple view of the world as opposed to let’s have a look at how strong the tree is. Why are we getting so many bad apples? So I haven’t heard of anyone having that cross discussion around that kind of piece.
Nathan Luker: [00:18:24] We talk internally and with clients, and we use a pretty basic model: is a program for show or for real? You know, and I think always agitating against that, saying these controls, these policies, procedures and programs, are they for real or are they for show? And that’s something we always kind of base ourselves on. And, you know, the same report talks about conduct and culture issues like bullying and intimidation. And we live in this world every single day assisting clients in their programs. They’re clearly red flags. But, you know, Royal Commission after Royal Commission, article after article, it’s actually the opposite problem. The fraud and culture connect. There are actually people making attempts to raise it internally and leaders are failing to act. Do you have an opinion on why that’s happening?
Naomi Burley: [00:19:13] Yeah, I think it comes down to an inability to understand the complexity of what they’re dealing with. You know, the people piece. And again, this is a massive generalisation and someone will listen to this going, Oh, well, my board is different and my senior executives are different, and I think that’s great. But I think this is all in that suite of diversity, inclusion, speak up and culture piece. You don’t see, and I can complain on behalf of our members, I do not see enough compliance and risk people getting directorships, getting non-executive directorships. They ask too many pointy questions, and I know of some members who’ve been pushed off because they focus on the non-financial risk and it’s inconvenient. I don’t know how many people managers or HR people get promoted up to that C-suite enough to lead some of these conversations and make bullying, and make the intersect between that and culture, a real thing. And the same with the bad apples thing, I think it’s very easy from on high to say, well, that’s that individual, they’re a bad apple, let’s handle them and put them somewhere. Or ignore it because whoever is making the complaint is a whinger. So depending on the size of the organisation, their sophistication and understanding of what this means for the organisation as a whole and their maturity around that, you can have a very different outcome. If they’re really experienced, if they’ve worked across industries, if they understand that the people being able to work together is a really important ingredient for your culture piece, then they will address it in a very real way. But where they have very little understanding, they tend to bury it. So that’s where I think that is. It is a lack of understanding of those non-financial risks.
Nathan Luker: [00:21:17] We’re working with a really large organisation in education and we just admire them greatly, because no, they haven’t appointed an HR person or a risk professional to the board. That’s a step that hasn’t been taken. But they have just appointed a culture and conduct subcommittee with cross representation, with risk and HR involved. It’s phenomenal. They are investing in a multifaceted, whole of organisation Listen Up, Speak Up program. It has a brand. Yes, that’s the shiny stuff. The things that make you feel good. But it’s connected to the values. It’s endorsed by the leader. And it’s a full program that connects to the ten year strategic plan. Wow. And there’s a whole range of other elements to it. But that’s what we mean by for real, and that’s it. That took years in the making. It took years to write the strategy, years to get it approved. And then we’re playing, obviously, a small role in that in the grand scheme of things; it’s the people, they’re turning up every day advocating for that change. Now there are some macro trends that have helped that, you know, we’ve spoken about some today. There’s the positive duty also. So is it a compliance lens? Is it a culture lens that they’re taking? Hopefully a mixture of both. But I strongly agree with you. I think people need that better representation. And we can’t look at everything with a negativity bias. You said asking those pointed questions. Well, sometimes they’re just needed. It’s that simple. So you need a bit of everything. You need the commitment, you need the technology and the willingness of people who are receiving these issues to triage them, to do proper data collection, to synthesise them into meaningful stories at those subcommittees. So there is a really complex way to bring this to light. We both know that.
Naomi Burley: [00:23:03] It’s a really complex web. And that was one of the things that our members have been discussing recently. It’s sometimes down in line one, you are buried under all the stuff you have to do as well. We talk about the executives and your board being really busy and they are. There’s a lot of things to turn their attention to that they might not be personally experienced in. But your people in line one are flat chat as well and they sometimes don’t even understand what they’re looking for. Or does it warrant speaking up about this? Because I don’t actually understand what that means or who to call for a particular issue because it looks like X to them and to someone else on the other end of the line, it looks like something else completely, you know, appalling or needs to be escalated in a different way. So it’s a mix of both. And you have to have lots and lots and lots of conversations around it, I feel, to bring it to. But that’s really inspiring that they’ve got a culture and conduct committee. I think that that would be an amazing step forward to even have an intermediary body that can then explain to your executive directors, right, This is what you need to understand about this report we’re setting up and telling stories like you say, translate it for all the different roles within the organisation, and that’s where you would pick up your near misses because someone would go, This probably isn’t the thing, but I saw X, Y, Z, and we’re not actually following the procedure anymore. We’re doing this now because this other thing gets in the way, and that’s what our members find a lot. They’ll go back to review. They’ll realise in their monitoring they’re not actually receiving any data on a particular point. 
You might assume that that means everything’s going great or you might wander into that area of the business and realise they’ve thrown the rule book away because all those controls were getting in the way of them getting stuff done in a quarter of the time they needed to do it. They weren’t trying to be bad, but they thought, we’re getting it done. That’s our job. In the meantime, all your controls are gone on managing that risk, so you have to do a bit of a scramble. And I think that that’s where if you had a meaningful conversation again, so they understood why the process was there. If they don’t like the process, talk about it. Tell us what you want to change. And I think there’s a lot of that doesn’t happen.
Nathan Luker: [00:25:10] Yeah, you’re right. Getting cross representation works we’ve seen works really well. That’s based on and it sounds simple, but based on storytelling. So seeing in the culture and conduct example that we have, I know there’s a plan to use storytelling across departments to talk about a real life scenario or fictitious and try and level the playing field about the language and the acumen of each department. Let’s tell a story about the situation that happened, and a near miss, Oh, let’s talk about some potentials and let’s use our combined skill sets to try and mitigate that. It’s been exciting to watch. Very exciting.
Naomi Burley: [00:25:46] Yeah. And I think it’s one of those little things. You don’t have to wait for it to be a really big thing. They’re little things that can help them shift in a different direction. They see the change happen. And we’ve talked about this a lot in compliance, about the two-way feedback, and quite often what’s identified in organisations, what’s only made visible, is someone getting punished for doing the wrong thing. You know, we take compliance seriously by sacking this person. But there’s also the flip side of that. We take compliance seriously by working with you to get a process that works for you and works for our obligations and works for our stakeholders. Quite often some of the breaches happen in some financial services because line one is actually trying to please the customer. You put a lens on it like that, you know, say with something like onboarding a customer, it’s a really long process. If you misinterpret your obligations, if you’ve got a really clunky process in there and line one just wants to get the customer on and keep the customer happy, and it might not even be about achieving their sales target. They’re just really embarrassed to have to keep asking this customer to keep proving who they are, so they onboard them. And that’s later on a risk, obviously, in the AML space. But in the meantime, with their lens on, they’ve been doing what they believe is driving their integrity and value in that organisation. It’s not meeting their obligations though, so there needs to be a marrying of that. And if you can see improvements and engagements, that’s also another way for, like you say, a little thing, but it’s driving that your opinion matters to us. What you say to us matters. If you are concerned, it matters. You don’t have to come to us with a big stick of dynamite, you know, lit, before we’ll pay attention to you.
Nathan Luker: [00:27:33] That’s a great example. You know, I’m just reflecting on a discussion I had a few days ago in Sydney with a client who their strategy was a lunch and learn every month where they invited as many people that wanted to attend. They have a fun award that they give out. I think they call it something along the lines of a risk ninja or something along that nature. But it’s not for the risk team, it’s for others. And they really focused on how can we reward people having a risk mindset. And that’s what we’re going to optimise for as part of our risk appetite, part of our business objectives. Because you and I are touching a lot on other objectives, I guess, that that cause behaviour. It was a really beautiful example. It was humanising the risk team, having a lunch and learn, and I think they put on a few coffees and it was a really large organisation and not every month would there be a large turnout, but sometimes there would be. And over time they’re seeing that change. And there’s a range of branding the risk team are doing on laptop stickers and all sorts of things just to drive home that appetite and that to show that risk is everyone’s job. And it’s a great example.
Naomi Burley: [00:28:43] It’s things like that. Yeah. A lot of our members are out there trying to engage in those fun, collegiate ways, getting input, and hopefully gone are the bad old days where line two functions are just imposing: this is how you’re going to do it and this is what you need to do to comply, without actually consulting the people who need to do the complying. And so it’s really great if you can build risk champions in line one. They don’t have to make the strategic decisions. They don’t have to make a call, but they can absolutely have the right mindset. And then as well, your speaking up becomes incredibly valuable because they know what to tell you about.
Nathan Luker: [00:29:23] Yeah, exactly right. You know, the same client I was talking to, I was talking about speaking up and, you know, a very similar line to what you just said. And I actually got corrected and was told, no, speaking up, creating a speak up, that’s when you haven’t got it. He goes, This is just the way we are now. So it’s an expectation. So I understand what that’s communicating, which is that’s just a minimum expectation of being here now. No one even thinks about it. You just speak up. And I thought, what a wonderful place to get to. Because, you know, in our discussions you can always talk about the group who could do better. And it’s a wonderful thing to see that they feel as though they’ve reached that position. And no doubt, you know, there’ll be a storm coming like any organisation has to deal with from a risk perspective, and they’ll deal with it and hopefully be better off for it. Anyone in your membership group, or anyone who’s heard you speak and dealt with Kwame and the team, really recognises how much value you add to the profession and how you bring a really rich tapestry to the way that you deliver your training, your insights, etcetera. That isn’t niche. It’s really broad, like our convo today, and I think that’s why I love chatting with you and bringing this series to listeners. To complete the sentence, we’re not going to ask you every episode, but we need to ask you today: Great cultures rely on…
Naomi Burley: [00:30:32] Open communication. I thought about this one before I came on and thought this. That’s it.
Nathan Luker: [00:30:39] Well said. Non-threatening, inclusive communication. Yeah.
Naomi Burley: [00:30:44] Nobody has a bad idea communication.
Nathan Luker: [00:30:49] Speaks to my heart. One of our values is think straight, talk straight. So I couldn’t agree more. Naomi, thank you so much. Look forward to next quarter when we have you back on.
Naomi Burley: [00:31:01] Me too. Thank you. And thank you for your inspirational examples. I’m going to be going back to the membership and mentioning that they should perhaps have a culture and conduct committee. That’s a good innovation. I like it.
Nathan Luker: [00:31:13] It pushes the needle. Good to hear. Thanks so much, Naomi.
Naomi Burley: [00:31:18] Thank you.
Nathan Luker: [00:31:20] Thanks for listening to RelyOn. You can access the show notes from this episode, download resources and listen to other episodes at relyplatform.com. If you enjoyed the episode, we welcome you to submit a review or send an email to email@example.com.