Risk Culture with Anne-Marie Paterson


Host, Nathan Luker, is joined by AMP’s former Chief Risk Officer, Anne-Marie Paterson, to discuss how to lead an intelligent risk culture that supports innovation and high performance without sacrificing good governance.

In this podcast (30 mins), Nathan and Anne-Marie discuss:

  • What is a risk culture?
  • The role of whistleblowing to build an integrity-led culture
  • The role of data, metrics and technology in supporting governance and risk professionals to build a risk culture
  • Anne-Marie’s insights on good governance from working in the highly-regulated banking & finance sector

If you’re enjoying the show, subscribe and submit a review via Apple or Spotify.

Additional Resources

Here are some additional resources that will help you explore building an intelligent risk culture

Podcast Transcript

Nathan Luker: [00:00:03] Welcome to the RelyON podcast, a show that delivers practical insights for leaders to build better organisations where people can live, work and study. I’m Nathan Luker, co-founder at Rely, where we help some of the best known brands prevent, detect and respond to culture and conduct issues via our intelligent platform. In today’s conversation, I’m joined by Anne-Marie Paterson, the former Chief Risk Officer of Governance, Integrity and Business Services at AMP and we’re exploring risk culture. Welcome to the show, Anne-Marie.

Anne-Marie Paterson: [00:00:36] Thanks for having me, Nathan.

Nathan Luker: [00:00:39] Anne-Marie, you were the finalist in the 2021 Governance Top 100, and you’ve been an executive leader in large, sophisticated and highly regulated financial institutions like CommBank, AMP, and you’ve worked at some really large not-for-profits like the Salvos. It’s an interesting career. Can you start off by telling our listeners a little bit about yourself and what drives your passion for good governance and building better workplace cultures?

Anne-Marie Paterson: [00:01:03] So in answering this question. I’m thinking back to from the outset of my career and the different roles that I’ve had, the different experiences and the different companies I’ve come across and what I’ve reflected on is that when people go into a business, they never go into it with the aim of having poor governance or a toxic workplace. I’m yet to meet a company where that is its aim. But what I do find is that a lot of businesses might start off relatively small. And the purpose of that business usually is not to have great governance and a great workplace culture either. The purpose is to deliver a service, to produce goods, whatever that might be, to drive a profit, or if you’re a not-for-profit, to still drive an income, to be able to use that for other purposes. And so, one of my chief observations is that when people go into these businesses and when you’re working in them, you may not necessarily be a governance specialist, you may not necessarily be a culture specialist. You are focused on what you know best and that is your product or your service, and that is what you’re driving forward. And so when I’ve come into businesses and I’ve seen some of the problems that they face, whether it be a bullying concern, it could be some kind of dispute resolution, it could be a regulatory problem. It’s not usually about a lack of intention to have good governance or to have a great workplace. It’s usually because the person is so passionate about what they do know and what they are best at that they’ve perhaps neglected to think about the overarching ecosystem in which their business is being run. And so as time went on in my own career, having been a lawyer for approximately 17 years before moving more towards the corporate space and working with lots of different businesses, both big and small, both not for profit, government regulated and unregulated, I found they all have that common link, which is you’ve got circumstances where perhaps governance and good risk culture and good workplace culture is not at the forefront of their mind. It becomes something that will get to it when we can because we’re very busy doing X, Y and Z. And so I’ve become really passionate because I believe to get the best out of your business, to be able to satisfy your customers, your clients, your stakeholders, your shareholders, your members, if you’re, for example, a superannuation trustee, you need to have a really solid governance in the first place, but you also need a good workplace culture because otherwise things can go pear-shaped very quickly. And so my passion comes from being able to come into a company and see what’s going on and be able to work with the company to help enhance the governance and enhance the workplace culture so that overall, whatever they are selling, whether it’s a service or a good or a product, they’re really meeting the needs of their customers and their stakeholders and shareholders, and that then drives better business.

Nathan Luker: [00:04:34] I love that you highlighted the intersection of risk culture, BAU and building a better business. Before we progress, can we start with the basics? Can you define risk culture?

Anne-Marie Paterson: [00:04:47] Sure. So risk culture is a subset of culture. So let’s just keep that really simple. That’s what it is. It’s a subset of the culture. Risk culture is about how you manage risk, not what you’re doing, but how you’re doing it. It’s the behaviours around risk management. And that’s why when we talk about risk culture, it is really important to understand that it is that subset of culture. It is the behaviours. That is in a nutshell. You can read lots of white papers. You can look on the Internet and see lots of material. But if you want to break it down really simply, it is how you manage risk that is it as simple as it can be.

Nathan Luker: [00:05:31] It’s a good point, Anne-Marie. If risk culture is a subset of a broader culture and we know how difficult culture in general is to change and how long it takes, where does someone stop?

Anne-Marie Paterson: [00:05:46] I think if you’re tasked with developing a risk culture program, with uplifting risk culture in an existing business, or if you’re starting a business. It all comes back to looking at the current ecosystem, looking at the current culture that you have in the workplace. With risk culture, there are the ten dimensions as per APRA’s guidelines, which is for those that are regulated by APRA, but it’s all equally applicable to those that are not regulated APRA. And it focuses on dimensions such as leadership, such as challenge, being able to speak up, understanding, risk, understanding responsibilities. And there’s a whole raft of them which you’ll be able to see on our website afterwards with the link to the ten dimensions of risk culture. And so I think it’s important when you enter into an organisation and you’re looking at risk culture, you need to get a really good lay of the land. What is currently going on in that organisation? What are the surveys? If there speak up surveys being undertaken, if there are dashboards that talk about issues or incidents or anything to do with risk, you need to have a look at what is currently going on and doing an assessment as to where you’re currently sitting. Every organisation will be different when it comes to risk culture. Risk culture is not something that has an end date. It continues like culture as well. It’s not that you ever reach a certain level and go, tick, we’ve got this great risk culture and we’re not going to do anything more with it. It’s something that continuously matures. And I think we’re yet to see a company that could actually stand up and say we have a perfect risk culture. And so when you’re dealing with risk culture, you’re wanting to look at how risk is managed within that business. And again, the focus is on how, not on what someone is doing, not on the metrics, but on how you are actually managing risk culture. What I really like is when you’re talking about leadership, everyone talks about it comes from a tone from the top. But it’s not just the tone from the top. There’s also the echo from the bottom. You want to meet mid-way, you want the person, whether they’re in the mailroom or the CEO, to understand what is risk and what does it mean to that person and to the company they’re employed with, and how do they manage risk? That is the heart of risk culture.

Nathan Luker: [00:08:28] Echo from the bottom. That is a wonderful line, that really gets cut through into what we need to be aware of. And what I’ve really appreciated in our discussions, what you’ve taught me and also in the content and events that you’ve been in, is universal adoption and application I guess across an organisation. As you say, it needs to be heard upwards, and it’s the same with whistleblowing in a way. And you could argue the whistleblowers, some of the most loyal employees, when you look at it that way, it changes the dynamic and the echo from the bottom is another wonderful way to think about that. I want to take us to 2019 and 2020. What a year and a period for the banking and finance sector. The royal commission findings were handed down ASIC’s launch legal proceedings against many in the sector and the spotlight was well and truly on leaders in the sector around their culture and conduct issues. At the time, you’re the group whistleblowing officer in charge of a team in managing culture and conduct and integrity. What did you learn? What did you learn about leadership, about conduct, culture, change, management, and risk culture?

Anne-Marie Paterson: [00:09:39] Whistleblowing is a key component of risk culture in setting up the whistleblowing program in 2019, it became apparent how a lot of findings that come from whistleblowing matters are so interwoven with culture and risk culture. And it was to the extent that it was necessary to bring risk, culture and whistleblowing together with whistleblowing being, as I said earlier, a key component. Having an organisation where people feel safe to speak up, where people feel safe to constructively challenge ideas, to be able to collaborate, to be able to talk about risks, to be able to talk about issues in a way where they’re not subject to any kind of retaliation, where their thoughts and their diversity of thought is encouraged, is absolutely critical in establishing a strong risk culture. And so during 2019 and 2020, with the spotlight the media had on financial services and on our culture. What I saw was a huge shift in how we thought about risk. Traditionally, many risk professionals would classify financial risk as the primary area where a company could become undone. But after the Royal Commission  and after, and following sorry, the aftermath of that. It was really apparent that it’s non-financial risk, which is sometimes harder to quantify. That is the real issue for many organisations. And while the Royal Commission really looked at the banking and finance industry, this is prevalent across the board and I can look back historically at various companies that I have consulted or worked with or provided legal advice to where I can see that it’s a non-financial risk that has been the biggest problem and the biggest barrier to growth, to success. So 2019 and 2020 shone the light on non-financial risk, which is just one component of risk. But it’s the component that talks about your conduct, that talks a lot about how you’re doing things, not what you’re doing, but how you’re doing it. And again, the how is what risk culture is. So in many respects, it joined whistleblowing and risk culture together for me. So I was able to understand how a lot of the work that was being done in whistleblowing was having a direct correlation to the risk culture and the health of risk culture in an organisation and to see where all the dots are joined and how you can’t separate the two. In the same way, ou can’t separate risk culture from risk management from your traditional ways of managing risk. It all has to be linked because it is all about how we do things as opposed to what you’re doing. And a lot of the time with whistleblowing matters, it’s how things have been conducted as opposed to what has been conducted. And so, again, it really highlights how significant non-financial risk, such as conduct risk can be for an organisation and the health of an organisation.

Nathan Luker: [00:13:16] I’d like to really interesting to double tap into whistleblowing and the focus on how things are done. You talk to us more about that. What insights can you share about managing those types of whistleblowing matters?

Anne-Marie Paterson: [00:13:30] So whistleblowing from the changes to the Corporations Act in 2019, obviously there was a huge increase in the scope of matters that fell within the whistleblowing regime under the Corporations Act as as opposed to previously. And so suddenly you had matters such as workplace safety concerns, where there could be an indictable offence that was suddenly being captured by the Corporations Act. So in its truest sense, you know, certain degrees of bullying or work or safety issues could be captured. You could have racial vilification matters that were being captured by the Corporations Act and a whole raft of other kinds of matters. And when you look at some of those concerns, so take, for example, bullying. It is often how people are conducting themselves as opposed to what they’re doing. So it’s not the fact that they spoke to someone, it’s how they spoke to someone. It’s not the fact that they are, whatever the situation might be, if it was a sexual harassment. It’s not the fact that they are complimenting someone, it’s how they are doing it and how it’s being received. And so the how we so important, it’s not to say that there isn’t conduct that’s inappropriate associated with the what, there certainly is, such as fraud and discrimination and so on. But how we do things has such a vital impact on the business and the culture. And that’s why I look at things like non-financial risk and say a lot of that is about the how. And that’s why it’s harder to quantify. It’s like when someone says, well, what makes a great culture? I don’t think there’s any one answer because a lot of the views are subjective and they have to take into account the broader circumstances of a workplace. And that’s why risk culture is so interesting because it really focuses on the how.

Nathan Luker: [00:15:33] It’s fascinating. Same with our work with whistleblowers as well. Your experiences are very similar to those across all organisations around the how. Connecting to your dots earlier about no one is turning up to work usually, the vast majority of people, to do a bad thing and people also aren’t turning up to work to be a whistleblower. And we both agree that whistleblowing and whistleblowers are critical to creating a positive culture and are a risk culture by default. How did you go about encouraging people to do that? How did you go about encouraging people to not be passive bystanders, to be active bystanders, to where that whistleblower badge with pride? What was your approach? I think if I would be fascinated to know how you achieve such a positive experience.

Anne-Marie Paterson: [00:16:17] So for me, when I talk about whistleblowing, I don’t dilute the name when I do seminars, whether they be internal or external. I think it’s important to understand that whistleblowing is what the legislation says it is. Whistleblowing is what is protected, and there really shouldn’t be a stigma around whistleblowing. The way that I’ve approached whistleblowing and encouraging persons to speak up ties in with risk culture, in having a culture where people feel safe and it’s about understanding what is it that people don’t feel safe? What is it about the name whistleblowing that people don’t like and addressing that. I went to a leadership course a couple of years ago, and probably one of the most powerful things I learnt from that is when you’re speaking with people, it’s really important to understand what motivates them, not about what motivates yourself, but what is it with that person that motivates them, because if you can tap into that, you will be able to influence them in decision making, in all sorts of areas. And the same goes with encouraging people to speak up. What is it that’s motivating them? Is it that they feel there’s a sense of justice that needs to be undertaken? Is it that they feel they’ve been wronged and they want the right thing to occur? What is it that motivates them not to speak up? Do they feel afraid? Do they think  I just can’t do this? What I found in my experience was being able to demonstrate the strength of the law, of whistle blowing. The Corporations Act and the penalties for breaches of confidentiality, of retaliation, are not for the light hearted. And I found that by talking about the penalties, by talking about the actions that could be taken, people stood up that little bit taller and realised that they did have other recourse, that if something didn’t go well with their matter, there was recourse, whether it be through ASIC, whether it be through an emergency disclosure, whatever the case might be. But the number one way that I went about trying to encourage people to speak up was to educate them on what their rights were, what the law says, but also what was I going to do? What was the team going to do? How were we going to manage things? Education and knowledge is power. When people feel empowered, their fear starts to wane. So if someone feels that they’re in control and I really do believe that the Corporations Act puts the whistleblower in control, in control of how a matter is managed, in control of who it’s spoken to, how it’s dealt with, all of that. It gives them a lot of power. And if you feel that you have that power, you’re more likely to be brave enough to speak up. So I think it’s a twofold. One is about education and really educating people in a way that motivates them to do the right thing. And the second is about having a proper process in place and not something that’s only as good as the paper it’s written on. If you say in your process you’re going to do X, Y, Z, you need to do X, Y, Z. And that is so important because all it really takes is for you to provide that surety to one or two people. And they start talking, they start sharing to other people and that’s what I have found over the course of my career with whistleblowing or people raising complaints or issues. It’s been, oh, I spoke to such and such and they told me that they’d raised XYZ with you and this was the result. I now want to raise something similar as well.

Nathan Luker: [00:20:21] Do you find that that aura, that reputation of the people managing the whistleblowing program, your team, essentially, it isn’t just the whistleblowing matters where they’re earning that reputation because you’re absolutely right, that great trade, that the socialisation of the safety is felt through the organisation in very short time that can get around and create the success of a program. But it’s the day to day interactions, it’s how people perceive you in meetings, but they know you’re going to be the person receiving the report in that whistleblowing policy. I know that Anne-Marie and your team are going to be the ones are saving it, anonymous or known, but it’s your overt day to day actions that where you get judged. It isn’t just in how you manage that one report. Its are you a person of high integrity and ethics outside the whistleblowing function? How are you turning up to meetings? Are you inclusive? Are you asking good questions? Are you showing vulnerability, allowing people to fail in day to day, how are you taking on feedback? These things matter as a whistleblower protection and also just an entire whistleblowing team because it’s those day to day actions that drive a lot of the trust and psychological safety. And I want to bring that back to the point that you made, which was brilliant. Like earlier we said the process follows culture. I think speaking up follows listening, or you need to show that you’re listening first. You need to show that there’s trust first to drive people to want to reach out in a way that’s suitable to them. And sometimes that will be through the whistleblowing policy. What other insights did you learn? Do you have other things that you can share? Having operated in a highly regulated sector?

Anne-Marie Paterson: [00:22:01] Reflecting on my various experiences with whistleblowing and managing workplace disputes, I think it’s important that when you enter an organisation, that you might bring an awful lot of experience and knowledge with you. But that does not negate you actually sitting back and observing the organisation and understanding how that organisation works. If you’ve gone from an organisation of 20,000 people to an organisation of a thousand people, you cannot just assume that what worked with 20,000 is going to work with 1000. You need to be able to understand how everything is currently working and to be able to put in place something that is practical and user friendly for that organisation. And I think that is a really big learning, that is something I’ve definitely experienced myself at being able to come in, use your knowledge and your experience, but leave your arrogance at the door. Look at what’s in place to make sure that whatever you are setting up is right for the culture and is right for the purpose of the organisation. Obviously you do have guidelines and so on from ASIC and through the legislation, but how you do things, I’m going to link that back to risk culture again. It’s how you do things and it’s the how that makes the difference. And that can be in how you present yourself at work, how you manage a team, how you set up processes, and also who are you partnering with. Because a lot of the times when you’re dealing with whistleblowing, it can feel quite lonely because you’ve got such strict confidentiality around you. Who are you partnering with? How are you managing things? How are you looking after yourself and your team in what you’re doing? So I think the number one thing I’ve learnt is ensure that whatever program you are putting in place, it’s right for that organisation and take the time to actually look at the ecosystem. Don’t just launch in and start making changes before you’ve realised what is actually occurring in the workplace.

Nathan Luker: [00:24:19] Data and metrics and technology would play a role in that, both when you’re getting started in your example, but then throughout to be successful, to conduct measurements, to building continuous improvement, how have they played a role in your approach to whistleblowing in risk culture?

Anne-Marie Paterson: [00:24:39] So I think metrics and data, what I would always caution people when you’re dealing with metrics and data is they will tell part of the story but not the full story. It’s usually the qualitative metrics which actually tell the real story. And so, metrics and data are really vital in terms of being able to see progress in certain areas. So it might be, for example, issues and incidents, you might have some metrics around the reporting of issues, the managing of issues and incidents and so on and you can see how we are managing risk from that perspective. But you cannot take a metric on the number of issues being managed within a time frame as being a sole indicator of the risk culture of your organisation. You need to look at the broader issues, broader circumstances as well and risk management. Likewise, with whistleblowing, it can be really tricky when you’re looking at data because are you saying you have a successful whistleblowing program because you’ve got an awful lot of whistleblowing occurring? Does that then mean if you have an organisation that doesn’t have a lot of whistleblowing occurring, that it has not so great a risk culture? Again, you’ve got to look at the broader circumstances of what is going on and understand that data and metrics play one part and they are there to help guide the story, but they are not the full story. And that’s why I say the best dashboards tend to have a mix of both quantitative and qualitative data.

Nathan Luker: [00:26:26] Yeah, absolutely Anne-Marie, I completely agree. Some of the very best whistle blowing programs merge quantitative and qualitative data to broaden the context they have around the reporting environment. They ask lead and lag type questions to understand their cohorts willingness to speak up and any blockers in the system preventing a bystander or a victim choosing to speak up. Really important work. You are well known for your experimental and fun training programs to develop a risk culture amongst your employees. Where does someone start with their own training program? How do you know what an employee group needs to gain cut through?

Anne-Marie Paterson: [00:27:09] I think it’s as do all of the above. So some of it was at the outset. For example, if you’re doing mandatory training and you’re looking after the mandatory training of an organisation, you might wish to actually put it out there in a survey and find out what is it that people like or don’t like. What do people remember and what do they not remember about the training? And some of it is a bit of trial and error as well. You’ve got to be brave to be able to try something new. And if it doesn’t work, to be able to very quickly pivot and be agile. And that’s where I think the saying is if you’re going to fail, you fail very fast and then you very quickly move on. And so I think when it comes to training and the different things that I’ve done throughout the organisations that I’ve worked at, we’ve definitely tried different things. And what works for one organisation may not work for another. And so we have used metrics. And so for example, if we have created a video or a series of training, we will have metrics to determine the numbers of people that have voluntarily undertaken that training surveys afterwards to see what do people actually think of it. If it was a video that was put up on a site, how many views are you getting? How many comments are you getting? Again, they are indicators of what is going on, they’re not the full story. Often it’s talking to people or when you’d have an unsolicited comment of, oh, I saw that video the other day and it was fantastic. Or it might even be that some of your other metrics start shifting as a result of the training. So you might find that you have done training on whistleblowing and suddenly you do have a spike in whistleblowing numbers. So what is making clear is that people are actually starting to understand what their rights are. It’s highly unlikely that in the space of five days, a huge influx of misconduct has suddenly occurred. It’s more likely that people have gone, oh, I did that training and yes, this occurred a little while ago and I’m going to actually speak up about it. So I think it’s using those metrics and those dashboards. The other thing I think that’s vital is speaking to peers, speaking to your service provider, getting their reflections. Your service provider deals with a lot of different companies. They are going to hold some absolutely gold information around what is happening around the broader industry that you work in. So it’s important to have networks outside your own organisation. And it might be if you’re in banking, there might be an interbank or it could be through your service provider and some of their other clients, they might provide roundtables where you can sit and talk with peers to understand what’s occurring in other organisations so that you can properly assess the trends occurring in your own.

Nathan Luker: [00:29:57] Anne-Marie, a final question and one we ask all of our guests. Please complete the sentence. Great cultures rely on…

Anne-Marie Paterson: [00:30:05] The tone from the top and the echo from the bottom.

Nathan Luker: [00:30:09] Perfect. I love it, Anne-Marie. Until next time. Thank you so much for joining us.

Anne-Marie Paterson: [00:30:14] Thank you for having me.

Nathan Luker: [00:30:21] Thanks for listening to Rely ON. You can access the show notes from this episode, download resources and listen to other episodes at relyplatform.com. If you enjoyed the episode, we welcome you to submit a review or send an email to hello@relyplatform.com.

Book a demo

See how Rely can help you prevent, detect and respond to workplace issues and build an intelligent risk culture.

Subscribe to Rely

Join our community!

We help leaders build better cultures. Join us and make an impact!

Content summary

Share content

Subscribe to podcast

Related content

Empowering a Safer & Healthier Workplace: A Partnership for ongoing Psychosocial Wellbeing

A new industry partnership between Rely and Flinders University considers how to best help people feel they can safely disclose traumatic events such as discrimination, bullying and harassment in a compassionate way
Psychological Health & Safety in the Workplace

Intelligent case management to better manage Psychological Health & Safety in the Workplace (Data Insights from SafeWork Australia)

Mental health conditions account for an increasing proportion of serious workers compensation claims and has significantly increased over the past 5 years.
Insights from the Expert Review Panel into Aviation Safety at Boeing

When employees fear speaking up, disasters happen

Our brands seen in