Latest Products

Interview: Embedding the right culture

Monday 26 February 2018

* This article was originally published in the December Edition of the GRC Professional. Click here to download a PDF version of this article.

Wade Martin, Head of Risk Management at Cbus Super Fund was awarded the Risk Professional of the year. 
GRC Professional caught up with Martin last month to talk about his professional development, changes in the risk management space and the importance of embedding an effective culture within an organisation.

How did you get into risk management and what has been your career path?
I started out at KPMG in 2005 with a specialist legal focus, consulting on regulatory change, compliance, governance, risk management and assurance—so, a fairly broad base! In 2013, I moved to Cbus after assisting the Fund (as a client) with a large piece of regulatory change that involved the introduction of Prudential Standards for superannuation, including heightened risk management obligations.

Was this a planned career path or did you just take the opportunities as they appeared?
The focus on risk management was less planned than my specific focus on the superannuation sector. From a career perspective, I specialised in that industry, given its huge growth potential. When I started working in super, there was around $800bn in super assets in Australia. It now sits at around $2.3 trillion and has been projected by to be as high as $9trillion by 2035. Such significant growth provides not only a stimulating and challenging environment but also plenty of opportunity from a career perspective. Societal and regulatory expectations of financial institutions with respect to risk management continue to grow very rapidly. APRA’s regulatory approach is very much risk-based rather than prescriptive. Given the compulsory nature of superannuation, it is not unreasonable to expect the highest standards of governance and risk management when looking after our members’ money. Risk management was a logical path for me to take. It allowed me to draw on a broad base of specialist knowledge and develop and challenge those skills in a rapidly-growing sector.

How have you managed your professional development?
Degree-qualified in law and commerce, I completed my CA in 2008 with KPMG. Both KPMG and Cbus are very supportive of professional development and flexible in the types of opportunities they offer. Since then, I have tailored my learning in line with business needs. This has meant a greater focus on emerging risk areas in the industry—cyber risk, digital disruption and data governance. Increasingly, the focus on culture and conduct has required risk professionals to draw on research in behavioural science to better understand what drives risk perceptions and decision-making. This is something on which my team is focussed, and it is informing both our research efforts and our professional development going forward.

What was the transition like from KPMG to Cbus?
The transition itself was refreshing. With any change, there are elements you enjoy and things you miss. On the upside, working for a relatively small organisation allows you to get stuck into solving a wide range of organisational problems, both big and small. Cbus is a member-based organisation with a culture that encourages the fact that our members are central to everything we do. I found this culture both energising and empowering from a risk management perspective. In a firm like KPMG, you have access to deep expertise and thought leadership across a range of disciplines, both domestically and internationally. As our internal audit partners, I can still draw on that expertise, in fact probably more so now I’m on the client side.  

What are some of the greatest challenges you have faced in risk management?

I think the biggest challenge in recent years has been keeping pace with the rapidly-growing expectations of risk management from all stakeholders. This has been driven by a surge in complexity and uncertainty in today’s business environment.  All organisations are searching for innovative ways to expand and maintain competitiveness, and the challenges presented are building faster than most organisations’ ability to build capability, ensure resilience and maintain a strong risk-aware culture. Keeping pace requires you to challenge yourself continually as to whether you are focussing on the right risks and whether you have organisational capability to manage those risks.

What have been some of your most rewarding risk management moments?
I think the most rewarding element is successfully demonstrating the true value of risk management as an integral tool in strategic planning. You have to keep risk management fresh and on point—you need to help people to see those opportunities or threats that might otherwise be obscure. Recently at Cbus, we undertook a dynamic approach to risk assessment. As a leadership team, the Board and Executive analysed the connectivity between our organisational risks and the velocity with which they could impact the Fund. Essentially, we introduced two new lenses to help us see risk in a different way. By looking at the connectedness of Enterprise risks, we were able to identify highly-connected clusters of risk that will require careful management and co-ordinated control responses. These risks weren’t necessarily prominent at an Enterprise level when assessing them in isolation using traditional likelihood and impact analysis. Seeing your senior leaders invest time, energy and enthusiasm into better understanding risk and embracing a new approach is hugely rewarding.

I know with compliance, there has been a lot of debate about where it should sit within the organisation. Are you seeing the same kind of debate when it comes to risk?
Ultimately, risk needs to maintain operational independence within an organisation. I think the risk leadership of the C-suite is critical to ensure risk has sufficient stature and influence to be effective. Risk management needs to work closely with legal and compliance functions, increasingly with human resources, and must be aligned and embedded in the strategic planning process. The structures that facilitate this are less important, so long as operational independence is respected and risk has a ‘true seat at the table’.  

There has been a lot of debate on conduct risk and risk culture, and there is certainly a lot of regulatory scrutiny in this space. Do you feel the regulatory approach to this is going in the right direction or is there some critical element that is not being addressed?
I think the focus on culture is understandable. Culture has been described as the final frontier of the post-crisis regulatory response. Internal control and regulatory oversight hasn’t been sufficient to prevent a number of historic corporate failures. In many instances, it was the prevailing culture of offending organisations that contributed to the outcomes. 
Increasingly, Australian regulators are looking to put the onus on boards to form a view of the risk culture of their organisations. The approach has not been overly prescriptive, with regulators like APRA and ASIC very much looking to industry for leadership on risk culture. In the public narrative, both regulators have been clear that they are not looking to police corporate culture. I think this is the right approach. At Cbus, the Board and Executive have embraced the opportunity to demonstrate thought leadership in this space. The challenging part is measuring the prevailing culture and discerning meaningful insights from this measurement. No single measure will give you the full picture and there are inherent limitations in all mechanisms; together, however, a well-designed program can start to paint a richer picture of the behaviours and attitudes within an organisation.
At Cbus, we have implemented a suite of initiatives designed to measure culture. Surveys and metrics are pretty common tools but require careful design to ensure you get a read on the true causal drivers of behaviour. It’s the resulting conversations with the business that add value, and you need to be focussed on agreeing actions to drive changes.
At the request of our Directors, we introduced a ‘Board to Business’ program that allows our Directors to cross the traditional divide between the board and management, providing an opportunity for directors to meet and have discussions with non-executive staff. It serves two purposes: firstly, it provides a forum for Directors to communicate to our people their expectations around managing risk; and secondly, it allows Directors to gain direct insights into how the business is run, the challenges in day-to-day operations and how front-line staff manage those challenges. We’ve also worked with our internal auditors to embed cultural assessments into routine assurance activity with a ‘soft-controls’ approach that uses a behavioural model underpinned by eight cultural drivers (factors like role-modelling, ‘discussability’ and commitment) that have a real or potential impact on behaviour. It supplements the assurance activities over hard controls and provides yet another lens over organisational behaviour.
Together these initiatives go some way to helping our leaders form a view of culture and, importantly, where potential areas for improvement might lie. The landscape will evolve continually and will likely require risk functions and boards to draw increasingly on capability from cognitive science and psychology—just as the regulators are building that capability internally.

How did you feel when you found out you had been highly commended for risk professional of the year?
It is always nice to be recognised. However, it is more a reflection of the capability and commitment of my team and other teams across the organisation. Risk management can only succeed and be effective if there is organisational support and respect for what we do. It really is a credit to our Board and Executive for setting the right tone, embracing risk management and supporting new approaches.

What do you hope for the future of risk management?
I would hope the profession can meet the challenges of an increasingly-complex landscape and become part of organisational DNA. This will only happen if the profession is adaptable, embraces technology, and enables not only better performance but also better societal outcomes.

What advice would you give to emerging risk professionals?
Immerse yourself in strategy. Understand the drivers and uncertainties within the strategy. This frames all activity conducted under the banner of risk. Be clear and transparent with the business in what you are trying to achieve as a function and measure and report on your progress. Continually challenge yourself. Are you and your team focussing on the right risks? Are you really providing insights for the business? Does your approach to internal control still facilitate an agile, innovative approach? It’s important for risk professionals to be champions of change within their organisations and to partner with the business to enable strategy. Only then will you build the trust and confidence you need to be successful. 

2018 Risk Professional for the Year

Wade Martin, Head of Risk Management at Cbus Super Fund