Talking innovation and disruption with Telstra’s CRO

Kate Hughes talks to StrategicRISK about how risk management is helping Australia’s largest telecommunications provider become a global technology player

It’s 6.20am and Kate Hughes’s phone goes off. The chief risk officer for Australia’s largest telecommunications provider, Telstra, has been called to activate the crisis management team to deal with a major outage affecting thousands of customers.

By 7am, an action plan is in place and Hughes can begin her day. But an hour later she receives a report from a whistleblower alleging bad behaviour of a senior executive, which sees her launch an immediate internal investigation through her fraud team. Then, a few hours later, Hughes is alerted to a customer privacy breach, so it’s then a call to the regulators to alert them of the incident.

It’s not even lunchtime, and Hughes has already fielded more incidents than most chief risk officers would see in a month.

Hughes has agreed to an interview with StrategicRISK to discuss how risk management is helping Telstra navigate a strategic business model change from a traditional domestic telecommunications provider to a global technology company.

But first, a history lesson.

Telstra is one of Australia’s most well-known companies. The country’s largest telecommunications provider builds and operates networks around Australia and markets mobile, internet access, pay television and other entertainment products and services.

But the pace of digital change has not been kind to traditional telcos, forcing Telstra, and most of its competitors, to pivot from their historic business model.

Today the company has its sights on being a global technology company.

Last year the company invested almost $1.2b in acquisitions, including a controlling stake in 15 new businesses. It also expanded its reach in Asia through acquiring Pacnet in Singapore and launching TelkomTelstra in Indonesia, and activated new business units such as Telstra Health.

This pace of change, coupled with the profound shift in the way people connect and communicate, means Telstra faces a challenging set of business risks that threaten its ability to achieve its growth ambitions and financial targets.

This is where Hughes comes in.

“Most people say to me, I’ve got one of the most interesting jobs in the company and I would agree that I do. There’s very little that I’m not across, or not involved in, or not able to add value to,” Hughes says. “I get to make decisions about the kind of ladders we use in the field, I get to talk about the risks of having handbrake alarms in some of our cars, and I also get to talk about the risks of technology disruption as it will impact on our strategy to be a world-class technology company.”

The risk function at Telstra has evolved significantly over the past three-and-a-half years under Hughes’s leadership. The 160-strong risk office now looks after the group’s risk management, compliance and privacy functions, as well as its law enforcement capabilities, fraud investigations, enterprise resilience, security, and health, safety and environment arms.

Hughes, who reports into chief financial officer Warwick Bray, admits she is lucky to work for an executive team who take risk management seriously.

“It’s a privilege to be involved in something that helps our executives make better decisions,” she says.

And with the pace of change that Telstra is facing, that decision-making needs to happen quickly.

“We can be disruptive or we can be disrupted and we’ll probably be both. That’s not necessarily a bad thing. I think disruption creates solid incentive to be more innovative and that’s good,” she says.

Telstra is undergoing a major internal simplification process, driven by the risk of not being able to keep up with younger, more agile, tech start-ups.

“I’m in a meeting every Tuesday morning on this to see what am I doing to help us get there,” Hughes says, adding that she sees the company’s simplification and disruption impetus as an opportunity to show the benefits of risk-based decision making.

“Everything we do requires us to do a risk assessment and that shouldn’t be seen as an onerous, bureaucratic thing, but actually built in to our processes every day.

“Part of the business case is doing a risk management assessment. You don’t tack it on the end, it’s not done at five minutes to midnight, it’s not done once we’ve agreed to everything else … it’s part of the process.

“That is the evolution of risk management – to take it out of the academic, out of the process, and make it much more part of the business conversation so that it actually adds value to the commercial decision-making challenge that your leader has,” she says.

Hughes cites an example with the head of Telstra property, who had to decide how to allocate his spending when it came to upgrade work on the group’s exchange sites. By applying a safety rating to every exchange, Hughes’s team was able to prioritise which sites should be worked on first.

Back to where it started

In some ways Hughes has come full circle to her role at Telstra.

After graduating with a commerce degree with majors in economics and finance, she took up a role at the NSW Treasury. One of the first companies she audited was Telstra, sitting in the very same Melbourne offices that she does today.

She then moved to the Sydney Futures Exchange where she was responsible for surveying the open trading floor for rogue or illegal trades during its final year of operation.

“I was one of about four women in a room of 400 men that had some pretty bad behaviours,” Hughes recalls.

From there, she moved to the Australian Securities and Investments Commission (ASIC), the country’s corporate, markets and financial services regulator. And it’s this insider experience which has proved invaluable to Hughes at Telstra – one of the country’s most highly regulated companies.

“One of our big risks is going to be a rapidly changing regulatory environment,” she says. “It will go to things like how we regulate data ownership and data sovereignty in the long term.”

Regulators around the world are struggling to keep up with the implications of new technology – and most are doing so at different paces, not to mention with vastly different strengths of legislative iron fists.

For a company with global expansion plans, this adds a huge layer of complexity.

“How do you grow in those countries where your company’s cloud strategies aren’t going to fit with theirs, for example,” she says.

“[Regulation] has the potential to certainly change how we develop and market products. It’s one of the material risks that we talk to the board about. What you have to get very good at doing is staring over the horizon beyond your normal two to three-year period, out to five to eight years and start to think about what regulation will matter then.”

In a disruptive environment, Hughes also sees the potential for corporates to challenge existing regulation.

“If you look at Uber and Airbnb as two business model challenges, everybody talks about those as being challenging at a business model level, but what for me was most interesting is that they challenged existing regulator models as well. Uber drivers never stopped and said ‘I need a taxi license’. So what would happen to us if we fundamentally changed [current] regulation? We do a lot of black swan thinking about some of those risks,” she says.

Cyber and security challenges

In the nearer term, Australia is set to bring in data loss notification laws which will force companies to advise customers when their details have been unlawfully accessed.

“It’s not going to be a huge issue for us because we’ve always thought long and hard about who we should tell when we’ve had a breach of some kind,” Hughes says.

This stance was put to the test last year. Just two weeks before Telstra’s $697m acquisition of Pacnet was finalised, the Asian telecommunications business was hacked by an unknown third party which gained complete access to the company’s network including emails and other administrative systems.

Telstra said it wasn’t told about the breach until after the deal’s completion on 16 April.

In that instance, Hughes says Telstra voluntarily went to eight different regulators about the breach.

“Each one had different expectations about whether or not we would or should tell them,” she says. “We’ve always felt better to be upfront and honest. The worst thing you can do is look like you’re hiding it.”

But Hughes fears that the new breach notification laws could result in consumers getting “notification fatigue”, where they fail to act on important data breaches because they are being alerted of them so frequently.

Instead, when it comes to cyber security, Hughes is turning the lens to the company’s employees, who are often considered the weakest link in any cyber security programme.

“We run drills to see if we can trick our employees into doing something that they shouldn’t have,” she says, such as clicking on a link or opening a suspect attachment.

In the first drill, 30% of employees failed. That dropped to 18% in the second round.

What’s in a name?

Managing major reputation crises is also something that Hughes is well versed in.

In 2005, she was asked to join a company in the midst of a major corruption scandal that saw it on the front page of the papers for more than 400 consecutive days, and its shareholder value slashed by almost $1bn overnight. That company was the Australian Wheat Board (AWB), which was accused of paying millions of dollars in bribes to Saddam Hussein’s regime in Iran in exchange for lucrative wheat contracts.

“Part of my job was to build the right internal controls, the right risk processes and the right compliance controls to ensure we never ever did that again,” she says.

For four years, Hughes worked with a new management board to help turn the business around.

“Leadership in good times is always a pleasure. The hardest job you will ever do is lead in tough times when there’s bad news on the front page of the paper and your employees feel embarrassed to work for you,” she says.

Hughes believes reputation isn’t a risk as such, but an “outcome of other things you didn’t do very well”.

Regardless, when you’re an organisation the size of Telstra, reputation is incredibly important.

“This year we have put in place much more formal metrics to measure the impact of our resilience on reputation,” Hughes says.

For example, during network outages, Telstra can map social media mentions against the network issues to give an indication of the importance of resilience to its customers.

“It’s also a really good predictor of consumer behaviour, so how many of these [incidents] does it take before a consumer, one, rings up and complains, two, gives us a negative rating, or three, possibly changes services. That’s critical insightful data that we work with marketing, media and communications teams on,” she says.

Hughes is one of the most passionate advocates for strategic risk management that you will meet. But she’s far from traditional.

“The one thing I rarely say to people is that I’m the chief risk officer; what I often say is I’m an executive at Telstra, because part of my job is not just talking about the risks, but talking about the opportunities. At the end of the day my real job is to make sure that our executives know how to make decisions.

“Helping people consciously choose to take risks is good because it means that they’re doing it utterly informed.”

Hughes says that risk managers must move from talking about the “what” – the list of risks and risk registers – to talking about the “now what”.

“Being the person who forces people to sit through three-hour long risk workshops so we can satisfy ourselves that we’ve got 25 pages of risk registers is an academic exercise that has never sat well with me,” she says.

“Doing [risk management] for the sake of governance, whilst necessary, is not necessarily always valuable. Doing it because it helps [the company] make a better decision, save money, spend it more wisely … and potentially be a disruptor yourself because you’ve found a hole in the market that no one else has, that’s where the real value comes from.”

One step toward letting yourself lead: Let go! – Renee Charney, Ph.D. Candidate

I asked her a question that encouraged her to step back and reflect a bit:  “What do you want?” She thought about it for a minute and then answered: “I want my team to do what I want them to do!”

Now we really had something to explore.

Many times new leaders (and, at times, seasoned leaders, as well) get securely attached to their own ways of performing a job; their way is the right way because, as their personal experience demonstrates, it’s been those very skills and techniques that got them into the position they now hold; it’s because they did a great job.

But here’s where leaders might get derailed. If they hold fast to what they know best, their expertise, they squander the opportunity to truly lead.

Rooke and Torbert (2005) suggest that great leaders are not differentiated by their personality or management style, but rather their “action logics”—how they react (or act) when they step (or are pulled) out of their comfort zone. People, according to the model, fall into one of seven of these action logics, which include such groupings as achievers, experts, diplomats, strategists, and individualists. When we allow ourselves to step back, reflect, consider others’ perspectives or ways of doing a task, we ourselves grow to be more inclusive and relational in our leadership capacity. And, by doing so, we can also transform how our organization develops across teams by modeling the same behaviors and, by extension, enriching the environment for others to also develop.

Rooke and Torbert (2005) further suggest that most of our working population rests within the action logic stage of “expert”—actually 38% of the working population—someone who may be well-suited as an individual contributor due to his or her technical expertise and, possibly, less suited to be the developmental leader needed to grow others.

Here’s the opportunity.

When leaders are willing to practice new habits of letting go, and allow their team members to try new things (and, perhaps, perform tasks that might not map directly to what they would have done), amazing and wonderful things happen – for both the leader and the team. In Rooke and Torbert’s (2005) “action logic” language, this behavior demonstrates a later stage of development called the “achiever” stage (30% of the population), which occurs when a leader expands her capacity to focus on team development and team goals, rather than on personal expertise and personal goals. As you might imagine, as adults expand their capacity to let go, step back, and enable others to take more responsibility, make more independent decisions, and deepen their capacity to “lead in place” (Wergin, 2007), this leadership growing pattern becomes more challenging; leaders must be able to enter into the unknown and trust others’ capacity to lead. This leadership development process enables teams the opportunity to step up and take the lead on projects, and to learn from both their successes and mistakes. The leader, in turn, gets to learn new ways of doing tasks and, by extension of the willingness to let go, deepens the loyalty and trust across the team.

My client decided to give it a try to let go and see what would happen. She decided to let herself lead. What she noticed was enlightening! Her relationships with her team members became richer, their creativity soared, and they began to make decisions independently. She then gained more time to work on her own tasks, thinking and planning strategically (and was able to answer her emails in time to get home to her family at a reasonable hour). She grew as a leader and gained the respect of upper management as her team achieved results that exceeded expectations.

A simple shift of thinking can make all the difference as we commit to growing ourselves as leaders and to growing our teams. Letting go of what we know and letting ourselves lead can be that simple shift. What possibilities to let go might you see within your leadership life?

New Managers Need a Philosophy About How They’ll Lead – Carol A. Walker 

Being promoted to manager is a good sign you’ve been successful to date — however, the road from this point forward gets trickier to navigate. Your job is no longer just about getting the work done. You’re more likely now to find yourself juggling conflicting demands, delivering difficult messages, and addressing performance problems. While there is no guidebook of straightforward answers to your new challenges, having a clear philosophy can provide a firm foundation from which to.

With respect to your career, a philosophy is simply a cohesive way of thinking about your role. Very few people take the time to establish one. Most managers live in a reactive mode, responding to issues based on gut feelings, past experiences, and examples set by others. The success or failure of this approach is often determined by your temperament (some people are naturally more gifted managers than others) and the caliber of your role models—two factors largely out of your control. Whether you’ve been lucky in these areas or not, having a core philosophy can help guide you through the day-to-day and the job’s tougher moments.

The idea of “servant leadership” is a great place for new managers to start. Robert Greenleaf coined the term 35 years ago, but the concept is still vital and empowering. Granted, “servant” doesn’t sound nearly as powerful as “boss,” but it has the potential to deliver far more of what most of us are really after: influence. The reason is simple. When you have a servant mentality, it’s not about you. Removing self-interest and personal glory from your motivation on the job is the single most important thing you can do to inspire trust. When you focus first on the success of your organization and your team, it comes through clearly. You ask more questions, listen more carefully, and actively value others’ needs and contributions. The result is more thoughtful, balanced decisions. People who become known for inclusiveness and smart decisions tend to develop influence far more consistently than those who believe they have all the answers.

Servant leadership is most powerful when applied to managing employees. The first step in embracing this mindset is to stop thinking that your employees work for you. Instead, hold onto the idea that they work for the organization and for themselves. Your role as servant is to facilitate the relationship between each employee and the organization. Ask yourself, “What will it take for this employee to be successful in this relationship?” And, “What does the organization need to provide in order to hold up its end of the bargain?” When these questions drive your thinking, you advance both parties’ interests. (The same principles apply to managing products, supply chains, and customer relationships, but we’ll keep our focus on employees here.)

Does servant leadership prohibit telling people what to do or correcting their behavior? On the contrary, it means that you must do these things to facilitate an individual’s success within the organization. The key is that your mind is in “servant mode” when you perform the daily tasks of management.

For instance, assigning work should be a thoughtful process that balances business goals with an individual’s interest, skills, and development needs. Not every routine task has to be so thoroughly considered. But whenever significant assignments are made, putting them into context maximizes their impact. An employee who understands why she has been asked to do something is far more likely to assume true ownership for the assignment. When she owns it, you become more guide than director. You ask how you can support her and how she would like to report progress rather than tell her these things. An employee who believes her boss understands her strengths, values her input, and encourages her growth is likely to stick around for the long-term.

Clearly, the servant approach to assigning tasks requires more thought and preparation than simply dishing them out. It takes time. But remember that you are actually multitasking—you are making sure the work gets done while simultaneously strengthening the individual’s relationship with the organization.

Adopting the servant philosophy should also make it easier to provide corrective feedback. You are merely a facilitator, and facilitators aren’t angry, frustrated, or resentful when they deliver feedback, because it isn’t about them—it’s about the relationship between the two other parties. For that reason, exercising the servant frame of mind makes development conversations feel less personal. You aren’t disappointed in your employee’s actions; you are simply explaining how they get in the way of what he’s trying to accomplish for himself and the organization. When your only agenda is setting someone else up for success, your words tend to be received more openly. True upset happens when either party’s interests are allowed to suffer over time without intervention. It must be the manager’s primary concern to balance those interests.

By definition, developing a reputation takes time. However, when you are consistent with the servant approach, people know what to expect from you and trust ensues. Trust, combined with the smart, inclusive decision-making discussed earlier is a surefire way of gaining influence.

We’ve just scratched the surface of the many challenges that you will confront as a first-time manager. There is simply no way to anticipate them all. But a core servant leadership philosophy will provide critical guideposts to help you manage in real time. Whatever your temperament, a serving mindset will keep you out of the reactive and self-protective patterns that can impede your success. Servant leadership may not appeal to those who are attracted to a more traditional idea of power, but it should be the choice of those interested in influence and results.

How Your Boss Views Failure Determines Your Success – Oscar Benjiman

As Americans we spend the majority of our lives in a cubicle or office somewhere, working diligently as a cog in some giant machine. All so that we can afford essentials like housing, transportation, health care and food. Money continues to top the charts as the thing that brings us the most stress, and it’s no coincidence that our jobs come in a close second.

For many of us, the biggest pain point on the job comes from the relationship we have with our boss. A boss that doesn’t know how to properly motivate, challenge and credit employees can have an overwhelmingly negative impact on their team. What’s worse, once employees start leaving reviews on sites like Glassdoor.com, the manager’s actions, or lack thereof, can have a truly adverse effect on the company’s brand and especially its ability to acquire new talent.

After all, employees who are highly skilled have options, and rarely do anything just for the money. So why would they ever choose to work in a toxic environment?

Now, when I use the terms “boss”, “supervisor” or “manager”, I’m referring to everyone from c-level executives to mailroom employees. There’s hardly an organization that doesn’t have at least one manager who turns their division into a petri dish of bad ideas. Typically it’s because they take advice from dopey management books, misapply lessons from stories of the lives of famous CEOs, or implement a surface level understanding of human psychology that they get from online magazines.

I’ve manned cash registers, worked on research teams, have been a middle-manager, owned a small business with 6 employees, and directed a team of 30…so I know what it’s like to be a manager, and I’ve also dealt with many of them in a wide variety of situations. Those experiences, coupled with years listening to family, friends, colleagues and strangers rant about their bad bosses, have given me a rich perspective.

Whether you’re actively searching for new employment, hiring managers for your company, or simply making a decision about whether to stay with the organization you’re in now – there’s one key indicator that signals that you may be dealing with a manager from hell.

HOW YOUR BOSS VIEWS FAILURE

Some of the most inept and unsuccessful managers I’ve known have seen failure as a curse word, a proverbial third rail that should never be touched or crossed. Some even went so far as to change the definition of success midway through a project to avoid failure.

From the outside, or perhaps from first-hand experience, you might empathize with their situation. You might see it as a manager protecting their team or company from the barbarians at the gate. After all, failures such as missing goals can depress stock prices or ruin a company altogether. Isn’t the fear of failure a good thing?

Simply put, no. As noble as a manager’s intentions might appear, the fear of failure is a perfect recipe for mediocrity and obsolescence.

Thomas Edison cut to the heart of the matter when he said, “I have not failed, I’ve just found 10,000 ways that won’t work.” Whether it’s testing drugs that cure diseases or figuring out how to launch and land reusable rockets on Mars, failure is a vital part of the equation.

It’s just as important to know how to do a thing, as it is how not to do a thing.

I’m not suggesting that managers who wear failure as a badge of honor should be celebrated. What I’m saying is that managers who are willing to take risks to reap big rewards are invaluable to both the company as well as the team they manage. How a manager views failure is important, because that mindset carries with it a slew of other valuable character traits.

When your boss can appreciate failure’s place in the workplace, you can expect not to be thrown under the bus every time they need to account for a failure. You’ll likely have the opportunity to learn new skills and gain a great deal of autonomy at your workplace, since you’ll no longer be mired in BS and trying to maintain the status quo. You might even be given credit for your successes…imagine that. Most importantly, you will find purpose in the work you do, while simultaneously building a stellar resumé for any future pursuits.

WHEN IT’S TIME TO LEAVE

However, if you’re in a situation where your manager acts like the one in the Dilbert cartoon below, your best option is to simply leave. Sure, there are circumstances where getting a different job isn’t feasible, but more often than not, that’s just something we tell ourselves so that we don’t have to deal with the uncomfortable reality of change.

If you do find yourself working for the boss from hell, leave before the stress kills you, both figuratively and literally. Once you decide to leave, here are a few basics that will improve your job search:

  1. Get active on LinkedIn in your particular field of expertise. This means interacting within Groups, as well as creating content for LinkedIn Pulse
  2. Browse open job positions on LinkedIn as well as other career sites, taking note of skills you don’t yet possess
  3. Learn those skills at your job by requesting training, being part of a specific project, or by learning it yourself. Acquire these skills by whatever legal means you can imagine
  4. Work on building your own website as a portfolio to showcase your thoughts, talents, abilities, and general knowledge
  5. Use social media to connect with other like-minded individuals, past employees and other potential contacts

This will take time, so set a realistic hard date for your exit once you’ve figured out how much time you need to acquire new skills and showcase current ones. This is of utmost importance, because it will solidify your plan in your own mind and make it more real. And, of course, don’t be afraid to fail. Just remember to document and learn.