Talking innovation and disruption with Telstra’s CRO

Kate Hughes talks to StrategicRISK about how risk management is helping Australia’s largest telecommunications provider become a global technology player

It’s 6.20am and Kate Hughes’s phone goes off. The chief risk officer for Australia’s largest telecommunications provider, Telstra, has been called to activate the crisis management team to deal with a major outage affecting thousands of customers.

By 7am, an action plan is in place and Hughes can begin her day. But an hour later she receives a report from a whistleblower alleging bad behaviour of a senior executive, which sees her launch an immediate internal investigation through her fraud team. Then, a few hours later, Hughes is alerted to a customer privacy breach, so it’s then a call to the regulators to alert them of the incident.

It’s not even lunchtime, and Hughes has already fielded more incidents than most chief risk officers would see in a month.

Hughes has agreed to an interview with StrategicRISK to discuss how risk management is helping Telstra navigate a strategic business model change from a traditional domestic telecommunications provider to a global technology company.

But first, a history lesson.

Telstra is one of Australia’s most well-known companies. The country’s largest telecommunications provider builds and operates networks around Australia and markets mobile, internet access, pay television and other entertainment products and services.

But the pace of digital change has not been kind to traditional telcos, forcing Telstra, and most of its competitors, to pivot from their historic business model.

Today the company has its sights on being a global technology company.

Last year the company invested almost $1.2b in acquisitions, including a controlling stake in 15 new businesses. It also expanded its reach in Asia through acquiring Pacnet in Singapore and launching TelkomTelstra in Indonesia, and activated new business units such as Telstra Health.

This pace of change, coupled with the profound shift in the way people connect and communicate, means Telstra faces a challenging set of business risks that threaten it achieving its growth ambitions and financial targets.

This is where Hughes comes in.

“Most people say to me, I’ve got one of the most interesting jobs in the company and I would agree that I do. There’s very little that I’m not across, or not involved in, or not able to add value to,” Hughes says. “I get to make decisions about the kind of ladders we use in the field, I get to talk about the risks of having handbrake alarms in some of our cars, and I also get to talk about the risks of technology disruption as it will impact on our strategy to be a world-class technology company.”

The risk function at Telstra has evolved significantly over the past three-and-a-half years under Hughes’s leadership. The 160-strong risk office now looks after the group’s risk management, compliance and privacy functions, as well as its law enforcement capabilities, fraud investigations, enterprise resilience, security, and health, safety and environment arms.

Hughes, who reports into chief financial officer Warwick Bray, admits she is lucky to work for an executive team who take risk management seriously.

“It’s a privilege to be involved in something that helps our executives make better decisions,” she says.

And with the pace of change that Telstra is facing, that decision-making needs to happen quickly.

“We can be disruptive or we can be disrupted and we’ll probably be both. That’s not necessarily a bad thing. I think disruption creates solid incentive to be more innovative and that’s good,” she says.

Telstra is undergoing a major internal simplification process, driven by the risk of not being able to keep up with younger, more agile, tech start-ups.

“I’m in a meeting every Tuesday morning on this to see what am I doing to help us get there,” Hughes says, adding that she sees the company’s simplification and disruption impetus as an opportunity to show the benefits of risk-based decision making.

“Everything we do requires us to do a risk assessment and that shouldn’t be seen as an onerous, bureaucratic thing, but actually built in to our processes every day.

“Part of the business case is doing a risk management assessment. You don’t tack it on the end, it’s not done at five minutes to midnight, it’s not done once we’ve agreed to everything else … it’s part of the process.

“That is the evolution of risk management – to take it out of the academic, out of the process, and make it much more part of the business conversation so that it actually adds value to the commercial decision-making challenge that your leader has,” she says.

Hughes cites an example with the head of Telstra property, who had to decide how to allocate his spending when it came to upgrade work on the group’s exchange sites. By applying a safety rating to every exchange, Hughes team was able to prioritise which sites should be worked on first.

Back to where it started

In some ways Hughes has come full circle to her role at Telstra.

After graduating with a commerce degree with majors in economics and finance, she took up a role at the NSW Treasury. One of the first companies she audited was Telstra, sitting in the very same Melbourne offices that she does today.

She then moved to the Sydney Futures Exchange where she was responsible for surveying the open trading floor for rouge or illegal trades during its final year of operation.

“I was one of about four women in a room of 400 men that had some pretty bad behaviours,” Hughes recalls.

From there, she moved to the Australian Securities and Investments Commission (ASIC), the country’s corporate, markets and financial services regulator. And it’s this insider experience which has proved invaluable to Hughes at Telstra – one of the country’s most highly regulated companies.

“One of our big risks is going to be a rapidly changing regulatory environment,” she says. “It will go to things like how we regulate data ownership and data sovereignty in the long term.”

Regulators around the world are struggling to keep up with the implications of new technology – and most are doing so at different paces, not to mention with vastly different strengths of legislative iron fists.

For a company with global expansion plans, this adds a huge layer of complexity.

“How do you grow in those countries where your company’s cloud strategies aren’t going to fit with theirs, for example,” she says.

“[Regulation] has the potential to certainly change how we develop and market products. It’s one of the material risks that we talk to the board about. What you have to get very good at doing is staring over the horizon beyond your normal two to three-year period, out to five to eight years and start to think about what regulation will matter then.”

In a disruptive environment, Hughes also sees the potential for corporates to challenge existing regulation.

“If you look at Uber and Airbnb as two business model challenges, everybody talks about those as being challenging at a business model level, but what for me was most interesting is that they challenged existing regulator models as well. Uber drivers never stopped and said ‘I need a taxi license’. So what would happen to us if we fundamentally changed [current] regulation? We do a lot of black swan thinking about some of those risks,” she says.

Cyber and security challenges

In the nearer term, Australia is set to bring in data loss notification laws which will force companies to advise customers when their details have been unlawfully accessed.

“It’s not going to be a huge issue for us because we’ve always thought long and hard about who we should tell when we’ve had a breach of some kind,” Hughes says.

This stance was put the test last year. Just two weeks before Telstra’s $697m acquisition of Pacnet was finalised, the Asian telecommunications business was hacked by an unknown third party which gained complete access to the company’s network including emails and other administrative systems.

Telstra said it wasn’t told about the breach until after the deal’s completion on 16 April.

In that instance, Hughes says Telstra voluntarily went to eight different regulators about the breach.

“Each one had different expectations about whether or not we would or should tell them,” she says. “We’ve always felt better to be upfront and honest. The worst thing you can do is look like you’re hiding it.”

But Hughes fears that the new breach notification laws could result in consumers getting “notification fatigue”, where they fail to act on important data breaches because they are being alerted of them so frequently.

Instead, when it comes to cyber security, Hughes is turning the lens to the company’s employees, which are often considered the weakest link in any cyber security programme.

“We run drills to see if we can trick our employees into doing something that they shouldn’t have,” she says, such as clicking on a link or opening a suspect attachment.

In the first drill, 30% of employees failed. That dropped to 18% in the second round.

What’s in a name?

Managing major reputation crises is also something that Hughes is well versed in.

In 2005, she was asked to join a company in the midst of a major corruption scandal that saw it on the front page of the papers for more than 400 consecutive days, and its shareholder value slashed by almost $1bn overnight. That company was the Australian Wheat Board (AWB), which was accused of paying millions of dollars in bribes to Saddam Hussein’s regime in Iran in exchange for lucrative wheat contracts.

“Part of my job was to build the right internal controls, the right risk processes and the right compliance controls to ensure we never ever did that again,” she says.

For four years, Hughes worked with a new management board to help turn the business around.

“Leadership in good times is always a pleasure. The hardest job you will ever do is lead in tough times when there’s bad news on the front page of the paper and your employees feel embarrassed to work for you,” she says.

Hughes believes reputation isn’t a risk as such, but an “outcome of other things you didn’t do very well”.

Regardless, when you’re an organisation the size of Telstra, reputation is incredibly important.

“This year we have put in place much more formal metrics to measure the impact of our resilience on reputation,” Hughes says.

For example, during network outages, Telstra can map social media mentions against the network issues to give an indication on the importance of resilience to its customers.

“It’s also a really good predictor of consumer behaviour, so how many of these [incidents] does it take before a consumer, one, rings up and complains, two, gives us a negative rating, or three, possibly changes services. That’s critical insightful data that we work with marketing, media and communications teams on,” she says.

Hughes is one of the most passionate advocates for strategic risk management that you will meet. But she’s far from traditional.

“The one thing I rarely say to people is that I’m the chief risk officer; what I often say is I’m an executive at Telstra, because part of my job is not just talking about the risks, but talking about the opportunities. At the end of the day my real job is to make sure that our executives know how to make decisions.

“Helping people consciously choose to take risks is good because it means that they’re doing it utterly informed.”

Hughes says that risk managers must move from talking about the “what” – the list of risks and risk registers – to talking about the “now what”.

“Being the person who forces people to sit through three-hour long risk workshops so we can satisfy ourselves that we’ve got 25 pages of risk registers is an academic exercise that has never sat well with me,” she says.

“Doing [risk management] for the sake of governance, whilst necessarily, is not necessarily always valuable. Doing it because it helps [the company] make a better decision, save money, spend it more wisely … and potentially be a disruptor yourself because you’ve found a hole in the market that no one else has, that’s where the real value comes from.

Advertisements

What constitutes risk management – A senior management’s view

When discussing how to improve the value contributed by risk management, I typically start by saying ‘where do we start?’. At the heart of this question is the desire for a simple and practical point of view that makes sense in practice. Because risk profile, appetite and tolerance are different in different organisations, risk management presents itself differently. However, there are 4 fundamental pillars:

  1. Process

Like any value adding activity, risk management requires a process and it entails a purpose, inputs, activities and outputs. According to ISO31000, the activities typically include risk identification, sourcing, assessment, measurement, mitigation and monitoring. The purpose of the process varies from organisation to organisation too. It may be reducing performance variability, prevention of incidents or taking more risks to maximise returns.

6-1

  1. Integration

Traditionally as well as in financial services sector, risk management is focused on protecting the value of assets tabled in the company’s balance sheet, related contractual rights and obligations. Typical risk management methods include insurance, tools for treasury risks, mitigation of environmental risks such as health and safety concerns. Whilst these forms of risk management had served a useful purpose in the past, contemporary risk management serves a higher and better use. The relevance of the risk management process increases if it is integrated with core management processes that help the organisation in achieving its objectives and executing its strategy. The degree of the integration again varies and typically include core processes such as strategy formulation, business planning, performance management, capital and funding planning, M&A and project management etc.  effective integration means risk management is embedded into the rhythm of the day to day business decisions and contribute to establishing competitive advantage and boosting performance.

  1. Culture

Effective risk management requires a top down sponsorship and consistent application of conducive behaviours. If the reward system is not balanced with shareholder interests, if the board doesn’t question the assumptions and risks taken for a strategy, or if risk management is restricted to compliance or after-fact firefighting and not focused on strategic issues, risk management will not be able to have an impact at the crucial moment. Robust risk culture promotes open communication, knowledge sharing, promoting best practice and continuous improvement and more recently a focus has been placed on value-driven commitment to ethical and responsible behaviours.

  1. Infrastructure

No given the risk management processes, how it integrated with core business processes and the elements of an organisation’s culture, the focus then turns to whether the organisation has what it takes to get the job done – its infrastructure – its policies, procedures, organisational structure, reporting lines, systems and people related to managing risks. If the infrastructure requires improvement such as a lack of risk management policy, unclear risk appetite, unclear roles and responsibilities, lack of risk reporting process or IT systems (GRC), resources must be diverted to have these areas addressed.

Essentially these 4 elements are the foundation of an effective risk management framework and it should be what senior management and the Board look for when establishing risk oversight, or what a maturity assessment be looking at. Ask some of these questions when you think about your company’s risk management practice:

  • Do we have a process to identify risks related to our strategy?
  • Is our risk management only focused on insurable and financial risks?
  • Is our risk management capabilities coordinated across the company or operate in silos
  • Do we have risk materialise primarily because there is a lack of risk culture or understanding?
  • Is risk management restricted due to resourcing limitations?

What are your thoughts and your experiences in your organisation???

How does risk management stay relevant in a fast-evolving digital world? (Continued)

Let’s start off with a recap

Last time we discussed how innovative culture represents the most important force behind modern business success, which drives innovation in both technology and the business model that applies such technology.  We dived into the concept of agile and agile thinking being the essential ingredient for building an innovative culture. We compared agile culture and its underlying value beliefs and how they influence the ‘way of work’ for different organisations.

In the context of risk management, the differences in this culture undertone, shared values and the way of work have profound implication to the risks faced by the organisation and how these risks can be best managed. Let’s explore this using project management as a relatively straightforward example.

Maybe I should rename this post to – ‘how to deal with the inevitable agile disruption?

Project and project risk management

How an organisation runs and manages its projects says a lot about itself. All projects are subject to constraints within the boundaries of the ‘way of work’ because they must work in tandem with resources already committed – people, funding, processes, priorities, inter-dependencies and timing.

An established companies usually run projects within a clear structure of teams, roles and responsibilities, reporting lines, handoff points and decision making regime. Embedded within a formalised PMO, traditional project risk management fits into this linear project lifecycle (usually waterfall) and is anchored by clear action points (or management controls) at key milestone stages such as qualitative and quantitative risk assessment, management review and approval points.

2-1

Comparatively in a start-up agile environment, project management is turned on its head. Team are mostly cross functional with significant autonomy in deciding what and how to deliver a product or value. Non-value adding activities such as process maps and progress report are considered ‘waste’ because constant progress will render them outdated by the time they are created.

Evolved from project management, the agile thinking has been dubbed as the single most fundamental feature for most of the modern successful tech companies. In advanced agile organisations, agile way of working extends beyond project management and becomes ‘the norm’ and ‘business as usual’ reinforced by people initiatives on trust, learning, innovation, sharing and value. I have seen organisations continuously deliver products or values in squads, tribes and guilds without formal reporting lines or delegation authority.

The key risks addressed by traditional project risk management – time, cost and quality – are significantly mitigated simply by the approach advocated by agile philosophy –  Agile teams can start with a simple user story to build a minimum viable product deployed into production through short and iterative sprints dotted with regular feedback loops. Agile practitioners will know that I had omitted a whole lot of other enablers, pre-requisites and tools of agile practice. For more details, refer to here, here, here, here, and here.

So how risk management can stay relevant and add value for a company that is yet to embrace digital revolution and agile (denial), or a company in transition (embrace), or a full digital/agile organisation (improve)? From my recent experiences, these are some conversation starters:

For agile aspirants, the values may lie in

  • Education of ‘agile way of working’ through a risk lens. A better understanding will lead to better acceptance for change. I was surely confused with jargons like lean, kata, Kanban, test-driven development and feature toggles and why the team believes ‘wall walks’ is better than a ‘status report’?
  • Providing people who came from an established environment with a risk assessment of ‘going agile’. An objective and independent assessment on how key attributes such as cost, time and quality can be managed in an agile environment? Why is it ok for project team to not commit to a deadline until much later into the project?

For those in transition, the values may lie in:

  • A risk assessment on how the transition as a project can impact and deliver value to the company. Informing a decision on the necessary investment in resources, people skills and organisational restructuring to maximise the values of ‘going agile’?
  • Leveraging risk knowledge in current process and practice to identify ‘best value’ opportunity for agile adoption. Being an agile champion and a catalyst for incremental changes. Highlighting the positive risks associated with agile and the risks of inaction.
  • Do what risk managers do best naturally in promoting a collaborative culture that values trust, transparency and challenging status quo.

For those already agile equipped, the values may lie in:

  • Providing management comfort over key risk areas that conventional risk information would otherwise not be available. Particularly for C-suite executives who usually came from a traditional setting. Gone are hefty business cases, periodic status reports and approval gates, replaced with risk insights from stand-ups, wall walks, demos and retrospective reviews.
  • Qualitative risk assessment in this high velocity environment where emphasis is skewed toward stakeholder feedback that is mostly subjective? Visual risk representation such as risk burn-down chart would bridge the communication between project teams and business stakeholders.
  • Contributing to the management of the most important asset – people. Devs, Agile coaches, BAs, Product owners and senior management. How best to recruit, retain, develop and grow people in an evolving environment? How to facilitate, promote and build a culture that is conducive to agile philosophy?
  • Providing risk support to the management of operational risks associated with ever moving structure and elevated autonomy. For instance proliferated user access management, IT change management (DevOps), security and availability risk consideration within the development lifecycle, incident response and problem management.

2-2

In true agile fashion, risk managers, irrespective of the industry or the disruptive journey the company is at, must also be digital-ready and agile – trial and error, explore and continuously improvement to stay relevant and add value. What is your experience?

#agile, #project management, #project risk management, #risk management, #culture, #values

How does risk management stay relevant in a fast-evolving digital world?

Any experienced risk management professional would know it best – establishing a risk management framework is no mean feat, particularly if it’s for a ‘one of a kind’ organisation and not guided by a set of prescriptive regulation and standards. Above all the bells and whistles a risk team can build is one crucial attribute – risk management must stay relevant and add value to the achievement of the organisation’s strategic objectives.

Strategic objectives are enabled and influenced by important factors within the organisation itself –processes, projects, resources and culture. Beyond these intrinsic factors, in recent times many companies had to deal with the impacts of the digital revolution as the disruptive forces of ‘Internet’ transcend tech sector and seep into pretty much every industry. Uber for taxi, Netflix for video, Airbnb for hotel, the list goes on.

This fast and inevitable change is forcing risk professionals to renew their emphasis on ‘emerging risks’ and must now broaden their ‘feel on the pulse’ beyond immediate competitors and adjacent industries. This is introducing an additional layer to the above question – ‘How does risk management stay relevant and continue to add value to organisation’s strategic objectives (in a digital world)?’

It is obviously a complex question that doesn’t have a simple answer, so let’s peel back to the basics and explore this topic piecemeal.

Illu #1

Learn from the best

In preparing for the disruption and its impacts, organisations must understand and learn the key factors fuelling the success of many modern successful companies. One thing for sure – simply embracing and adopting new technology only gives temporary reprieve in this fast evolving world. In fact, recent research confirmed that the technology itself only disrupts to certain extent as followers embrace and adapt. It is the innovative business culture that drives constant discovery of new business model and application of technology that is the most disruptive.

2

Agile and agile thinking

Literature abounds on why individual or companies succeed, you don’t need to go far to be inundated with business coaches and mentors spruiking ‘how to’ guides. Here, here, here. However, many would agree that ‘agile’ thinking is universally one of the most fundamental ingredients for many success stories.

Let’s focus on this topic for now, so what is agile?

Evolved from a form of project management methodology and manufacturing, agile and agile thinking are interpreted in countless ways and applied differently. In its very essence, its reciprocal power advocates value adding behaviours, cut development cycles, facilitate informed decisions and drive continuous improvement. In an advanced agile environment, agile thinking would become so pervasive in all aspects of the organisation, defining its culture, the way of work and risks that propel its growth.

Let’s look deeper using real corporate examples

Typical of a traditional yet progressive company with mostly established processes and linear structure, a great deal of emphasis would be placed over important values such as team work, accountability, efficiency and simplification to support the execution of its strategy. Typically, most manufacturers, banks, telcos, retailer would fit to this category.

On the other hand, a tech start-up based on agile principles of being lean and people oriented would focus on more tangible and actionable values such as collaboration, empowerment, fast throughput and continuous value delivery. Team structure and formalised policies would be minimised with virtually no reporting lines and delegated authority. Examples are Spotify, REA, Pivotallabs and many more.

Illu #3

Ok, you noticed I haven’t really answered my original question. That’s for another day.

#riskmanagement, #agile, #disruption, #culture, #values, #stayrelevant, #rispeak