We are delighted to announce that risk specialist, Bavan Nathan will be speaking at #RISK London this November.
Bavan is a senior risk and assurance executive who has is passionate about innovation and new thinking in governance, risk, and assurance.
He brings 24 years’ deep risk management and internal audit expertise, having advised clients across multiple industries, both in the UK and Australia.
Bavan will leverage his wealth of experience in an exclusive panel debate at #RISK London. The session, “Risk Resilience and Enterprise Agility: Two Sides of the Same Coin”, will see our experts explore how companies can integrate resilience and agility into risk-management strategies.
We caught up with Bavan for more insight into this crucial topic, and to learn more about his fascinating career pathway to date.
Could you outline your professional journey so far?
I started out in external audit with Arthur Andersen and attained by Chartered Accountant, later Fellow, qualifications. However, I went searching for different and varied challenges. I have, since then, focused on building and advising companies on governance models, risk management, controls, compliance and assurance needs.
I have done this with Andersen, EY, PwC and KPMG. At the latter, where I spent most of my career, I was a Partner and towards the end of my time there, was a leader for various risk, controls and assurance service functions.
Finally, I moved to Tesco to be their Chief Audit and Risk Officer to lead the transformation of the internal audit and risk functions. I was asked to deliver a value-adding, leading edge and fit-for-purpose functions.
This entailed the transformation of the technical methodology (a clear and coherent framework for making effective insight and risk-based decision making to operate with confidence and at pace), transforming the capability and culture of the team, enabling better business partnering, integrated risk and assurance, and use of technology and data. The results were described by key stakeholders as “truly innovative and comprehensive. World class.”.
What structures do companies need to have in place to optimise risk resilience and enterprise agility?
At a high-level, key features of a good risk management framework not only give resilience and agility, but also better risk awareness within the business; better risk insights and risk-informed decision making and better strategic use of risk understanding.
I believe, if you get the fundamentals right, the resilience and agility fall out of that. All too often, risk and resilience activities within companies (financial services excepted) tend to be compliance-focused on the ‘knowns’ and those that are currently ‘hot topics’ (e.g. AML or ABC or Cyber). All of these are, of course, very important. But, how do you also assess and respond in proportionate and balanced ways?
I believe, in my experience, the key things needed are:
Clarity and common understanding throughout the organisation, around the different risk types. There are two key risk types to consider. Firstly. Those that are non-negotiables (e.g. cyber, AML, ABC and other regulatory risks) that could impact the licence to operate. Therefore, those risks require black and white rules and standards that will need to be defined very clearly; risk and crisis response plans defined; communicated and trained throughout the organisation; and monitored/assured rigidly.
The second kind are those risks where you can make judgements around best course of responding to that risk (including taking greater risk for greater rewards). This will require common language and simplified methodology, processes, risk insights and risk reporting structure supported by technology. Broadly, I call all of these elements ‘methodology’.
Although there are of course different ways to do this, and to ensure fit for purpose risk framework for each organisation, I believe up to 80% of this is common across the board. The difference will be shaped largely by the organisation’s strategy and ‘risk appetite’.
Risk management is essentially a tool to enable management to make better decisions. This should not be forgotten when thinking about ‘risk management’. Without being driven by this, all too often risk management becomes a compliance process, and the value and effectiveness is lost. If you think about it, resilience and agility is all about making the right decisions at the right time.
As described above, you can put simple structures to aid in the decision-making. But, what will be critical is proper risk insights to enable better decision-making. What this means is providing management throughout the organisation with the right information and insights to make decisions on a day-to-day basis. This means spotting risk patterns in data from both internal and external sources. This includes obtaining, collating, analysing and presenting structured, unstructured and qualitative data.
From internal financial and operational data to external sources and indicators from social media. These data and insights should be linked to risks and set-up in a way that corresponds to the type of risk described above. And, in a way that the business understands and linked to the language/metrics that the business uses on a day to day basis.
So, clear understanding of the risks facing the organisation, the measures and insights needed, understanding of the data needed to support them, and then access to that data will be critical.
All too often, risk management (resilience) is seen as a risk management function’s responsibility. The reality could not be further from the truth.
Risk management should be the responsibility of everyone in the business and accountability sits with leadership/management. It is important that leaders and the organisation understand that they are responsible for understanding the risks, assess and manage the risks.
They should also understand that they are responsible for taking risks safely to maximise returns. As such, the paradigm needs to shift where everyone in the business seeks to understand what ‘risk’ means, those risks that they face in their day-to-day job, as well as emerging risks.
It is also crucial that everyone takes the right steps proactively to anticipate and manage risks. I find that regular, focused and purpose-led risk analysis and discussions lead to agile and effective risk-based decisions. To enable this, I would suggest that the Risk Management functions need to build business-relevant and pragmatic processes for risk discussions, identification, analysis, escalation, reporting and decision-making. I implemented a flexible ‘risk partnering’ model to enable this at Tesco. This means that we have slightly different approaches for different parts of the business to meet their different needs.
Alignment of 3-LOD
I think a key requirement is comprehensive alignment of the different lines of defence. All too often, different functions like compliance and risk functions operate independently. You may have a ‘ethics and compliance’ function looking at AML and ABC, and then someone else looking at Fraud, and someone else looking at Health and Safety, and someone else looking at financial controls etc.
Although that is not wrong, if they do not align, each function then propels their focus as the primary risk requiring management’s attention. This leads to confusion (and sometimes conflict) in the business about where they need to focus and not knowing priorities.
It becomes difficult for people in the business to differentiate the levels of care they may need to show. Or to make the right decision. And, in my experience, all too often there is compliance fatigue. As you can imagine, this is when most non-compliance and breaches in resilience materialise. There are way too many examples of this. It is critical that all functions work together to simplify the compliance requirements and to simplify the way in which the business is asked to respond.
Capability and Culture
Linked to risk awareness above, there needs to be, in my opinion, seismic shift in how everyone in the business approach risk management.
I believe there needs to be a shift away from risk reporting (to comply with year-end annual reporting) to thinking about risk as a component of the decision making on a day-to-day basis. This will require all of the above structures but also a risk management and compliance functions that have teams who look to support decision-making rather than merely doing compliance and simple risk reporting.
For those risks that could lose to loss of licence, that discretion will be minimal, but, it still requires the business to make a decision on its priorities to rate/rank those risks too.
What technologies should companies be relying on in order to drive risk resilience and agility?
This all depends on the needs. But, what I would focus on as a risk leader is to focus on what information (data) and insight will the business need? How can I obtain that? How can I make that available to the business in the most efficient, effective, and practical way? What technology/tools will I need for that?
If you don’t get the first three questions right and understood, it is easy for the technology “tail to wag the dog”. So, before talking about technology, I think the underlying needs and requirements are understood.