NFR Summit 2023 Panel Session Summaries


How to organise a COO

Opening Address by Emily Shepperd, FCA:


The COO Community needs to build integral skills and personality traits. These may include openness and responsiveness to the workforce, keeping clients at the heart of everything they do and every decision they make, and using both soft and hard power to motivate workforces. A key trait required of the COO is agility: the ability to make changes and adapt when things do not work.

ESG is a key area in which the FCA are taking an interest. They are calling for more action and less talking, and they want the UK to be the first net zero aligned major financial centre in the world. ESG is good for people, good for the planet, and good for business, so fostering good ESG practices is a key responsibility of the COO as part of addressing Non-Financial Risks. As part of ESG there is an increasing need to build inclusion in workplaces, as many have now achieved a measure of diversity in their workforces. What matters now is translating that to inclusivity.

Upcoming regulator focus will be more on the supply chains and networks of firms, and the impact they have on ESG. Third parties and distributors need to be integrated closely with operations and in particular into the management of risks undertaken by organisations, as they are increasingly treated as one and the same.

The 2023 NFR Landscape

The Control Risks team discussed the top risks that COOs need to have on their radar for 2023 in the major risk categories. The most significant included the risk of escalating geopolitical tension between Russia and NATO, China and Taiwan, and China and the US; disruption in the global energy market caused by the Ukraine war and the consequences this may have on the use of energy by firms in the winter of 2023; and risks related to increased regulatory stringency implemented by governments that are feeling out how they will operate in the wake of their increased control and intervention during the Covid pandemic.

Cyberspace weaponisation occurred extensively in the opening of the Ukraine crisis, the effects of which are now being felt in the commercial sector with increasingly frequent and more serious ransomware attacks, particularly levelled against larger organisations.

Global digital architecture breakdown is another key element of Cyber risk. Accessing data and managing privacy is increasingly difficult across borders, and this is leading to the regionalisation of cyberspace.

“A very big thanks from me, as well. I thoroughly enjoyed the session and hope the audience got as much out of it as I did. Looking forward to keeping in touch until the next time.”

Charles Hecker, Partner, Global Issues Group, Control Risks


Geopolitical Contagion

It is key to focus in on what the true meanings and possible effects of risks are even when they appear obvious. War is a key geopolitical risk and yet it is vital to understand how it might specifically affect a firm’s operations environment. The pandemic and the Ukraine crisis have brought management of risk events to the fore as a concept.

The question organisations need to consider is ownership of Non-Financial Risk. While it is important for risk to be addressed by everyone it is key also to not let the management of risk be diluted too far through the firm. The Chief Risk Officer, in that case, needs to coordinate this internally, and make agile decisions that can be implemented early on from the top, to react to situations in a unique way.

Geopolitical risk preparation can be done by simulating crisis events, but there must be a balance between risk simulation and revenue generation, so as to avoid one side of the business fighting the other.

Non-Financial Risk Management 

Culture is absolutely key to the management of Non-Financial Risk, and fostering a culture within a company which encourages its employees to keep their minds on potential Non-Financial Risks is a major achievement. Good business culture means that Non-Financial Risk management will not be regarded as ‘outside’ the purview of particular employees. A culture of collective responsibility will prevent an atmosphere of ‘that’s not my job so I am not going to help manage it,’ which is a key barrier to combatting Non-Financial Risk. The focus should thus be on making employees genuinely care about the management of NFR.

The key to fostering this culture within a business is managing human capital effectively and sympathetically. This is not just the role of the HR department, but there is a need for the COO to take action as well to make the team feel safe, secure and able to engage in the business. The goal should be the creation of a virtual community, and making the best of office time.

Operational resilience is important in NFR management, and is what regulators are looking for within organisations, particularly in the wake of the pandemic. But if operational risks were being more effectively controlled through the fostering of risk conscious culture within organisations, there would be less need for the mindset surrounding operational resilience, and less need for such extensive controls within businesses.

New Working Patterns: Is anyone getting it right?

The interplay between policy and purpose is key, as is relating them to new ways of working that have been adopted since the pandemic. There are logistical concerns to begin with, as the number of desks and the availability of meeting rooms are limited. But there is also the question of the interplay of power between employers and employees: whether it is possible to insist on employees returning to the office, or whether it is better to encourage a return to partial in-person working by producing hybrid working guidelines.

It is important to foster positive working environments, and this can in some ways be facilitated by in-person working, as it is much easier to build trust between colleagues, and with clients, through face-to-face interaction. Employers can develop a sense of community; an enjoyable working environment, which is a natural consequence of better relationships with co-workers, drives business incentive and pushes employees to perform better. A sense of belonging and fulfilment is thus crucial.

In order to ascertain whether these measures are being implemented correctly it is vital to accurately measure the effects they have on the workplace environment. The collection of data about employee satisfaction is very important, and asking employees about their morale and experiences through various forms of data collection and especially through surveys can investigate the extent to which they feel empowered, productive and engaged. The degree of employee participation in such measures also acts as a barometer of overall employee engagement in the internal workplace culture.


Servant Leadership: Resilient teams for a turbulent world

Servant leadership is a growing concept at the moment, and involves taking a step back from an authoritarian style, while devoting time, effort and resources to understanding and meeting the needs of employees to function productively in their roles. This is particularly important in the current employment climate as talent is a commodity and is in short supply, with rates of attrition being high. The idea is to grow within an organisation a feeling of commitment by making employees feel worthwhile and valued in their roles.

The first step to this is clarity: employees must be given very clear instruction as to what is and isn’t their role, and how best they can perform their role so that they feel supported by their manager and capable of achieving their goals. It also helps to establish a sense of belonging, and this can be done by fostering good workplace relations, by engendering good communication through departments, and acknowledging the challenges and workload faced by individuals. Another aspect of leadership is the decisions surrounding levels of autonomy, for though the exact degree of autonomy given to employees is a matter of personal choice for the leader, it is nevertheless important to give full consideration to exactly how much autonomy will produce the most productive results for a given team. This necessitates the building of trust between managers and employees, and a sense of shared belonging.

The idea that autonomy is total and automatically deserved by employees is incorrect. They need to earn that trust from their manager, and that needs to run both ways: the employee must feel safe and secure enough to trust that they can make mistakes and their manager will respond in a constructive way, allowing them to develop and learn.

“I thought the quality of speakers and the panel discussion was excellent, so well done. Venue was excellent.”

Jason Hope, General Manager, Business Controls, Monitoring & Remediation, Westpac International Bank


Keynote Speech: The Human Dynamic

Culture and conduct are key to the world of business controls. The fundamental focus of business culture should be engagement, and encouraging inclusion is the key to that, making employees feel supported. Being able to see superiors in positions of power that look like you, and belong to the same groups as you, is a key factor in helping employees to feel like there is a future for them in an organisation. Building engaged workforces drives retention, and retention is the cheapest form of recruitment.

Firms should be horizon scanning and looking at potential future risks, being prepared to deal with them well before they happen. Firefighting problem areas that emerge rapidly, while not addressing the root cause of control failures, is a major possible weakness. Deep seated culture changes are needed within businesses to drive positive change.

Humanity is a key element to remember in leadership. Being a leader is about showing one’s humanity, and feeling ‘shame’ and other human emotions is a profound but integral part of leadership. It is important to recognise and address this in order to foster the opposite: pride. Aligning pride with purpose allows everyone to feel included in the conversation surrounding risk management, and in the workplace environment more generally. As the diversity within a business intensifies, the conversation becomes more versatile, and people’s willingness to make contributions increases as they feel more comfortable.


ESG: Social and Corporate Governance through a Non-Financial Risk Lens

ESG brings with it a focus on sustainability, which should be embedded at the heart of what an organisation does, and organisations need to establish what that means for each individual department, and amongst colleagues, in order to build a more sustainable workplace.

This is an important part of the purview of the COO, who is able to coordinate ESG measures across the organisation as a whole while maintaining a wider perspective, but will also be able to obtain and utilise extensive ESG related data. This is key to grounding any ESG measures, and particularly those relating to ‘S’, the social element, in facts, and ensuring their permeation right through the organisation. Often ESG programmes look impressive on an organisation’s website, and seem to be far reaching and extensive, but the reality of the experience of employees is very different. Microaggressions, like being spoken over or dismissed in meetings, are still prevalent, even in organisations which present themselves as shining proponents of ESG. Actions like these create a sense that employees are not included, which negatively impacts engagement in the business.

Measuring NFR from an ESG perspective is difficult and the metrics that financial services use are still evolving. Developing more effective measures to allow comparative analysis of ESG progress remains key to developing positive ESG initiatives.

Emerging Risk and Horizon Scanning

There is a distinction between horizon risks, those which remain in the future, and emerging risks, those which have begun to take effect. As your business model changes, there is a need to constantly review and update both the horizon and emerging risks. The individual outcome of each potential risk is not the key; instead, focus should be on objectivity.

When escalating risks, data, news and intelligence collection are all key. Focus shouldn’t just be on the delivery of new projects, but on the risks associated with them, which should be weighed and reported to the board. If projects are implemented successfully, there is a tendency not to reflect on what might have gone wrong and how the project’s delivery could have failed. Thus, reflection is a key element to a successful review.

Introversion is a danger in scanning for emerging risk, and many teams managing risks are not trained to look externally where risks can originate. An external perspective can provide a fresh insight and improve capacity to manage risk, especially when paired with extensively collected and collated data. As a discipline, Non-Financial Risk often lacks roots within hard data, usually because it represents only a small part of a parent organisation, which makes larger data sets from external sources all the more important.


Third Party Risk

When onboarding 3rd parties, banks need to ensure that their onboarding procedures and negotiations are very thorough. These are long term agreements constituting millions of pounds worth of capital transfer, and lasting multiple years, so the risks, and just as importantly the expected outcomes, must remain paramount during the negotiations. The end result of any such agreement should always be client satisfaction and this must be the perspective that firms champion. The terms of the relationship, and the expectations both sides have of each other throughout the agreement, must be very clearly decided upon.

The aims of the organisation and the vendor must be aligned, and the relationship must be profitable for both in order to ensure that both remain committed. The idea of considering vendors as ‘them and us’ isn’t constructive, and if there are major faults or crises where client services aren’t delivered, it will be to the parent firm and not the 3rd party that the news reports and the clients will turn for answers. Fostering a good relationship with 3rd parties can have the opposite effect, as they will do more and go further to support organisations in a crisis.

Risk management is becoming increasingly focused on third parties and suppliers, and firms need to hold their vendors to the same standards as themselves when it comes to the regulator, to better manage the risks. The whole supply chain must communicate well, and must keep the desired outcomes in mind as fully as possible.


3LOD: A journey not a destination

The idea of 3 lines of defence grew from a paper, the concept being picked up on by regulators in 2013, who viewed it as having enormous potential value in the controls sphere. The model acts as a lens through which to view your risk framework, and should be treated as such, more like a concept than a tangible system.

It is key to heavily incorporate people and culture into the 3 LOD, allowing it to function harmoniously. Defining each individual control is important as a way of managing the controls team, who need clear and concise direction as to what their role is and exactly how to execute it.

Banks have come from an environment where there was limited trust and have spent years building that trust up. Culture is the ‘unwritten control’ and does not form part of any defined system, but it is key for employees and firms to know right from wrong. Developments in culture have put banks on a much more positive footing now in comparison with even 5 years ago. Positive culture also helps avoid duplication across the different lines of defence, as it allows people to feel empowered enough to speak out and make it clear that a particular angle has already been covered, so there is no need to do so again.

The ROI of Culture and Purpose

Culture and purpose within businesses are clear objectives of the regulators, but these concepts can easily be shelved when firms are under pressure or major stress. Building inclusive culture where everyone feels comfortable enough to speak up is key, but to do so people in positions of power, like COOs, may have to put themselves in uncomfortable positions to allow others to make themselves heard.

If business culture is not managed, employees can coagulate into groupings that shut out diverse opinions and encourage group mentality, which can lead to a lack of psychological safety for individuals and to uncomfortable working environments, with microaggressions becoming the daily reality for workers outside the core groups. It is important to develop leaders to be good role models, and train staff to be able to challenge poor conduct professionally and encourage them to feel secure enough to do so.

Purpose needs to run right through the business, and to form part of the culture. Firms need to develop their employees to achieve this: they need to help them understand what their personal purpose is, what the organisation’s purpose is, and how the two can be aligned so that an individual is striving for the success of the organisation. Purpose must sit at the heart of major business decisions, and guide corporate policy, to achieve that.


Debate: Controls v Purpose

In an interactive debate session with 2 debating teams, 3 judges and the audience, Purpose won the day 52% to 48%.

“Thank you very much for hosting this. I had a really enjoyable time and was delighted that my concerns about the timing of the debate were clearly ill-founded, as it seemed to go swimmingly with great engagement from everyone. Very best wishes, Toby.”

Toby Billington, Managing Director, ICG Risk & Controls, Citi
