Risk is similar to strategy in that it requires a big picture, whole-of-company view.
Joanna Knox, the chief risk officer for Telstra, does not have the traditional background of a risk manager. Dr Knox started her career as a physiotherapist and went on to do a PhD on how pain affects motor control. She also spent time as a lecturer of neuro-anatomy at the University of Queensland.
‘My move into the business world came via an opportunity at management consulting firm Bain & Company, which I saw as a way to learn a whole new skill set.’ That opportunity would lead Dr Knox to spend over ten years at Bain, before making her way to Telstra. ‘I had a passion for customer strategy, and did a lot of work in telecommunications. Once I decided to move out of consulting, Telstra was the obvious choice.’
Dr Knox’s first role at Telstra was Head of Strategy for New Businesses, focusing on incubating growth opportunities. A year later, she took up an opportunity to pivot into risk — a logical shift in her mind. ‘Risk is similar to strategy in that it requires a big picture, whole-of-company view. In simple terms, business is all about opportunity and risk. I had already developed deep experience in the opportunity side, and the CRO role allowed me to build out another side of my skill set.’
The opportunity coincided with Telstra setting out on a major multi-year transformation. Telstra’s transformation imperative is all about improving customer experiences and radically simplifying the business. ‘It’s about eliminating pain points and making our products easier to use and understand, supported by changing and simplifying how we work so that we are not creating complexities through our own activities’.
Given the timing of this strategic transformation, Dr Knox was a natural fit for the CRO role. ‘I think I was an appealing candidate because I think differently to a traditional risk person. I could see how risk could become a strategic enabler for us, to get better outcomes for customers, staff, and shareholders. I brought some non-traditional techniques to the table, to improve our risk management’.
It was the current CEO, Andrew Penn, who, on joining Telstra as CFO and drawing on his prior experience in financial services, separated the enterprise risk function from Internal Audit to create a three lines of defence model. ‘My predecessor did a huge amount of work to set up the capabilities to manage risk in a way that reflects the nature and scale of Telstra’s operations. The creation of the CRO role also enabled risk to be a respected voice at the table.’
What else has driven the traction and the profile of risk within Telstra? Dr Knox credits a wider shift in the external environment: ‘Things like the Hayne royal commission and the focus on corporate governance, risk culture, and ethical decision-making. It’s an exciting time to be in risk because it’s got everyone’s attention’.
Reflecting on where Telstra is right now in its risk maturity, Dr Knox spoke about the positive changes she is proud to have played a part in implementing, as well as the path forward.
‘One of my early priorities was to focus on getting the right set of top risks. Going into our transformation, it was critical that our top risks had the right strategic focus. At the same time, we decided to try a different approach to risk appetite. Our business is hugely diverse, and our willingness to accept risks is dependent on the circumstances and trade-offs. There’s no value in articulating risk appetite unless it is real, specific, and actionable so that it helps to make decisions.’
What is different about our risk appetite framework is that it is underpinned by a very data-driven approach. ‘Each of the risks has a number of metrics, and thresholds to know where we’re at versus where we’d like to be — for example, a risk relating to talent and capability, we’re always going to have natural attrition, and it may impact key capability areas. We pushed to get to a position where we could objectively monitor the point at which we are inside, versus approaching, outside appetite. What percentage of critical roles need clear and immediate successors? What percentage of key capability areas have vacant roles? The key ‘so what’ of these metrics and indicators was then written into an overall statement, which is easier for internal stakeholders and the Board to engage on.’
The risk team at Telstra are now partway through a process with the Board to further enhance how they set and engage on risk appetite. ‘We believe that the most important part of setting risk appetite is the dialogue between board and senior management on what we are willing, or not willing, to accept. If we can set those guardrails in a way that we are agreed on, and can monitor, then the Board can be confident that we’re operating and making decisions within the risk appetite that we have agreed.’
For each of the top risks, the risk team is taking the board and senior management through a set of surveys to understand their individual perspectives on how much risk Telstra should be willing to accept, and in what circumstances it should be more willing to accept it. The risk team and risk owners then conduct sessions with the board and management team to discuss and understand the divergent views, and settle on a collective position.
‘It was interesting to run the surveys with the board and management, because we were asking them to make trade-offs from a set of risky options. Although it was conceptual, it got everyone in a mindset that allowed them to think about risk and risk appetite differently. The results from the survey were fascinating — we were very aligned on some topics and had much broader perspectives on others. It is a mechanism to identify divergent perspectives, so that we can get to the bottom of why, avoiding the bias that ‘groupthink’ can introduce.’
Broadly, Dr Knox has also maintained a continued focus on clear risk accountability. ‘At an organisation like Telstra, it’s so important to be clear on who is responsible for managing what so things don’t fall through the cracks. One of the things the chair of the Audit & Risk Committee impressed on me from day one, is that the first line risk owners are the most important part of the three lines of defence. I find myself constantly reminding my peers and stakeholders that I don’t own or manage any risks — our role in the ‘risk team’ is to help everyone at Telstra to get better at managing their risks. A key element of success on this priority has been the efforts of the risk teams across Telstra to reinforce this message day to day.’
Dr Knox reinforced that Telstra’s transformation is a key enabler that has allowed her to enhance risk effectiveness. The change in the way Telstra works as an organisation and the shift to new ways of working, including agile, have had a big impact on risk culture. ‘It forces us to flag and escalate issues early, and to be really clear about roadblocks. It leads to more dynamic reporting and collaboration. All of those things drive more effective risk management.’