Interview: Poppy Fassos – Managing risk well demonstrates value

We speak with Poppy Fassos, Vice President Risk Management, Optus, about the underpinnings for enterprise risk management and the role of the risk team to build trust and value. Poppy will be part of the CRO panel discussion at the NSW Governance and Risk Management Forum on Tuesday 17 May.

Poppy Fassos, the Vice President Risk at Optus, was an Economist who came into risk management late in her career, when Alden Toves, the Group CRO at the Commonwealth Bank, offered her a role as his Chief Operating Officer. At the time she had been working in a number of strategy, marketing, and communications roles, having moved there from her role as an Economist in Global Markets investment banking. ‘Alden offered me the role because of the diversity in my career. At the time, the problem he had to solve was being able to communicate the importance of risk to the business, in a simple and effective way. He believed someone with my skills could be the much-needed conduit between the technical risk team and the rest of the business. For me, risk was an interesting area as it drew on my background in economics and capabilities of strategy and change.’

After 20 years in banking, Poppy took on a role leading the IT risk transformation program at nbn. It was after hearing about her work there that in 2020, Kelly Bayer Rosmarin, CEO of Optus, offered Poppy the opportunity to rethink Optus’ approach to risk management, to develop a risk discipline from the ground up, in a more pragmatic and fit-for-purpose manner. 

Having now worked in senior risk positions across telecommunications, financial services, and technology, Poppy reflects that there are some key underpinnings that hold true not only for modern enterprise risk management but for all the disciplines that make up the modern enterprise: People, Policies, Systems and Processes.

‘If you get these elements right and understand how they each support each other then you’re on the right track. The first element is People – this means having the right risk capability and the right risk-aware mindset in the business. Policies is about having the right risk framework, supporting guidelines, and governance in place and ensuring they are not overly complicated, but fit-for-purpose. It must be clear how all the component parts work together. You also need a Governance Risk and Compliance (GRC) system that meets the requirements of your business, depending on its level of maturity.’

The days of spreadsheets for tracking risks and issues should be well and truly behind us, Poppy says. Not only would that approach introduce further risk by managing activities in such a highly manual way, but it also does none of your people or your business any favours. ‘Being able to automate workflows, undertake data analysis for insights, means your people are working on the most valuable aspects of risk, that is, helping your business to evaluate a situation and make the right decisions. Equally essential is the need for well thought out, simple risk processes because this means there is consistency in the way we undertake risk management at a fundamental level, to ensure quality outcomes. The simpler the better too, as people will be more inclined to follow them if they are easily understood.’

The role and expectations of the risk manager have evolved, Poppy says, from what they were, say, 5 or 10 years ago. Risk managers are called on to have a much deeper understanding of their business and its strategy than ever before because people see them as trusted advisors and crucial contributors. This means that risk professionals should think more broadly and deeply across a variety of disciplines, which Poppy says is a very tricky skill to master. ‘At the Board level, the CRO and their risk team need to be able to demonstrate their knowledge of the business and how risks can impact the enterprise strategy. The expectation is they provide an objective perspective to management to help deliver the right outcomes. Boards are highly aware and engaged with the risk agenda and have moved beyond conversations regarding issue management. They see the role of risk as helping the business to navigate the ever-present uncertainties in a pragmatic way and achieve the organisation’s strategic objectives.’

The telecoms industry, in which Poppy now works, is part of national and global critical infrastructure. As a sector that is embedded throughout the fabric of our community and nation, the challenges are huge and the opportunities many. Recent global crises — climate, health, geopolitical, economic — have further accelerated the thinking around how telecoms can drive resilience and recovery while also strengthening community readiness and strategy against future crises. ‘The connectivity that our services provide has become critical to nearly all aspects of our lives. Resiliency and cyber security have been evolving for years, and every event advances learnings. We work closely with the Australian Government, academia, and other companies to ensure that, as a nation, we are aware of threats and using best practice risk mitigation.’

There has for many years now been a focus on digital transformation and the opportunities that it offers customer service and engagement. Equally, there are risks that the pervasive use of technology and the exponential growth of digitalisation bring. ‘Australians are early adopters; in fact, more than 86% of our customers choose digital options to engage with us, so we make sure that we provide options like chat bots, asynchronous messaging and our award-winning My Optus App that meets and exceeds their expectations. And whether it is study, work or play, connectivity and the infrastructure to support it must keep up and keep ahead. That requires investment and operational planning — all of which must be assessed for short and long-term risk through a consistent lens.’

Digitalisation is often talked about as an opportunity for bringing about greater access and opportunity and equity in our societies. But the recent global pandemic has exposed in many parts of the world a widening gap between haves and have nots, driven by whether they had the access and skill and economic ability to be connected or to remain connected. This is a risk that will continue to manifest. ‘I’d go one step further here: the recent pandemic — and resulting reliance on connectivity — has magnified the gaps we have right here in Australia. This is an area about which Optus is passionate, both through our advocacy programs, and in programs we have like Donate Your Data, which allows customers to donate their unused data to people who need it, such as under-privileged students.’

The need for organisations to integrate ESG into their enterprise risk management strategy has never been greater. ‘We look to embed ESG risk and opportunities into our enterprise risk strategy by understanding the threats these risks pose to the Optus strategy in the near and longer-terms. We work very closely with our Corporate Sustainability team on our sustainability strategy, which focuses on the areas where we can have the most significant impact for our customers and community, stakeholders, and our business. These focus areas are identified by undertaking a materiality assessment. And as we undertake our annual risk profiling exercise, these become an input into that so that we can cross validate and sense check.’

The Optus annual Sustainability Report uses the Business for Societal Impact or B4SI framework to measure and report on impact. B4SI measures sustainability against three routes of impact — community investment, business innovation for social impact and procurement for social impact. The 2025 goals are set against certain key focus areas that have been identified through their materiality assessment. These include digital enablement, sustainable innovation, the future of work, circular economy, climate action and equity and inclusion.

Reflecting on the top global and national risks that will impact governments, communities and businesses in the coming years, Poppy believes cyber security, environment and climate risks and geo-political risk are top of the pile. ‘The threats to cyber security, including nation state attacks that could threaten critical infrastructure, are increasing. And the requirements to protect our business and customers need to be leading, not lagging. When it comes to climate and environmental risks, the more immediate concerns are around business continuity and extreme weather conditions. There is also the urgency for being responsible about our own footprint because in the longer-term, there are opportunities here, for example operational efficiency and improved resource management through the increased availability of renewable energy.

‘Geo-political risk meanwhile has affected borders and impacted supply chains and vendor services. The pandemic really tested business continuity plans and redundancy capabilities, as everyone around the world was competing for the same resources at the same time.’

‘My philosophy is that risk needs to demonstrate how managing it well drives value and builds customer trust, the most important elements of business. Understanding the risks across an organisation’s value chain, end-to-end, means you are able to understand what needs to go right to deliver the right customer outcomes. This builds trust and lasting relationships with customers, and ultimately drives value to the business and its stakeholders. The discipline of risk management should not be complicated, but be used as an enabler for the business, like the way the finance discipline is essential to any organisation. Our role is to partner with the business to guide and advise it with some level of objectivity to help it be risk aware and make better informed decisions to deliver to our strategy.’

Material published in Governance Directions is copyright and may not be reproduced without permission.