Profile: Grant Whitehorn, director of ERM, Department of Defence
It’s fair to say the Department of Defence operates in exceptionally risky conditions. Stuart Fagg spoke to the man responsible for keeping its civilian and military risks in check, Grant Whitehorn, director of ERM
Describe your role
As director of enterprise risk management (pseudo-chief risk officer) for the Department of Defence, I have responsibility for implementing an enterprise risk management (ERM) framework across the organisation, encompassing the full spectrum of civilian and military risks. This also includes the ERM policy and guidelines; being the technical training authority for risk management in Defence; responsibility for the coordination of risk management education and training across Defence; responsibility for the ongoing management of the ERM framework; responsibility for the provision and maintenance of ERM framework products and services; the provision of risk management advice to risk managers, risk specialists, senior executives, the Secretary and Chief of the Defence Force (CDF); and for providing regular reports to the Defence committee and Defence audit committee on the status of ERM across the entire organisation.
I also chair the Defence Risk Management Working Group, which is comprised of senior risk professionals responsible for specialist areas of risk management, such as navy, army, air force, projects, finance, procurement, logistics, personnel, ICT, audit, reputation, business continuity and insurance. As director, ERM, I also represent Defence on the Standards Australia Committee responsible for the 4360:2004 – the Australian and New Zealand risk management standard. I somehow also manage to fit in the role of national president for the RMIA – a voluntary role which I really enjoy.
How does your role fit into the overall structure of the Department of Defence?
I report to the chief finance officer who reports to the Secretary and CDF. The Secretary and CDF then directly report to the Minister for Defence. The chief finance officer is the executive risk champion for Defence and takes my work very seriously, as he can appreciate the positive changes it will bring to the organisation.
What element of your role do you find most challenging?
Staying abreast of the myriad issues that Defence faces on a daily basis is a constant challenge. Every day is different. One day I might be dealing with scoping IT requirements for the Defence risk management information system and the next might be conducting a risk assessment for liability issues regarding submarine rescue. This is what makes the job so interesting. Another key challenge is the integration of risk management processes to bring conformity to our reporting regime. The major challenge here is convincing and negotiating with the broad range of stakeholders that manage their own risk management processes and systems. But being a networker I just love this aspect of the role. If I achieve my objectives in this role I think I could just about take on any other risk management challenge/role that is offered to me.
How did you begin your career in risk management?
I never realised it in the early days but I’ve always really been a risk manager – in fact we all manage risk intuitively every day. However, it all started back in 1999 when I was working as a private investigator and was engaged to conduct a physical security risk assessment for a large utility company. That was really my first formal risk management role. I then worked for Centrelink as their national risk management training and marketing coordinator. I also facilitated risk assessment workshops and provided internal risk consulting services to Centrelink executives, managers and staff. I was then promoted to assistant director risk management and security with the then Department of Employment and Workplace Relations. After DEWR I joined the Department of Industry, Tourism and Resources in the capacity of assistant national manager risk evaluation and compliance. After about 18 months there I was asked to work for Airservices Australia as a senior risk analyst in their corporate treasury group. Airservices embarked on a restructure and so I sought other opportunities – that’s what landed me my current role as director, ERM, for Defence.
What have been the biggest recent developments in risk management?
The acknowledgement of risk management as a discipline in its own right. The understanding of the industry and broader business sector that risk management is very different to compliance. Essentially, compliance is only a licence to operate whereas risk is all about growth and realising opportunities to take your business forward. The emergence of the chief risk officer role and its prominence in the ‘C’ suite is also key, as is the alignment of risk management with corporate governance and strategic planning and linking that back to your budget.
What do you see as the major challenges ahead for risk professionals?
Maintaining a focus on business performance improvement and innovation using effective change management techniques that are customised towards the culture of your respective organisation – having a lasting positive impact on the culture of your organisation will be the key to a risk professional’s success. The development of ISO 31000 – the new international risk management standard, which is due to be released in early 2009. Risk professionals will need to decide what standards they base their ERM programs on and how this impacts on their processes and reporting structures. Embedding risk management into existing business systems and practices, rather than creating an add-on process. Effective ERM will only be truly realised in an organisation that implements seamless risk management as part of its core business processes and systems. That’s why I don’t really put much emphasis on risk management plans. They normally become ‘shelfware’ anyway. The trick is to integrate risk management as part of your business plan, project plan, IT system, etc. People I’ve worked with to implement this find this method far more effective than a stand-alone risk management plan.
What would your advice be to someone starting out in risk management?
Make sure you have a sound understanding of how business works and learn as much as you can about corporate governance and the organisation you work for. Be mindful to balance the hard skills versus the soft skills. By this I mean, like any other profession, you can have all the technical risk management skills in the world, but unless you balance these with effective communication, negotiation and influencing skills you’ll never achieve anything. Any decent risk professional will tell you this. Change management abilities and sound political management skills are essential if you want to be an effective risk manager.
What do you see as the key future trends in risk management in Australia?
The appointment of more chief risk officers as companies realise the importance of the role and the value it can bring to an organisation. More of a focus on ERM and performance management systems to measure the effectiveness of ERM programs with regards to budget, strategy, human capital, reputation, sustainability, productivity and other areas of corporate performance. In other words: how do we know our ERM program is making a positive contribution to the organisation, adding shareholder value and improving customer service and decision-making to maximise business outcomes? It’s all about providing assurance to the board and senior executives that your risks are being effectively controlled and that the business is maximising the achievement of its objectives through a robust ERM framework … People join a winning team, not a sinking ship.
Grant Whitehorn is director, enterprise risk management at the Department of Defence and president of the Risk Management Institution of Australasia