Zurich’s general counsel & head of corporate governance Cathy Manolios explains why an increased focus on risk management is creating new GRC roles, and reveals how to communicate the risk message to employees.
Which areas does your department cover?
Legal, compliance, risk management, company secretarial, regulatory affairs, records management.
Who reports to you?
The head of risk management, head of compliance, three senior legal counsels and the head of governance.
How do you divide your time between all these functions?
It is true that different functions demand different parts of my time. At the moment, the risk management area is getting a huge amount of focus as we move towards our implementation of the new capital reforms.
And, in fact, bringing James on board [James Myerscough, head of risk management] is recognition that risk management is becoming so significant. And if we want to really make strides in terms of ensuring that we really embed risk management, then we need a dedicated resource within my team.
Are the new reforms the main issue you’re facing at the moment?
Yes. But even before we began the capital reform project, we had been working on a ‘risk embedding’ project. The aim of this is to make risk management front of mind for all our staff. It included a variety of activities, including posters and competitions.
We also put the top 200 through quite an intensive training program, at which time they were given risk tools to use when making decisions. Interestingly, what we found is that – having provided that training – people did take it on board, and this department was getting more and more requests to come and assist with risk assessments etc.
It was clear that the more we got out there and talked to the business about the importance of risk-based decisions, the more demand there was for our services. And we realised we needed a leader that could devote themselves 100% to managing the risk team.
Previously we had a combined head of risk management and compliance role; both of those areas are just getting too big. The volume of legislative change – both within Australia and from overseas – is too big for one person.
APRA has been critical of risk management within insurance; what’s your reaction?
I think APRA was of the view that a lot of insurers had in place nice documents, but not much was done with them. Which is why, as part of the new capital reform, APRA talked about the use test: it’s all well and good to have risk management documents and tools, but they have to be used or embedded.
What are the main operational risk issues that you face?
One of our big focuses at the moment is on the control framework. We’re in challenging economic times; the whole industry is under great cost pressure. As companies become more cost focused and staff numbers decrease, there’s a possibility that people will take their eye off the control ball. So, one particular challenge that I’ve set for myself is to ensure that doesn’t happen at Zurich.
Last year we had a program to raise awareness of risk management. This year we have designed a big program to remind our managers that maintenance of controls, and adherence to controls, are an important part of their job.
Knowing what your controls are and whether they are working well is key to risk management. When we do our risk assessment work, we ask the business to assess how well each risk is managed and controlled. And the last thing we want is for someone to say we have got an effectively designed control, and an effectively implemented control, when that’s not right. So, if they give us wrong answers to control questions, that risk may not be being managed as well as it should be.
Is it a big issue getting the risk message right through the organisation?
Yes. A key part of our program is to help staff understand that the jobs they do are critical to supporting the control framework and therefore keeping risks at bay.
Is there a resistance from salespeople to risk management paperwork?
I think that culturally they’re pretty good, but we are very conscious of making our messages meaningful to all staff.
In a meeting we had with Daniel Fogarty, the new CEO of Zurich’s general insurance business, he said that we need to make our communications more engaging so that people do see ‘what’s in it for me’. For us, that means articulating why the risk processes enhance decision making and why that leads to better relationships with customers and advisors and a stronger company.
So we’re very focused on making people see why it’s important. And in fact James is very good at that. He is currently working one-on-one with the senior managers to help them understand how decisions they make may have capital impacts. And he is also working with marketing to understand how we can get those messages to resonate with the more junior staff.
How is the task of getting the risk message up to the board and C-suite going?
We have an extremely engaged board. Certainly in terms of capital reform, in the last six months we’ve had three or four lengthy workshops with them, and we have monthly workshops scheduled with them for the rest of the year.
APRA and Ian Laughlin have done a very good job of making boards and senior management across the industry realise that they own capital management. We already had a very engaged board, but APRA’s work in getting the message across has been very useful.
What lessons can you offer to our readers in terms of communicating the risk management message to employees?
Last year’s risk management campaign was launched (without prior announcement) with a desk drop flyer reminding everyone that ‘we are all risk managers’. And on the back of that flyer was a short statement about what that means to me: I’m a risk manager because I make decisions that may affect Zurich’s risk profile, or because I own controls that protect the company. The flyers were written in a way that was friendly and engaging and we’re confident it was quite effective.
Everyone in the company was then offered the opportunity to win a prize: they had to go onto the intranet and read a page of key messages and answer a few questions.
We kept the messages really simple. These messages were incorporated into posters which now sit throughout the business. And we just rotate the posters from time to time.
We’ve also included in each meeting room a poster which sets out key decision-making principles. We’re trying to immerse people in these reminders, so they can’t escape the risk management message. And then for the top 200 there were quite formal training programs, where they were given more detailed tools and checklists.
We’ve also redesigned board papers, so anyone who presents to the board completes a section on risk. And we’re in the process of developing another document which helps businesses conduct their own risk assessments. With our team of six we don’t have the ability to conduct risk assessments every day, so we train people on how to do that themselves.
What are the other key challenges of your role?
Capturing what’s going on in the company is something that I continue to focus on. The reason I think having the governance functions sit together and work together [is a good thing] is because they can leverage off each other’s tools, knowledge bases and relationships. And that works very well for us.
The compliance department has an incidents database in which we record compliance breaches – breaches of law. It’s quite a sophisticated home-grown system: we can print off reports and look for trends, etc.
That incident database – although initially designed for compliance – is now being used to capture other types of mishaps, breaches of authority, etc. And it’s used by the risk management department to monitor controls – as in ‘are the controls still working?’ But it’s not being used comprehensively to capture all risk incidents that occur. So my goal is that by the end of this year we will open the database up so it can start capturing all incidents in one place – whether it be a compliance issue, some sort of general control breakdown or an emerging risk – so we get a single view of the whole company.
So part of my challenge for the rest of this year – and part of James’ challenge – is to educate the business on the need to actually record the near misses: the incidents that aren’t breaches, but that we should keep an eye on.
We are also streamlining the reporting that we do. Currently I think we’re pretty good at making sure that everything that needs to be reported to the Board is reported, but it’s reported in multiple reports: we submit a compliance report, a risk management activity report, a risk landscape report… all issues get reported separately.
So there’s no lack of reporting, but it’s hard for the senior management teams and the board to quickly see what these reports collectively are telling them. So what we’ve moved towards is a single, over-arching report, which captures key themes, trends and developments. We’re calling it our dashboard report. It’s two pages, and is designed to be a ‘one stop shop’ report.