Gareth Byatt

An interview with Byron Tidswell
General Manager Risk, Assurance and Audit at V/Line
(Melbourne, Australia)

Interviewed by: Gareth Byatt, IRM APAC Global Ambassador;
Principal Consultant, Risk Insight Consulting


Gareth: Byron,

Thank you for taking the time to talk to me about your role, where you see risk management heading, and how your membership of the IRM helps you with your work and professional career.

I’d like to start by asking a bit about your background and how long you have been a member of the IRM.


Byron: I have been a member of the IRM for around 8-9 years after I completed the International Certificate in Risk Management.

I have developed a portfolio risk management career which has largely centred around either building risk, compliance or assurance functions from scratch, or turning around underperforming functions into ones which add some sort of value to the customers of those functions – adding additional perspectives to their decisions, providing insights or comfort over performance, or providing platforms for decision making. Ultimately my objective is to help the Executive Team and Board make their business better through an engagement style that connects the dots and delivers opinion and recommendation on issues that matter most to them. And while there are always things that can be improved, I’ve done this reasonably successfully in retail, telecommunications, energy/utilities, financial services industries, along with some time in professional services, a technology start up and now in rail!

I have an information systems degree and post graduate qualifications in management and leadership (along with my IRM course) so I bring quite a commercial and strategic view to the table.


Gareth: How does being part of the IRM help you in what you do?

Byron: Being a member of the IRM brings some credibility to my professional story and experience. A lot of people “fall into” risk management roles and learn their trade on the job. And while there is nothing wrong with that, the modern-day risk management professional needs to have an education and membership in risk management that signposts them as being qualified – they understand the different perspectives, frameworks and capabilities of risk management and turn them into something that is very fit for purpose for their business. The IRM has done that for me.


Gareth: I’d like to move on to some questions about where you see risk management heading. What key things are you seeing as challenges and opportunities for Risk professionals today and in future?

Byron: I was pleased to talk about this in a bio/case study for the IRM recently. Thanks for raising it.

Two prominent challenges and opportunities come to mind. Firstly, staying relevant and engaging. Too often I see risk management professionals roll out the same approach and templates that they have always done since risk management became a profession. This approach is not usually effective. Most organisations and industries have evolved and innovated in the way they engage with their customers, their employees and their communities. The risk management profession, in my opinion, needs to keep evolving in turn and reflect on the way we support and engage our customers, so that we are not the last to know what the big issues are that Management are contemplating and/or the last to make it to the decision making table, well after the decision has been made. We have to develop an intimate knowledge of the business that we work in / for – its cycles, external environment and key decisions that lie ahead, and we need to understand what our “customers” want from us in terms of support and how they want us to shape and articulate information. There are a couple of crucial ways we can achieve this in my opinion – one is to provide opinion and recommendation to Management. There is no point just facilitating a process and providing information back to Management for their consideration – we need to tell them what it means and what they should do with it. This leads me to a related point, which is communicating to Management in the language of business and not in the language of risk. For us to be at the decision making table and called on to provide support, we’ve got to be known and recognised for being able to deliver value in a way that Management understand, not in a way that meets a particular standard or framework.

The second challenge we have in our profession is to keep forging forward even when Management does not always endorse or implement your advice or recommendations. We work really hard to present information in a way that is engaging and articulates issues in a commercial way, in the language of business (and not in the language of risk) and sometimes our recommendations won’t always be implemented. That’s OK and sometimes entirely appropriate. We have to reflect, celebrate and learn and not get too caught up in the disappointment. After all, we’re advisors to Management, we don’t run the business!


Gareth: Are there any particular elements of this that relate more to Asia-Pacific than other regions, or are all our challenges global in nature?

Byron: I think our challenges are more global in nature than being confined to the Asia-Pacific region. We’ve seen a fair few updates or revisions to the key corporate governance or risk management standards over the last year or so, either as final versions or for consultation – COSO’s ERM Framework and ISO 31000 in a global context, and more locally, in places including the UK, Australia and Singapore. If you work in financial services, you’ll have seen quite a lot of change. Recently in Australia, there is a fair amount of discussion regarding how effectively some of the rules and guidelines are actually working at the moment.

In my view, it boils down to one challenge and opportunity – which is to make sure your governance and risk management is fit for purpose for your organisation, and that it drives business performance and growth, and is not seen as the handbrake to happiness. At the same time, it must instil confidence in regulators and shareholders that you know what you’re doing. Carbon copy implementation of any of these standards from cover to cover is not really going to achieve this objective. This is a view that seems to come across quite strongly in many of the thought leadership publications at present from most parts of the world!


Gareth: One of the things I have been talking to people about recently is how Risk professionals need to be embedded into teams (projects, businesses, organisations), whilst not being “native”. That is, to ensure we help people whilst being objective and impartial. What’s your take on this?

Byron: A lot of people use the Three Lines of Defence model to describe what I call the risk operating model – where do your organisation’s risk management capabilities sit and how do we make sure it works? The concept of “being independent to Management” continues to surface – we can’t possibly own the risks – our role is just to facilitate or “challenge”.

In my view, it is this model and these attitudes that are part of the problem and part of the reason why some organisations, or some levels of Management, are not buying into the need for risk management to be a core part of their business. As a profession, we’re wanting and trying to be involved in the business, but appear to others like we don’t want to be accountable for anything – unfortunately, we can’t have both worlds. Most businesses are being continuously challenged by their customers, competitors and market environment locally and globally – they simply don’t have the time to wait for us to get ourselves sorted – so they move on with the best information they have at the time. We need to recognise and be in tune with this fact of modern business life.

For us to work more effectively with our business – regardless of whether it is a project team, or function within a business, or a whole of business function – we need to strip back the traditional-style risk operating model and start thinking differently about how we engage and interact. It’s a new “mindset”, if you like. We need to define who our customers are and what they need (hopefully, we understand this by asking them, not telling them). Once that is understood, we then deliver value with them – in a way that people understand and find tangible. Most people today understand who the decision makers are in their business, so we’re not really adding anything by saying to those people “we’re independent” or “we don’t own the risks”. We should be demonstrating options and solutions through our offering, which has to be more than just finding holes, or running a meeting and hoping someone finds the answer. If we succeed at this, we’ll be seen as a critical advisor to the business, and one who’s first called to the table – it’s not going to matter who we report to on an organisation chart.

The final point I’d say on this subject is that we should also be encouraging risk taking in a balanced and commercial fashion that is going to improve performance or generate growth. Too often, we’re advocating that all risks need to be in the green zone on the heat map, or reduce probability down to a one in several year event. You aren’t going to succeed if you don’t make mistakes from time to time, and learn from them. The same applies to risk – growth does not come by refusing to take risks. Our role must evolve to ensure the right risks are being taken, not to minimise every risk.


Gareth: I wondered what your views are on how easily Risk professionals can work across Asia-Pacific, including Australia. I’d be interested in your views on whether IRM membership can help people transfer internationally.

Byron: I think that once common risk management methods are recognised more broadly, in a similar context to say the Institute of Internal Auditors, there will be more potential for risk professionals to transfer from country to country. Part of this is for people to understand the international benefit of being an IRM member and the value that it can bring. If we decide strategically this is where we want to position the risk profession, we have a bit of work ahead of us – I reckon it’s worth the effort, but it will take some time.


Gareth: I’d like to finish by asking if you are following any particular thought leaders on risk management at the moment, whose work people reading this interview may find of interest.

Byron: Like many people in Australia, I’m following the work of the Financial Services Royal Commission and the various outcomes and discussions that are surfacing regarding the degree to which risk management and corporate governance has contributed to issues and problems which have surfaced through their investigations. There is a lot of speculation regarding the changes that lie ahead in this space, and some organisations are trying to get ahead of the curve by implementing their own improvements. An interim report is due in September 2018 and a final report is due early next year. The outcomes will be interesting to see.


Gareth: Thanks for your time, Byron.