An Interview with Byron Tidswell, General Manager Risk, Assurance and Audit at V/Line (Melbourne, Australia)

Interviewed by: Gareth Byatt, IRM APAC Global Ambassador; Principal Consultant, Risk Insight Consulting

Gareth: Byron, thank you for making the time to talk with me about “where should risk management can and should be heading”.

I’m keen hear what you think about whether risk management is adding enough value in the modern business world, and is the “traditional way of approaching risk management” still relevant, or is it time that we changed it to do something different.

Business is changing at a rapid pace today. I can appreciate that in an organisation like V/Line you have many, constantly moving and changing parts. What do you think this pace of change means for people who work as risk practitioners? Are we agile enough to change? Are we helping our businesses to achieve effective change? Are we integrated enough with the people who manage operations in the businesses we work for?

When we caught up in December, I remember you pointing out that as a profession, we have to stay relevant and engaging, and not simply roll out the same approach and templates that we have always done.

Byron: Yes, that is still “my line”. Businesses, regardless of their industry, size or type (private or public) are facing more change than probably ever before – as just a few examples, consider industry expansion (or contraction, as some predict) within superannuation, increasing competition and disruption from new players in the payments industry, and in general, customers being better connected to information and being on a constant hunt for better products and services which may not be based in their home country. Businesses need to be able to identify the trends that matter, and respond much faster than before in order to stay competitive and, ultimately, viable and sustainable. From a risk practitioner’s perspective, their business’ risk profile is really changing fast and becoming much more dynamic – it’s no longer acceptable to prepare and review a “risk register” once a year and be done with it.

Risk Management has to be aimed at driving business performance and growth and being able to help the C-Suite and Board (if they exist) navigate successfully through its competitive landscape and maximise opportunities that present themselves. This means the risk register, or risk profile as I like to describe it, must be a dynamic tool that drives this conversation – the risk professional needs to be on the “top deck” helping to identify how their business can respond to and improve the performance and growth.


Gareth: Thanks for this, Byron. In December we talked about how a key challenge and opportunity is to make sure the governance and risk management in an organisation is fit for purpose, and that it drives performance and growth. How do you think risk professionals should be approaching this?

Byron: As brutal as it sounds, I think it is a case of “out with the old and in with the new.” The risk management processes and thinking that has got us to this point will not work going forward. The risk assessment processes quoted in industry standards, the composition and use of the risk register and even the risk function’s role in the three lines of defence model (policies, procedures and challenge management) is no longer enough. It’s not commercial, it’s not dynamic and it slows down decision-making to the point where it becomes a “handbrake to success”.

I think that we need to be positioning and marketing risk as a capability that drives performance and growth, and build “a risk operating model” to achieve that.

The risk profile, capturing in strategic and commercial terms what we must get right as business and the impacts if we don’t, is the starting point for the conversation at C-Suite and Board, in my view. Then comes the opinion and recommendation from the Risk Function on what needs to change – simplifying the business from a process, product and technology perspective and growing the business by taking more risk from a products, market, and workforce perspective. The audit capability (which also needs to change) then comes in and provides an ongoing view on whether these changes are working.

In this model, the skills and mindset of the risk practitioner must change – from being about protecting the business from every single event and complying with standards in the hope that a shiny piece of paper saying we’re accredited to a standard will make all the difference, to being growth-focused and having a deep and valuable commercial and business acumen – which engages the business in real terms, not in risk theory. They also need to roll up their sleeves and drive the process and prepare the materials for discussion, not send out templates and mark their stakeholder’s homework!


Gareth: You raise some really interesting points here, Byron. To continue on this theme, what role do you think technology has, in various forms, to the risk professional of today and tomorrow? Will it be an influential enabler to help people take and manage risk in the next five to ten years, and what does this mean for our profession if so?

Byron: Technology is an interesting point. On social media, on any given day, we see someone pushing out a new product – whether it is an integrated solution for GRC or some data mining and analytics software. When I started my career as a graduate business analyst in the early 2000’s, I was taught how you use technology to help solve business problems. Define the business problem first, then articulate the new vision from a process and operating model perspective second, then see if and how technology can support that change. It may not, but often it could. In most cases that approach really worked. These days it seems that, before we even think about operating models for risk, we’re buying some really expensive system driven by workflows only to wonder why, after 12 months, the data doesn’t seem to tell us anything!

In my view, risk software can be useful in generating internal efficiencies within the risk function. It can generate some information faster, and more accurately, but it won’t drive risk management because what drives risk management is people’s thinking and decision-making – connecting the dots. Software cannot do this. It might be able to identify and predict trends using loss data or performance data, but the “so what factor” that people bring to the table still needs to be connected.

And, if I may also say, what you can find with software you buy is that, when the direction of the business changes, an expensive invoice comes from the software vendor for customisation or change because it doesn’t fit what you really need. Faced with a choice of making our process fit the system or modifying the system, we may have to “down tools” and spend time making the software relevant. Meantime, the business continues – and also continues to change to stay ahead and seize the opportunities that present themselves.

So, aside from efficiency gains, I’m not convinced that most “risk technology” really adds anything of value.


Gareth: Thanks for this clarification. What about certification and training in risk management – does it need to change to keep up with where things need to head?

Byron: Keep teaching the basics but emphasise it’s the application from a commercial and practical context that will win the day, not the theory alone. I think that, in this area, more could be done in the way of offering alterative approaches to presenting risk information for decision-making.


Gareth: What role do international risk standards and industry standards have to play now and in future, do you think? We touched upon them the last time we caught up.

Byron: I’m not sure they’re really relevant today, because every business is different and needs a risk capability that meets their needs. A standard is a standard by definition, and therefore it won’t work if implemented cover to cover.

If we look at some of the major issues uncovered in Financial Services (in Australia) over the last 12 months, I dare say some of the issues within risk management was not because of the degree to which industry standards were implemented, but because of other issues.


Gareth: Are we, as a risk profession, collaborating enough around the world? If not, how do you think we can, and should, do more to improve our collaboration and knowledge sharing?

Byron: More roundtable conversations or skype calls focusing on a specific topic or issue might be the way to go. The challenge, of course, is always time to do so.


Gareth: Thanks for these insights, Byron. Let’s check in this time next year to see how things are moving forward!

I’d like to finish by asking whether you are currently reading, and / or finding anything in particular of interest in the world of risk management.

Byron: I’m in the process of taking V/Line’s risk operating model now to the next level, now that our strategy for the first two years has largely been successful in delivering change. I’m reading a bit on decision-making that McKinsey has produced recently. I’m also exploring some books on organisational structure and business transformation. So, less on risk and more on some wider topics!


Gareth: Thank you for your time, Byron. Good to catch up with you, as always.

Byron: Please Gareth, always a pleasure.