Speech to the Association for Women in Insurance Conference
11 October 2013
Michael Pezzullo
Chief Executive Officer, Australian Customs and Border Protection Service
E&OE
Thank you for that kind introduction and for the opportunity to talk with you all. Today I would like to discuss the Australian Customs and Border Protection Service approach to risk and governance, how our risk environment has changed and what we are doing to prepare our organisation and our people for a future border landscape that is particularly challenging.
As Australia's primary border agency we must ensure we are honestly evaluating the risk to both our organisation and to the border as we play a critical role in ensuring the protection and prosperity for our nation.
We have a long and proud history protecting the border and serving the community, having existed in various guises since Federation, when the Department of Trade and Customs was established in 1901.
In the near future our border systems will need to cope with an unprecedented increase in air cargo volumes as well as very significant growth in containerised sea cargo, international mail, and the number of international travellers.
By 2017, we are facing an 85 per cent increase in air cargo, a 20 per cent increase in containerised sea cargo and a 25 per cent increase in international traveller numbers.
This growth in volumes and the increasing complexity of supply chains and travel routes makes the task of assessing threats and risks at the border more challenging. We increasingly use advanced analytical techniques and tools that allow us to focus on high-risk people, goods and environments, but this requires us to work ahead of the border to identify, deter and where possible mitigate those risks. This approach allows us to make informed decisions to reprioritise resources without materially affecting our control of those risks.
Given the future challenges I have just described, risk strategies and sophisticated intelligence will be integral in deterring those that seek to circumvent our controls.
A little over a year ago I was asked to take on the role of Acting CEO. At this time I had been in the organisation for some years and I took the opportunity to consider where the Australian Customs and Border Protection Service was situated in terms of our capability, leadership and culture.
I took the view that for whoever was to be appointed to the role of CEO, there was an opportunity, and indeed an imperative, to internally investigate and consider the organisation from a due diligence perspective.
In my view, and that of others who provided me with wisdom at that time, there was a silence around how the Service made decisions. I naturally asked how could I be assured that those decisions and subsequent resource allocation were correct and appropriate.
This view has been reinforced by the recent Australian Public Service Commission Capability Review into our Service which outlined, “the business model is vulnerable in that organisational design, strategic planning, information and risk management, human resource policies and procedures, intelligence capability and enabling IT have not kept pace with the agency's changing and challenging environment."
I felt at the time that we lacked a strong framework of corporate governance and importantly, we did not understand what underpinned our business decisions and how our culture was driving decision making.
So in applying a due diligence lens, and investigating the broad issues around corporate governance, I cast my mind to the areas of culture and leadership, to our internal governance structures and the mechanisms that support them.
I contemplated our approach to strategy and planning, our internal control frameworks and business model, and lastly, how we engage and manage our stakeholders, both within government and with industry. I will touch upon each of these key elements of governance throughout this discussion.
What I uncovered, as I worked my way through this process of study and reflection, was some very disconcerting gaps around leadership and capability, and at the same time, some uplifting and inspiring examples of innovation and professionalism. To be frank, a pretty big set of issues to be faced with.
This view was reaffirmed by the Capability Review which noted that we had inconsistent leadership strength across the Service and stated that “there is evidence of motivational leadership at various levels, some leaders seem to depend largely on a bureaucratic, impersonal and/or technical style and some seem to lack the leadership skills needed for an operational organisation."
I want to outline what I learned and how I am now, no longer acting but with the honour of being Chief Executive Officer and as responsible for the enterprise, putting into place some of the lessons I have learned over the last year.
Before I do so however, I want to take this opportunity to note that I see corporate governance as integral to an organisation and its culture. Not in the dry sense of compliance requirements, or checklists and 'administrivial' requirements, but in the very real and animated sense of how can we live better practice as an organisation. How can we leverage and embed that governance as 'the right way of doing things' is as much an individual integrity issue as it is at the broader organisational sense.
To give weight to this belief, I have recently established a new division within the Service, the Integrity, Security and Assurance Division, and appointed a new Chief Risk Officer to head up that division. Jan Dorrington, my CRO, is an experienced and high-ranking member of the Service and a permanent member of my senior executive team.
In meeting with Jan, and her senior officers recently, I said that I view the governance, risk and assurance functions as the conscience of the organisation. A function explicitly created to challenge, to test and interrogate not only how we do business, but why we do things the way we do. This 'why' question should be the question no officer should be afraid to ask, our officers need to feel empowered to ask the risk question – we do it every day in our intelligence risk assessment at the border, but not I daresay, in the corporate governance side of our work.
In part, this new division is an outcome of my internal reflection on the broad issues around governance generally, and a realisation that structural change was a necessary precursor to cultural change – at least in terms of empowering an area of the Service to, as Jan so pithily put it, 'get all in the face' of established tradition and unquestioned practice.
I will go to some specifics shortly, but one other key driver informed my approach to revitalising diligence and governance, and that was the spectre of imminent corporate reputational catastrophe caused by the corruption and integrity issues facing us as an organisation. I refer of course to the instances of alleged corruption at Sydney Airport which is an indictment on the good name of this Service. Moreover it is a blemish on the otherwise excellent work of the officers of this Service – the overwhelming majority of whom are honest, hardworking, diligent officers.
The Service was part of the joint operation which led to these arrests, but I needed to understand what the governance and leadership failings were which had placed us in such a state. No one sets out to be corrupt. No organisation plots a course toward scandal. So what went wrong, what did we lack, and most importantly, how could we turn the tide and develop an approach to addressing, rectifying and at one level, curing our organisational malaise.
So what did my due diligence uncover? Well, some very positive findings that I am proud to share. I am of the view that the Australian Customs and Border Protection Service is staffed by intelligent, hard-working and can-do officers. We are superb tactical issues-managers as a whole. We have a wealth of understanding around the transactional functions embedded within border management, a complex and at times bewildering environment as we cater for the regulatory requirements of 40 odd other Commonwealth entities, all with quite different views on what should be regulated, complied with and controlled at the border.
We have a strong and genuine team-based culture and my officers in general demonstrate high levels of organisational commitment and motivation. We are responsive and agile, able to rapidly adjust to the demands of government. We are innovative to accompany that agility, and particularly over the last year or two, are taking a much more considered and long term view of what the future border control environment needs to look like.
This was also supported by the APSC Capability Review, which amongst its criticisms positively observed: “Staff dedication and commitment to their role in protecting Australia's border is widely regarded as a significant agency strength. This dedication is supported by strong loyalty of the workforce, which is directed at the agency and its purpose, rather than the senior leadership team."
Sounds pretty good really. I would like to stop this presentation at this point and rest upon our laurels... But unfortunately, for each of these strengths, there were, and in some cases still are, deeper and troubling limitation around capability, leadership and governance more generally.
It was troubling to me to discover through my conversations that many officers were uncomfortable or unable to raise concerns, to express risks, or to leverage opportunities. In other words, there was a substantial feeling of disempowerment with a strong tendency to push decision making further up the chain. This observation reminded me of the 2010 Management Advisory Report which noted: “Public servants are notoriously regarded as risk-averse. This is not surprising, given the potential for political and media criticism of the government if programmes or policies are seen to fail. It is easier to avoid criticism by not taking risks, particularly as the consequences of risk-taking in the public sector can be severe and can include political damage to the government, public criticism, possible legal consequences, diminished career prospects, and damage to personal reputation." (Empowering Change: Fostering Innovation in the Australian Public Service).
This concept of aversion resonates with my observations. To an extent, our integrity issues have heightened this integral risk aversion and I face an existential battle to push back decision making, to re-legitimise delegated powers within my organisation, and critically, to stop lower level officials seeking to pass accountability for decision making up the chain.
Along that same vein of avoiding accountability, there was a noticeable tendency to emphasise agreement and consensus rather than enshrining decisiveness and decision making. A happy balance must be struck of course between being consultative and taking decisions, but at the heart of my observation was that as leaders and managers, we lacked the will to take the plunge and hold up our decisions as being individually owned.
I have since taken the step of personally writing to each of my senior officers and outlining to them what I expect them to provide in terms of leadership. How I expect them to stand up and be counted, and where their personal accountability for delivery of the functions they command rests – that is, with them. Moreover it is the leaders of the Service who will set the culture for our officers, who have the capacity to influence in a very real way what our people and others working with us think is acceptable behaviour and thus acceptable risk.
These senior managers recognise and engage on the need for substantial improvement in our core governance functions. There is a level of uncertainty and disagreement amongst others as to how far we need to revise our current approach. This ranges from minor process tweaking and business refinement, through to the understanding that as our border control environment changes and grows at ever increasing pace, so must we as an organisation. I appreciate and value this diversity of opinion, but only when it is backed up with reasoned discussion and evidence.
I acknowledge however, that my officers are stretched. Particularly as we both address the ongoing day-to-day challenges we face in border control and enforcement, and overlay the revised policy setting of a new government. I contend however, that it is precisely at this point of pressure, or organisational stress, that we must take the opportunity to review, reconsider and reconfigure how we do our business.
Having touched on leadership, I want to talk briefly about strategy, about planning and resource allocation. We have, in my organisation, a sophisticated and resilient approach to financial management. It is one of our very real strengths that we manage complex and large scale operations in a financially sound way and with minimal error of leakage or material error.
But I have to step back and question, are we managing the right things? How do we know that our resource allocation is correct, and how do we assure ourselves that our associated control framework is appropriately designed and fit for purpose?
Where is the value of strong financial controls and frameworks if our internal understanding of our risk environment is off-centre? How do we apply this fiscal discipline effectively if we lack a coherent sense of our planning needs and our strategic direction? One of the criticisms I have seen is that we do not devote sufficient effort and attention to the systematic and detailed planning necessary to deliver our capability needs into the future.
A lot of work is going into that space at the moment with our recently released Blueprint for Reform. This work is being led by another one of my trusted senior executives, Ms Maree Bridger, my National Director Reform, who is tasked with developing and delivering on our future state, building our business case for the transformational reform of our business model to meet the emerging border environment.
As I outlined in my opening remarks in the not too distant future we will be faced with volumes and complexities at the border which our current operating model will not be able to handle. As Australia has developed and adapted to change as a nation so has our Service.
Our history best demonstrates how as the nation has adapted to change and risks so too has the Australian Customs and Border Protection Service. Allow me to illustrate.
In the Annual Report for the Australian Customs Service 2000-2001, there were no instances of the phrase terrorism. In the following year's report, following the distressing and world-changing events of September 11, there were 24 instances of the word, and now, terrorism is explicitly called out as one of the Australian Customs and Border Protection Service's main Border Risks.
Similarly, in last year's annual report, there were 62 instances of the word 'integrity', and 18 of the term 'corruption'. In the equivalent report from 2009-10, integrity occurred 18 times, mainly in the standard section on integrity and ethics, and corruption only appeared once.
These are two specific examples that highlight how our understanding of the risk and threat environment facing the Service have changed with circumstances and been changed by events.
It would not be overstating the case to suggest that the events of 9/11 annihilated previous understandings of the border risk and national security environments; and the uncovering of alleged corruption issues at Sydney airport fundamentally changed and challenged our understanding of our internal governance frameworks – in both cases, these changes have been both profound, and at a deep level for the Service, distressing.
I have mentioned Jan Dorrington and Maree Bridger as two of my most senior executives in the quest for improving our corporate governance arrangements. I should also make note of the fact that my Deputy Chief Executive Officer and Chief Operating Officer, Ms Marion Grant, has overall responsibility for our entire risk continuum, is in charge of our border management functions, and works side by side with our border enforcement functions. While supported by Jan and Maree, Marion is also assisted in this role by our recently appointed internal auditor including a senior partner to support our approach to risk, and we are lucky to have secured the services of Ms Catherine Friday as our supporting partner for Risk Management.
This means that with the exception of myself, the four most powerful governance related positions within the Australian Customs and Border Protection Service are all held by experienced, intelligent and paradigm challenging women. This is by no means a deliberate act of positive discrimination or affirmative action, but reflects that these individuals are the best people for the job. That they are women is a happy coincidence for this event.
I make the call paradigm challenging, because as you can see from my earlier comments around 9/11 and corruption, we are organisationally driven to fundamentally interrogate our internal perceptions around how we operate and how we are structured – in other words, setting the scene for the long journey of changing our culture. A journey, I fully understand will take many years to deeply embed.
I take the view that cultural change is largely around bringing people with you on a journey. One of the most effective ways to do this is to demonstrate through action, commitment to the changes proposed.
I am reminded in discussing cultural change and corporate governance issues, that risk management as a discipline cannot do our job for us. We need to ensure that we do not over-rely on technical governance frameworks or sophisticated models of heat-mapping as replacements for the application of intelligence and experience, and we need to leverage our sound judgement about risks as long as those judgements are repeatable and captured.
I want to empower my people to question tradition, to revisit strongly held corporate positions and to deconstruct process for efficacy and meaningfulness. This is a critical application of intellect as we enter into a period of reform and will give us an understanding of what works, what doesn't work (and why) and how we can reposition our resources to be more effective in achieving our organisational objectives.
In other words, to consider assurance processes for effectiveness, to discard or modify inefficient controls, enable process redesign to improve outcomes and subsequently align resources to actual areas of need rather than replicating a historical accumulation approach to managing what we do. We need to both build on that history, but look forward to the emerging risk environment and how that impacts our resource needs.
Risk appetite, how much risk can we accept?
No organisation can succeed without taking risks. Indeed, no activity can succeed without accepting and either explicitly or otherwise, managing or tolerating that risk.
We clearly accept a level of risk in the work we do, it is inherent and unavoidable, but we need to develop an organisational understanding of how much risk we will tolerate, and where we need to subsequently direct resources. In addition, we need to be free of the traditional public service fear of risk, and in particular the fear of articulating or raising risk up the chain to our managers, or in my case, to the Minister.
A very real example of this need to understand our risk appetite is occurring right now as we develop our Reform programme for the next few years. We know that Reform is inherently risky, it cannot be otherwise as we look at significantly changing our business model to address the future state of the border.
Our current work in testing our control framework around Border Risks is indicating some areas where we are not making the best use of resources and where design inefficiencies are leading to resource inefficiency. The advantage of this information is clear in setting the future operating environment as we have great opportunity to get the design right and build out these ineffective practices.
An example of this design opportunity exists as we consider our current and future business continuity arrangements. The end state of workforce and operational reform is a border force supported by highly intelligent systems drawing on big data utilising technology.
What happens then, when we get an incident where the server room at a major airport is flooded, leading to the inability to electronically process passenger movements (based on a recent real life event)? In our current business continuity model, we are hardened and resilient to such events, able to swiftly and seamlessly (from the clients perspective) move into manual process which we can then back up into electronic systems once we restore functionality. But are Border Force operatives in a reformed workforce model going to be trained in primary line passenger processes? And we will probably only have half as many officers on the floor due to other knowledge work being increasingly automated and the associated streamlining of staffing.
So we may not have the culture, training or experience in crisis management that we currently have. How do we respond? Do we focus on building more resilient systems (i.e. flood resistant waterproof rooms), do we build secondary recovery sites with real-time and tested fail-over functionality? These are expensive technological fixes.
How does this work in the context of the complex airport environment? Do we have the ability to work with airport management to harden resilience and infrastructure to extremely low risk or failure rates? And how do we align our localised business continuity into the broader organisational and whole of government crisis management models?
These are complex questions which we have not yet answered. I raise them with you today to highlight the importance of starting to think about and articulate our risk environment of the future so we can plan for it, and manage our resource allocation today. As you can see from this example, we really don't have the luxury of being risk averse here, we must consider and build into the future operational model how we will manage these issues.
Border Risk and how we conceptualise risk in terms of border control
I have previously articulated a view where I conceptualise the border as a space where sovereign political units control the flow of people and goods in to and out of their dominion.
In that context, when we speak about Border Risk, we are in fact referring to the commodities or 'things' which move or flow within these spaces. How then do we apply the concept of control to these spaces? Well firstly, by articulating that there are multiple spaces and the controls around and within them vary quite markedly.
Understanding these spaces is a critical step in beginning to understand how we can apply control and associated resource levers to maximise our investment returns and minimise the risk of prohibited or unregulated commodities crossing the border and causing community or political harm.
We debate internally at length how best to conceptualise our approach to Border Risk. We need to have these debates to ensure that when we shift resources into controls, we can actually understand how that expenditure is reflected in border protection outcomes. So while we publicly speak of Border Risks, we internally talk about domains and mechanisms to transit. For example, 'Tobacco' is one of our Border Risks, but when we consider how that, as a commodity, moves across the border, we see shipping containers in the cargo domain, boxes in the post domain, and over-use of duty-free allowances in the passenger domain. In each instance, the Border Risk/commodity is the same, but the controls and detection processes in use vary between the environments being considered. Similarly when we consider the Terrorism Border Risk, our main but not exclusive focus is on the very sophisticated and intelligence led processes in place within the passengers domain to address the risk – and we work very closely with partners across the globe.
I mentioned earlier the statistics around the change of focus after 9/11 and similarly after the corruption incidents. This is reflective of an evolving Border Risk environment, and one that is directed by societal expectations and government direction. As an organisation, it is not our place to choose what to stop or regulate across the border, but we work with over 40 other agencies to manage their risk for them. We know these risks will change, they have multiple times over the history of the Service.
To address this anticipated change, I have recently stood up a future focus function within the Service which is tasked at explicitly looking over the horizon at emerging potential Border Risks, changes to global and transnational supply chains and players, and how we might need to proactively shape ourselves to meet these emerging challenges.
Enterprise risk and how we think about risks preventing us from achieving the policy objectives of the government
We recently raised this as an issue in our ongoing conversations with our external auditors, the Australian National Audit Office. In that discussion, we spoke about the materiality of fraud and integrity risk facing the Service.
The Service has exposure to fraud risk in the areas of internal (financial control) fraud, internal (integrity) fraud, and external (revenue) fraud. We separate the internal and external for convenience, but it reflects the 'material by nature' aspect of integrity issues which generally are of small value in the scheme of things, but substantial impact from a reputational perspective – regardless of the success of 'Border Security' (TV show) as positive publicity!
In those conversations, we took care to articulate that the Service cannot and does not attempt to take the risk of fraud committed by those within the Service or external to the Service to zero. Our response to fraud or integrity risk is commensurate to and relative to other risks for which it is responsible including for example the movement of prohibited, restricted and regulated goods across the border.
Integrity risk is financially immaterial but the reputational risk is of huge significance – the cost of a corrupt officer is low, but the resultant drive for reform, the political and media attention, and the cost of subsequently re-imagining an organisation are immense.
Conclusion
I am reminded, when I think about the change facing the Service both in terms of risk culture and more generally around our broader Reform Programme, of the Greek proverb “a society grows great when old men plant trees whose shade they know they shall never sit in."
While I hope to still be around to sit in the shade of these trees, I appreciate the importance of planting the seeds, directing the growth, and taking a long term view unimpeded by my own desires, one which is directed at growing once more, the Australian Customs and Border Protection Service into a great organisation.
