Developing Enterprise Risk Management Capability and Maturity

Article from Raj Hit – General Manager Enterprise Risk Lotto NZ


Lotto NZ – Who We Are

Lotto NZ (officially the New Zealand Lotteries Commission) is a Crown entity that operates New Zealand’s national lottery. Every year, thousands of community organisations benefit from lottery funding, with more than $6.3 billion distributed by the Lottery Grants Board to the community since Lotto NZ was formed in 1987.


Risk Management at Lotto

Our effective risk management provides the structures and the information to support good business decisions. Our approach is to continuously improve how we identify, assess, and prioritise risks, and then manage those risks through appropriate planning and mitigation.

Over the past few years, the Risk & Assurance (R&A) function has focused on developing its risk capacity and capabilities. With our risk hat on, the opportunity was to help the business become more agile and risk-focussed in all areas. The key was to inform the right stakeholders about the risks that exist in their areas and to weigh them up against the overall risk appetite of the business.

The R&A function has built its risk capacity and capabilities with a mix of SME specialists and generalist risk practitioners. In other words, each team member (except Controls Assurance) is at least a ‘risk partner’, partnering with at least one business unit to provide risk advice, guidance, and support, as well as serving as an SME for technology/cyber risks, fraud/investigations, or harm minimisation. Additionally, we have a fully resourced Controls Assurance Function (CAF) which specialises in internal controls across the business.

We have adopted a hybrid model, aligning the risk partner and SME roles where these are complementary, e.g. our Technology Risk Manager is also the risk partner for Technology and the risk SME for technology/cyber risks. We then assign the remaining capacity in our team to general risk partnering to ensure coverage across the entire business. This method has helped us achieve synergies and stops us from having ‘too many cooks in the kitchen.’

In terms of ‘right-sizing,’ we employ a method which helps all team members engage in the process while maintaining full transparency of what we would like to achieve, i.e. balancing our finite risk resource supply against the increasing business demand for risk services. This wasn’t a one-off task: some of the key steps we do progressively and iteratively (during team meetings and off-sites, for example), with ad-hoc stock-taking sessions as appropriate. The risk partners attend leadership off-sites for the various divisions with a view to understanding and supporting divisional initiatives which support the broader strategy of Lotto NZ. This helps the risk partners focus their advice, guidance, and support.

We are in the business of managing risk, not eliminating risk. As such, the R&A team aspires to be a trusted advisor to internal stakeholders in managing risk within established appetite settings, whilst providing oversight of risk activities and helping draw out insights and trends. The language and activity of risk often need to be demystified so that the business has a better understanding of, and confidence in, how risk-vs-reward decisions are made.

Building internal capabilities and adhering to standards in risk and compliance management is crucial for reducing operational incidents at Lotto NZ. We continuously maintain our information security management system and invest in and improve our cyber security and cyber resilience. This is underpinned by our ongoing certification to ISO/IEC 27001 and the WLA SCS, as well as maintaining our Payment Card Industry Data Security Standard (PCI DSS) compliance.

Our cyber security programme has recently delivered improvements to security in the cloud, data loss prevention, and the security of end-user devices. Our established IT, network, and security teams responsible for cyber security continue to be supported by subject matter experts, who also provide us with a range of managed security services and access to incident response support. All cyber security risk and control measures are monitored by a committee of senior managers responsible for governance and oversight, along with our executive team and Board.

Over the past year, we have continued to hold crisis simulations across the business. These simulations are a critical component of operational resilience and help us to strengthen our response capabilities and readiness. Testing the response to a significant cyber incident is prudent, given the increasing prevalence of digital threats, and helps in fortifying the business against potential disruptions. Simulations and exercises are now part of our operational work plans, which include cyber, duress, and business continuity related incidents.

The R&A team have raised awareness of risk, and we have seen an improvement in risk interactions and in use of our Risk Management System ‘Risk Central’, which captures all enterprise risks and enables real-time dynamic risk profile reporting for management and governance purposes. This has made both inherent and residual risks more transparent and enabled proactive risk management, with key risks being reported to the Board, the Board Audit & Risk committee and Executive committees on a regular basis for dialogue and targeted business unit deep dives.

The implementation of the ‘Risk in Motion’ dashboard has provided an integrated view of all key metrics across divisions and business units, giving stakeholders oversight of all key risks, controls, and open findings for their particular part of the business and further removing risk management from its traditional silos. All staff have access to Risk Central to view their business unit risk profile and to log incidents as they occur (more details below).

To provide independent assurance, we have established a Controls Assurance Function to get a view of the operating effectiveness of the key controls which mitigate key risks, i.e. helping the business have more confidence in residual risk reporting. Formalising Controls Assurance within the 2nd line R&A team at Lotto NZ has provided a pragmatic scope and approach for controls assurance testing. In addition, Risk Central complemented this by fast-tracking the identification of key risks and controls, and by capturing controls assurance testing results in a clear and consistent manner. CAF executes the controls assurance programme, leveraging the risk profiles from enterprise risk management.

Lotto NZ has implemented an Incident Management Policy, and all enterprise incidents are recorded in Risk Central. This helps ‘risk partners’ provide a timely response to risk incidents and an overall pulse-check on day-to-day risks, to help fix incident root causes and identify thematic reviews arising from issues, such as process maturity gaps and training opportunities.


Key things which stand out include:

  • Risk Central (risk system) – getting this one-way-same-way approach to risk management across the business has been valuable.
  • Risk Partners model – positive feedback from senior stakeholders that having a single point of contact has made communications and information flows easier.
  • Developing Capability in Risk Management Risk NZ Award (2021)
  • Insights provided by the Controls Assurance programme, which helps us better understand our control environment
  • Improvements in governance structure and methodology to respond to severe incidents
  • Retaining critical accreditations and certifications such as ISO27001, the World Lottery Association Security Standard and PCI DSS
  • Tabletop Exercise/ training and awareness sessions – Duress, Fraud and Business Continuity
  • Introduction of an internal risk champions network (designated individuals across divisions)
  • Quarterly recognition awards for good risk behaviour – Risk Heroes


Conclusion

Implementing this comprehensive approach to risk management, i.e. putting it into the DNA of the organisation, has enabled numerous examples of nimble decision-making, including the response to significant technology incidents.

As a result, Lotto NZ has a more mature and embedded risk culture. The approach we have actively helped lead has added core risk and compliance aspects to the DNA of our organisation, so people just do it without thinking of it as an additional process, i.e. they avoid thinking of risk as an afterthought. This ‘invisible risk framework’ has helped all stakeholders achieve positive outcomes for our people and business. We are strong advocates of adopting and right-sizing the key risk frameworks that will help achieve timely results.

All of this does not happen without winning the hearts and minds of people, specifically people who deal with such activity as a predominant part of their roles. Investment in risk leadership capabilities and resilience needs to be a high priority. Part of the journey has been to make the right investments in risk capability within the R&A team and to have the right mix of skills, experience, and diversity to provide confidence and consistency in risk outcomes for stakeholders.