Coming back to Australia, he spent a few more years with Touche before joining Deloitte (as a side note, the two firms never merged in Australia). He became a partner with Deloitte in the risk group, spending six years consulting in ERM, Internal Audit, and IT Audit. After leaving Deloitte, David moved to E&Y for six years. If you are keeping up with the math, that makes 25 years with big consulting, 10 years as a partner.
David reached a point where the “big firm” wasn’t where he wanted to be. Seven years ago he decided to go out on his own providing services to boards and audit committees. This is where Powell & Co enters the picture.
In Adelaide, the school system is largely a private versus public system. David found a niche in providing risk management services to schools. Currently David works with 18 different schools and has created an offering called Risk4Schools.
“The school market is an interesting one,” states David. “When speaking to schools, they are at the early stages of risk maturity. Risks may be related to health and safety risks, or risks around school excursions. Typically, schools are not thinking about key strategic or operational risks, or documenting competition and reputational risk”.
In Adelaide, a city of 1.2M people, there are about 120 private schools. These organizations don’t have full-time risk managers. What David has developed is an approach that works for the school market.
The process starts with a 30 minute “Risk 101” presentation. It explains the key concepts of risk using the ISO 31000 framework. We define risk, risk management, consequence, and likeliness. We document inherent and residual risk.
Next, we run a brainstorm session. What are the issues for the school? We describe concerns or risks. Not all are risks, some could be controls, causes or consequences. Then we filter the list down to the risks.
We then do a workshop and vote on the risks using Ballot. Typically there are 4-16 participants. We go right into the workshop from the brainstorm, which for me means fast fingers on the keyboard as I enter the risks from the brainstorming session into Ballot in a short window of time. We then use the “clickers” to capture input anonymously. The process is quick and easy, and keeps the group focused.
David was introduced to Ballot during his years in Enterprise Risk Services at E&Y. He’s continued using the product for the facilitation of risk assessment workshops with his work through Risk4Schools. “The Ballot product is an important part of the risk assessment process” states David. “It allows for anonymous voting which equalizes the dominant voices in a room”. David also comments on the immediate results that are shared with the group. “The instant heatmap visualization keeps up engagement”. While Ballot supports mobile entry, David prefers the RF keypads to keep people focused on the task at hand versus their mobile device, which can lead to distraction.
Following the workshop, David produces a report for them, which documents each risk. This report includes a snapshot of the heatmap and a risk template: essentially a “risk in a page” that includes risk description, who owns it, inherent risk, controls, treatment plans, causes and consequences. The client will take that document and use it themselves to review risks going forward. David checks in on their progress, with the goal being to get them to a stage where they can manage and monitor risk on their own.