Trust at the core of public board oversight

More about the podcast

Scott Bridgen is the General Manager of the Audit and Risk Division at Diligent. Scott brings a wealth of experience and unique insights into the critical role of financial and risk oversight in the public sector.

In this episode, we talked about how public sector boards can manage their financial resources responsibly and effectively identify, mitigate and monitor risks.

Scott highlights the need for a risk-aware culture that focuses on objectives and potential obstacles, rather than just the term 'risk.' He also advocates for transparency and clear communication with your community to build trust, and the importance of speaking to that audience in a way that they're going to understand.

We explore leveraging technology for oversight, such as the Diligent One Platform, how to manage and present risk information efficiently, and ensure a single source of truth for operational effectiveness.

Stick around to the end of the conversation to find out what advice he gives for boards that realize they don’t have a good handle on risks.

Resources on financial oversight and risk management for public facing boards

A practical guide to mastering financial oversight for public sector boards

The 5 essentials of financial oversight: A cheat sheet for public sector leaders

Managing risk: An infographic and guide for public leaders

Please see below for a transcript from this episode:

Jill Holtz: Hi everyone, today I am joined by Scott Bridgen, General Manager of our Audit and Risk Division here at Diligent. Welcome Scott.

Scott Bridgen: Thank you very much. Lovely to be here.

Jill Holtz: So Scott, the reason I asked you to join me today is to have a chat about a topic that we are hearing a lot about from public sector boards, those in education and local government. And that is risk. And obviously you head up our audit and risk division. And I'm kind of interested in getting your perspective on a key area of risk management, which is, you know, how do you manage your risk? How do you do your financial oversight? Just as a kind of segue into the topic, because I think particularly for public sector boards, they maybe think, risk management is something for the corporate sector. So I want to get into that with you. And also just to kind of set a bit of context, our own CEO, Brian Stafford, says very much now that governance is an exercise in managing risk. So just to start off with, in terms of a definition, what do you think is meant by financial and risk oversight by public sector boards?

Scott Bridgen: Yeah, it's a great question. It refers to the responsibility of governing boards to ensure that the financial resources are managed responsibly and more importantly that the risks are adequately identified, mitigated and monitored. So it basically involves ensuring financial transparency, compliance and sustainability, whilst understanding and more importantly addressing and being able to demonstrate that you've addressed the risks that impact the organization's ability to achieve its goals and the expected goals of the public. Now this is where the crossover piece comes in because it's about accountability, transparency and long-term financial health.

Jill Holtz: I think that's right. And I think for public sector boards who are kind of responsible ultimately for making sure that the taxpayers' money is well spent, that comes into play maybe more so in the public sector side. Why is this important now? I mean, look, we're in a really turbulent time as we're talking. Obviously, things are changing very rapidly, to use the cliché. But why is that oversight so important for public facing boards?

Scott Bridgen: Yeah, so there's a number of reasons. I mean, obviously the current socioeconomic and political climate and the age of uncertainty that we find ourselves in to be fair, that snowball has been rolling down the hill for a long time already. But the reality is that it's about two key elements. The first one is trust and being able to demonstrate that. So for example, poor financial management or sorry, poor financial and risk management can lead to misallocation of resources, loss of public trust, and even legal and financial consequences. And I think the other problem that we've got is without effective oversight, we need to ensure that we can help get the accountability to continue building that public confidence. And also just the allocation of funds.

If we can demonstrate as organizations that we are using it in the correct way, that we are gaining that trust and more importantly delivering and executing on the objectives and outcomes, it's easier to justify additional spend, additional conversations and at the end of the period when we come to review, it makes having those conversations much easier going into the next financial years.

Jill Holtz: Yeah. I wonder if some public sector board members, you know, they've stood for election because they're passionate about their school district or their kind of local municipality. They might think that, you know, financial oversight, risk management, those are more of a corporate board responsibility. How do you think board members in the public sector should think about these things in relation to their own governance oversight?

Scott Bridgen: Truthfully, risk is risk. That's the great thing about it. Now, not all risk is created equally. And yes, there are different drivers. But the reality is, is that we still have our audience. So the people that we hold ourselves accountable to and the way that we explain it in a language that they're going to understand. But secondly, there is a responsibility portion where we have to be able to demonstrate that. being on sitting on a public board and being able to talk about financial risk management and the delivery and the execution of that. Actually, it's even more important than a traditional corporate board, because the corporate board, what you'll often find is there is a certain type of language that people already understand. So you don't have to become an interpreter. you know, whereas here, we have to ensure that we are speaking to the language of our audience in a way that they're going to understand.

Jill Holtz: I think that's very insightful, Scott, because ultimately when you're talking about a public board and they're making decisions on behalf of their constituents or students, to be able to translate that into language that the community who will hold them accountable for those decisions can understand is really important. actually communication around financial oversight and risk management is really key, isn't it?

In your experience working with both private and public sector. What are the main differences? Are there any differences?

Scott Bridgen: Yeah, so what you tend to find is within the corporate world, there is a traditional set of objectives that the business needs to achieve and are normally being held accountable to. That will be a specific type of growth, say for example, or making additional money or whatever, shareholder or stakeholder. There's normally like a financial or making widgets or buying a new company or whatever it may be. The big things that the organizations are normally saying are their key and core objectives. In the public sector, however, what you tend to find is, is there's going to be a number of aspects to this. There is the operational piece. So the risks associated with running our operational board and organizations that sit below us that effectively we provide oversight to. The second piece is there are key deliverables that our stakeholders, whether it's the public or others, are expecting from us. So we have to be able to break down the operational portion. So how we run as an organization from a governance perspective and looking at the risks associated with that.

So people, functions, processes, our extended enterprise, so who we rely on, contractors, third parties, et cetera. So that's the kind of the operational enterprise piece. And then it's the key deliverables. What is the expectation in quarter, in year, in five years, 10 years? Because obviously some of these projects don't run a traditional calendar year. That's a big difference as well. The projects that often we're involved in from a public perspective are long term, know, rebuilding something, a building, a road or a set of services or whatever it may be, or even a long term education initiative, say for example. So the terms of those change, the risk is still, you know, a risk is still a risk. It is something that can prevent you from achieving your objective. And you need to be able to ensure that you can, as I said before, just understand exactly what that looks like and put the right measures and controls in.

Jill Holtz: Yeah.

Scott Bridgen: Not to prevent it from occurring, because you're not going to stop a risk potentially from occurring unless you stop doing the thing that's going to cause the risk in the first place. But you can at least demonstrate some kind of mitigating measures and adequacy from that perspective that you can justify should questions arise.

Jill Holtz: So just to kind of take that a step further, then the best thing that public board members can do is really have a good handle on kind of the projects that are being run for the strategic plan and also to be able to come prepared to the meetings and to be able to ask questions around those risks that you mentioned. What's going to stop delivery? What do we need to do to mitigate these risks? Maybe even holding workshops together around key projects that they're running as well. What are potential consequences? I know this is maybe an obvious question, but if you're not managing your finances and risk, let's just go back to that in public sector. Ultimately, you're not going to be able to deliver the projects that you want, but there are other consequences, aren't there? I think you touched on that earlier, the trust, et cetera. Talk to me a little bit about your perspective on that.

Scott Bridgen: Yeah, so I often use a quote when it comes to these kinds of questions. And there's a great quote that doesn't actually I'll use it first and explain the meaning behind it. In the time of universal deceit, telling the truth is a revolutionary act. And I think a lot of the general public and just whoever our audience may be, there is a level of mistrust and distrust that we are already facing.

Regardless of whether or not we have or haven't done something already, the levels of cynicism globally are running really, really high. So not only are you, even if you didn't address the risks properly, you are actually probably running behind already. That loss of trust is probably either bubbling or certainly the snowball rolling down the hill that I mentioned previously, certainly on its way.

So if you are able to manage them correctly, that building the trust and being able to understand, like you mentioned in the workshops of the project side of things, if you have a great understanding of what could prevent you from achieving those objectives. And it's not just about the day-to-day and the operation side of things. A big factor of this is our reliance, as I mentioned previously, on our third parties and extended enterprise. Because again, if we say, well, the contractor wasn't able to deliver or this person wasn't being able to deliver. The public just won't accept that. Students, public, whoever our audience may be, again, it becomes tricky. But then we have the legal and financial consequences. We have the class lawsuits. We have individual lawsuits that could be brought. But more importantly as well, there could be regulatory aspects that we haven't considered as well.

Jill Holtz Yeah, compliance. Yeah, yeah. There's a lot of financial risk, reputational risk, trust risk, never mind the actual service delivery risk. There's a lot in risk. That could maybe be overwhelming. So maybe one of the things that I really took from there is being transparent to the stakeholders about how you're overseeing the risk, how you're managing that. Do you think that's something that public sector boards need to do? And kind of a second part of that question is what are good ways to communicate that information? Because we talked about that making it relatable.

Scott Bridgen: Yeah, it's a great question again. So should we be more transparent in that communication? 100%. However, there is a level of diplomacy and delicacy that's often required. We have to ensure that the way that we communicate things is very, very clear. And also we're not setting ourselves up for a fall. And the way that we do that to answer the second portion of your question.

Traditionally, I've seen really successful public sector boards look at this from an enterprise risk perspective all the way down to sort of operational and cyber and info sec risks that kind of build up to it. Is they say, right, the operational part of our organization, let's look at people process technology. And then let's look at the what, the so what and the now what. Great ways of doing it. That will get you to all of the operational aspects associated with what you need to do.

Then you look at your key deliverables and what you do there is you provide insights into, for our key deliverables that you're expecting us to do with the public funds or funds that have been donated or whatever the source may be from that perspective, this is what we're going to deliver off the back of it. These are our considerations that could prevent us from achieving them. However, here are the steps that we're intending to take.

Now, you don't necessarily have to communicate it in that sense, but what you need to be able to do is be able to reassure people that you've got it covered. It sounds quite surprising, but it's not the board's responsibility to communicate that. There will be another mouthpiece doing that on your behalf. So as long as you've got a way to translate that down, again, have someone then put that into the language of the audience, it makes life much easier. The biggest issues in risk. I worked in risk personally for 10 years myself.

And the biggest issue I found was the inability to speak the language of the audience that I was talking to.

Jill Holtz: That holds everywhere doesn't it? Yeah, I love that. I just want to touch a little bit on what role you see internal audit and I know it's a little bit different in the public sector to kind of private sector but internal audit and audit committees and how they can help the board with the oversight.

Scott Bridgen: It does. Yeah, so this is where actually public sector can really take advantage of the assurance portion. So the ability for internal audit and external audit to provide valuable insight and to provide the traditional, know, is everything operating effectively and the tests that they design and they designed effectively. That's kind of standard stuff. Where the real value comes in is actually sitting down and listening to audit about some of the guidance that they can provide off of the back of what they find. So the ability to be able to understand, okay, here's the outcomes. A lot of people see audit and the assurance in general as, you know, something to sort of fear almost because it's, testing, it's pushing, it's pressure testing, it's AB testing, it's looking at actually, do we have robust mechanisms in place? And more importantly, what are we going to do about it if we don't? And actually we can use this to our advantage and especially from a public sector board, they can actually look at the recommendations off of the back of that and then use that. And normally it's more than one and you can formulate some level of A-B testing with the internal stakeholders that have that responsibility. So it gives you great intelligence, not just information. It's not just information that you look at and talk about and then repurpose for something else.

It's actually something highly valuable that we can use to our advantage strategically with the people that we expect to be able to do or complete the things.

Jill Holtz: So I think you've just answered a question which I was going to ask, which was how could a board or council start to integrate a risk mindset into their strategic planning and decision making? So one thing is to do that, leaning on what that intelligence is coming out of the assurance. Is there anything else that you think that public sector boards should do to foster this culture of financial responsibility and risk awareness?

Scott Bridgen: Yeah, so culture is a tricky aspect in the land of risk management. It's banded around a lot. The reality is, and this isn't just kind of a Scott Bridgen theory, the psychology of culture within organizations, both large and small, public and private, is tribal. And this is the thing that we have to remember. So there are pockets of people that will operate culturally, normally to the north star or the rough strategic direction that they have been given.

But actually, if you want to be able to foster a true risk awareness culture, and more importantly, get that intelligence from the organization up at board level, it's about encouraging and empowering people to be able to communicate anything and everything that could prevent them from achieving their objectives. So actually, one of the best ways of doing this is starting from the ground up. Don't talk to them about risk. Never talk to people about risks. It sounds crazy when you say this out loud, but the average human being, whilst we are phenomenal risk management machines, and we really are, our brain is making millions and millions of decisions every second to keep us alive, to operate and function just as human beings.

In that sense, we are a phenomenal risk management machine, but our natural human biases for making other decisions and actually understanding consequence and being able to apply limitations, controls, and that side of things we are terrible at because our biases kick in. So actually what we, the best way to get that kind of intelligence, get that information is at ground level or a field level, depending on how deep you want to go, get them to talk about what could prevent them from achieving their objectives. And then you start to roll that up. And as you start to roll that up, you'll begin to see actually, you could do it the opposite way. In the commercial world in cybersecurity, say for example, we kind of call it a kill chain.

And we start with an objective, we work backwards, look at the process, look at the technology, look at the provider, and then look at, you know, from a risk and resilience perspective, how we keep the lights on and how we ensure that that can be delivered. You can apply exactly, you can apply that in exactly the same way, but just go deeper. So from a culture standpoint, if people are constantly thinking about their objectives and what could prevent them, not just the metrics they're being held accountable for, that begins to change people's mindset subtly.

Jill Holtz: Yeah, where the weaknesses, yeah.

Scott Bridgen: I mean, you can do, you know, different types of risk workshops and that side of things. But the minute you talk about bias, there's something called the Hawthorne effect, which is really interesting. Now the study itself, unfortunately, was a load of rubbish, but what it actually came off the back of it was, well, people will change their ideas and way of thinking with a preset of bias going into whatever the title of the activity is they got to do. So if you say risk, they'll come in with a preconceived idea about risk.

Jill Holtz: That's interesting

Scott Bridgen: Remove some of those biases. That's a great way of doing it. I promise.

Jill Holtz: And I love that framing it as you want to reach your objective of what's going to prevent you rather than, what are the risks? Because there is a thing, there is a bias straight away when you hear the word risk, you instantly go negative, don't you as well? And sometimes risk can be opportunity for organizations as well. Let's not forget that, you know.

Scott Bridgen: Exactly.100%. Yeah, sorry, I'm gonna have to jump in there because this is the great thing about it. So 99 % of the world focuses on negative risk and understandably so. But actually, you're the opportunity portion, being able to work out actually based on us as a board, our appetite and tolerance, we could actually potentially do more. We could say, for example, reduce the timeframe.

We could take more risk because we will be able to make informed decisions because we understand the depth that we need to go to be able to make and take those decisions. So the opportunity side of things is actually, I mean, ultimately that's what we're trying to do, make and take better business decisions. And both sides of risk management give us the ability to do that.

Jill Holtz: So let's talk about technology because obviously we sell Diligent Community, that's now part of the Diligent One platform. We're passionate about how the software helps publicly facing boards. Talk to me about why technology such as Diligent Community and the platform, why are they a must have, not just a nice to have when it comes to this board oversight in your opinion?

Scott Bridgen: Yeah, it's a must have mainly and primarily because Microsoft Office products and spreadsheets will only get you so far. The thing to remember is this level of work and effort to do it right and be able to demonstrate that you are doing it right. But more importantly, to do it efficiently, you need to be able to have technology that allows you to collaborate, but more importantly, present the information in a way that is necessary.

It is very, very difficult to have multiple and different segmented data sources effectively in lots of different silos and then trying to bring all of that up. Just from an operational efficacy perspective, it is a nightmare and it can take a huge amount of time to prepare your board materials, your board deck, your policies, your standards, your procedures, you know, and on top of that, you then have to use additional tool sets to then stream and do your live side of things. I mean, multiple tools cause multiple issues. A single tool, single source of truth, the ability to have that, again, from an audit perspective, audited and having that trail and evidence, and then report off the back of it. Technology just brings so much.

Jill Holtz: Yeah, I see that. And what I'm excited about personally with the Diligent One platform is getting these dashboards now that are coming and also the purpose built AI that we're bringing in to really surface those key things to the board. How do you, what are you excited about when it comes to the next things that are either already there on the platform or are coming that you think are going to really help public boards?

Scott Bridgen: Yeah, so look, AI and analytics are huge and that will fundamentally change the way that we look at, interpret and use effectively and efficiently the data that exists within our solutions. What I'm excited about personally from a diligent perspective and something from a public sector standpoint is we are launching a tool called AI Risk Essentials. It is basically an ERM solution that can be set up and delivered within seven days. That is so simple and straightforward. It's that stop gap between a spreadsheet to a full GRC solution, which is often too cost prohibitive, takes too long to implement, too complicated to use, and doesn't often actually give you what you need. This solution is designed for the users to be able to provide the boards the information about what are my enterprise risks.

What are we doing to mitigate and reduce that? And how do we report on it in context? And that's it. It can be shown within five or six minutes. And as I said, implemented within a few days. It is a revolutionary opportunity for organizations to take that evolutionary step in their maturity journey.

Jill Holtz: And I think for public board members, it's going to be fantastic because it's really visual and easy to understand. And as we talked about earlier, putting risk information into a format that people can really absorb easily is going to be so valuable. Scott, just to finish off, I've got three quick fire questions. Are you ready? OK. So what's the number one thing that public facing board should be doing to manage their financial and risk oversight?

Scott Bridgen: Understanding the core and key objectives that they need to achieve and what could prevent them from doing so.

Jill Holtz: What advice do you have for public leaders and board members for managing risk?

Scott Bridgen: Don't be afraid to have the conversation, the difficult conversation with the business about how and what they're doing to tackle the risks associated with after we talk to them about their objectives first, what they're actually doing to mitigate and reduce that.

Jill Holtz: And what should a board do if they realise they don't actually have a good handle on financial and other risks?

Scott Bridgen: Not panic. Actually, that's one of the most interesting ones. And a lot of people probably won't have the best take on it. And that's okay. The reason why it's okay is it gives you the opportunity to either level up, start afresh, or even start from the beginning from that perspective. Wherever you are on that maturity journey, as I mentioned before, the simplest thing you need to do, let's work our way backwards. The key deliverables that we need to achieve both operationally, so people process technology and the key deliverables that are expected of us. So the projects or the other aspects that, that may be, and then let's look at what is going to prevent us from achieving those. And again, I say this a lot, but I promise you, if you work that way backwards, it'll give you the ability to do so. And technology is one of the best ways actually to start or to at least mature and level up on that journey as well. Cause it kind of guides you and holds your hand through that process as well.

Jill Holtz: Excellent advice. Thank you so much for your time today Scott. I know you're really super busy, so really appreciate you taking the time to talk to me. Thank you.

Scott Bridgen: Thank you.