2022 Essential Director Update Presentation by David Thodey AO FAICD


    For his EDU22 presentation, David Thodey AO FAICD spoke about using technology to improve business practices, building a healthy culture in the workplace, how to achieve climate-related goals and more.  

    EDU 2022 - David Thodey AO25:13

    Well, good morning and thank you very much, Adam. It's really great to be here. Good turnout as well. We've been around the country and we're getting near the end, but we're still fired up and ready to go. So, it's been a real pleasure to share, the stage with Ann. Look, it's really been great to hear Justin and Joan this morning. I'm guilty of giving an acknowledgement and it sort of becomes a bit sort of “what you do.” And yet, in recognising our indigenous people, having been brought up in New Zealand, seeing how Maoridom became a part of who we were as a nation. By the way, I am Australian. But it's something different. And so to reflect about, recognising, the Gadigal people who've been the traditional owners and actually thinking about what that means, is so important.

    And I do want to pay my respects to the elders past and present and the wonderful legacy that they have left us. So great. So Justin and Joan, I think Joan's left. But it really is worth a lot, what you said. 

    Well, Angus is here, who got me into this, and then Mark's here and it's great to have Mark in the role. So, it feels like we've got the family here today, which is really great. 

    As we reflected on what topics we should cover in these 25-minute slots, there's such a lot going on. I mean, Ann's given you a wonderful, I think, purview of some really relevant points. And then I went through a list of you know, the global economy, got the G20 going on and the Prime Minister meeting with President Xi, inflationary pressures are very real. Anyone who's in a board at the moment, trying to work through your budgeting process and then the whole geopolitical supply chain issues. Labour law reform is getting warmed up, down in Canberra and I think a lot of us are going to be impacted by that. And then we just had COP 27 in Egypt and the whole question around global warming and what impact that has on us,

    We’re still in the COVID – well, we say “post-COVID” and my wife said to me this morning: “Are you're taking a mask?” Because you're thinking about, is this next strain coming through, is it going to be pervasive again? And then monetary policy, the list goes on. But I decided that there were about five things I wanted to touch on and they’re sort of tried and true.

    First of all, is around culture and I may not talk about this first, but the first one was culture.  I do want to talk around climate change and how we respond. And this applies to us, no matter what sort of organisation: small, large, not-for-profit, profit, whatever. I do want to talk around cyber and I can't resist talking around innovation and digital technology because it still is very, very relevant to what we need to be doing as board directors.

    And then finally, I understand Chanticleer wrote a little article about ways of working. I'm not sure they actually said what I said, but anyway, I'll give it another go and see how we go. But again, like Ann, I as a board director, have realised just how important good governance is and how good governance can avert a lot of pain. Because good governance makes you well-prepared for when there are difficult times or there's issues, or even opportunities, that you know what to do.

    So that's why governance is so important. I mean, I don't think of myself as an expert in governance, but I take it very seriously. And I think it is something that all of us must continue to really educate ourselves in, and make sure that we're across. Okay. So, I gave you the five and we're going to start with cybersecurity, which was number three, just to keep you on your toes.

    Cyber Security

    So cyber security, what can I say that hasn't been written in the last couple of months? Gee, there's been a lot said. And but by the grace of God, we all go with those challenging large corporations that are really, I think, being challenged by how to respond when you've got a serious attack and you have a ransom being requested of you.

    It was interesting in the directors survey, it was said by you that cybercrime was the number one issue that you were facing. But it was really interesting, when you were asked do you have sufficient oversight, 60% of you said: “Yeah, we're okay.” I was in the 40% saying: “I'm not sure.” Because I think the reality is every one of us is going to, in some way, be the victim of some cybercrime, individually, as an organisation or in some way in the involvement of what we have in society.

    So, I think the truth is that you are going to be attacked and you need to be ready. You are going to be attacked and you need to be ready. Now, I know many of you will have it on your risk register. Many of you will have had education. Many of you would have done, ticked all the boxes.

    But I can assure you that when you are faced with a major cyber incident and you are being asked to pay a ransom, it is not an easy situation to be in. And with all the things have been written about it, it is very, very important that you are well prepared. So, I would just encourage you today, because I don't feel like I've got my hands around it, but I do make sure every board's got the, what they call the Essential Eight that the Australian Cybercrime Centre has got in place. We do do simulations, we bring experts into the room, but even when I've done all that, I'm not sure. I'm not sure and I'm afraid, either can you be sure? 

    I have learnt to ask three very simple questions on the boards that I’m on. And they are quite telling. And in every situation the management team haven't been able to answer them off the cuff. The first one is: what data do we hold? Why do we hold it? And if we do hold it, is it encrypted? Simple questions, aren't they? And yet whether I'm a not-for-profit or if I'm a listed ASX company, they are very telling questions. Because if you know the answers to those questions, you can avert the significant risk of a cyber incident. 

    And then you need to think through about if you are asked to pay a ransom, what you will do? Now I know my ethical position is I will never pay a ransom, never. However, if I'm responsible to shareholders and the value creation and shareholders, and to the customers that we have, under what situation could I become comfortable that that was in the best interests of the organisation? I can’t answer that question for you, and I can't even answer that question for me. But you need to balance that, and you need a good legal counsel involved in those decisions making, because it is not straightforward. And yes, I do know the government is planning on putting legislation through around penalties and what people should do in terms of paying ransoms. And I want to stress, I fully, believe in being compliant and lawfully abiding. But remember what your responsibilities are. 

    The report, that I think Mark mentioned, which was the one that the AICD did with the Cyber Security Cooperative Research Centre is very good. I mean, what's beautiful about it is, it's simple and it's quite easy to understand and it doesn't get into too much complexity. And then it really ends up with five very clear recommendations that I'll read out. But it just reminds you that sometimes these things are not done. 

    Firstly, just be really clear about who is responsible in the organisation and how the communication process works to the board, should you ever be in this situation. Do have a strategy, think it through, at least go through how you would respond. Make sure that it is on your risk register because that's the way it will continue to be brought to attention. And I'm sure many of you, on risk committees, will be doing that. Make sure you've done rehearsing, make sure you've done some simulation. And look, the last one that I think is so important, is creating a cyber aware culture. I'm going to talk about culture in a moment because I'm not sure we can write the rules for this anymore.

    But if you have a cyber aware culture where everybody is responsible, including the programmer who's been doing some testing on live data, who may be down on the organisation thinking they're doing a really good job. You've got to create a culture where everyone says: “Well gee, could this become an issue?” So, cybersecurity is very, very important as we go forward. 

    Climate Change Governance

    Let me quickly move on to climate change and all the responsibilities we now have. Firstly, you all know climate creates risk in our organisations. Doesn't matter, again, what sort of organisation it is, it should be on your risk register. But you also have a responsibility to be proactive in some way around managing your carbon footprint.

    And I think, more and more we're going to be required to put it into our reporting. We already have it under ESG. But as TCFD comes through and the International Standards Board starts to ask us to actually report on this, this is going to become very important that you need to be across. It is one of the most important things that comes up in the surveys around our long-term considerations for boards. And the Climate Governance Institute, that the AICD has now set up, I think, is going to be really a lot of help in terms of determining what is the right reporting, how we should best do it, etc. And I'm very impressed with some of the work that is being done there. 

    As some of you may know, I'm also co-chair of a thing called the Climate Leaders Coalition, and it is a group of, well, probably the top 20 ASX companies, maybe 50 ASX companies. It's a group of CEOs who come together just to talk about the reality of decarbonising their companies. And we do have Rio and BHP there. Just like the Government's commitment to 47% reduction by 2030, I got to tell you, this is very hard. Anyone who has really looked at how to decarbonise their company, small or large, and to do it to truly get to net zero without buying offsets, realises this takes hard thinking and investment.

    I'm not sure how we're going to get to 43% reduction by 2030, as a nation. You look at our energy supply, look at all the challenges, in terms of how that supply chain works, the escalating costs, it is very, very difficult and it's the same in our organisations. So, I think it's very important that there's a real light shone on these issues as you sit around the board table. Now, I am sure that you've all got on your risk register, I'm sure you've had discussions about it, and you've probably got science-based assessments of what your carbon footprint is, and you have strategies in place, and I commend you for that. 

    What I often find in my own organisations is, unfortunately there's no business case. I.e., where's the capital coming from? What's going to be the impact on the operating costs and what is that long term impact, in terms of the value of the company? Now I've got to take my hat off to BHP and also Rio who have stood up and said, I think it was Rio who said US $9.5 billion or thereabouts, they’re going to invest out to 2030. You can start to see the scale of the investment required. And I know all our organisations are at different stages and different sizes, but relatively speaking, it's really important. At CSIRO, we had I think 65 old buildings built in the forties and fifties that did not lend themselves well to decarbonisation and the cost of putting in clean energy was enormous, as we looked at it. And of course, that, for us came out of operating costs, not out of capital. 

    So, this is important government or non-government, very, very important terms of what we're doing. And then do understand some of these new reporting standards. TCFD is going to be important. I mean, I was with Ken Henry the other day looking at his nature-based accounting. And with Xero, we're now looking at how we put environmental reporting into the Charter of Accounts. And so that's a bit of a change, isn't it? And of course, if you look at Europe at the moment, most big European companies are more interested. They’ve moved from what their carbon footprint is to what their true environmental footprint is, as they try to look at a bigger picture.

    So, climate change, decarbonisation, sounds simple. And yes, I think there's a lot of energy and commitment to it. However, the reality is that it is not straightforward, and you really do need to lead into it. 

    Innovation and Technology

    So that was only the second one. So, I’ll speed up a bit so we can get onto the Q&A. Part of this, I do just want to mention, is all around innovation and technology. I worry sometimes that we're, sort of, somehow thinking that the digital transformation world's passed us by, we can move on to new things. And maybe in a way, that's right. Because technology is an enabler, not an end point. It's about how you create better companies, how you deliver better products and services, how you deliver or access, more wonderful members for your organisation. It’s how you deliver better government services. 

    But let me assure you, technology is not stopping. And the enablement of running better businesses through the good use of digital technology is very important. And I think that every board needs to be across that. Now, I also have seen boards who say: “Well yes, that's great and we're going to hire a digital expert to be on the board.” Every time I've seen that happen, I'm afraid I think it doesn't end in a good place because it's like understanding the balance sheet. You've got to understand where technology's going for your organisation. But you've got to understand what the impact is for you and how you can take advantage of it.

    That's why I don't really like this term “digital transformation” because I think it doesn't really tell you what you're talking about. Because really what you're trying to do is, you're trying to move the business forward by using this technology. It might be Web 3.0, it might be AI, it might be blockchain, whatever it is. But you need to understand this technology and how it is going to enable you to deliver better outcomes. Or your business could be under serious threat. And all of us, and me included, have been running wonderful companies where suddenly value goes out the door. I mean, at Telstra, remember the Yellow Pages? They were worth $12 billion. I had the great pleasure of selling it for $1 billion. So, this is very real, and we need to be across what's going on. 

    In terms of government service, I know there's a number of directors from government organisations here, very important. I'm doing this review of MyGov and all of you've used MyGov ID because you have your director ID, right? Yes, I’m sure. So MyGov is how we get access to government services and transactions. MyGov ID is the identification and verification process. But how do we create a compelling experience for all citizens, of all walks and social status? How do we deliver better services as governments, both state and federal?

    Why do I have to have a separate sign-on for Service New South Wales and MyGov? I thought we were -- well, we are a Commonwealth, a Federation. But maybe we could be radical? Maybe we could come together, this little, small country of 25 million people, and actually work together? Would be great, wouldn't it? So maybe, maybe we could do some wonderful things in terms of using technology to create a better experience, a better outcome, and improve the very livelihoods of the people that we want to serve. So, a little bit on technology.

    Building Culture

    Last two, just a little bit on culture. You all know how important culture is. I don't even need to say it. But I was reflecting the other day, there's been a couple of companies, actually more than a couple, that have really wonderful board directors, I mean, I know them personally. They are good, diligent, hardworking board directors. And yet, somehow within their organisation, the behaviours of their staff was not what they expected. And I sit there and I think: “Well gee, what have I been any different, what have I seen It?” And I've got to say, when I reflect on some of the boards I'm on, I'm not sure I really know.

    Yes, I get a report. I may even get a quarterly one now because we don't wait for a whole year and do one, and then it takes three months to get to the board. You actually get it real-time, which is good. We may even have a different culture report. We may even have management come in and talk to us and the board table, and we get a sense of it.

    But the truth is, I'm not sure. I'm not sure. So, I struggle with this one. And I and I think, well, how do I get to know? Do I go and spend more time in the business? And of course, quickly, people say: “No directors, you should not be near management. Don't go near them. You are a director, do not stand in the way of management!”

    And yet I'm not sure that’s right. Now, all of you would have read the Netflix way, where they actually get board directors to sit in on management meetings. I'm not sure that's right. But what I have concluded and maybe we can talk about it, is I do need to spend time in the business. Just getting to know what's going on. Not making decisions around what management should be doing. But I need to feel what's going on. I need to ask questions. I need to triangulate. I need to look at social media, Glassdoor, to see when people are leaving, what they actually say about the company. Everything that comes to the board always has got just a little bit of a rosy tint to it. They don't necessarily tell you all the problems.

    Now, that's not true of every management team, but it is. So, I do think that culture is very important. And then the other thing is, just reflect on the culture you create in your boardroom because it sends signals. Just how you turn up, what you say, how you ask those questions. Do you ask it with positive intent or negative intent?

    You know, and I'm sure you all ask nice open-ended questions that are for the greater betterment of the company or the organisation. But I do reflect on that and often will get one director just to keep an eye on us through a meeting, because sometimes it gets a little bit fiery or something.

    The New Ways of Work

    So that's just a little bit on culture. Lastly, new ways of working. Just very, very quickly. Look, we’ve proven to ourselves that we can work in many different ways. And when I go into these meetings and we've still got this discussion going on: do we do we like work from home or should we bring everyone back? And there's sort of a very wide group of opinions. I'm not sure that's the right question anymore. I think every company or organisation is different. Every role in a company is different. I'm not sure we can dictate how people work. There's sometimes, if I'm in manufacturing or, in health care, in the operating theatre, we need nursing staff there.

    They can't do that remotely. Though, we do do some operations remotely now, we bring in specialists. However, the nursing staff need to be there. So there are certain roles that need to be there, but there's a lot of flexibility. And I worry that we try to prescribe too much to them, rather than asking our people: “What's the best way for you?” And actually, letting the organisation find what is the right way. Now, within lawful behaviour, compliance, etc. 

    So, I do think that flexible work is with us forever and I do think the way we run our board meetings should be changed. I'm on a couple of global boards and well, we can't get everyone together anymore. So, we use technology, we get papers that are, the person speaks to it on a video, then it's only a one page and it's far more productive.

    We find new ways, not sit in a Zoom meeting for a whole day. We break it up into a few three-hour slots over a couple of days. And that's really good, especially if you're on an international board. You can do it 6 to 9 and then have the whole day free. So, I think we need to be really creative and innovative in this, because technology or this enablement of being able to do things differently is really great.

    Okay. So, with 1 minute and 13 seconds to go, let me just wrap up. So look, what I've just tried to say is, the world is a changing place. And as directors, we really need to keep on the critical issues and really make sure that we're engaging in all these complex set of issues that we have to deal with.

    But look, firstly, culture does remain critically important. It can cover a lot of mistakes. Get the culture right, then you get a sort of confidence for people to do the right thing in the organisation. Climate change. One, it's a real risk to many of the businesses you're presiding over. But also, you have this responsibility in how you are going to get to net zero. Cybersecurity, what do I say? Just, it's going to happen, so you better get ready. And you just don't know how broad that's going to be.

    Don't forget about the incredible opportunity for technology to create incredible companies, great Australian companies, global best practise. Be it a not-for- profit or delivering great outcomes for governments. And be innovative, find a new way the way you work, change the game. But do that with management, by the way. Very important. So thank you very much. Look forward to the conversation.

    Latest news

    This is of of your complimentary pieces of content

    This is exclusive content.

    You have reached your limit for guest contents. The content you are trying to access is exclusive for AICD members. Please become a member for unlimited access.