From Audit Assistant to General Manager
Chyselle Oh makes it a point to learn from each and every one of the jobs she has held over the past 15 years, and has to teach her. With a Bachelor of Science in Applied Accounting, she lost no time in taking up an audit assistant position in her hometown straight out of university. But bigger things were in store. Within six months she made a move to the big city and landed an executive position with Leong Hup Holdings Bhd’s group internal audit function. She then moved to Taylor’s Education Group’s group internal audit, where she stayed for seven years through a managerial position.
She was with the first two places only “for a short time” she said, but went on to spend her early career years in education. She learned a lot during her Taylor’s stint, about audit, controls and frameworks. “This is where I obtained the knowledge of control processes and governance,” she said. “When the opportunity arose to join Hartalega, I took a leap of faith and made the change to another industry. I like challenges!” One of the leading manufacturers of nitrile gloves in Malaysia, Hartalega had, up to that point, outsourced its internal audit function to a consultancy firm. Chyselle had the opportunity of joining a newly established Internal Audit Department that also facilitated risk management.
With an attitude that prioritises adding value to the organisation through working hand in hand with management, her rise was meteoric. She went from Manager of Internal Audit to Senior Manager heading the internal audit department, reporting to the CEO and Board Audit Committee. Subsequently, she was redesignated as Hartalega’s Deputy General Manager for Governance, Risk and Compliance. Now, she is Hartalega’s General Manager, Strategy, Sustainability & Corporate Department. Part of her current portfolio requires her to oversee risk and compliance, sustainability, corporate strategy and communications, and government affairs. But was she able to apply anything culled from her seven years in education, to the vastly different position of GM in one of the leading glove manufacturers in the country and the world.
“Personally, I think the profession of internal audit and risk management involves developing a skill set of its own,” she said. “It’s not about the industry. The work of audit – checking on controls and processes – requires a skill set of its own. When I first went from education to manufacturing, there was a sharp learning curve. But when it comes to the actual work of auditing and establishing a risk profile, for instance, learning about the industry is one of the things we definitely need to do. But the skill set required to identify and assess risk, or checking on control processes – these are things that you can leverage on.”
What matters is how the skill set acquired in the course of gaining experience in different industries, is applied to the industry one is working in. “If I were to explore the property industry, for instance, the skill set will still be relevant. But I’d have to learn how to apply the skills appropriately,” she explained. In addition, she is working on taking the lead on sustainability for her company, viewing it as very closely related to risk management. She sees a great need to look into risks as well as opportunities as these are interlinked. Sustainability has always been a part of the Hartalega mindset although this may not have been aggressively communicated.
Hartalega has long practised many aspects of sustainability, such as energy efficiency, but until now, has not locked these practices into a framework. But this was one of the things that she addressed upon taking up her current position, starting the sustainability function and establishing a framework that looked into the risks and opportunities of sustainability. These efforts have already garnered awards and improved the company’s rating in various assessments. But in recent years, the Malaysian glove manufacturing industry has been cast in a negative light at home and abroad, accused of unfair labour practices and falling short of international standards.
Out of this experience, a task force was established as part of managing the risk. A social compliance department was set up, championed by the CEO in collaboration with the risk management team. Together, they look into compliance issues, and how to upskill in terms of labour practices. “In fact, we have implemented a host of different efforts before this,” she said. “For instance, when we were building our NGC Sepang, we were also building a workers’ hostel that met ILO standards. This was in 2012, even before labour issues were highlighted. ”
She emphasised that Hartalega takes its labour practices very seriously as it wants to take care of its employees and continue to provide a safe and conducive work environment. This extended to regular testing of thousands of employees every two or three days, in efforts to contain the spread of the Covid-19 virus at the height of the pandemic, and segregation of employees according to function where they worked, to further curb the spread of infection. “This allowed us to continue to operate the plants where employees were not infected,” she said. “The practice of mask-wearing and WFH was implemented, and a vaccination centre was set up for employees and the general community.”
This, she said, was an example of how risk management supported informed decision-making, enabling the company’s management to work hand in hand with the community. While risk management has certainly given her a career advantage, it has been supported by her personal belief that she needs to learn something new to broaden her knowledge and stay relevant, regardless of the circumstances. Being a chartered accountant was not enough; she attributed further enlightenment to the risk management course which she took, and how pathways opened up through the IERP’s certification which provided a better understanding of frameworks, and via networking opportunities.
She found the Institute’s networking sessions particularly beneficial as she learned through shared experiences, and gained deeper insights of what other companies were doing. This has been invaluable when it comes to implementing risk management in her own organisation. Familiarity with risk management has stood her in good stead, and enabled her to identify both challenges and opportunities in an increasingly difficult environment. For risk professionals, management support and buy-in are essential nevertheless, or implementation cannot succeed. Risk managers don’t manage risk; they monitor its management.
“You’re successful if management believes that things that you do, is helping the business to achieve its objectives,” she said, adding that it was imperative to be able to exploit opportunities at the right time. One of the biggest challenges, she has found, is getting everyone on the same page where understanding risk management is concerned. Readily conceding that auditors and risk managers see things from different perspectives, she said that internal auditors tend to focus on historical and control processes, while risk management tends to be more forward-looking.
“The objective of an internal audit is to bring a very objective, systematic and disciplined approach to evaluate and improve on the effectiveness of governance,” she explained. “Risk management, on the other hand, is about the preempting future. To provide assurance, the audit looks back at historical records to ascertain if the control processes are in place. Risk management looks at the bigger picture.” Audit looks at controls to ensure that measures are in place; risk management works with management to focus on the results and outcome by crafting risk engagement/management strategy, and exploits opportunities that become available, she added.
This inevitably involves a shift of mindset from control process compliance to more forward thinking. Internal audit may take a very different approach but it can strengthen control processes and develop a very good understanding of the organisation’s practices, she stressed. “Most of the time, these control processes are a part of mitigation measures or strategies,” she said. “The knowledge and skill sets of an internal auditor, in terms of control processes, if used in risk management, for instance, will help craft better strategy, and better advice management. If we are able to leverage both IA and RM, that’s the sweet spot.”
