It may be argued that Dunstan Maurice was already well into Enterprise Risk Management even before he accepted an IERP invitation to speak at one of its conferences. A seemingly natural aptitude for ERM made him the ideal person to develop and spearhead the risk management function for GHL Systems Berhad – no small task, considering that GHL, a payment service provider, has offices in Australia, Cambodia, Indonesia, Malaysia, Philippines and Thailand, and processes over RM1.5 billion in payment transaction value every month.

As its Group Chief Risk Officer, all GHL’s value-added services, payment network solutions, consumer loyalty products, prepaid solutions, Internet payment processing and purpose-built backend merchant applications come under his purview. GHL’s core operations is its third-party acquiring business, also known as transaction payment acquisition (TPA). GHL facilitates merchants’ acceptance of e-payments and transactions via its terminals through its partnerships with global schemes, card payment acquirers, e-wallet issuers, telcos and billers.

The firm has worked with some high-profile clients like CIMB Bank, MyDebit, Global Payments Inc and Bangkok Bank for card payment services, as well as next-generation payment services such as Touch ‘n Go, Alipay, Beep and WeChat Pay. For CIMB Bank, the firm acts as a Third-Party Acquisition (TPA) which enables merchants to accept payments from various international card associations.

For Amanah Ikhtiar Malaysia (AIM), the firm established cashless collection electronic payment infrastructure to enable AIM’s clients to make regular loan repayments through 5,000 service centres and terminals nationwide. For budget airline Firefly, GHL integrated the airline’s booking system with a range of banks, allowing it substantial savings in time and costs.

There were no ERM systems in place when he took up the position, he says, but “We did have an operations risk process which used a “check list” method.” Then came the IERP invitation, and things started to fall into place. But even with the availability of the expertise to establish the necessary processes, it has taken three years to establish a framework that really works for his organisation.

“The process involved getting the buy-in from senior management and the Board, before getting the other employees, like the Heads of Department, to understand ERM,” he said, adding that he introduced the Operational Risk model as it was the most appropriate for GHL’s business model, which was operations- and sales-centric. “I also had a supportive Group CEO who was receptive to the implementation, and an experienced Board Chairman who understood the importance of implementing the framework.” His Malaysian team also underwent a Strategic Risk programme with IERP, which produced greatly encouraging results. “Their level of understanding improved tremendously,” he said. “The team developed its Risk Registers, which were later applied to GHL’s operations in other countries.”

Taking this approach, he found, was key to successfully developing an appropriate organisational risk culture for GHL’s employees which number more than 1,000. Despite the extensive responsibility for risk across the organisation, Maurice operates a small unit – just three people, including himself. But the work is detailed and ongoing. “A typical day starts with the review of the follow-up items from the RCSA and ITSA,” he said. “There may also be multiple engagements with business units to discuss their respective risks and mitigative measures. Then there’s reviewing of new business risks for the group as a whole.”

Despite his previous work experience with risk, and his focus on ERM now, he finds that challenges still abound. “Previously, my role was one of managing merchant performance risk,” he explained. “The challenges now are different because ERM is holistic.” But there are other considerations as well. Even with a framework firmly in place, he frankly admits that alignment of risk management where all units in the organisation are concerned is still a work in progress. His responses show that he recognises that there are definitely more challenges ahead.

What were your initial reservations about ERM?

Getting the buy-in from the Board and senior management.

What have been your greatest challenges with regards to ERM in your present position?

Firstly, embracing ERM as a strategic tool rather than a fault-finding tool, and secondly automation.

From your perspective, what is the biggest ERM challenge facing your industry?

The introduction of new regulations in the payment space. As a non-financial payment facilitator, we are either missed out or burdened with having to implement regulations that are meant for financial institutions, leading to overkill.

What pitfalls should organisations be aware of, when implementing ERM?

Implementing it as a paper exercise just to fulfil the criteria. When implemented effectively, ERM can bring great focus to the organisation, and improve revenue.

What kind of ERM training do you recommend for non-executive level staff?

Strategic Risk training is ideal for all employees.

In your experience, how long does education, awareness and training have to be implemented before a viable risk culture develops?

About three to five years. It also depends on the receptiveness of the management and staff of the organisation where it is being implemented.

In addition to awareness and education, Maurice believes that for ERM to be more comprehensively and quickly adopted, there needs to be some sort of regulation that requires it, and industry players have to come together to encourage it. He acknowledges that budget constraints are always the most difficult to deal with but advises a practical approach when trying to mitigate risk. “Implementation also needs to be followed up with monitoring,” he stressed. Also, industries themselves have to take it up. Firms must want to do it, if it is to be workable and successful. There needs to be internal and external cooperation, and open channels of communication.

“When the ERM framework was developed, the objective was to ensure that there would be no silos,” he explained, referring to the GHL environment. “All similar functions, sectors and departments have been grouped for better alignment. We haven’t reached perfection but compared to where we were three years ago, we’re getting there!”