As chief risk officer for the nation's largest superannuation fund, there is one misconception about Paul Schroder's line of work that needs to be clarified.
"I am the chief risk officer, not the chief risk reduction officer," he says.
Too often, people synonymise the word 'risk' with something that is 'bad'.
"That's not right. Risk can be positive or negative. There is good risk and there is bad risk. The challenge for organisations is to balance the risk and return - to increase the likelihood of returns and reduce the likelihood of negative events over time," he explains.
Schroder often has to strike the right balance, juggling how the super fund manages its risk individually, interdependently and in aggregate, and, ultimately, whether it has taken the right amount of risk.
Since 2019, the $203 billion super fund has ramped up its commitment to risk and compliance, appointing Schroder as its inaugural chief risk officer in October of that year.
It also created a risk committee, which meets six times a year, to elevate the importance of risk across the fund.
Such initiatives reflect the seriousness and growing interest from members and the community to ensure funds are doing the right thing in a prudent and careful way, Schroder says.
"[It is also] a reflection of how seriously the super fund takes risk management and its discussions with APRA about the best way to consider and manage risk," he says.
Part of his role is to think about risk strategically - that is the risk philosophy, risk-management strategy and enterprise-risk management framework.
He often asks himself: "Are we taking the right level of 'Goldilocks' or optimal risk - not too hot or too cold - is the level of risk undertaken just right? Is the risk management framework commensurate with the size and complexity of the fund?"
Another aspect of his role is overseeing the super fund's four growing risk departments.
Head of governance Narelle Smith, and head of enterprise risk and compliance Nevein Versace report directly to Schroder.
Emergent risks, a new department led by Andrew Mantello, who took on the role in mid-2020, is tasked with anticipating potential issues that can surface. One example is COVID-19 and its related issues such as working from home and returning to work, as well as any other unforeseen events and risks that may occur in the future.
Finally, Tom Garcia is the head of the financial crime, security and resilience unit, responsible for data governance, anti-money laundering, security and privacy.
Schroder describes the latter as an "exciting and important area" because a member's data is their asset.
"We are in the business of helping members grow and protect their growing member assets - this is a logical extension of that," he says.
Garcia's team was established based on the concept of "converged security", which links information security with premises security and personnel security.
"Converged security makes logical sense, and we believe it will be expected more and more from organisations, especially as it connects to the Security of Critical Infrastructure Act," Schroder explains.
"The resilience means if an unforeseen or bad event happens, the organisation can recover quickly and can continue to serve members."
The Office of the Australian Information Commissioner reported 539 data breaches between July and December 2020; more than half (58%) related to malicious or criminal attacks which included cyber incidents.
Most of the breaches, or just under a quarter, came from the health sector, followed by the finance industry, which notified 15% of the incidents.
With $3 trillion in assets and rising, there is a lot at stake for the superannuation industry, underscoring the imperative to protect members' data and retirement savings with ironclad safeguards against loss, modification and unauthorised access.
A new report compiled by The Gateway Network Governance Body (GNGB) and PwC found that the industry is in need of minimum cybersecurity control standards to combat the most common breaches: phishing emails (82%), identity theft (56%), human error or negligence (55%) and malware (46%).
Almost all the C-level superannuation and cyber experts canvassed in the survey agreed that baseline standards should be introduced - but many (62%) admitted they have limited understanding of cyber risks and how to tackle them.
AustralianSuper's initiatives in the area of risk, Schroder says, are very important to members, the community and regulators.
"We understand why it is so important because we are talking about intergenerational trustworthiness. What members expect from us is to be trustworthy - which means to be competent, benevolent, and act in the interest of the beneficiary and demonstrate a character that people can respect," he says.
"When I think about risk, it is the balance of risk and return and how we manage these under the banner of trustworthiness."
Security and privacy threats are indiscriminate. No country, industry or organisation is immune to potential breaches that can compromise sensitive information.
Last year, the US Securities and Exchange Commission sounded the alarm to financial companies about the spike in ransomware attacks, urging the firms it oversees to fortify their cybersecurity preparedness and operational resiliency.
ASIC was a recent victim of a cybersecurity breach that likely exposed personal information of credit licence applications.
Quant fund manager Levitas Capital shut its doors less than six months ago after falling victim to a fake Zoom invite that began a chain of events culminating in its administrator, Apex, and trustee AET authorising payments of about $8.7 million, forcing its biggest client, Australian Catholic Super, to withdraw its mandate.
Two years ago, about 11,000 AustralianSuper members became the target of a data security breach.
At the onset of the pandemic, the superannuation sector became vulnerable to fraud as the government opened the floodgates to the early release of super (ERS), leaving providers struggling with high volumes of requests, an opportunity many bad actors seized to make fake applications.
Over the following months, however, APRA commended the majority (75%) of super funds for strengthening their practices to curb fraudulent activities.
By October 2020, just 1703 fraudulent ERS payments (0.04%) had been detected out of 4.5 million.
APRA's Prudential Standard SPS 220 Risk Management, while not a silver bullet, is perhaps the industry's guiding light in managing risk.
Trustees should have systems in place for identifying, assessing, managing, mitigating and monitoring material risk, or as Schroder likes to call it, "I AMMM risks".
At a minimum, trustees must have a solid framework that covers: governance risk, investment governance risk, liquidity risk, operational risk, insurance risk, and strategic and tactical risks.
"We know that there are threat actors and things can go wrong," Schroder says.
"But the key to being able to manage these is to be clear about our risk philosophy and risk-management framework which we call our 'enterprise-risk management'. It comes down to culture, strategy, structure and practice."
This isn't the first time Schroder has dealt with security and handling important information in his career.
At the turn of the century, when most banks were buying their wealth business, he had a front row seat while working with the Financial Sector Union (FSU). Back then, offshoring operations and handling sensitive data and security were major issues.
Schroder spent some 15 years at the FSU, elected in 1994 as trustee director of a super fund in a contested election, and representing the rights of bank and insurance employees.
"It was a privilege to serve those members and engage with intelligent chief executives at the banks at the time such as David Morgan (Westpac), John Stewart (NAB) and John Macfarlane (ANZ)," he says.
He joined AustralianSuper in 2007, fresh from the merger of the Australian Retirement Fund and the Superannuation Trust of Australia, and over the years, oversaw the new entity's growth agenda, the insurance book, strategy, brand, sales and reputation.
Schroder has worked with a number of high-profile leaders who have made their mark in superannuation, such as Elana Rubin, Heather Ridout, Mark Delaney, Ian Silk, Don Russell and Innes Willox, to name a few, and the Australian Council of Trade Unions' (ACTU) Dave Oliver, who mentored him; all have been generous with their time.
As a fresh graduate from the University of Melbourne armed with an economics degree, Schroder took his first job assisting migrants and refugees in settling into the workforce and learning English on the job.
He then went into rehabilitation work, joining the Victorian Trades Hall Council, where he worked closely with a young David Atkin, Cbus' former chief executive and now the deputy chief executive of AMP Capital.
"He has been a long-time friend and mentor and we first worked together in 1990 on rehabilitation and compensation matters," he says.
Reflecting on his work history, championing the greater good is an evident thread running through his career, made more meaningful by the connections he has made along the way.
"I have had the privilege of working for member organisations. When I look back, there is a clarity, simplicity and purpose in that, which is very energising. Everywhere I have worked there is always the purpose of achieving member outcomes," he says.
Not one to take relationships for granted, Schroder avoids the traps of judging a book by its cover because he knows that first impressions are never right.
Behind the exterior is the story where "the depth and beauty and complexity is", he explains.
"If someone had told me that when I was younger, I probably would have made better judgements about people, and perhaps got and appreciated the richness of those relationships sooner."
Even in work mode, rarely does he take any form of risk that comes his way at face value, embracing the tug-of-war between risks and returns, and continuously seeking to gain the best benefits for members.
"You cannot have benefits for members without taking risk," Schroder says.
"You cannot achieve your strategic ambition without taking prudent, considered risks."