
For the good of the profession

Wednesday 14 March 2018

Graham Caddies, Principal Consultant, Trainer and Auditor for Advance ProfitPlan (APP), speaking at the GRC 2017 Conference Awards Dinner.

Interview with Graham Caddies

* This interview was originally published in the GRC Professional Magazine

Graham Caddies, Principal Consultant, Trainer and Auditor for Advance ProfitPlan (APP), was awarded the Lifetime Member Award at the 21st Annual GRC Conference.

At the Gala Dinner, Naomi Burley, Managing Director of the GRC Institute, said the Lifetime Member Award is presented to members who have contributed to the GRCI and its members in a material, ongoing and sustained way.

“Our recipient for this year’s award is a very worthy person who has consistently, since being a member, and a member of a number of other associations, given of his time, intelligence, and experience with a wide number of organisations to ensure other GRCI members have access to resources, challenge themselves and help build resources,” Burley said.

On receiving the award, Caddies referred to the importance of having a professional body to support both the professional and the profession.

“Those who have seen me at conferences or seen me presenting at conferences have probably gathered: I believe in the profession and I believe that the profession has to have a professional body.”

The GRC Professional got a chance to catch up with Caddies a week after the conference. An emphasis on GRC has been an integral part of every facet of Caddies’ career, and he has taken all these pieces to develop what he has come to see as the ‘big picture’ of GRC.

I have been in uniform as an Army Reservist for 40 years. I started as a digger and worked my way up to a major, so you can see where leadership and compliance and risk all played a major part. I joined at 17 and retired in 2010.

The second part of my career was my paid jobs, and all the way through that, I’ve often held positions where I have had to start new departments, or had my own business. Also, I was a consultant for the National Safety Council in the ‘80s. I ended up becoming the North Queensland Manager, establishing the North Queensland office. So, once again, you can see governance, compliance and risk being a part of all that, even though my focus at the NSCA was mainly on safety, consulting and auditing.

In addition, in my community, I have been involved with schools and governance boards, and was a chairman for a not-for-profit board for 15 years. So once again, governance, risk and compliance formed a major part of that.

I have also been actively involved with my church, including running and being on leadership committees, and organising and leading camps, which also involved governance, compliance and risk.

So, you have a lot of experience in the GRC space.
What started me on the road was my first two professional memberships in the Safety Institute of Australia and the Australian Institute of Management. I became a member of both in ’83 and ’84 respectively, mainly because that’s where all my work was, and they were about the only professional associations around that I was aware of at the time.

It was when I got the job at the National Safety Council I realised that, if I was going to make any workplace safety changes—in safety and in health and welfare and all that—then I needed to get involved with compliance and risk and to understand management and Boards, and that’s when I started seeking out other avenues.

I joined the Australian Institute of Risk Management back in 1992 because I knew I needed more information in the area of risk. Then I became a fellow of the Safety Institute in 2001, and a fellow of both the AIM and RMIA in 2002.

I did the RMIA’s Certified Risk Manager course back in 2002, and was awarded the Certified Practising Risk Manager (CPRM) certification. I have also been a member of the Environmental Institute of Australia & New Zealand since 1997.

The reason I chose to become a member of all these professional bodies is because they covered the areas I was working across, whether as a consultant or while working within a company. My work expanded, covering everything from governance, compliance and risk, to assurance and continuity, but initially with an environmental or management, or safety focus, or a combination.

I became a member of the Australian Institute of Company Directors (AICD) and completed their diploma, the Company Directors’ course, in 2004. I have been a graduate member of theirs ever since.

After that, I still wasn’t happy, even though the AICD course gave me a good overview of governance, risk and compliance, assurance and continuity from a directorial point of view. It was a good course and they covered it very well, but I started searching for more depth and I was tossing up between the old Australian Companies Secretaries Institute—now the Governance Institute—and the, at the time, Australian Compliance Institute (ACI), which is now the GRCI. I ended up choosing ACI because they had the seven-day Residential CCP course which covered governance, compliance, risk and assurance to the level I was looking for.

So, in 2009 I became a member of the ACI and completed their CCP course, and was awarded the CCP certification in 2010. I still was not 100% satisfied so I completed the Business Continuity Institute’s (BCI) Certificate in Continuity in 2009 and became an Associate Member of the BCI in 2011. Thus, my career led me to become a member of nine professional bodies which all interrelate. I believe that a broad depth of knowledge is an important part of being an effective governance, compliance or risk manager. You need to have an understanding across those multi-disciplined areas.


Has it been challenging to be a part of so many different professional bodies?
Actually, I have found it very rewarding. Indeed, one of the best things I have found is that their professional publications and electronic information are my main source of staying up-to-date. Being a part of these bodies also provides a way of seeing and understanding the interrelationships. I have always approached my work looking at the underlying principles, foundations and concepts—whether it be a piece of legislation or compliance standards or training.

For example, when I look at 19600 (3806), the compliance standard, or 31000 (4360), the risk management standard, I always look at the underlying intent, principles and foundations, rather than getting lost in the nitty gritty. I always look at the business as a whole and its interrelations. If you look at and understand the human body, you will see a range of systems that are vital in their own right and independent, but which are interconnected. The body would not function without these systems or functions working together, and that is no different from a business and its inter-related functions.

It has been frustrating to me, in every profession in which I have been involved, to know that people tend only to look at what I call the ‘stove-pile effect’—that is, they only look at one piece of information instead of exploring how that piece fits into the whole picture.

When I was at the GRC2017 conference this year, I heard people saying, ‘How do I get a seat on the board? How do we get a seat on senior management?’ Well, quite frankly, if they took off their compliance hats and started engaging with the people and being a part of the team, they would soon be there.

When you heard you were being awarded the Lifetime Award, what did that mean to you?
I only found out on the Wednesday, when I met with Naomi to work out the workshop she and I ran on Friday.  

I have never done anything in my life purposefully. I keep hearing people saying, ‘You’ve got to have a plan,’ or, ‘You have to network if you want to move up the ladder; then, you have to make yourself known.’ My whole life has been: if I see a need, then I get stuck into it. Because of that, I’ve progressed and created a reputation for myself, and when the ACI and the RMIA sort of came together, I thought at long last, we can have two separate professional bodies, but we are basically doing stuff together from a conference point of view.

I was hoping we would stay together but still keep our separate bodies. However, when they split again, I threw my weight behind the RMIA to help get them going. I was part of a team developing their new three-level certification and the risk body of knowledge and part of a team developing their Continuing Professional Development (CPD) Program. Once again, I couldn’t believe I was working with a group of professionals who have been senior risk officers for a long time where some of them did not fully understand the full scope of risk.

At the same time I got behind everything the GRCI is doing because of our understanding of governance, compliance and risk. I got involved with the IT Risk forum and I got sick and tired of the group being a ‘talkfest’ without any outcome for the profession. This is why I suggested to Naomi that we put together a whitepaper, as a professional body, to give guidance to our members and to other professionals. This gave the IT Forum something to focus on, resulting in the White Paper. Hopefully, it can stop the profession from being hoodwinked by multinational accounting and legal firms putting out their theories, and those theories being adapted by regulators. The ‘three lines of defence’ is a good example.

I am passionate about helping the GRCI to really take charge of this need by putting out well-thought-out pieces and directing where we are heading to give people the whole picture, rather than focussing on just one thing. An example of this is in IT, where everyone is focussing on the big risks, rather than looking at the risks as an opportunity. With opportunity, there is potential risk.

So, I was blown out of the water because I didn’t do it for any reward. It’s the second time I have received professional recognition—the first being the Australian Institute of Management Excellence Award for Owner Manager category in 2002—but that’s not what drives me.

This life membership means a lot to me, however, and if I can use it to help budding or even mature professionals see the bigger picture and be more effective, I’ll be happy!

If the award becomes a way to use me to get out there and spread the word, then that would make me happy also.

What do you hope for the future for the GRC Profession?
The biggest thing—as you have probably gathered from the conference—is that whether it be governance, compliance or risk, most in the profession don’t understand the full scope of compliance. They focus on regulatory compliance; yet one of the biggest starting points when you read 3806, and the new standard 19600, is that it clearly states compliance is also the business values, the business objectives, and the business strategy. They are all required to be complied with.

That sets the scene. And then you’ve got the conditions of licenses, the conditions of assurance policies, the conditions of MOUs, all of which, in many cases, are more critical than regulatory requirements.

If people only looked at it holistically, they would find that they can do one or two things and fulfil five or six compliance areas instead of doing 5 or 6 separate things, if that makes sense?

Thus, I can use my enthusiasm to help Naomi and the team, as well as other professionals and even the board to grasp hold of that picture and ensure our webinars, podcasts, and conferences have got that as their theme.

This year’s conference was excellent in expanding our focus. We started to touch on that area of ‘audacity’; however, I believe the second thing I would like to see the GRC doing—and I hope I can help drive this—is to produce more white-papers and to work in unison with other professional bodies to engage with regulators and those who set the scene in Australia and who oversee governance, compliance, risk, assurance and continuity policy to establish effective holistic and integrated GRC.

I am not saying we should lose our identity. But, for example, the GRCI and the Governance Institute could work together to negotiate with regulators and others to stop those policies and guidelines coming out that push only part of the picture.

We’ve got to get this holistic approach across. It’s like a jigsaw puzzle: if you have this 1000-piece jigsaw puzzle but you haven’t seen the finished picture, it’s very hard to put it all together. However, if you have the full picture in front of you, then you can start to see how and where the whole picture fits together—and, more importantly, if there is a piece missing or damaged.

Any advice for emerging GRC professionals?
The one thing I would like to get across is that it doesn’t matter what area you are in, whether you’re in compliance, or just risk, or just governance or whatever it is. The starting point, if you want to be a GRC professional, is that you’ve got to understand how organisations and businesses work. You’ve got to understand the roles and functions of the board, the management committee and senior management, right down to frontline managers and the work force. Then, you need to develop the skills to understand how to engage with, empower and walk the journey with them as the internal professional. To me, that is the critical component.