Episode 5: John M. Green - Artificial intelligence risks, what to ask on cyber security, and lessons from the pandemic
John M. Green is a director at Challenger and board member with the Cyber Security Cooperative Research Centre. He’s also a former Deputy Chair at insurance giant QBE. John talks about the risks around the increasing use of artificial intelligence, questions for directors to ask on cyber security, and lessons for boards from the pandemic. Plus, we discuss John’s career as a novelist and his role as chair of a social purpose book publisher.
Show notes
Click here to read the Cyber Security Governance Principles from the AICD and the Cyber Security Cooperative Research Centre
https://www.aicd.com.au/risk-management/framework/cyber-security/cyber-security-governance-principles.html
Click here to read the Essential Eight from the Australian Cyber Security Centre
https://www.cyber.gov.au/resources-business-and-government/essential-cyber-security/essential-eight
Click here to find out more about John’s novels
https://www.panterapress.com.au/book_author/john-m-green/
Transcript
Welcome to Boardroom Conversations, a podcast from the Australian Institute of Company Directors. I'm Bennett Mason and thanks so much for listening. And each episode of the show will have candid conversations with some of Australia's leading directors, delving into their background journey to the boardroom and a few of the challenges they faced along the way. Our guest this time is John M. Green.
John is a director with Challenger, board member for the Cyber Security Cooperative Research Centre and the chairman of book publisher, Pantera Press. He was also formerly the Deputy Chair of insurer QBE and a director with WorleyParsons. John, thanks so much for joining us.
JOHN M. GREEN
I'm thrilled to be here. Thanks Bennett.
BENNETT MASON
Now John, you were a lawyer and a banker before you became a company director. That's not an uncommon background for a director. But how do you think your career in the law and finance prepared you for the boardroom?
JOHN M. GREEN
I think it was like a 30-year crash course in corporate crisis management. The reason I say that is because I was often the guy, or one of the people, who were called in when companies faced an existential crisis. Whether it was major litigation, whether it was a capital raise, whether it was takeover defence or a takeover or a major acquisition. And so, I got to see hundreds of boards in my time, good boards, great boards, bad boards, in operation. And I was their advisor. And I learnt a lot from that, by observation and experience. And you see, for example, directors who roll up their eyes in a crisis and other directors who roll up their sleeves. And there's a major difference. And you kind of think: if I was a director, who would I want among them? You see, the old adage is people don't always rise to your expectations of them. They often fall to their experiences. And that tells you that what you want is a very good diversity of experience on your board. So, we talk about diversity a lot these days, and that's a very good thing. One of the things we don't talk about a lot is diversity of experience and diversity of thinking, cognitive diversity. Now, I’m a big exponent of those. That you want people who've come from quite different backgrounds, they might not necessarily be the kind of people that you think: “Oh, that's an absolutely good fit with this company.” But they bring something that you don't have that will challenge you. So about, ten or 15 years ago, I wrote an article for Company Director called “Contestable Collegiality.” And for me, that's one of the key things for what makes a good board, that you've got people around the room who have got different experience, who aren't afraid to speak up, who are encouraged to speak up, and who, when they ask what appears to be the dumb question, everyone around the room knows it's not a dumb question. Because if it was dumb, they wouldn't be there, and the questions are treated with respect. So there are no dumb questions. There are just dumb answers. The idea of this contestable collegiality, you don't want to be just collegiate because then you get groupthink. So, it was a very good experience for me in seeing how boards act, don't act. One of the really big lessons that I learned was that we never have perfect information. We are making decisions as directors in deep uncertainty. We don't know what the market is doing or thinking. We don't know what competitors are doing or thinking. We think we know what customers are thinking but often we don't. We don't know always what's going on in the bowels of our organisation. We saw, to all of our horror, the Royal Commission into Financial Services a few years ago where, in quite a number of companies, bad things were going on. And what we know is that good people often do bad things. And you say, is it a question of culture? Very often it's a question of culture. Is it a question of uncertainty? Very often it's a question of uncertainty, and they’ve just made mistakes. Or they're the boiling frog, where you do a little thing, and a little thing, and you don't notice what it is that you're doing. So, the ability for people to step back and think is really important. And I think having been through many, many crises as first a lawyer, then as an investment banker, you get an appreciation of all of that. It doesn't stop you having crises though because everything is different.
BENNETT MASON
Was it ever difficult, as an executive director at Macquarie or partner at the law firm, you can be very hands on. But being a director is a different sort of role. Was that challenging? Making the adjustment?
JOHN M. GREEN
Not for me, not for me. It is for some people, absolutely it is. It's particularly difficult in my observation, more for people who've been executives or CEOs in companies, than it is for people who've been advisors. Because the advisors, while they've got their hands on in their own business, they don't have the hands on in their customers’ business, in their clients’ business. So, you're much more used to giving the advice, asking the, what I call the “what if” questions. Because the “what if” question for me is probably the most important question. When you recognise you're dealing in uncertainty, you're saying, “But what if this happens? What if that happens? What is it that we don't know? What else out there is there that we might face?”
BENNETT MASON
We talked a little bit about your career. You've obviously had a very diverse portfolio of boards. Financials, a global engineering company, but also you were on the board of the National Library. What factors do you look at when you're considering whether to join a board or not?
JOHN M. GREEN
The two factors that I look at are the people involved. Do I like them? Can I trust them? Are they wise? Have they been through wars? Because I've found that very often people who look terrific have never actually been through the mire. And when the mire hits them, they're not actually always that good at dealing with it. So, I would prefer to have on a board with me people who have lots of scars and have dealt with the scars and have learnt from the scars, than people who just look like they've come out of The Bachelor. So, the first thing is the people. The second thing is: can I be passionate about the business and the strategy? Do I see that this business has an exciting and interesting way forward? If it does, I'm really interested. If it doesn't, it's not for me. It might be for somebody else. Everybody is different. It's like art or any form of art. You would look at a painting by Vincent Van Gogh and you might say: “That's very childlike to me. I don't like it.” I would look at it and say: “I think it's a masterpiece.” Everybody looks at things differently. So, they’re the two things for me. I've recently got involved with education, so I'm now chairing the University of Wollongong’s Global Business. I didn't even know they had one when they asked me. They've been in the Emirates for 30 years, they're in Malaysia, they're in Hong Kong. We've just had approval from Prime Minister Modi in India to open in India and we're looking at a number of other things. Education is just such an important, I wouldn't like to say industry, but vocation.
BENNETT MASON
Sector maybe?
JOHN M. GREEN
Sector. Thank you, sector. Where you actually are changing people's lives every day. And for me, that's one of the most exciting things I've been involved with.
BENNETT MASON
You don't have to name names, but are there times where you've had to decline a position on a board?
JOHN M. GREEN
You mean where I've been asked and I've said no? Or when I'm on the board already?
BENNETT MASON
No, you’ve been asked and have politely declined.
JOHN M. GREEN
There have been a lot of occasions where I've been asked to join boards, where they haven't satisfied my two tests. But that's not hard. I think lots of people are in that position, but they would decline for different reasons. I mean, it might be: “I don't have the bandwidth at the moment.” That's possible. It might be there's a conflict of interests with something else that you're doing, or it might be you don't like the people, or you're not interested in the business. I mean, there's a whole bunch of different reasons why that would be the case.
BENNETT MASON
We talked earlier about shocks and crises. Perhaps the most significant crises we've had in recent years was COVID and the pandemic. Do you think there were learnings from the GFC that you and your boards were able to apply to COVID?
JOHN M. GREEN
Learnings from the GFC? Gosh, I can tell you maybe a slightly different learning. Which was that COVID did for us and did for the world something that we were pregnant with but hadn't done anything about. What it did was, it forced us to use all the technology that had been available that people weren't using. And so, we could go from 100% working in offices to 0% working in offices in virtually the snap of a finger. That was extraordinary. So just a few weeks ago, I read an article by Paul Krugman in the New York Times who said, and he gave evidence to this, but it shocked me. He said that the Internet has not led to any improvement in productivity in the whole 20-plus years that it's been around. And I thought that can't be right. And then I was talking to a futurist friend of mine about this. And he said: “Well, he was right. But in 2020, we actually grabbed all the tools that were available, and we used them virtually for the first time.” And so now we have jumped forward dramatically in terms of how we operate our lives and our businesses. And we are using all of those technologies. The learning from that is actually we should pay more attention to what we already have, and we shouldn't kind of think about: “Oh, it'll take us five years to develop this thing.” Whereas in fact it took us five minutes. When I was on the board of QBE at the time of Covid, we had some business processing centres in the Philippines. And they had to close down. And we had to operate them and people went back to their villages, remote villages, and so on. And they didn’t have broadband, they didn’t have computers, but we managed to get them all that. And then we carried on. And that happened really, really quickly. And you think: “Gosh, if you’d been thinking about that as a normal business project before Covid it might have taken a year or two, but it didn't.”
BENNETT MASON
Just sticking with COVID and the pandemic and your time at QBE. You were the chair of the risk committee there. A lot has been said about whether the pandemic was a foreseeable risk or an unforeseeable risk, but do you think Covid and the pandemic changed how boards see risk?
JOHN M. GREEN
Absolutely. Yes, I do. Everybody had “pandemic” on their emerging risks list, I think. Most people I knew anyway. But it was never within the next year or the next two years or the next three years. And I don't think anybody really had seriously put in place plans to deal with an existential crisis like that. So, we learnt a lot from this. I think we're dealing with another one right now that most of us haven't quite worked out is an existential crisis potentially. And that's artificial intelligence. So here we have a technology that has become widely available in a matter of months that can do extraordinary things already. I don't know if you've been using it. I use it every day, and it has so many great opportunities that will come out of it. But there are some really, really fundamental risks that we need to resolve. And so, at a micro level, boards need to think about what we do with artificial intelligence in our own organisations, how people use it, how they don't use it. We all know about how there are biases and all sorts of other things in it. Exposure of information, what they called hallucination, which is basically the AI lying to you. For example, a couple of days ago I asked ChatGPT just as a test: “Tell me about Tori Swift”, who is a character in several of my novels. And I thought: “Well, I know the answer, so let's see what it says.” So, it came back and said: “Tori Swift is this extraordinary female spy slash superhero kind of character in the novels by John M. Green. And her sidekick is Bennet Mason from the AICD, a mild-mannered guy who used to work at the ABC, etc, etc.” And it was wrong.
BENNETT MASON
I would be a great sidekick.
JOHN M. GREEN
You'd be a terrific sidekick. And you look exactly like him. He's Pakistani, but that's by the by. So, I said to ChatGPT: “You've got it wrong.” So it said: “I apologise, I got it wrong. It's not Bennet Mason, it's Anthony Albanese.” Or some other name. And it kept on giving me all these wrong names so I said: “Can you tell me what your source for this information is?” And it says: “I can't tell you the source because I'm a large language model and I don’t know.”
BENNETT MASON
AI is going to get more powerful, and it certainly is going to get more widely used. So how can boards start to put in safeguards around how their organisations use that?
JOHN M. GREEN
I think we're going through a similar phase that we did with cyber security. So, if you go back ten or 15 years ago, no one was talking about cyber security on boards. When I was on the board of Worley, we were already talking about it back then. Because we were in many, many different countries. We were involved, for example, in Iraq during the war there, in working with the Americans. And so, a lot of confidential stuff had to be dealt with. And that tweaked my interest in cyber security as a board director. And it also tweaked my interest in cyber security as a novelist. So, I ended up writing my first cyber thriller was called “The Trusted” because I was in a QBE risk committee, which I was chairing, and we had a session on cyber. I asked the Head of Risk: “Is there a super password that, if people you need to get into someone's system, that we can get into the system, because bad people can do things?” And he said: “Yes, I have this, I have this.” So I said: “Well, Why do I trust you? What’s the check and the balance when you're the only person who has this? You could be a disgruntled employee, you could be blackmailed, you could just be stupid, or negligent.” Right? So, it really got my interest into what had become then known as the malicious insider, which is not always the malicious insider. It can be the stupid insider. So, I wrote a book about it, and I started advocating that directors needed to educate themselves more about cyber security. I wrote a number of articles for Company Director about it. And we've done a lot in that space over the last few years, and the AICD has been at the forefront of this. So, the AICD together with the Cyber Security Cooperative Research Centre, which I'm on the board of, we jointly put together the principles for company directors and released them only a few months ago. And I commend those to every company director to read, big and small companies. Because it's a terrific set of guidelines for how to approach what is, for many people, a very unapproachable subject. So, you kind of say, we've gone through that whole process with cyber and we're still going through it. You add AI to cyber security and you give the bad guys the AI, our cyber security risk has just gone up dramatically. Now you can have a three second clip of your voice. Someone can ring you and you can say: “Hello, Bennett Mason here.” And that's all they need. And the AI available now means that they can duplicate your voice and ring your wife, your lover, your parent, whatever, and say: “Hi, it's Bennett here. I've lost my wallet. Can you wire me 10,000 bucks straight straightaway?” And they'll think it's you. That's available now.
BENNETT MASON
Let's keep talking about cyber security, because this is an area where, as you mentioned, you've long had an interest. You talked about that question you asked the Chief Risk Officer at QBE. What are some other questions that directors should be asking management about cyber?
JOHN M. GREEN
So the first question usually is: “What have we got that's important to us?” You know, what's often called the crown jewels. “So, what are our crown jewels? Where are they? How secure are they? What happens if someone gets their hands on them? What do we do about it? And so on. What information do we have that we don't need?” That actually is really important. So, people used to think pre-Optus and pre-Medibank that the more data we had, the better off we were. This was a huge asset and now we're all thinking, actually a lot of this data is a huge liability. Because if we don't need it, but someone gets their hands on it, we've got major, major embarrassment and reputation risk. The world has changed through these horrible experiences that people have had. So, I think, as I say, what do we have that's important? What do we have that we thought was important, but isn't important? How do we get rid of it safely? I think they're two of the really, really key questions. And what are we doing on an ongoing basis to keep everybody safe? And one of the key things is education. So, if I come back to the insiders. Probably our biggest risk is from the inside, not from the outside. The weaknesses, the human error and so on. The clicking on the wrong spam email that brings malware into the system. So constantly being vigilant about educating your staff and your boards. Boards and the C-suite are often the worst people because they can be a little bit arrogant about: “Oh, I know what I'm doing, etc. I don't need the education.” We do.
BENNETT MASON
John, you've obviously been at some quite large and significant organisations. We mentioned QBE and Worley. What about for smaller companies, SMEs or even NFPs, who maybe don't have a lot of resources. How can they start to come to grips with cyber, because it is such a complex issue?
JOHN M. GREEN
Well, again, I would say go to the AICD principles. It is just such an easy read. It gives a lot of very, very good advice almost on a step-through basis. It's not quite what I would call a checklist, but you can adopt it in a way. “Are we doing this? Are we doing this? Are we doing this?” Also the ACSC, the Australian Cyber Security Centre, Essential Eight is a fantastic checklist for people to do. It's very straightforward, very easy, very simple, you know. Patch things, all of that kind of obvious stuff. In small organisations that I'm involved with, they will every month, for example, shoot out a message to everybody saying: “Have you updated the software on your laptops and your phones and your iPads?” Just to remind people to do these things. Of course, you should have them set automatically, but not everybody does. You can encourage people to do that, and you should. But you need to keep reminding people.
BENNETT MASON
You mentioned data earlier and obviously that's linked to these questions around cyber security. Companies like QBE or Challenger have huge amounts of data on their customers. Are there steps that boards can take to ensure that that data is safeguarded?
JOHN M. GREEN
The boards can't do as we know, but the boards can check. And I think one of the things that I've observed, certainly with cyber over the years, is that you need to have fresh eyes every so often. Because the old “we know what we're doing” - sometimes you don't. So, I had an example in one company, I won't mention which one, where we were getting the usual dashboard reports on how our cybersecurity maturity rating was on the various topics that were important, compared to where we should be, where our industry peers were and so on. And there were a lot of greens and oranges on that traffic light kind of approach. So it was looking pretty reasonable. A couple of reds and action plans about those. And for one reason or another we changed the CISO, relevant executive, and we got in another guy from somewhere else. And he phoned me up, because I was the person who was on the board most concerned about cyber. And he said: “I've got some really bad news.” What's the bad news? “The bad news is everything is red. Everything.” And I kind of reeled back a little bit and the next thing I said to him was: “Well, I don't think that's bad news. It's actually good news. Because if what you're telling me is true, and I don't know if it's true, we’ll check. But if it is true, it's the first time we've got truth.” And we need truth. Because as I said at the beginning of this podcast, we're dealing in uncertainty as directors, and the more certainty we have, the better. And we were living in a situation where what we were being told was not correct. So that was a case where we'd already had external parties auditing the internal process that hadn't picked anything up, which was surprising. Having different ways to review what you're doing on an ongoing basis, I think can be quite helpful.
BENNETT MASON
You've obviously spent a lot of time and energy learning about cyber and thinking about cyber. Some directors probably aren't at that stage yet. Are you concerned that maybe some boards just don't know enough about this issue?
JOHN M. GREEN
That's possibly the case. I think if you're talking about what's colloquially called the “big end of town”, I think they're all over it really. Or most are. I know that we still make mistakes, and bad things still happen. We've seen them: Optus, Medibank Latitude, etc. Bad things will still happen. And the thing to recognise and I think this is really, really important, is that with cyber you have to have a mentality that it's not if, it's when. And we've got to stop blaming people for getting attacked by cyber criminals. They have been attacked by criminals and the criminals only have to get in once. You have to keep them out 100% of the time. It's an asymmetric war. And you just cannot keep them out all the time. So, what you have to do is your best. And I think recognising that the blame game is not the way to deal with this. We have to recognise that it happens, it's a bad thing and how we deal with it is what's actually important.
BENNETT MASON
John, we've talked a lot about your career in finance and on boards. But I also wanted to talk about your other career because you're also an accomplished writer and you've spoken a bit about some of the books you've written. I think you've published, is it six books so far? The latest, I should add, is Framed, which came out last year and is available in all good bookstores. What made you start writing novels?
JOHN M. GREEN
I've always been an avid reader and I've also written a lot. But in the days prior to writing novels, it was short things and lots of papers and speeches and articles. And I've always enjoyed writing and I thought: “Hmm, I wonder, I think I've got a novel in me.” Now as a publisher, what I would often tell people who say, “I've got a novel in me”, is that most people should keep it there. Because most of them aren't that good. But I decided I'd give it a go. But what motivated me was a leadership course that Macquarie sent me on, ironically. And ultimately, it's what led me to leave. So, at the end of the leadership course the organiser of the course said: “Now, we're going to do a little session with everybody here. I want you to write down on a piece of paper something that you haven't done for yourself that you would like to do.” And we were all investment bankers from Macquarie. We all wrote down different things and we had to do three pieces of paper actually. One was for ourselves, one was for our family, one was for our community. So, it was a really good task. And he said: “Now you're all bankers, so put a deadline at the end of the page, as to when you're going to get it done by.” And I wrote down on the one for me: “I'm going to write a novel.” So, I wrote a deadline. And he said: “Now, fill in the next steps, starting at tonight.” I thought: “Hmmm. This is interesting.” So, tonight was: “I'm going to go home and tell my wife that I'm going to take three or six months off work and I'm going to write a novel. And for the family, what we're going to do is, for the first couple of months, we're going to go on a big trip.” Because I had not had a holiday for a couple of years, and they hadn't seen me. So, take the kids out of school, see if my wife would take leave from work. We'll have a holiday then I'll take this other period to write the novel. And so, I went home that night and said: “What do you think?” And she said: “I think it's a great idea.” So the next day I went in to see my CEO and said: “What do you think?” And he shocked me by saying, it's a great idea. And I thought: “Gosh, maybe he wants me to leave.” But I did it. And I really enjoyed that period. I didn't finish the novel. It was much harder than I thought it would be, and it took me quite a bit longer to do, but it really set me on the path. And I just found it one of the most exhilarating things that I did. And what I loved about it particularly, what I still love about it, is you talk to a lot of artists, whether they’re musicians, painters, sculptors, or writers, that when you're doing the work, you're in the zone and you're not actually thinking about anything else. You're really focussed in that world that you're creating. And I quite like that. I really enjoy that. But oddly, it helps me a lot with my boards. Because while you're doing all of that, once you've put on the author hat, it's a bit like going back to being the investment banker or the lawyer. If you're writing thrillers, which is what I do, you're actually creating situations that could happen and you're asking those “what if” questions.
BENNETT MASON
Scenario planning?
JOHN M. GREEN
Correct. You’re scenario planning. And in a number of my novels, they’re corporate situations and things that I might be sitting in a board meeting wondering about. “Gosh, could that happen?” So another example, a novel I wrote called Double Deal, I think it was. No, The Tao Deception. The Tao Deception came about from the QBE Risk Committee. Again, I was chairing that committee at the time. It was the emerging risks discussion and there was this emerging risk called EMP. What the hell was EMP? Electromagnetic pulse or solar flare. So, if there's a big solar flare, it can generate gamma rays which come down to Earth and basically fry anything that's electrical or electronic. And this has happened a few times, not very often. But what they were telling me about and what I saw in some papers by Swiss Re and Lloyd's of London was that there was now the capacity for small nukes to be on satellites. And if one of those was exploded, say 300 kilometres above Kansas, you could wipe out the entire US grid. And I thought: “Gosh, that'd make a good novel.” So, I decided to write a novel based on that.
BENNETT MASON
Scenario planning in a way.
JOHN M. GREEN
Which they have to, right? They have to.
BENNETT MASON
It's also fascinating that our largest insurers are thinking about those sorts of emerging risks. Now, as well as being a successful novelist. You're also the chair of Pantera Press, a book publisher. How did that come about?
JOHN M. GREEN
It came about around the kitchen table about 15, 18 years ago. My daughter, who is the CEO of Pantera Press, at the time said: “What if we were to put together a for-purpose, a social purpose business? A business that kind of brought together our family’s interest in the arts, in writing, reading, in philanthropy?” We were very much involved with a number of literacy programs back then and business. And I said: “What kind of business is this?” And she said: “Book publishing.” And I said: “Why? Why did you raise that?” I'd been on the board of a book publisher a couple of times already in the years previously. So, I had experience. And she said: “Well look, you're writing these novels and you've been on book publisher boards, and we could find and nurture new Australian writing talent. And do it in a way different to other book publishers. As well as that, if we make money, we can invest in literacy programs and so on.” So, this really tweaked the whole family's interest and the four of us sat around the table. My wife, my son, who was at school still at the time, he now works in the business as well. And my daughter and we said: “Well, let's think about this.” So, Ali and I went all around the publishing industry, people I knew, and other people here and overseas, talking about whether we should do this. And what the risks were and so on. Everyone said we'd be mad to do it, but we went ahead and did it. Ali and Marty have now led this business to a point where we are one of the fastest growing independent book publishers in Australia. We've got around 100 authors on our books, many of them bestselling, award-winning and so on. We have great partnerships with programs focussed on literacy, with writers’ festivals, etc. We've nurtured, it's something like 70 or 80% of our authors were debut authors when we found them, and we've published multiple books for them. I think we have one author that we've published 13 books for. She's won many, many awards, Sulari Gentill. Wonderful, wonderful historical fiction writer. So, it's a fantastic business. And one of the other things that it gives me, is that being at the bigger end of town and also at the tiny end of town, because it's a small business, it helps me on my larger boards. Because it keeps you very grounded to what matters at the core. And thinking about some of the smaller things, not just the bigger picture. Because in a small business, small things really matter. And also, being around young people, which in this business I am, I am constantly prompted to think differently. In the publishing business, you're very exposed to so many of the cultural shifts that are going on. And that helps me when I come back into the boardroom elsewhere.
BENNETT MASON
Elsewhere, just to bring it back to governance for a moment. Family businesses have their own governance issues. You mentioned that your daughter is the CEO, and your son is also involved. Is that challenging sometimes, with you as the chair?
JOHN M. GREEN
Funnily enough, it hasn't been that challenging. If you'd asked me 20 years ago, would I ever be involved in a family business, I would have laughed you off. Because I'd advised many of them and seen how difficult they can be. We haven't had that. It's been extraordinary. We get on really, really well. We have a fantastic collaborative relationship. I think it's one of strong mutual respect for each other's opinions. I learnt very quickly that both of my children often knew more than I did on something. And I think this is something that as directors we need to keep in mind. We don't know everything. So often in a board someone will say: “But this is how I've always done this.” Well, we're not always fighting the last war. There's often another way to look at something. And so being around younger people, who can be very challenging, is a really wonderful prompt for someone like me, at my stage to keep myself alert but not alarmed.
BENNETT MASON
Thank you, John. We might leave things there. So John M. Green, thanks so much for joining us on Boardroom Conversation.
JOHN M. GREEN
Thank you for having me.
Latest news
Already a member?
Login to view this content