Worth the risk: Analysing the role of Chief Risk Officer in gaming

Consultants sometimes get a bad rap – usually with the gutter press rumpeting how much this or that government department spends on them – but you wouldn’t put a plumber on your payroll to fix a busted tap, you’d bring them in to deploy their skills and then leave. The same theory applies to consultants. So, firstly I spoke with Andrea Lazenby, a Consultant with Betsmart Consulting, about the all-round support people like her can offer.

A different animal

She told me, “first and foremost we can help operators be assured they have a robust governance setup, turning a large raft of policies (and the interpretation of those policies (not always the same thing) into a workable set of procedures. That’s a task in itself, and we both help people with setup and also offer a ‘spot check’ with our PrepSmart concept. It can be overwhelming trying to make sense of changes in the regulations or approaches to regulation, but as consultants we have a range of experience across a number of different jurisdictions, so there aren’t many situations where something’s completely new to us.”

This does ring true to me – half my professional life is as a casino consultant on the operational side, and much of the value I offer is from seeing how a huge range of operators tackle problems and using that knowledge to help clients. But compliance is in some ways a different animal.

Lazenby said “it’s important for clients to realise they have options – it’s rarely as cut and dried as ‘do this to be compliant’.  Attitudes to risk mean there’s a spectrum of how you set up your compliance framework, and we are in a good position to help operators decide how much risk they want to bear in the various areas”.

Lazenby, and both the other consultants we’re featuring in this article, have actually sat in the hot seat of compliance in various ways, and that has a value too. She added “we think part of the value we offer is that we’ve been involved in these decisions in our past roles, both mapping out the framework within which we work, and answering to the regulators when they ask the awkward questions”.

That’s sure to add value in terms of being able to work empathetically, including understanding the inevitable politics within complex organisations.

A career saver

The second person I spoke with was Josie Preston, founder of Ophion Risk.  I wanted to get a particular insight into what kind of support a CRO might need from a consultant in the AML part of their role.

One of the first things Preston pointed out was the situation as regards to internal investigations. Not every person at CRO level will have conducted detailed investigations, and in the world of betting and gaming there’s plenty of detail to be had. It can also be useful to take some of the personal connections out of an investigation situation by bringing in an external.

Preston also echoed Lazenby’s point about policies and procedures. She told me: “

If, for example, a CRO is newly appointed to the role, it can be helpful for an experienced consultant to give the complete risk framework a once-over to ensure all regulatory requirements are met, and policy or procedural points are not out of date due to legislative and/or regulatory developments”

Preston was also keen to get into detail as regards SARs – Suspicious Activity Reports.  “They’re a critical part of particularly the AML part of the Risk function, presenting personal legal liability. While consultants can’t be directly involved in their generation, they can provide support and training to MLROs in management of the internal SAR regime, investigation and processing of SARs. This advice – based on experiences elsewhere – can be invaluable in providing the operator’s CRO with board-level assurance.”

Consultants can also support Nominated Officers/MLROs to manage their workload or areas where they may have limited experience, but which present significant risk to the operator. 

For example, Preston continued: “The UK’s ECCTA 2023 legislation requires a Fraud Prevention framework to be implemented to directly protect the operator from the corporate ‘failure to prevent fraud’ offence. Additionally, a lack of experience or understanding of Counter Terrorist and Proliferation Financing is a commonly observed area of development for both MLROs and CROs alike; and a lack of expertise in these areas may leave CROs, and subsequently the operator, exposed to the commission of criminal offences.”

Presto concluded: “With Operating licences at risk along with Personal licences, bringing in targeted expertise can be a career saver – as consultants we’ve seen huge numbers of different environments; and can pick up on weaknesses that aren’t apparent to people who work with the same framework every day.”

Separating staff, management and executives

My final discussion was with industry veteran David Mills, Managing Director of Casino Compliance. I wanted to better understand which aspects of regulatory training were considered most significant in his view. “Firstly, I would say staff, management and executive training must be considered from different perspectives.  Staff training, for instance, is about specific issues they may need to develop a uniform knowledge of to properly perform their roles, such as the licensing objectives, safer gaming measures and anti-money laundering controls. For training purposes, it is important that staff understand the rules in place and are aware of the reasons why these controls are deemed necessary. A consistent understanding across all staff is imperative, which will help them identify potential harm or concern”. 

This makes sense – all staff should have a standardised level of knowledge about core aspects of the regulations, so what about management and executives, how is that different?  “Well, to start with, the nature of the management role is usually part of the delivery of the gaming service, they are often at the front line with face-to-face contact with customers; so are therefore best placed to assess concerns, apply policy controls and other harm-mitigation tools. It is important that management have a deeper understanding of the regulations, industry guidance and corporate policies. This training should be targeted, practical, challenging and, importantly, use shared learning from all parties. I prefer these sessions to be less formulaic and free-flowing, with a greater level of dialogue. We use personal experiences and case studies to stimulate discussions, often including topical issues raised by the Compliance team. The intention is to build genuine knowledge and help create practical solutions, while ensuring that customer interaction, suspicious activity reports and other internal reports are delivered at the highest possible standard”.    

How about executives, who will generally be a step more removed from the front-line action? “This is a more evolving area of training and of course it includes an understanding of both staff and management training, which is important, but we are now looking to apply corporate governance, validation and operational oversight. Each role will have its own structures and formal responsibilities; some are laid out in the LCCP and within Guidance, but include ownership, board, senior executive, finance, marketing, compliance and MLROs. The purpose of this training is to draw these roles and responsibilities together, adjust and align the corporate governance policies to ensure there are appropriate checks and balances within the business that are regularly reviewed, stress-tested and monitored, with a clear and consistent message and demonstrable outcome. It really can be that simple”.

Mills also told me he does a lot of work with pre-audit/mock Gambling Commission audit, so I asked him how effective the combination of training and pre-checking tends to be. He told me: “

I am pleased to say none of our clients have been subject to any regulatory action since our inception in 2011, a standard we aim to maintain!”

Bridging the gap

It’s tough enough working a job like a Chief Risk Officer, and you don’t always have the in-house expertise to feel 100% sure you are protecting your employer. Bringing in consultancy help can bridge the gap, both in terms of a fresh pair of eyes to overlook your setup and training your people to be more effective. It may just be worth the Risk.