At the helm in uncertain times: A risk management guide for directors
Momentous global upheaval and recent high-profile corporate failings where risk management has been identified as a contributor have provided important reminders to always be prepared for potential risks, no matter what the current conditions are.
The pandemic, with its corresponding impacts on supply chains and its acceleration of new patterns of work and cyber security threats, has fundamentally challenged how boards identify, mitigate and monitor risk.
Royal commissions into financial services and aged care and APRA’s prudential inquiry into CBA have had a significant impact while heightening board focus on risk management.
Such risk mismanagement examples have only served as a reminder of the value and importance of board oversight in challenging situations.
As a result, Governance Institute has updated and revised its popular 2016 risk publication, addressing the risk challenges boards and directors can expect in coming years, and how to best address some of the current, most imperative risks.
Risk management for directors: A guide
Launched today, Risk management for directors: A guide outlines the importance of an integrated approach to risk management, which in turn is central to good governance.
The guide examines the risks associated with some of the issues currently making many directors nervous including digital technology, ESG, clinical issues (ie: those uncovered by the aged care royal commission), and recovery from the pandemic.
The guide will also be the subject of a series of panel discussions later this month to help directors and management navigate complex market conditions and increased scrutiny from regulators and stakeholders.
Growing pressure on directors to manage risk
Shareholders, investors and customers increasingly expect boards to demonstrate and publicly disclose effective oversight of risk management, especially on climate and cyber risks.
Public sector entities with boards also face increasing scrutiny from parliaments, ministers, departments, integrity bodies, ombudsmen and auditors general.
There is growing recognition that the board’s ability to effectively manage and disclose risk impacts a wider array of stakeholders and the majority of risk professionals consider brand or reputational damage to be among the top five risks facing organisations in the immediate future.
Boards have become increasingly systematic, adopting more structured risk management processes for daily operations and there’s been considerable advances in risk management techniques and technologies.
The relaunched guide provides insights into how these improvements can be applied to emerging areas of risk such as culture and non-financial threats such as cyber security and climate.
We take a look at some of the key themes outlined in the guide.
Foundations of a risk framework
Uncertainties come with both ups and downs, however well-prepared organisations that manage risks can minimise and limit the impact of threats while taking advantage of opportunities.
Creating a framework for managing risk is critical for defining a strategy, achieving objectives, making informed decisions and potentially avoiding loss events. It also protects an organisation’s partners, clients, customers and vulnerable stakeholders from harmful impacts, such as those investigated by the recent royal commissions into the financial services and aged care sectors.
Defining key elements and responsibilities
A risk framework must first consider the organisation’s appetite and tolerance for risk to clarify impact, inform decision-making and define accountabilities.
Defining the elements that ensure the delivery of the board’s regulatory obligations should also start with an understanding of the personal and collective liabilities subject to risk.
Open communication identifies how this extends from board to management and beyond.
The establishment of contingency plans for major risk events and emergencies that may occur and regular assessments of the risk management’s efficacy and adequacy are also key to components.
Top-down risk awareness
Instilling a risk-aware culture should be treated as a subset of organisational culture and is integral to a board’s oversight responsibilities and strategy. Directors must be able to effectively manage and disclose risk impacts and regularly review training and development needs to maintain the skills, knowledge and familiarity required to fulfil their roles.
Accountability is critical as is maintaining the best interests of the organisation and its members as a whole rather than those of individual members or interest groups.
Directors should ensure they have sufficient time to meet the obligations of their role and consider how they personally contribute to a probing risk culture in the boardroom.
The new face of risk
Climate change poses significant challenges for Australia, affecting its society, economy and natural environment. Australia’s vulnerability to drought and bushfires may be exacerbated by climate change, which challenges biodiversity.
Investors and other stakeholders such as regulators are increasingly seeking disclosure from organisations about their exposure to, and management of climate change risk. There is also increasing regulatory focus on climate change risk.
The increase in global online activity during the recent pandemic has been a source of opportunity and growth for many organisations, opening up new products and markets and increasing their ability to connect with stakeholders.
However, this trend, combined with a significant escalation in global conflict, has also dramatically increased the number of cyber-attacks and heightened the focus of this risk among boards and directors.
Many organisations use the Australian Cyber Security Centre’s Essential Eight Maturity Model as a first step towards improved their cyber security risk profile.
A robust monitoring of incidents to proactively identify broader systemic issues or system deficiencies and developing and implementing improved compliance measures immediately once a deficiency has been identified are now required by some organisations.
Non-financial risks, such as the COVID-19 pandemic, global attention on workplace sexual harassment, and reputational damage, have boards in all sectors grappling with this rapidly expanding area.
According to the World Economic Forum’s Global Risks Report (2022), the top 10 risks facing businesses in the next decade are predominantly environmental, geopolitical and societal.
Non-financial risk is a broad and fluid concept generally defined by exclusion. Some organisations prefer terms such ‘pre-financial’ or ‘emerging’, to recognise these risks which often have financial impacts. For this reason, it is important for organisations to develop a shared taxonomy of risk that includes a definition of non-financial risks.