An ability to govern through periods of intense volatility has become a bigger asset for boards. Domini Stuart considers how identification, assessment and understanding of a growing range of risks has become paramount.
Uncertainty and the pace of change are challenging boards around the world. KPMG’s 2015 Global Audit Committee Survey suggests that directors are struggling as much with the impact of technology on the business environment as with political and economic volatility.
“Digital disruption and the growth of social media are affecting businesses in ways that no-one predicted,” says Kevin Smout GAICD, KPMG partner and head of risk consulting in Perth. “Cyber security, the use of data analytics, big data and what you do and don’t store on the cloud are also becoming bigger and bigger areas of risk.”
And directors can’t be sure of how digital disruption will play out for their company, he says. “I have a few clients with business models that may not exist in a year or so if they don’t evolve,” says Smout. “If the directors don’t respond quickly to a new and changing digital environment they won’t have a business.”
They can’t even take refuge in traditional planning processes. “Planning is becoming more a process of continuous evolution,” says Smout. “When things are moving this quickly you need the flexibility to respond to fast-changing markets. You can no longer hand a static three-to-five year strategic plan to management and expect them to be able to roll it out.”
A third dimension
For much of Smout’s career, the prevailing approach to risk has been two-dimensional – assessing how likely it is that an event will occur and its potential impact. Now convergence has added a third.
“Effective boards are starting to think about the interconnectivity between risks,” he says. “Until you understand the effect one event could have on other areas of your business, you can’t put appropriate business treatment plans in place.”
An FTI Consulting survey has identified increasing risk convergence in emerging markets.
“Most directors are aware of the three major areas of risk – breach of regulations; bribery and fraud; and reputational damage,” says Dawna Wright MAICD, FTI Consulting’s senior managing director, forensic accounting and advisory services.
“They may be less aware that developments such as increasing investment, greater international cooperation between regulators and the rise of social media and shareholder activism are blurring the boundaries.”
Wright continues: “The worst case scenario would, of course, be a confluence of all three risks yet it’s easy to see how this could happen.
“For example, if a company were the subject of a regulatory action they may be tempted to pay a bribe to resolve it and this could cause reputational damage if it became public.”
Tax burden
Globalisation has left governments around the world fighting for their fair share of tax. “There isn’t a single jurisdiction that doesn’t have a revenue challenge,” says Tony Katsigarakis, commercial director, corporate reporting solutions, at global information services company Wolters Kluwer. “The biggest issue right now for multinational enterprises is uncertainty in the wake of intense scrutiny of their international tax arrangements.”
Katsigarakis hears two distinctly different messages from top-end companies. “One is ‘we want to be a good corporate citizen and pay our fair share of tax’,” he says. “The other is ‘we’re operating within the law’. The second group clearly has a bigger appetite for risk and so are more likely to be affected if the legislation changes.
“They should be thinking carefully about what would happen if the Australian government followed the UK’s example of imposing a diverted profits tax – the so-called ‘Google tax’.”
The ‘Google tax’ is a levy imposed on company profits – excluding those of small and medium-sized enterprises – that are routed via ‘contrived arrangements’ to tax havens.
Katsigarakis continues: “While country by country reporting is still a couple of years away, they should be searching out any issues that need to be dealt with before international information becomes public.”
Large companies aren’t the only ones with tax on the agenda. “Directors aren’t interested in discussing tax issues at a granular level but, whatever the size of their business, they do want transparency around emerging risks and to be sure they have appropriate systems and resources in place,” says Katsigarakis.
Supply chain challenges
When he was chief procurement officer of a mining group and then a utility company, Owen West’s primary concerns were costs and safety. Two decades later the risks have become far more challenging, he says.
“Rapid and continuing changes to global and local supply chains have left very few businesses unaffected by ever more complex risks,” says West, who is now managing director, Australia/Asia Pacific, of BROWZ contractor management systems. “The combination of volatile markets and changing geo-political circumstances means that directors need to be much more aware of potential supply chain risks and confident that they are being appropriately managed.”
Today, supplier relationships must be managed on a global scale. “It’s no longer good enough to check the credentials of your main suppliers, you need to be sure that best practice extends down the supply chain,” West continues. “If there’s a weak link, sooner or later someone will hear about it and social media will do the rest.”
Outsourcing deepens the risk, as do relationships with unknown contractors and sub-contractors. However, technology can help to manage the process. “The latest supply chain management software compiles data about contractors, suppliers and sub-suppliers,” says West. “You can then tailor the parameters to ensure you only do business with companies that comply with your company’s standards and values.”
A new governance approach
Effective boards regularly review the way they govern risk. “Banks and other financial institutions governed by the Australian Prudential Regulation Authority (APRA) are required to separate the risk committee from the audit committee,” says Smout.
“This practice is quickly flowing on to other large organisations and I don’t think it will be long before mid-caps follow suit. The trick then is to coordinate the different committees so that everything is reported correctly to the board without repetition.”
Most boards undertake a strategic risk-planning process every one or two years but surprisingly few ensure that strategic risk is integrated with operational risk. “It sounds obvious, but it’s actually not that easy to drive a process whereby management takes all of the strategic risks identified by the board and links them back into the business,” Smout continues.
In Wright’s experience, the companies that do best when things go wrong are those that have made compliance a priority. “Even when they’re focusing tightly on growth the most successful organisations manage to balance investment with a strong compliance culture,” she says.
Proactivity, reactivity and remediation can provide an effective compliance framework. “Being proactive means taking active steps to improve compliance and having zero tolerance,” Wright continues. “This stage should also include extensive scenario testing – it’s much too late to start thinking about how you’re going to handle a crisis when you’re already in the middle of one.
“Scenario testing can also help you to respond appropriately in the reactive stage, where your aim is to contain the problem and manage your shareholders and wider stakeholders. Remediation is using the experience you have gained to close the circle by adjusting your proactive processes, practices and controls,” she adds.
Wright also recommends a combination of what she calls deep and shallow dives. “A shallow dive involves scanning the horizon for emerging risks,” she continues. “Ideally, the board will have directors from different disciplines with diverse views and experiences who can identify a spectrum of emerging threats and then discuss the potential for interaction.”
A deep dive involves searching out more detail. “Directors might need to talk to someone outside the organisation who can give a robust opinion without fear of retribution,” Wright adds.
Smout also encourages boards to look beyond management for information. “The longer you’ve been on a board the easier it is to become complacent and go along with what you’re being told by senior management,” he says. “I think it’s vital that directors have their own process for being professionally sceptical. That isn’t being distrustful, it’s just a way of ensuring you have the full picture.
“For example, many successful boards invite members of the broader management team into the boardroom for discussions or meet them in a less formal setting. Site visits can also help directors to form their own view. This should corroborate what you’re hearing from management and, if it doesn’t, you can ask further questions.”
Making use of technology
It is ironic that directors who take their responsibility for managing the company’s risk very seriously can be blind to their own risky behaviours.
“I have often walked into the business centre of a hotel and seen a board-like document sitting on a printer when someone has forwarded last-minute information to a director who is staying there,” says Brian Stafford, chief executive officer of Diligent Boardbooks. “It’s also common to see files and folders lying around in an airport lounge.”
Digital portals are far more secure than paper. An administrator can lock information so that only the intended recipient can read it and ensure that it can’t be printed or emailed. If a device is lost or stolen, sensitive information can immediately be wiped. Digital portals even make life easier for directors by allowing them to carry any number of board papers on a single tablet or laptop – yet still the majority of boardrooms are paper based.
“A total of 85 per cent of our new sales are replacing paper and printers,” says Stafford. Katsigarakis tells a similar story. “There are tools that can provide multinational organisations with a real-time view of exactly what their company looks like everywhere they have a presence, yet many of our clients still use spreadsheets and ad hoc systems to manage their international reporting,” he says.
“Risk management is increasingly complex and demanding. Directors should be taking advantage of all of the processes and systems that can help them to do the best possible job.”
Risk management 10-point checklist
1. Keep up with the new digital environment. Whatever the industry, directors must understand social media and new and emerging delivery models.
2. Consider separating the risk committee from the audit committee to reduce the audit committee’s workload and ensure risk gets the attention it deserves.
3. Make sure that management is linking strategic risks with operational risks.
4. Don’t rely on information provided by senior management. Draw on as many sources as you need to ensure you have the full picture.
5. Encourage diversity of thinking by making sure the board includes men and women with different skills, backgrounds and experience.
6. Use scenario planning to prepare for an event and consider how one event could flow on to another.
7. Prioritise compliance and a compliance culture within the organisation and across the supply chain.
8. Set up a framework of proactivity, reactivity and remediation.
9. Combine a ‘shallow dive’ of scanning the horizon for emerging risks with a ‘deep dive’ of acquiring more detailed information when you need it.
10. Keep up to date with technology that can help boards to log, measure and monitor risk in real time.