Risk is inherent in all human endeavours – including the activities of all organisations. The role of the board is to understand the organisation’s risk factors, to make decisions based on this understanding and to oversee a risk management framework to manage risk on an ongoing basis. Risk is not something to be avoided, but to be understood and leveraged in pursuit of an organisation’s purpose.
For a board, having a strong risk appetite and tolerance is integral to an organisation's success. All organisations must take risks to create value. The question is how much and what types of risk should they take? And how should they manage business risk? Risk is not something to be avoided, but to be understood and leveraged in pursuit of an organisation’s purpose. The International Organization for Standardisation gives a risk management definition as “the effect of uncertainty on objectives” (AS/NZS ISO 3100 Risk management).
Importantly, risk is not inherently bad. It arises because the future is unknowable and therefore the outcomes of decisions are always uncertain to some extent. Key factors for business in enterprise risk management are typically characterised by considering examples of events that could occur, their likelihood and the consequence of their impact. Boards have to deal with a range of risks, including hazards (asset management, safety, environmental, social, regulatory), financial risk, cyber security risk, operating risk, organisational risk (governance, performance, culture and conduct), legal risks such as class actions, non-financial risk and strategic risk. Risk management should be integrated into executive and board-level decision-making, largely as part of strategic planning, and also in key tactical decisions. However, risks will vary enormously from business to business and industry to industry.
Corporate Governance and Risk Management
The board’s role is to set the risk appetite — given its capacity to bear risk, core purpose and the expectations of shareholders, members and other stakeholders — and to ensure it has a risk management framework to identify and manage risk on an ongoing basis. While ultimate responsibility for a listed entity’s risk management framework rests with the full board, board committees can also play a significant role.
Risk and security management encompasses the culture, processes and structures directed towards taking advantage of potential opportunities while managing potential adverse effects. The goal of the risk management process is to increase certainty that a decision’s intended outcome will be achieved. It involves identification, evaluation and prioritisation of risks.
Risk governance should not be considered a discrete activity, but should be embedded in the practices, processes and policies within an organisation concerned with making decisions, and ensuring these decisions continue to be valid. Risk and strategy are inseparable.
One of the most important roles of the board is in developing a mutual understanding with management on the nature and extent of risk the organisation is prepared to accept in pursuit of its purpose. A risk appetite statement provides parameters for management to pursue the organisation’s purpose. Defining and documenting risk appetite bolsters the development of an appropriate risk culture aligned to and supporting the purpose and strategy.
The AICD’s Not-for-Profit Governance Principle 5 on risk management says: “Boards must be careful that they are not so concerned with negative risk that opportunities are missed, but they can also not have such a disregard for risk as to expose the organisation to serious harm. Striking an effective balance between the two is the hallmark of a sound risk appetite.”
Board role in risk oversight
Put broadly, below are the main responsibilities of a board in governing an organisation's risk:
- Board decision making is informed by an understanding of risk and how it is managed under a risk management policy.
The board oversees a risk management plan that aligns to purpose and strategy.
Directors seek and are provided with information about risk and how it is managed.
The board periodically reviews the risk management framework.
Benefits of risk management
The purpose of risk management is to support more informed decision making and to help an organization achieve its purpose. Risk management enables the organisation to:
Challenge assumptions in decision-making;
Take actions to increase the chance that a desired outcome will be achieved;
Identify early signs that an undesirable event may occur and take pre-emptive action to address it;
Learn from successes and failures in a way that improves decision-making over time; and
Consider whether previous decisions remain valid and, if necessary, revise them.
Board risk management committee
For larger companies, one way for the board to focus on risk management is to establish a risk management committee. The ASX Recommendations suggest that a board risk committee can be an efficient and effective mechanism to bring transparency, focus and independent judgement needed to oversee the entity’s risk management framework. The role of the risk committee is to provide board risk reporting, including making recommendations to improve the framework and to bring any issues to its attention. The committee would, in practice, work closely with management to ensure that the board and/or the committee receive adequate reporting on the organisation’s risks.
Internal audit risk assessment
Establishing an internal audit function is another important consideration in designing an effective risk management framework. An internal audit risk assessment can assist the board in overseeing the effective implementation and operation of the organisation’s risk management framework. In particular, an internal audit function can provide a board with valuable assurance that key risk mitigating strategies including internal controls are operating effectively. A proactive internal audit function can also provide valuable benchmarks and insights into how to improve the effectiveness of the organisation’s risk management framework.
What are some choices for dealing with risk?
Determining the most appropriate method to deal with the risks facing an organisation will depend on the nature of those risks. In general terms, an organisation will have a choice between:
- Avoiding the risk by discontinuing the activity that generates it;
- Preventative control that reduces the likelihood of the risk occurring (for example, only allowing new business initiatives to proceed if they have been assessed and approved from a business risk perspective);
- Corrective controls that reduce the consequences of the risk if it occurs (for example, contingency planning, back-up systems, business continuity plans);
- Transferring the risk to another party (for example, by contract, insurance, outsourcing, joint ventures or partnerships); and
- Accepting the risk and having plans in place in case the risk eventuates.
What are the types of risks to be considered?
The types of risk which have to be considered will vary enormously from business to business and industry to industry. Common sense indicates that the risks faced by an organisation should be categorised in relation to what the organisation does.
By definition, they include things that are not easy to predict. For example, until recently, few members of the travel industry would have worried about ash from volcanoes in Iceland. The best way to approach this is to classify the categories of risk. The following list of frequently used risk categories.
- Financial – includes cash flow, budgetary requirements, tax obligations, creditor and debtor management, remuneration and other general account management concerns.
- Equipment – extends to equipment used to conduct the business and includes everyday use, maintenance, depreciation, theft, safety and upgrades.
- Organisational – relates to the internal requirements of a business, extending to the cultural, structural and human resources of the business.
- Security – includes the business premises, assets and people. Also extends to security of company information, intellectual property, and technology.
- Legal and regulatory compliance – includes legislation, regulations, standards, codes of practice and contractual requirements. Also extends to compliance with additional ‘rules’ such as policies, procedures or expectations, which may be set by contracts, customers or the social environment.
- Reputation – entails the threat to the reputation of the business due to the conduct of the entity as a whole, the viability of products/services, or the conduct of employees or others associated with the business.
- Operational – covers the planning, daily operational activities, resources (including people) and support required within the a business that results in the successful development and delivery of products/services.
- Contractual – meeting obligations required in a contract including delivery, product/service quality, guarantees/ warranties, insurance and other statutory requirements, non-performance.
- Service delivery – relates to the delivery of services, including the quality of service provided or the manner in which a product is delivered. Includes customer interaction and after-sales service.
- Commercial – includes risks associated with market placement, business growth, product development, diversification and commercial success. Also to the commercial viability of products/services, extending through establishment, retention, growth of a customer base and return.
- Project – includes the management of equipment, finances, resources, technology, time frames and people involved in the management of projects. Extends to internal operational projects, business development and external projects such as those undertaken for clients.
- Workplace safety – Every business has a duty of care underpinned by State and Federal legislation. This means that all reasonable steps must be taken to protect the health and safety of everyone at the workplace. Workplace health and safety is integrated with the overall risk management strategy to ensure that risks and hazards are always identified and reported. Measures must also be taken to reduce exposure to the risks as far as possible.
- Stakeholder management – includes identifying, establishing and maintaining the right relationships with both internal and external stakeholders.
- Client - customer relationship – potential loss of clients due to internal and external factors.
- Strategic – includes the planning, scoping, resourcing and growth of the business.
- Technology – includes the implementation, management, maintenance and upgrades associated with technology. Extends to recognising critical IT infrastructure and loss of a particular service/function for an extended period of time. It further takes into account the need and cost benefit associated with technology as part of a business development strategy.
How important are non-financial risks?
In the wake of the final report of the banking Royal Commission, the issue of non-financial risks and how to monitor and measure them has become a vexed topic in the Australian board and management community. Both the Australian Prudential Regulation Authority (APRA) and Australian Securities and Investments Commission (ASIC) have put a focus on culture and remuneration.
The consequences of non-financial risks, if left unaddressed, can become distinctly financial in nature. The 2019 ASIC Corporate Governance Taskforce on Director and Officer Oversight-of-Non-Financial Risk Report identified three types of risks: operational risk, compliance risk and conduct risk. This classification sits alongside that of the ASX Corporate Governance Principles (4th edition 2019) which sees non-financial risk as including environmental and social risks (recommendation 7.4). It defines social risk as “the potential negative consequences (including systemic risks and the risk of consequential regulatory responses) to a listed entity if its activities adversely affect human society or if its activities are adversely affected by changes in human society”.
In seeking to distil the company’s culture into a set of non-financial performance measures, one challenge is to identify the relevant measures; a number of these relate to “social” performance.
“Social performance” is considered to be human capital, workplace health and safety, labour relations and standards, human rights, demographic changes, supply chain, and community impacts. The range of performance indicators used to capture “social performance” is classified into six categories as summarised in the table below.
Corporate Governance Principles
The ASX Corporate Governance Council Principles and Recommendations provide the benchmark against which all companies should measure and evaluate the effectiveness of their corporate governance policies, procedures and practices. Governance risk and compliance are the focus of the recommendations.
The ASX Recommendations contain a number of recommendations concerning risk and the board. Principle 7 of the ASX Recommendations provides that: “The board of a listed entity is ultimately responsible for deciding the nature and extent of the risks it is prepared to take to meet its objectives. To enable the board to do this, the entity must have an appropriate framework to identify and manage risk on an ongoing basis. It is the role of the management to design and implement that framework and to ensure that the entity operates within the risk appetite set by the board. It is the role of the board to set the risk appetite for the entity, to oversee its risk management framework and to satisfy itself that the framework is sound.”
For more detail on risk management for boards, see our Risk Management Director Tool or visit our tools and resources page.