In the wake of the Crown Resorts matters, risk adviser Peter Deans GAICD considers five practical steps directors can take to oversee the management of risk efficiently and effectively, while avoiding a risk management “lite” outcome.
Well-publicised, high-profile corporate governance and risk management failures highlight the downside risks of not getting risk governance right. However, lessons from these large, complex organisations often do not readily translate into practical actions that directors of smaller organisations can take to ensure sound risk management practices are in place.
There is no shortage of guidance on risk governance and risk management available for directors. A simple internet search of risk management will yield millions of results. Industry associations and professional bodies, including the AICD, publish regular and insightful updates for directors on risk governance and risk management. The Australian Prudential Regulation Authority (APRA) and Australian Securities and Investments Commission (ASIC) periodically publish guidance on the management of risks for their respective universe of regulated entities. The major accounting and consulting firms also produce extensive risk management materials. Perhaps there is too much guidance and too much material to work through.
The ASX Corporate Governance Council’s Corporate Governance Principles and Recommendations sums up the dilemma for directors. Principle 7 (Recognise and manage risk) of this document only provides a series of brief, high-level statements and recommendations on risk management and starts with the statement that “a listed entity should establish a sound risk management framework and periodically review the effectiveness of that framework”.
It goes on to state that the board or a committee of the board should “review the entity’s risk management framework at least annually to satisfy itself that it continues to be sound and that the entity is operating with due regard to the risk appetite set by the board”.
Sounds simple. Principle 7 doesn’t assist with the strategy for managing risk, the design of the risk management frameworks and systems, or setting risk appetite. This reinforces the point that it is the role of directors and management to agree on what is appropriate and fit for purpose. The approach to managing risk needs to be bespoke to each organisation. The organisation’s ownership structure, the nature and geographic reach of its business activities, and its operating environment will all influence this.
In this context, there are five areas directors should look at when assessing if the governance and oversight of risk management are fit for purpose.
1. Board governance and committee structure
Board governance is the first place to start to assess if risk governance structure is fit for purpose. It is common for many smaller ASX-listed companies, private groups and not-for-profit enterprises to have a combined audit and risk management committee.
On one level, this is an efficient use of board resources and can ensure there is a good level of awareness of risk issues across both audit and risk committees. However, it is important to ensure there is not a bias towards finance and audit matters. Risk management can sometimes be relegated to second cousin status. A well-written committee charter will assist. Members of a combined audit and risk committee must constantly ask if the balance is right.
If a combined committee is not working, ultimately the solution may be to set up a dedicated risk management committee.
The volume and nature of risks facing all organisations — particularly strategic and non-financial risks — arguably warrant a standalone risk management committee for many.
2. Meeting agendas
Board agendas and regular management reporting will inevitably guide the discussions. However, a too rigid or structured approach to discussing risk management can result in some material business risks not being discussed at all.
For example, it is commonplace to discuss workplace health and safety in scheduled board reporting, including accidents and compliance issues. However, this can lead to the discussion being backward-looking, and solely on the matters reported. When meetings run behind schedule, insufficient time can be devoted to discussing emerging and/or external issues in the broader area of the labour market or upcoming legislative change. A disciplined approach to the agenda for each meeting is critical to success.
Rolling agendas also have an important role to play in identifying, assessing, and managing risk. In the Expert Report on Crown Resorts Limited (Crown) Risk Management Frameworks and Systems for the Victorian Royal Commission into Crown, I recommended the risk management committee of Crown implement a schedule of a regular agenda of items for meetings during a year (a rolling agenda).
This practice has been adopted by many organisations. The increasing cybersecurity threat has prompted many to schedule, as a minimum, an annual deep dive on cybersecurity. These deep dives and thematic updates require planning on behalf of both the board and management. Lead times are required to arrange for the appropriate industry or subject matter experts. However, the power of these deep dives cannot be underestimated. The pace of change and emergence of new risks warrants board and management spending sufficient time gaining a deep understanding of these risks and developing a response.
3. Risk management frameworks and systems
Documenting how the organisation manages risks is a key foundational activity. An overarching risk management framework or strategy document should encompass:
- The governance of risk across the organisation, including an outline of the roles and responsibilities
- The processes for risk identification and assessment, risk appetite setting and risk mitigation
- The monitoring, reporting and escalation of risk matters.
These frameworks need to be well understood by all stakeholders, including the directors, executive management, auditors and employees. Importantly, they also need to be brought to life and become embedded and effective over time.
4. Risk management capability and resourcing
Assessing the resourcing and adequacy of any risk management function is an activity that boards often neglect. It is not common to see this documented in the charters of many audit and risk management committees. Often, it is only boards operating in more regulated industries and publicly listed companies that formally assess the adequacy of the resourcing of the risk management function. This usually reflects a legislative or regulatory requirement to do so. An agenda item should be scheduled to periodically review the adequacy and resourcing of any risk management function.
In addition, even before the advent of the “Great Resignation”, there was a shortage of experienced risk professionals. Being able to carve out a budget for risk management roles and then to identify and retain this talent continues to be a challenge.
5. Independent perspectives
It can often be difficult for directors to describe or understand the exact state of risk management, including risk culture, within an organisation. Receiving management reports and listening to the risk insights of executive management often cannot fully complete the picture. Insights can also be gained from meeting with the general counsel or legal team, the finance team, and internal and external audit. These functions will be dealing with and observing pan-organisation risks every day. However, a comprehensive independent review may often be warranted. This comes with a financial cost and involves significant management time compiling review materials and attending briefing meetings. These reviews can be conducted externally or internally — with external consultant support, if desired.
Rio Tinto disclosed in an interim report on the circumstances that led to the destruction of the rock shelters in Juukan Gorge, WA, in 2020, that it had undertaken “a detailed review of the group’s overall system of risk management and controls” by Group Internal Audit and Group Risk Management, with oversight from the audit committee. The conclusions and recommendations from this review were presented to the board in October 2021. Reviews can also take the form of a risk maturity assessment. This assessment can inform the board and management on areas for future investment in risk management capability. Periodic board effectiveness reviews can also be commissioned with a specific focus on risk governance and risk management. This can be another way to gain insights into best practices and to benchmark the board’s effectiveness in risk governance.
Time spent reflecting on how “lite” or otherwise risk governance is at their organisation will be time well spent for directors.
Practice resources — supporting good governance
Examples of the AICD’s contemporary governance practice resources for members:
- 7 steps to consider when reviewing risk management
- Risk management: Role of the board
- How is your board managing risk?