Facing mounting strategic and operational risks, senior directors discuss the lessons they've learned in building resilience in this special Company Director-FM Global roundtable.
COVID-19 erupted after a record drought and savage bushfires had already disrupted businesses across the country, with the successive crises making demands that few could have predicted or prepared for. The experiences shared by the Rethinking Risk roundtable participants point to the ability of companies with well-prepared risk and crisis management plans to respond with agility, minimising not only the damage to business operations, but also any consequent loss.
St Vincent's Health Australia was on the front line when the pandemic hit and, according to CFO Ruth Martin GAICD, while regular risk profiles had been prepared for the board, they hadn't routinely rated a "pandemic" as "highly likely". Said Martin, "What's interesting is that while you have all the planning in place, sometimes it can be a little dusty."
The organisation learnt three important lessons under pressure from the crisis: the need to respond with agility from the board down; being prepared to hear bad news to enable quick responses; and having business fundamentals in good order, including cash reserves. Insurer FM Global helps companies minimise risk to mitigate against losses, but it also came under pressure with the shutdowns. Onsite assessments, critical to its underwriting, were threatened.
While the company had occasionally used remote engineering servicing for this purpose, after border closures the technology had to scale up quickly, said operations manager Lynette Schultheis. "This past six months, we've applied it 13,000 times. In theory, it was in place, but to be that agile and nimble to enact it so quickly, there were some growing pains." The climate and virus disasters came at the same time as Australian-listed global energy company Worley was dealing with other significant changes: integrating a new CEO, the energy transition, geopolitical tensions and falling energy prices.
Worley managed the situation by establishing a dedicated project management office to respond to the COVID crisis.
"We had to move more than 40,000 people around the world to work from home as our pandemic response plan kicked in," explained senior group director Tony Frencham MAICD. The priorities were staff safety first, then business continuity, followed by customers' needs. Frencham said the company's robust risk culture was vital. "You have to have your core values, purpose, systems and beliefs in place before a crisis. You can't be tinkering with those things when the crisis happens."
Risk muscle
Penny Winn GAICD, a director of Coca-Cola Amatil, Goodman Group, CSR and Ampol, said some companies honed their risk culture in the years after the banking Royal Commission and other high-profile regulatory cases. "I call it 'risk muscle' because, effectively, it is something you build up, just as an athlete practises for the Olympics."
Winn said the duration and multiple layers of disruption, all interconnected, were a big test in 2020. "What it brought to bear was about 10 risks all at once: economic risk, health risks, operational risks, etc." She said her boards relied on their risk muscle to get them through, with Coca-Cola Amatil convening weekly instead of monthly and stepping up information flow.
Risk adviser Peter Deans GAICD developed an open-source framework, called 52 Risks, to help organisations identify, assess and manage their risks. He said 2020 has accelerated many trends and jolted companies that didn't have a deep understanding of risk in their business: "They will look back now and say, 'One of the lessons to come out of this difficult period is that an investment in risk management does actually pay off.'"
Company self-harm
Several high-profile companies suffered enormous reputational damage and business losses in 2020, escalating the importance of identifying and governing risk. Serious problems – such as those exposed by the casino licence inquiry into Crown Resorts, Westpac's breaches of anti-money laundering laws and Rio Tinto's destruction of a sacred Indigenous site – have rippled through the nation's boardrooms.
Deans said it comes down to "a complete breakdown of the governance of risk management, despite having the resources and some good people in the chain".
Winn likened the failures to the "boiling frog" fable – the temperature in a pot of water rises from lukewarm to boiling without the frog noticing until it's too late to jump out. "In a lot of cases, there is a culture of acceptance of small breaches and these breaches then build up and you get the Westpac situation," she said. "In isolation, none of them seem extreme and management will say, 'We've got it all under control'. But that's where boards need to sweat the small stuff. Boards have a responsibility to review, to see, to question and to dig their heels in and say, 'We are not good enough'... I think that's critical."
Climate change risk
The disruptive forces of climate change threaten a new era of uncertainty and, warned Schultheis, it's a mistake to lose sight of this. "Climate change can be just as big an issue for a client as a pandemic. If you were to lose a location, if a cyclone takes it down, then your competition is more than happy to just step in and take your place."
There are many low-cost practical measures that can mitigate against catastrophe, she added. "Just very basic things for a bushfire, such as removing your ignitable liquids to a safer area and elevating your expensive equipment in a flood."
The climate challenge risk varies for different businesses and requires specific responses. Alongside planning for extreme weather events, companies need to think in broader strategic terms, said Deans. "Does my business look the same? Do my consumers and customer segments look the same in three, five and 10 years, and what should we do strategically to respond to that?"
He cited the Australian Prudential Regulation Authority's new requirement, in 2021, for banks to complete financial vulnerability assessments to evaluate the impact of climate change on their business. "That will be a wake-up call, I think, for many banks. There is a question around business model sustainability. That should be the strategic discussion company directors are having right this minute."
According to Winn, assessing future business sustainability raises a forensic transition risk. "[Ampol, for example] can mitigate the climate change risk, but at the expense of lowering demand and lowering our viability in the longer term," she said. "It's really hard to do both, but it is critical that boards do have that longer-term view."
Frencham said climate risk mitigation has been a key focus at Worley. "Even though we've been going through all these crises, we've accelerated our climate change position statement to be net zero by 2030 and our customers have all done the same thing," he said. "It's the right thing to do, the science is compelling and the stakeholders expect it. It has been highly energising in a very anxious year for our people and it's allowed us to get on the front foot... with customers who you'd think would be distracted. But it's front of mind for them, too."
Cyber attack
When the COVID-19 shutdowns forced health services online, relocated workforces to their homes and revolutionised meetings via videoconferencing, it reinforced that all businesses are now dependent on technology. No company can make, supply, deliver or market products or services efficiently without it. And the risk of cyber attack has multiplied.
Malicious cyber activity is one of the most significant threats impacting Australians, according to Australia's Cyber Security Strategy 2020. Released in August, the report states that 2266 cybersecurity incidents – at a rate of almost six per day – were referred to the Australian Cyber Security Centre in the 2019–20 financial year.
Deans said spending on mitigating the risk of cyber attack is no longer discretionary. "I think those days are over," he said, pointing to severely disabling hacks experienced in 2020 by Toll and Travelex. "The downside risks are quite high – potentially catastrophic financially – and the reputation will take years to recover. So, it's really just a case of getting the experts in and spending some money, and probably spending a little bit more."
Schultheis said directors also need to consider the risk to plant and equipment from cyber attacks, with most machinery computer-controlled and connected to the internet. Hence, FM Global's cyber assessments now include software security. "I don't want to say hackers are smart, but they're smarter than we are most of the time," she said.
With more people working remotely, computer network security risks have increased. Worley's Frencham said there's the added complexity of being hosted by different systems on multiple customer sites. "We have to meet their standards and protect their assets, people and systems, and then also do the same for us."
The health sector has become a target for cyber attacks, with data worth a fortune on the dark web, which is why St Vincent's Health employs an ongoing testing regime. "Cyber risk is huge in health – health is the new banks. That's a big issue for us..." said Martin, noting that cybersecurity reports are prepared for every meeting of the board's audit and risk committee.
"Our first and best line of defence is our people," she added. "We send out dummy phishing to see who will actually click on the link, then notify that person and instruct them to do training."
Boards need digital technology capability and directors who can educate themselves on the threats, said Winn. "It's a matter of being connected. Directors' roles are not just about looking inwardly to the organisation, but also scanning the environment and learning from the incidents. You have to make sure management has the people, capability and resources to do it correctly, and that you know enough to ask the right questions."
Opportunities and resilience
There are significant lessons to take forward, noted Frencham. "I think the biggest risk in 2021 is not taking up the opportunities. We've moved a decade in the past year in terms of a lot of improvements. It's very clear that sustainability, energy transition, climate change and circular economy are front and centre, and we have to lean in to those. Yes, digitalisation has been accelerated and we have to continue that progress. The one area of risk among all that, that we're concerned about, is our people. We [need] new pathways to develop our people."
Martin said the culture of leadership is evolving, allowing more flexible decision-making where appropriate. "I think leadership is changing and having people that can make decisions in more agile working groups has been something other companies could potentially learn from."
The pandemic has also brought home the fact that companies operate in a society that depends on them to function well. A focus on maximising shareholder value now seems to be broadening to include the health and resilience of the company.
"Reputation is very slow to be earned, but very fast to be lost," said Winn. "In the digital world, it's on hyperdrive... effectively, the customer is in control. Reputations have been hooked into what's happening on social media and it's so important."
According to Frencham, in 2020, Worley relaunched the company's purpose and values after holding more than 100 workshops around the world with its employees.
"It all goes to culture, and the culture certainly comes from leadership," said Martin, recognising the value of independent, questioning voices.
"It is accountability and clarity of roles and responsibilities," agreed Winn. "It's become apparent that the board is ultimately accountable and has to be very comfortable with the risk profile, and make sure that management accountabilities are fully understood throughout the organisation. This will be one of the learnings out of the last couple of years, with some of these governance failures."
Roundtable participants
Penny Winn GAICD – Non-executive director. Winn is a director of Coca-Cola Amatil, Goodman Group, CSR and Ampol. She chairs the safety and sustainability committee at Ampol and the workplace health, safety & environment committee at CSR, and is a member of the Coca-Cola Amatil board's risk and sustainability committee.
Tony Frencham MAICD – Senior group director, Worley. Frencham is head of strategy and execution planning for the refining & chemicals sector at the global engineering company. He previously had charge of group leadership on energy transition.
Ruth Martin GAICD – CFO, St Vincent's Health Australia. Martin has financial responsibility for St Vincent's – the largest not-for-profit health organisation in Australia – plus 20 years' experience in senior finance roles across a diverse range of sectors, including with the Sydney Airport Corporation, Microsoft, Ruralco and Stockland.
Peter Deans GAICD – Principal and director, Notwithoutrisk Consulting. Deans, a former chief risk officer for the Bank of Queensland, has more than 32 years' experience in banking and finance. He has been named Chief Risk Officer of the Year four times.
Lynette Schultheis – Operations manager, FM Global. Schultheis sets the strategic direction in Australia and New Zealand and ensures regulatory compliance at FM Global, an insurance mutual with 185 years' experience of reducing business risk to minimise losses.