Risk Management Strategies

As the world continues to grapple with economic headwinds, geopolitical tensions, and technological disruptions, directors are spending more time than ever on risk management. With uncertainty at all-time highs, organisations must be prepared to make swift strategic course changes to avoid threats and seize opportunities. 



Key Points:

  • CFOs' risk appetites have ebbed to record lows due to a combination of sticky inflation, high interest rates, global conflicts, trade tensions, and cyber threats.
  • Boards and management teams are engaging in more frequent scenario analyses to prepare for quick strategic adjustments.
  • Open communication, leveraging board members' diverse experiences, and a willingness to rethink assumptions are crucial for effective risk management.
  • Boards must strike a balance between managing negative risks and pursuing growth opportunities.

How Can Stress Testing Help Manage Risk?

For companies like AGL, Australia's largest electricity generator, the race to decarbonise the economy tops the risk management agenda. CFO Gary Brown GAICD notes that the energy transition comes with a multitude of unknowns, from supply chain bottlenecks to regulatory approvals. To navigate these hurdles, AGL's board and management regularly stress test various risk scenarios, considering factors such as procurement prices, EV uptake, and the speed of the transition. 

"We don't have all the answers, so we spend a lot more time in discussions around the different scenarios that could play out, and constantly evolve, where possible, to future-proof ourselves," says Brown. This may involve taking on more risk than historically palatable, such as proceeding with renewable or firming generation asset investments before securing all approvals, in order to maintain flexibility.

What Levers Can CFOs Pull to Manage Risk? 

At REA Group, a global online real estate advertising company, CFO Janelle Hopkins GAICD emphasises the importance of planning for scenarios with multitudes of outcomes and being prepared to tweak plans quickly. The past two years, which saw 13 interest rate rises, demonstrated how the scale of possible outcomes has expanded compared to the pre-COVID era. 

To manage this, Hopkins works with her board to set benchmarks for investments and keeps a steady watch over which investments to dial up or down based on market conditions. "If the market turns against us, we'll say, 'These are the three things we would stop doing or where we'll slow our investment', but if the market is ahead and we can see a pipeline of future revenue, we might say, 'Now's the time to accelerate our execution and look to the next three things'," she explains. However, she cautions against underinvesting simply to satisfy short-term market fluctuations, emphasising the importance of long-term growth. 

Why Is Reinvention Important for Risk Management?

Dr Saranne Cooke FAICD, chair of Racing NSW, believes that scenario planning around potential causes of organisational collapse can help companies shift their business models to generate revenue from new products and services. With 85% of Australian CEOs saying their business would still be viable in 10 years even if it stays on the same path, compared to just 53% globally, there appears to be a lack of urgency around future-proofing among Australian companies.

"You can't simply coast along when the world is changing so much," says Cooke. "You need to be re-testing assumptions, talking about tolerances, putting in guardrails so the CFO knows which levers they can pull — and how far."

How Does Communication Impact Risk Management?   

Open, honest, and frank discussions among board and management are vital for successfully navigating uncertain terrain. The CFO and CEO must feel free to air concerns and admit when assumptions were wrong or things are not going as planned. Joanne Gorton MAICD, managing partner of audit and assurance at Deloitte, observes that this collaborative approach between the board and management has become more common in the past decade, likely leading to better risk management outcomes. 

"The C-suite will know their organisation in a level of detail that a board member doesn't, and that's to be expected, but the amount of experience around any board table is huge," says Gorton. "At the end of the day, managing risk is about judgement. Without the benefit of hindsight, there is technically no right or wrong answer. Therefore, having rigorous debate, with different views and experiences around the table is essential for the organisation to have a good feel for their risks and how best they can manage those risks."

How Can Boards Rise Above the Chaos in Risk Management? 

Boards should be prepared to pull back, rethink, and reset organisational strategy when required, even outside of regular budget or strategy review cycles. Dr Saranne Cooke suggests using techniques like "deep diving" into one or two risks at every risk committee meeting and holding sessions where everyone imagines the company no longer exists in a decade, then considers the top three things that could have caused its demise. 

"It's a healthy practice that gets better engagement in your risk discussions," she says.

What Is the Board's Role in Risk Management? 

Effective risk management is linked to an organisation's purpose and refers to the culture, processes, and structures that help manage potential adverse effects. The board's role is to set the risk appetite and develop a risk management framework to identify and manage ongoing risks. Key responsibilities of the board in governing an organisation's risk include:

• Ensuring board decision making is informed by an understanding of risk and how it is managed under a risk management policy

• Overseeing a risk management plan that aligns with the organisation's purpose and strategy

• Seeking and being provided with information about risk and how it is managed

• Periodically reviewing the risk management framework

What Are the Benefits of Effective Risk Management?

Benefits of effective risk management include:

• Challenging assumptions in decision-making

• Taking actions to increase the chance of achieving desired outcomes

• Identifying early signs of potential issues and taking pre-emptive action

• Learning from successes and failures to improve decision-making over time

• Considering whether previous decisions remain valid and revising them if necessary 

For larger companies, establishing a board risk committee and an internal audit function can help bring transparency, focus, and independent judgement to oversee the risk management framework and provide assurance that key risk mitigating strategies are operating effectively.

How Can Organisations Deal with Risk?

The most appropriate method for dealing with risks will depend on their nature, but generally, organisations can choose between:

• Avoiding the risk by discontinuing the activity that generates it

• Implementing preventative controls to reduce the likelihood of the risk occurring

• Implementing corrective controls to reduce the consequences if the risk occurs

• Transferring the risk to another party through contracts, insurance, outsourcing, or partnerships

• Accepting the risk and having plans in place in case it eventuates

What Types of Risks Should Organisations Consider?

The types of risks an organisation must consider will vary greatly depending on its industry and specific activities. Some common risk categories include:

• Financial risks

• Equipment risks

• Organisational risks

• Security risks

• Legal and regulatory compliance risks

• Reputation risks

• Operational risks

• Contractual risks

• Service delivery risks

• Commercial risks

• Project risks

• Workplace safety risks

• Stakeholder management risks

• Client-customer relationship risks

• Strategic risks

• Technology risks

Why Are Non-Financial Risks Important? 

In the wake of the banking Royal Commission, non-financial risks have become a key focus for Australian boards and management. The consequences of unaddressed non-financial risks can become distinctly financial in nature. The ASIC Corporate Governance Taskforce identified three types of non-financial risks: operational risk, compliance risk, and conduct risk. The ASX Corporate Governance Principles also include environmental and social risks in their definition of non-financial risk. 

Social performance, which encompasses human capital, workplace health and safety, labour relations and standards, human rights, demographic changes, supply chain, and community impacts, is a key component of non-financial risk. Boards must seek to distil the company's culture into a set of non-financial performance measures, identifying relevant indicators across these categories. 

What Are the Key Corporate Governance Principles for Risk Management? 

The ASX Corporate Governance Council Principles and Recommendations provide the benchmark for evaluating the effectiveness of corporate governance policies, procedures, and practices, with a focus on governance risk and compliance. Principle 7 states that the board is ultimately responsible for deciding the nature and extent of the risks it is prepared to take to meet its objectives, and must have an appropriate framework to identify and manage risk on an ongoing basis. Management's role is to design and implement that framework and ensure the entity operates within the board-set risk appetite. 

In Summary 

By engaging in rigorous scenario planning, fostering open communication, and being willing to rethink assumptions and reset strategies, boards and management teams can better identify and mitigate risks while still pursuing growth opportunities.
