I have often wondered why the level of understanding and experience of Risk Management is so varied at Board level. And where there is only a basic understanding of Risk Management, why directors do not seek guidance and advice from Risk Management professionals to help them meet their obligations? Boards generally have a wealth of accounting / audit firm thinking (often harvested from the professional services firms) and plenty of legal knowledge but there is a dearth of experienced risk professionals.
We must remember after all that the key purpose of Risk Management is to improve the likelihood of the organisation achieving its objectives – anything else must be secondary.
It then begs the question: Do directors have an adequate understanding of Risk Management to enable them to meet their obligations as directors?
Royal Commissions and Inquiries have regularly identified the issues – ‘The oversight of risk by boards featured prominently in the 2003 HIH Royal Commission, 2018 APRA Prudential Inquiry and 2019 Hayne Royal Commission... The 2019 Hayne Royal Commission highlighted the importance of strategic oversight of non-financial risks such as compliance risk, conduct risk and regulatory risk [1] , and highlighted the importance of organisational culture.
The revelations of the Hayne Royal Commission prompted the establishment of the ASIC Corporate Governance Taskforce, which identified [2] numerous weaknesses in the practices of large listed (ASX) financial services companies. Importantly, the taskforce highlighted the relevance of its findings and the importance of non-financial risks across the ASX more generally.
The recent release of the Royal Commission into Aged Care Quality and Safety has reinforced the message on the importance of risk management and risk management culture more generally, but will it make a difference?
We don’t seem to have progressed much in spite of the heightened focus on risk and culture and it still appears to be a blind spot for many Boards. My concern was alarmingly reinforced when a recent issue of one of the large Director association magazines featured a quote from a director expressing frustration that ‘…Risk maps are now key. There is a risk lens rather than a growth lens…’. Unfortunately, a graphic example of another organisation that does not understand that Risk Management is about strategy, growth, realising opportunities and taking smart risks. It is the ‘create value’ component that is the flipside of the ‘protect value’ responsibility that all directors and senior executives have. Risk Management as a facilitator of business, not as a handbrake.
On a positive note, we have seen many organisations respond very well to the challenges thrown at them by the COVID-19 pandemic. This has shown that with the right motivators, Directors and Management can achieve satisfactory outcomes for the business even in the most challenging circumstances. Will this capability and mode of working survive the pandemic?
We should be able to rely upon the requirements of ASX Corporate Governance Principles to ensure the effectiveness of Risk Management, but these are open to interpretation, and there is often a gulf between what is in place and its effectiveness. Accountability for the accuracy of these important declarations is perhaps not what it should be.
We all know that some organisations, or individuals within them, simply close their minds to anything that doesn’t fit their existing paradigm and / or unconscious biases. But could the problem be caused by the influence of Professional Services, especially the big Accounting and Advisory firms, and how they perpetuate incorrect understanding and application of Risk Management?
Many directors and executives come from a Professional Services background, with their many areas of core competency (Tax, Audit, M&A, etc.). Some Risk Managers come from Professional Services backgrounds, but most do not. Professional Services talk Risk Management, but it is rarely well understood or comprehensive. This is likely because it is not an area of core competency, and is often about Audit, or Compliance, both important, but not to be confused with Risk Management. Unfortunately, many Directors understand Risk Management to be what they have experienced themselves, or been told by others, in Professional Services.
Whilst it would be convenient to rely on this background in reference to Risk Management, the ‘template’ approach often used by these firms, neglects to understand and recognise that every organisation is unique and at a different stage of Risk Management maturity. We wouldn’t use a blanket approach to strategy for different organisations and astute Directors understand the same limitation applies to Risk Management.
As a Risk Management professional, I rarely find deep understanding and hands on experience of Risk Management coming from Professional Services. Theory is good, but it isn’t enough. What sounds good in writing isn’t always going to work in practice, and every organisation needs a bespoke approach to Risk Management. Lack of experience and understanding, together with the misconception of Risk Management held by some Boards means that many Risk Managers simply don’t get the support they need to develop and enhance their organisation’s Risk Management capability.
Of course, I generalise. Many directors understand the importance of Risk Management, recognise that effective Risk Management is a facilitator of opportunities not a handbrake, and seek support from independent experts to support continuous improvement in their Risk Management activities and culture. These Boards understand the importance of asking the important questions:
• what needs to go right?
• what can go wrong?
• how are we ensuring that controls to manage risks are effective?
Mature Boards will accept the need to challenge their approach to Risk Management, recognising the opportunity to enhance their capability. Other, less mature Boards will shrug off the criticism as unnecessary noise, and continue on their own well-trodden path, missing the wealth of opportunity that effective Risk Management provides as they go.
We need to ask the question about whether the problem is the lack of understanding of Risk Management, or the criteria against which directors are selected. Again, challenge the way things are done, and look outside the traditional director talent pool.
Boards have a responsibility to regularly assess the competency of the Board as a whole, which in turn is made up of the skills and experience of the individual directors. Are they giving Risk Management due consideration?
If you are looking for an open and frank discussion about Risk Management and its effectiveness in your organisation, contact us at ABM Risk Partnership.
At ABM, we believe that from risk comes opportunity.
[2] Corporate Governance Taskforce – Director and officer oversight of non-financial risk report, October 2019
Comments