Survey Reveals Not All Risk Management Frameworks Are Embedded in Australian Companies
- Date: 22 Aug 2005
- Type: Media & Communications: Media Release
Tuesday, 23 August 2005. The majority of Australian companies have taken positive steps towards formalising risk management practices and are implementing robust risk management frameworks. However, more work needs to be done to strengthen the "softer" elements of these frameworks, in areas such as corporate culture and communication, before companies will be able to fully reap the benefits of their significant investments, according to a recent survey conducted by Ernst & Young.
Ernst & Young recently surveyed Company Directors from Top 500 ASX companies with the support of the Australian Institute of Company Directors (AICD) on leading practices of Australian public companies in risk management.
The survey identified that companies are increasingly integrating risk management into their business planning and reporting processes and using risk management as a tool to improve their performance and communications with key stakeholder groups.
"The good news is that of the sixty-six companies that participated in this survey, the vast majority have 'begun the risk management journey' and are actively committed to implementing risk management to some degree within their organisations," Mr Matruglio said.
"Approximately 68 per cent of respondents indicated that boards and executives are working together to agree acceptable attitudes to risk taking as part of the strategic and business planning process and that 70 per cent of respondents have clearly defined 'trigger points' at which risk should be escalated directly to the board," he said.
"Directors take risk management very seriously as a key part of monitoring the success of the strategy of the company," said Australian Institute of Company Directors Chief Executive, Mr Ralph Evans. "The survey shows a vast improvement in risk management practices, as boards, in their role as the body that oversees and evaluates management, refine their risk management policies and procedures."
However, the findings also indicate that for many companies there is still a lag between "form" and "substance" within their companies.
"It is clear that there is some confusion regarding the board's role in managing risk. It is not the board's role to identify individual risks or to carry out the processes of analysing or assessing them," Evans said. "It is the board's role to satisfy itself that these processes have been carried out properly."
"More specifically in managing risk, boards must:
- Set risk management policies and procedures,
- Employ the right people to implement them,
- Monitor the results and conduct regular reviews; and most importantly
- Set a strong culture that underpins all policy, procedure, structures and systems supporting responsible risk management."
"Setting a strong culture is one of the most effective risk control tools directors can employ. By providing a clear context for all the activities of the company that actively rewards and penalises specific behaviours, it makes the risk management systems that are in place all the more effective. It means that when activities in the company near the boundaries of acceptability set by the board, the governance structure will be alerted with sufficient time to act."
"Directors are elected by shareholders to preserve and enhance the investment entrusted to their care, not only in the short term but in perpetuity; therefore it is only natural that creating a meaningful and visible culture that supports prudent risk management is an area of focus for directors."
Other results showed that 27 per cent of boards don't have a risk management expert and 13 per cent of boards haven't increased their focus on risk in the past twelve months.
Almost 20 per cent of boards have also not articulated their expectations regarding the assurance and information they require from their CEO and CFO to support the CEO/CFO representations required under ASX Principles 4 & 7.
The survey findings also suggest that some companies are yet to make the explicit link between risk management and shareholder value.
"An effective risk management framework ensures that companies explicitly identify what is important in terms of the achievement of corporate objectives and that the risks associated with the achievement of these objectives are systematically identified, measured and managed," Mr Matruglio said.