Risk assessment

An ability to govern through periods of intense volatility has become a bigger asset for boards. Domini Stuart considers how identification, assessment and understanding of a growing range of risks has become paramount.

Uncertainty and the pace of change are challenging boards around the world. KPMG’s 2015 Global Audit Committee Survey suggests that directors are struggling as much with the impact of technology on the business environment as with political and economic volatility.

“Digital disruption and the growth of social media are affecting businesses in ways that no-one predicted,” says Kevin Smout GAICD, KPMG partner and head of risk consulting in Perth. “Cyber security, the use of data analytics, big data and what you do and don’t store on the cloud are also becoming bigger and bigger areas of risk.”

And directors can’t be sure of how digital disruption will play out for their company, he says. “I have a few clients with business models that may not exist in a year or so if they don’t evolve,” says Smout. “If the directors don’t respond quickly to a new and changing digital environment they won’t have a business.”

They can’t even take refuge in traditional planning processes. “Planning is becoming more a process of continuous evolution,” says Smout. “When things are moving this quickly you need the flexibility to respond to fast-changing markets. You can no longer hand a static three-to-five year strategic plan to management and expect them to be able to roll it out.”

A third dimension

For much of Smout’s career, the prevailing approach to risk has been two-dimensional – assessing how likely it is that an event will occur and its potential impact. Now convergence has added a third.

“Effective boards are starting to think about the interconnectivity between risks,” he says. “Until you understand the effect one event could have on other areas of your business, you can’t put appropriate business treatment plans in place.”

An FTI Consulting survey has identified increasing risk convergence in emerging markets.

“Most directors are aware of the three major areas of risk – breach of regulations; bribery and fraud; and reputational damage,” says Dawna Wright MAICD, FTI Consulting’s senior managing director, forensic accounting and advisory services.

“They may be less aware that developments such as increasing investment, greater international cooperation between regulators and the rise of social media and shareholder activism are blurring the boundaries.”

Wright continues: “The worst case scenario would, of course, be a confluence of all three risks yet it’s easy to see how this could happen.

“For example, if a company were the subject of a regulatory action they may be tempted to pay a bribe to resolve it and this could cause reputational damage if it became public.”

Tax burden

Globalisation has left governments around the world fighting for their fair share of tax. “There isn’t a single jurisdiction that doesn’t have a revenue challenge,” says Tony Katsigarakis, commercial director, corporate reporting solutions, at global information services company Wolters Kluwer. “The biggest issue right now for multinational enterprises is uncertainty in the wake of intense scrutiny of their international tax arrangements.”

Katsigarakis hears two distinctly different messages from top-end companies. “One is ‘we want to be a good corporate citizen and pay our fair share of tax’,” he says. “The other is ‘we’re operating within the law’. The second group clearly has a bigger appetite for risk and so are more likely to be affected if the legislation changes.

“They should be thinking carefully about what would happen if the Australian government followed the UK’s example of imposing a diverted profits tax – the so-called ‘Google tax’.”

The “Google tax” is a levy imposed on company profits – excluding those of small and medium-sized enterprises – that are routed via “contrived arrangements” to tax havens.

Katsigarakis continues: “While country by country reporting is still a couple of years away, they should be searching out any issues that need to be dealt with before international information becomes public.”

Large companies aren’t the only ones with tax on the agenda. “Directors aren’t interested in discussing tax issues at a granular level but, whatever the size of their business, they do want transparency around emerging risks and to be sure they have appropriate systems and resources in place,” says Katsigarakis.

Supply chain challenges

When he was chief procurement officer of a mining group and then a utility company, Owen West’s primary concerns were costs and safety. Two decades later the risks have become far more challenging, he says.

“Rapid and continuing changes to global and local supply chains have left very few businesses unaffected by ever more complex risks,” says West, who is now managing director, Australia/Asia Pacific, of BROWZ contractor management systems. “The combination of volatile markets and changing geo-political circumstances means that directors need to be much more aware of potential supply chain risks and confident that they are being appropriately managed.”

Today, supplier relationships must be managed on a global scale. “It’s no longer good enough to check the credentials of your main suppliers, you need to be sure that best practice extends down the supply chain,” West continues. “If there’s a weak link, sooner or later someone will hear about it and social media will do the rest.”

Outsourcing deepens the risk, as do relationships with unknown contractors and sub-contractors. However, technology can help to manage the process. “The latest supply chain management software compiles data about contractors, suppliers and sub-suppliers,” says West. “You can then tailor the parameters to ensure you only do business with companies that comply with your company’s standards and values.”

A new governance approach

Effective boards regularly review the way they govern risk. “Banks and other financial institutions governed by the Australian Prudential Regulation Authority (APRA) are required to separate the risk committee from the audit committee,” says Smout.

“This practice is quickly flowing on to other large organisations and I don’t think it will be long before mid-caps follow suit. The trick then is to coordinate the different committees so that everything is reported correctly to the board without repetition.”

Most boards undertake a strategic risk- planning process every one or two years but surprisingly few ensure that strategic risk is integrated with operational risk. “It sounds obvious, but it’s actually not that easy to drive a process whereby management takes all of the strategic risks identified by the board and links them back into the business,” Smout continues.

In Wright’s experience, the companies that do best when things go wrong are those that have made compliance a priority. “Even when they’re focusing tightly on growth the most successful organisations manage to balance investment with a strong compliance culture,” she says.

Proactivity, reactivity and remediation can provide an effective compliance framework. “Being proactive means taking active steps to improve compliance and having zero tolerance,” Wright continues. “This stage should also include extensive scenario testing – it’s much too late to start thinking about how you’re going to handle a crisis when you’re already in the middle of one.

“Scenario testing can also help you to respond appropriately in the reactive stage, where your aim is to contain the problem and manage your shareholders and wider stakeholders. Remediation is using the experience you have gained to close the circle by adjusting your proactive processes, practices and controls,” she adds.

Wright also recommends a combination of what she calls deep and shallow dives. “A shallow dive involves scanning the horizon for emerging risks,” she continues. “Ideally, the board will have directors from different disciplines with diverse views and experiences who can identify a spectrum of emerging threats and then discuss the potential for interaction.”

A deep dive involves searching out more detail. “Directors might need to talk to someone outside the organisation who can give a robust opinion without fear of retribution,” Wright adds.

Smout also encourages boards to look beyond management for information. “The longer you’ve been on a board the easier it is to become complacent and go along with what you’re being told by senior management,” he says. “I think it’s vital that directors have their own process for being professionally sceptical. That isn’t being distrustful, it’s just a way of ensuring you have the full picture.

“For example, many successful boards invite members of the broader management team into the boardroom for discussions or meet them in a less formal setting. Site visits can also help directors to form their own view. This should corroborate what you’re hearing from management and, if it doesn’t, you can ask further questions.”

Making use of technology

It is ironic that directors who take their responsibility for managing the company’s risk very seriously can be blind to their own risky behaviours.

“I have often walked into the business centre of a hotel and seen a board-like document sitting on a printer when someone has forwarded last-minute information to a director who is staying there,” says Brian Stafford, chief executive officer of Diligent Boardbooks. “It’s also common to see files and folders lying around in an airport lounge.”

Digital portals are far more secure than paper. An administrator can lock information so that only the intended recipient can read it and ensure that it can’t be printed or emailed. If a device is lost or stolen, sensitive information can immediately be wiped. Digital portals even make life easier for directors by allowing them to carry any number of board papers on a single tablet or laptop – yet still the majority of boardrooms are paper based.

“A total of 85 per cent of our new sales are replacing paper and printers,” says Stafford. Katsigarakis tells a similar story. “There are tools that can provide multinational organisations with a real-time view of exactly what their company looks like everywhere they have a presence, yet many of our clients still use spreadsheets and ad hoc systems to manage their international reporting,” he says.

“Risk management is increasingly complex and demanding. Directors should be taking advantage of all of the processes and systems that can help them to do the best possible job.”

Risk management 10-point checklist

1. Keep up with the new digital environment. Whatever the industry, directors must understand social media and new and emerging delivery models.
2. Consider separating the risk committee from the audit committee to reduce the audit committee’s workload and ensure risk gets the attention it deserves.
3. Make sure that management is linking strategic risks with operational risks.
4. Don’t rely on information provided by senior management. Draw on as many sources as you need to ensure you have the full picture.
5. Encourage diversity of thinking by making sure the board includes men and women with different skills, backgrounds and experience.
6. Use scenario planning to prepare for an event and consider how one event could flow on to another.
7. Prioritise compliance and a compliance culture within the organisation and across the supply chain.
8. Set up a framework of proactivity, reactivity and remediation.
9. Combine a “shallow dive” of scanning the horizon for emerging risks with a “deep dive” of acquiring more detailed information when you need it.
10. Keep up to date with technology that can help boards to log, measure and monitor risk in real time.