Boards that implement effective risk and compliance processes put themselves in a strong position when a crisis or serious issue emerges, writes Alexandra Cain.

Proper risk management processes at the board level are absolutely critical, given the growing regulatory focus on the behaviour of large corporations, the increasingly litigious nature of society and the large number of emerging risks with which boards must grapple.

As such, if risk management is not top-of-mind for all boards, it should be. The onus is on directors to ensure they have the right risk identification systems in place, to ensure they know what their main risks are. They must also have robust systems to ensure that once they have identified their major risks, they are able mitigate them.

Jim Edwards, director at information services company, Wolters Kluwer, says one of the greatest risks directors face presently is related to regulatory compliance, especially when it comes to tax auditing. This is especially the case given the Organisation for Economic Cooperation and Development’s (OECD) focus on base erosion and profit shifting (BEPS).

The purpose of the OECD’s project is to evolve international tax laws to reduce the opportunity for businesses to shift profits to low-tax or no-tax jurisdictions. The OECD estimates governments lose between US$100 billion to US$240 billion of tax revenue annually as a result of tax avoidance strategies employed by multi-national corporations (MNCs).

“This is driving demand for much more transparency. But the problem is that many companies are really poorly organised in terms of understanding where profits are earned and taxes are paid around the world,” Edwards says.

The OECD is pushing for much greater transparency around this and will require businesses to disclose profit and information, such as headcount, by country.

“There will be a rapid increase in audits and a heightened focus on financial reporting,” he says, noting the OECD’s work is just one of a number of initiatives around the world that are focused on making big business more transparent.

For instance, in Australia there is now more emphasis on large, private businesses releasing their financial statements.

As to what boards need to be doing around this, Edwards says the first step is to ensure they have access to high-quality data they can use to make informed decisions.

“Every corporation is facing the issue of disconnected people, processes and systems,” he says, adding that until now the issue of information sharing has not reached board level.

Edwards says boards must be exploring solutions that can deliver accurate underlying data about their businesses. “One of the challenges of boards is making sure the chief information officer (CIO) has a seat at the table and is listened to because the CIO is ultimately accountable for delivering accurate data.

“Sometimes CIOs can find it difficult to articulate the benefits of different solutions, which can lead to decision failure. Which means businesses are not investing to solve the transparency-of-information problem,” he says.

But in light of the increased regulatory focus on transparency, Edwards says boards must put risk-management frameworks in place to deal with this emerging risk and appropriately delegate responsibility to the business to address this issue.

They need to consider how to communicate appropriately to staff and finance executives located in other markets, and invest in data collection technology, to give them the peace of mind that they have transparent access to business information.

“More education and awareness about data and technology at the board level would also be worthwhile,” Edwards says.

Tony Katsigarakis is a commercial director at Wolters Kluwer. He agrees that the push for global businesses to be more transparent also means there will be greater public examination of their activities.

“An emerging issue for boards is not understanding what the business looks like to the outside world,” he notes.

This flows through to the actions of tax offices, such as the ATO, which has been very clear that organisations it perceives as not paying enough tax are going to be under increasing scrutiny.

“More organisations are going to be asked to support their position, which means businesses must have the evidence ready to support their argument, or they risk undermining themselves,” Katsigarakis notes.

He says relying on a patchwork of legacy systems to deliver the right information to the board and management is inherently risky. This is particularly the case given many organisations are downsizing their risk and compliance teams.

“As teams shrink, people are being pressed to do more and those systems are an accident waiting to happen.”

According to Katsigarakis, in a board context, they need to understand their key areas of exposure and have a handle on how effective or robust their existing systems are.

“If you’re using legacy systems, chances are something will break,” he warns.

Katsigarakis adds that this can often be a problem in global organisations.

“This is especially the case for MNCs. Even if they are operating globally, they often won’t apply the same rigour to their overseas operations; they usually don’t have a global view of the way the business is managed.”

Across the risk spectrum

Compliance and tax risk may be one of the most pressing issues facing boards today. But there are many other risks with which they are also dealing.

As John Kelly, a senior partner with financial services and insurance consultancy McDougall Kelly & Martinis explains, these include operational issues such as cybersecurity breaches and external stakeholder issues such as the rise of shareholder activism, plaintiff law firms and litigation funders.

Boards are also grappling with the ongoing complexity of managing a business through this current extended period of economic volatility.

“There is a convergence of events and stakeholders are on the lookout for any error in judgement, either actual or perceived. So there is less tolerance for mistakes,” says Kelly.

Within this context, he says the source of the litigation against boards has not changed and includes breaches of continuous disclosure obligations, failure to disclose material information and alleged misleading or deceptive representations and conduct, particularly within a prospectus.

“From speaking with a large number of directors, the two most pressing concerns facing boards are whether they have sufficient, accurate information to make an informed decision and how and when to communicate with stakeholders,” Kelly explains.

His first piece of advice to boards is to identify incidents that can escalate into a crisis. “This is one of the most fraught areas for listed and unlisted company boards. The question to ask is at what point does normal business friction, that is, the inevitable risks that are a by-product of competing, lead to something more serious. They must know that, once identified, how quickly anomalies are categorised as either fixable, systemic or problematic.”

Kelly says achieving this involves three steps. The first is ensuring the business has the right process and structures to enable the identification and classification of an issue, and the ability to progress an issue up the hierarchy in a timely and accurate fashion.

The second involves culture at the board level and understanding the attitude of the board to genuinely seek to identify and understand issues, and focus on them until they are resolved.

The final plank is culture at the executive level. Boards must be satisfied the business has employed sensible people capable of making good judgement calls on issues.

Says Kelly: “If you have scared people, afraid to make decisions, then a board can be inundated with problems that can overwhelm them through volume, not complexity. Alternatively you can have bullish people that hide problems from view because of a belief they can fix it. This runs the risk of issues blowing up out of control.”

So the question for boards is to get people and processes right in the organisation that can balance the two perspectives.

According to John Wayland from i2V, it’s unwise to depend too much on statistics and data when assessing the probability of a potential risk coming to fruition.

Aside from the fact that human error often contributes to a risk being realised, directors should also consider the personality types of those making recommendations about how to approach both risks and opportunities.

“More assertive personalities look at risk one way, whereas conservative people tend to view risk a different way. Similarly, those who refer decisions to a committee and are more consultative have another approach to risk,” says Wayland.

He explains individuals’ reasoning depends on their personality spectrum, which impacts the ability to assess risk.

“Businesses need teams with different personalities. No one person or personality type should be completely responsible for risk in a business. The risk-taker who is determined to push forward and worry about the consequences later has to be balanced by the conservative manager, who tests the concept and verifies the business model. This applies to all risk, be it innovation risk, environmental, fraud, fire and design failure.”

Finding a solution

Faced with disruptive new business models that are turning industries upside down, companies are under more pressure than ever to take more risks to compete successfully in hyper-competitive markets. As such, they need to manage risk in a deeper and more integrated way, says Tessa Court, CEO of IntelligenceBank. This is a software firm providing board portals and risk registers to Australian companies and government departments.

“Management should not be a sideshow concerned with only physical and financial risks. Rather, risk analysis should start with strategy and run throughout business planning and operational processes,” Court argues.

“The volume and severity of risks are increasing because businesses are becoming more complex, especially around transactions, technology and the speed of product development,” she adds. Therefore, all boards must prioritise risk identification and mitigation.

When it comes to identifying incidents that can escalate into a crisis, Court suggests using an electronic risk register with alerts to make it easy for the board to be advised of incidents that have the potential to escalate into a crisis. “This is easily done by scoring risks not only based on their severity, but also as their potential to develop into a crisis,” she advises.

According to Court, there is a strong movement to ensure ethics is a top priority for boards and senior management teams.

“Setting the tone from the top is crucial as risk management practices and ethics tend to trickle down the organisation when senior managers embrace it first. We have also seen a rise in the participation of board members in the number of meetings they attend each year and an increasing workload at board level, such as participating in more specified committee meetings.” This is positive, as engaged board members will assist businesses to properly address risks.

She says it’s absolutely essential for boards to place risk at the heart of the strategic agenda. “Strategic risk management has become a major focus for most leading companies. Rather than boxing risk management into simply looking at physical, financial and compliance risks, strategic risk analysis must form part of overall business strategy, procurement and planning processes.”

Technology must play a key part in this. Says Court: “I find it unbelievable that so many boards and risk managers use spreadsheets to keep track of risk registers, incidents, conflicts and other types of governance initiatives. A spreadsheet is actually a risk in itself as there isn’t version control, it’s not auditable, it’s not integrated with alerts and calendars and most disturbing, it can easily be lost or deleted.”

As such, it is vital that companies use risk management technology not only to ensure their risk management program is systematised, but also to take advantage of automation technologies to make managing governance processes seamless.

“Using governance risk and compliance software enables boards and risk managers to score risks, alert management and directors when risks reach a certain threshold, as well as undertake granular reporting,” Court explains.

Boards that have access to this put themselves in a strong position when a crisis or serious risk emerges. Those that don’t leave their companies and their shareholders exposed, a position in which no director wants to be.