assessing risk

The concept of risk management has seen a rapid evolution in corporates in developed economies. While you could argue that risk management, at least in an intuitive sense, has been with us forever, two things have definitely changed.

One is the need for transparency. The second is the expectation that directors must be able to defend their decisions by demonstrating that they made a decent fist of anticipating reasonably foreseeable positive and negative outcomes and made judicious use of resources to optimise them. Boards aspiring to achieve more than their standard oversight obligations should go further and see the quality of their risk and opportunity management as a cornerstone of their “value add” as directors.

The notion of explicit or objective risk analysis and management is something that has evolved concurrently through the efforts of engineers, lawyers, accountants, medical professionals and others. This has coloured how we now perceive, frame and oversee risk in the boardroom. We can see their fingerprints in how risk and audit committees function, how their risk reports are prepared and where they focus our gaze. Enter the notion of strategic risk and its management — which is a vital, but often overlooked, aspect of enterprise risk management.

Top 10 risks as opportunities

  1. Labour model disruption
  2. Lagging digitisation
  3. Pace of change
  4. Digitisation misconceptions
  5. Climate change liability
  6. Remote workforce
  7. Dated policies/procedures
  8. Talent shortage
  9. Sustainability
  10. Retaliatory tariffs/trade wars

A number of studies over the past decade or so have shown mismanagement of strategic risks were most responsible for destroying shareholder value, contrary to prevailing wisdom that compliance issues are a major cause. Global tech research company CEB/Gartner Group’s analysis of share price shocks in 2014 drew attention to research that showed a poor correlation between where boards and organisations spent their time and resources on risk management, and the risk events that actually hurt them. So what are characteristics of strategic risk?

Scenarios that threaten strategic intent

Every time we choose a strategy we are making a promise to someone. Inherent in those promises is a degree of risk associated with them not being the best promise we can make. Additional to this is the risk associated with the realisation we may not deliver on the promise — either because we did not know that we couldn’t, or we knew, but could not perform any better. Recent studies by major strategy and accounting firms suggest this latter element represents as much as one third of the value not delivered against the promise made at strategy formulation stage.

Understanding the drivers aggregated into scenarios, which identify the reasons why we might not deliver on our promises, therefore represents considerable value if we have the wherewithal to manage them effectively.

Organisational risks

These emanate from organisational culture and capability, corporate structure and ownership, quality of board and executive governance, and focus of leadership. How we are organised and connected within our organisations amplifies or moderates strategic risks. Recent examples of risk management failure in this area have been well exposed through the banking Royal Commission.

Over the horizon

Strategic risks require a capability to foresee and play out scenarios that may be many years ahead. This may be necessitated by the need to plan and prepare years in advance. These may be risks with no — or poor — tactical solutions, therefore it’s necessary to take a strategic (holistic, integrated and long-term) view of solutions.

Externally triggered/imported risks

This includes susceptibility to risks emerging from the decisions and actions of clients, regulators, competitors, contractors, providers and an array of government stakeholders, as well as the community. This is an acknowledgment that to a large degree, the risks with the greatest potential for harm are not triggered within the organisation, but potentially outside it. We don’t necessarily control the causes, but will suffer the consequences. How good are we, then, at anticipating the actions of others who deliberately or inadvertently cause us harm?

Game-changing scenarios

These are systemic and structural shifts in the operating environment stemming from disruptive technology or a significant shift in regulatory environment or policy, client behaviour or expectations, or market-disruptive competitor offerings.

Critical operational risks

These come with lasting impact for core assets — people, tangible assets, brand, and reputation with multiple stakeholder groups. They are not risks that can be managed within an annual financial cycle, but those that blow up like a grenade and take many years to recover from.

Large transactions, capital expenditure programs and transformations

These can have a cascading impact of transformational initiatives, inorganic growth, or aggregate risk from management of portfolios of projects, operationally sensitive capital expenditure programs, or outsourcing arrangements. They tend to hurt far more than operational risks because most organisations are far less skilled at their assessment and management. Reflect on the track record of complex IT implementation projects to deliver on time, to budget and to scope. Gartner Group’s 2018 ERM (enterprise risk management) survey found few ERM teams are involved in strategic initiatives such as digital transformations.

Integrated approach

Unlike operational risk that we might be accustomed to seeing in a typical risk register, strategic risks are almost exclusively the domain of senior management. Only senior management and directors are experienced enough to have reliable insight into these risks — and only their judgement can be relied upon for a commercially sensible and pragmatic response.

Strategic risks are often interdependent and therefore require an integrated approach to management in contrast to operational risks, which can often be managed discretely. This also implies the severity of risks may be more significant than those indicated individually, due to the correlation of risks, if not managed in an integrated manner.

Strategic risks are often managed through decision-making rather than process controls. Therefore, effective strategic risk management involves integration of risk management into executive and board-level decision-making, largely as part of strategic planning, but also in key tactical decisions.

The implication is that the competency of a board to discern strategic risks is tightly bound into strategic thinking and the strategic planning process. It’s also a complicating factor in that being able to identify and scale strategic risks often results in a level of iteration of strategy. How ambitious you want to be with your strategy is directly affected by your tolerance of the failure to deliver your promise.

Experience also suggests that identifying and responding to strategic risks is an advanced managerial skill set that requires practice. Executives and directors need to hone it over time.

One challenge is that there may be a naïve presumption that all directors and executives have a similar level of appetite for strategic risks and opportunities. Experience again shows this is almost never the case. An ability to properly frame and negotiate risk appetite among the board towards new strategy — and aligning that appetite with the executive — is also a challenge requiring perseverance and a willingness to negotiate and compromise. But it can also require a readiness to change tack when circumstances change. Strategic risk profiles have a “shelf life”, which, in most sectors, is shortening all the time.

Strategic risk thinking

What are the lessons from the past 10 years to help boards go about strategic risk assessment and apply it to their decision-making?

  1. Make time to set out the most pertinent and recent internal and external events, drivers of performance, sector health and organisational (people) strengths and weaknesses.
  2. Find a process to glean insight independently and without bias from the executive and the board on scenarios that concern them the most. Build scenarios with plausible likelihoods of realisation and clear material implications. Be careful not to confuse issues (things that have already happened) with risks (things that may or may not happen). Encourage members of the board and management to lift their gaze from issues that are preoccupying them this quarter.
  3. Collectively stress test the scenarios and resolve what the most significant ones are that generate uncertainty, for better or for worse. Bear in mind, this is rarely an objective exercise and it’s a real test of the experience and judgement of those in the room. Focus on the most significant dozen or so.
  4. Consider current mitigating factors that may or may not include internal controls, whether there is an adverse, stable or positive trend with time for the scenario, and the limit of your appetite for that risk scenario.
  5. There are three alternatives:
    • Accept the risk and do nothing more. There is no practical or commercially sensible response to the scenario; it becomes a volatile feature of our strategy.
    • Do nothing more yet. We accept the risk is real and warrants action, but we are uncertain of an optimal response. Research an optimal response and execute.
    • Do something now. The scenario as represented is currently unacceptable without further mitigation, so act now.
  6. Hold the CEO and executive team accountable for changing the risk/reward balance at a sensible frequency — rarely longer than six-monthly.

Arash Rashidian GAICD is a principal with Lighthouse Advisory and an AICD facilitator.

Risk Awareness

Not adapting to changing legislative environment

The introduction of the National Disability Insurance Scheme (NDIS) in July 2016 has had a seismic impact on approximately 10,000 disability service providers around Australia. Among significant changes is the distribution of financial support to clients, as opposed to service providers directly. This has shifted the balance of power.

The strategic risk for bigger entities lies in the dramatic impact it may have on their business models. They now have to value and account for each client individually. This has implications for internal accounting systems, choices on types of disability to support, capital investment decisions, difficult potential choices in turning away clients who make a “loss” for the entity, and clients who can more easily turn to an alternative provider if they are not satisfied.

The boards of these entities must fully comprehend the changed paradigm and ensure operations are aligned with this, or be swept away by those that do. The proposed Royal Commission into disability services will probably further amplify this as a strategic risk.

Initiatives become missteps

Australia has a history of successful companies which succumb to failures overseas. NAB’s failed expansion in the UK, the abandoned ANZ South-East Asia strategy, Lendlease’s Wembley Stadium challenges, to name a few.

A more recent example is the widely reported writedown associated with Wesfarmers’ venture into the UK to replicate the successful Bunnings Australia model. In 2016, Wesfarmers paid $700m for the UK Homebase chain and started rolling out Bunnings stores. But the company fundamentally misjudged the UK market. It replaced local management with Australian executives and sold products ill-suited to the market.

In February 2018, Wesfarmers reported a $1b writedown on the venture and in May, CEO Rob Scott announced it had sold the businesses to private equity group Hilco Capital. “The investment has been disappointing, with the problems arising from poor execution post-acquisition being compounded by a deterioration in the macro environment and retail sector in the UK,” said Scott.

Freight train coming

Power distribution companies are still waking up to the fact that the accelerating momentum of adverse trends — combining the rapid uptake in solar panels, now sponsored by some state governments, rapid technological developments and the reduction in cost of battery technology — is slowly but surely destroying their business models. How could a board not see this coming and plan for it?

An example of a board that has had greater success is the RACV, which famously recognised that the growing reliability of motor vehicles was progressively destroying its primary business of emergency roadside repairs. Diversifying its offering to encompass insurance, travel, accommodation, home, lifestyle and leisure as well as motoring, the RACV became viable then flourished. Successive boards had seen the freight train coming and were able to plan and execute a timely transformation.