The modern practice of risk management has been evolving since the 1950s. At first, it was all about insurance but the high cost of widespread cover soon inspired specialists to look for ways of minimising risk, such as staff training and safety programs.

Since then, globalisation, technology and social media have spawned new risks and enhanced the potential for more traditional threats, such as fraud or bad behaviour, to cripple a company or a brand.

“In an environment of rapid change and disruption, maintaining a clear view of an organisation’s appetite for risk is increasingly relevant,” says EY partner Catherine Friday MAICD. “The board must act on behalf of shareholders to set the ambition for the organisation.

“That means translating the owners’ vision into a tangible strategy for say, growth, identifying the risks involved and producing a practical plan for execution.

“In doing this they are balancing the owners’ ambition with their role of stewardship to ensure the enterprise will survive and prosper.”

Risk varies according to context and the organisation’s stage in the business lifecycle – start-up, growth, maturity or potential decline.

“The risks and rewards of a mature entity are usually symmetrical in nature because the risks are mostly known or knowable – an investment in resources may bring a predictable reward,” says Friday. “But the start-up lives in an asymmetrical world where a small investment may bring enormous rewards and success in a short time. Equally, failure will mean sudden and total loss. The role and competency profile of the board will also reflect the nature of the organisation, the ambition of the owners and the probability of success. Strategy and risk is, after all, a game of chance.”

Once the risk appetite has been expressed as an effective risk management framework, this must be monitored and maintained. “It requires vigilance by competent and engaged directors,” says Friday.

The ASX Corporate Governance Principles and Recommendations require that boards of listed entities have a committee to oversee the effective operation of the risk management framework.

“I believe that every board would benefit from having a group that meets formally to review existing and emerging risks,” says Tessa Court, chief executive officer (CEO) of IntelligenceBank, which provides online board portals and governance, risk and compliance software.

The impact of globalisation

There’s nothing new about global risk – Lloyd’s of London has been insuring ships and their internationally-traded cargoes for more than three centuries. But over the past 20 years, a rapid acceleration in worldwide interconnections has changed its nature and complexity.

“The more interdependent we become, the faster and further risks can be transmitted,” says Tom Kent, managing director of TK Speciality Risks. “Globalisation has made it so easy for companies to reduce the costs of labour and raw materials by doing business offshore that they might not give due consideration to the risks involved.

“For example, it can be hard to keep track of fast-changing regulations and policies in unfamiliar jurisdictions. And, if language and cultural differences are not fully understood, they can have a negative impact on negotiations, contracts and, ultimately, profitability.”

The globalisation of information has also magnified the risks associated with intellectual property (IP).

“Innovation and entrepreneurialism are playing an increasingly important role in terms of national productivity and we are registering more patents and trademarks here than ever before,” Kent continues. “Information is many companies’ most valuable asset – yet boards often overlook the question of how best to protect their IP. I believe that every board should schedule regular reviews of where the risks lie and how well they are being mitigated.”

Emerging risk

Boards need to be aware of the three broad areas of emerging risk – technological, crystallising and aggravating. “New technologies will continue to help businesses of all sizes to innovate and operate more profitably but they can also help competitors to win market share,” says Court.

“And, of course, they can be used by hackers to access payment data, implement denial of service attacks, extort funds, inflict reputational damage and threaten business continuity or the supply chain.”

She believes that directors should already be discussing artificial intelligence and its potential to influence human decision-making. “This is a big-picture technical risk that is little understood, but it is bound to have an impact on the way we do business,” she says.

There is inherent risk in introducing any new technology, while systems – old and new – can fail. The recent Australian Taxation Office debacle, which left all of its external websites, client portals and tax agent portals unavailable for days, appears to have been caused by problems with a storage area network that had been upgraded less than two years before.

“We are constantly engaging with new platforms and means of communicating our business propositions, but we tend to forget that emerging technology is bound to have inherent flaws,” says Kent. “From a governance perspective, one trend that concerns me is an over-reliance on third party providers from the IT sector. Directors don’t need to know how to code but they do need to understand enough to ask the right questions.”

Crystallising risks are those which are known to the board and which, for some reason, are escalating into an event. “Firing a rogue senior employee or changes in the regulatory environment could both be classified as a crystallising risk,” says Court.

Aggravating risks are well known, but the how, when and where of the impact is not. “This term is usually used for geopolitical issues such as the implications of the recent US election, terrorism and climate change,” Court continues. “Regulation follows innovation so as economies rely more and more on technology, new regulations will inevitably emerge.”

Regulation and reputation

For some time, the hyper-connected world of mobile devices and social media has been subject to increasing scrutiny from regulators, shareholders, the media and the public.

“The Australian Privacy Act spells out that it is the responsibility of boards and CEOs to secure their customers’ identity and financial data and to protect them from the external threats of cyber-hacking and data theft, even when customer data is stored in the cloud outside Australian borders,” says Terry Michael MAICD, CEO of TLMCyberStrategy.

“The Corporations Act states that the board and individual directors are responsible for protecting the reputation of an organisation, and now mandatory data breach notification laws are being introduced to bring Australia in line with much of the US and Europe.”

Growth in cyber crime and changes to the Australian Privacy Act in 2014 have boosted interest in cyber insurance to protect the board from statutory and online fraud. As Michael points out, however, this can do little to safeguard reputation and brand.

“More businesses are moving their payments and operations online as a way of getting closer to their customers, but once a company’s reputation has been tainted by a data breach, those customers will be more reluctant to hand over their personal and financial information,” says Michael.

“This happened after a breach of the data held by Sony’s PlayStation multimedia site and it helped to trigger a 55 per cent drop in share price. It also enabled the Microsoft Xbox multimedia platform to gain significant market share and establish itself as a serious competitor.

“When there was a data breach at Yahoo recently, the knock-on effect destroyed its market worth at the time it was up for sale. Once the reputations of these huge online companies had been damaged it could never be fully repaired.”

Start-up companies that went on to disrupt entire industries, such as Uber and Airbnb, go to great lengths to protect the integrity of their brand.

“They understand that, regardless of how revolutionary the business idea and how innovative their use of digital technology to leverage global growth, their success ultimately depends on the strength of their reputation and having their customers’ trust,” says Michael.

Looking beyond the specifics

John Kelly MAICD, senior partner at McDougall Kelly & Martinis Insurance Partners, is less concerned by specific risks than how well the board responds to risk in general. “Activists, litigation funders, shareholders and regulators all expect boards to assess risk in all of its forms and deal with it appropriately,” he says. “In my opinion this increasing emphasis on accountability is the emerging risk for directors rather than the underlying triggers.”

The board should be thinking beyond the company itself to stakeholders and their various agendas.

“This is the best way to identify and manage an incident that might have an impact on your reputation or your brand before it escalates into crisis,” Kelly continues.

“For example, your company could have had good reason to fire three people but stakeholders might not see it the same way. One of the sacked employees might put a post on social media suggesting that the action was unfair and that his young family is likely to suffer. The media could pick up on and develop the story as a way of boosting its sales.

“A politician might see an opportunity to build his or her profile by making an example of your company. And if a photograph should emerge of you getting into your luxury car, you’re suddenly the fat cat that doesn’t care about the fate of your workers.

“These reports can range from totally accurate to exaggerated and biased but that doesn’t affect the speed with which they can spiral out of control. Dismissing any agenda as irrational or irrelevant is a serious risk in itself.”

Effective boards understand this process and take the time to put themselves in their stakeholders’ shoes. “In any situation, people with training will respond better in a crisis and that’s why scenario planning plays such an important role,” says Kelly.

“For example, when we’re working with clients who are facing a class action, we draw up a list of all possible stakeholders including employees, investors, the media, people on social media, regulators, government and the opposition, the competition and even the directors’ own families, then work through each scenario. It can easily add up to 10 or 15 stakeholders and it gives a real sense of the need for vigilance on multiple fronts.”

Court encourages directors to learn from other people’s experiences. “Case studies from both colleagues and outside experts can be very informative,” she says.

“It’s also a good idea to talk to external chief risk officers and members of other boards who have experienced a crisis such as denial of service, an attack on the supply chain or fraud. You can learn a lot by hearing what went wrong and how the companies could have been better prepared.”

Kelly agrees that the most effective boards are curious and willing to learn. “Some boards are very alpha-orientated, populated by directors who consider themselves to be experts on every subject,” he says.

“This is a very dangerous position to take. I believe that the best boards accept that, collectively, they don’t know everything, and that the best directors maintain an enquiring mind.”

Value Killer Events

Global research by professional services firm Deloitte found that during the decade to 2014, 38 per cent of companies in the MSCI Global 1000 index experienced a “value killer event” – a loss of 20 per cent or more in market capitalisation over 20 days or less. In 2 per cent of those companies, the loss was more than 50 per cent. Deloitte identified 36 contributing risk factors that drove these 142 distinct loss events across four broad categories – strategic, financial, operational and external.

The table below shows these loss events and, in brackets, the frequency with which they occurred. Some loss events are included in more than one category.

Risk categories (frequency of loss events): Strategic risks (178), Financial risks (50), Operational risks (84), External risks (176).

  • Demand shortfalls
  • Customer losses/problems
  • M&A problems
  • Pricing pressures
  • Product/services competition
  • Product problems
  • Regulation
  • R&D
  • Management change
  • Corporate governance
  • Miscommunication/false guidance
  • Poor financial strategies
  • Asset losses
  • Goodwill and amortisation
  • Liquidity crises
  • High debt and interest rates
  • Earnings shortfall
  • Cost overruns
  • Poor operating controls
  • Accounting problems
  • Capacity problems
  • Supply-chain issues
  • Employee issues and fraud
  • Noncompliance
  • High input costs
  • IT security
  • Supplier losses
  • Declining commodity prices
  • Ratings impacts
  • Industry crises
  • Legal risks
  • Country economic issues
  • Weather losses
  • Partner losses
  • Political losses
  • Terrorism
  • Foreign economic issues
  • External risks

When the future of the business is at risk

Sometimes the future of a business pivots on the success of one project. “Directors who may have no in-depth experience of governing major projects must develop a very clear understanding of how risk is likely to evolve from conception to completion,” says Marc Vogts, CEO of the John Grill Centre for Project Leadership and former vice president, projects of BHP Billiton and project director at Rio Tinto. “As negative events rarely occur in isolation, they need to understand the broader risk portfolio rather than focusing on individual risks.”

He suggests that directors plan their interrogation of the project by thinking about the 10 most important questions they could ask along the way – and, just as importantly, the best time to ask each one.

“For example, at the start of a project there is very little information to draw on, so there is little point in asking for detail,” he says.

“In the early stages there is also a tendency for the people who are putting the proposal together to downplay risk and overstate opportunity. What they describe as a very clear and solid business case might well be optimistically skewed so, at this stage, the board will want to know whether the project team has honestly explored all alternatives and challenged their proposed solution.”

Information technology projects present a particular challenge because the technology can move faster than the project itself. They also tend to be customer-focused, so the board must try to imagine what customers will want or need in the future.

“This can be very challenging, but techniques are being developed that take an iterative approach based on frequent customer interaction,” says Vogts.

There are some threats to success that no project manager can control.

“Something like a sharp fall in commodity prices could kill the best-designed project,” says Vogts.

“And a big infrastructure project might be driven more by political intent than optimal results. Boards must find a middle ground – not overly optimistic but not so pessimistic that every project appears to be too risky to take on. That isn’t easy in today’s turbulent world.”

The board’s overriding responsibility is to know that the risk exists.

“You can then call on techniques that can be very successfully adapted to things like a shifting political environment,” says Vogts. Every board should be prepared to draw on expert advice.

“On a business-defining project I would certainly look for some form of independent review,” says Vogts. “Appropriately skilled people can facilitate the right conversations and provide a sense of whether the project is moving in the right direction. Good boards understand the value of running an independent peer review and the positive impact this can have on the culture within a project.”

A good board also knows when it’s time to stop. “It takes a great deal of courage to make a decision that could give the impression of failure,” says Vogts. “In fact, calling a halt at the right time is a sign of effective oversight.”