COVID-19 erupted after a record drought and savage bushfires had already disrupted businesses across the country, with the successive crises making demands that few could have predicted or prepared for. The experiences shared by the Rethinking Risk roundtable participants point to the ability of companies with well-prepared risk and crisis management plans to respond with agility, minimising not only the damage to business operations, but also any consequent loss.

St Vincent’s Health Australia was on the front line when the pandemic hit and, according to CFO Ruth Martin GAICD, while regular risk profiles had been prepared for the board, they hadn’t routinely rated a “pandemic” as “highly likely”. Said Martin, “What’s interesting is that while you have all the planning in place, sometimes it can be a little dusty.”

The organisation learnt three important lessons under pressure from the crisis: the need to respond with agility from the board down; being prepared to hear bad news to enable quick responses; and having business fundamentals in good order, including cash reserves.

Insurer FM Global helps companies minimise risk to mitigate against losses, but it also came under pressure with the shutdowns. Onsite assessments, critical to its underwriting, were threatened. While the company had occasionally used remote engineering servicing for this purpose, after border closures the technology had to scale up quickly, said operations manager Lynette Schultheis. “This past six months, we’ve applied it 13,000 times. In theory, it was in place, but to be that agile and nimble to enact it so quickly, there were some growing pains.”

The climate and virus disasters came at the same time as Australian-listed global energy company Worley was dealing with other significant changes: integrating a new CEO, the energy transition, geopolitical tensions and falling energy prices. Worley managed the situation by establishing a dedicated project management office to respond to the COVID crisis.

“We had to move more than 40,000 people around the world to work from home as our pandemic response plan kicked in,” explained senior group director Tony Frencham MAICD. The priorities were staff safety first, then business continuity, followed by customers’ needs. Frencham said the company’s robust risk culture was vital. “You have to have your core values, purpose, systems and beliefs in place before a crisis. You can’t be tinkering with those things when the crisis happens.”

Risk muscle

Penny Winn GAICD, a director of Coca-Cola Amatil, Goodman Group, CSR and Ampol, said some companies honed their risk culture in the years after the banking Royal Commission and other high-profile regulatory cases. “I call it ‘risk muscle’ because, effectively, it is something you build up, just as an athlete practises for the Olympics.”

Winn said the duration and multiple layers of disruption, all interconnected, were a big test in 2020. “What it brought to bear was about 10 risks all at once: economic risk, health risks, operational risks, etc.” She said her boards relied on their risk muscle to get them through, with Coca-Cola Amatil convening weekly instead of monthly and stepping up information flow.

Risk adviser Peter Deans GAICD developed an open-source framework, called 52 Risks, to help organisations identify, assess and manage their risks. He said 2020 has accelerated many trends and jolted companies that didn’t have a deep understanding of risk in their business: “They will look back now and say, ‘One of the lessons to come out of this difficult period is that an investment in risk management does actually pay off.’”

Company self-harm

Several high-profile companies suffered enormous reputational damage and business losses in 2020, escalating the importance of identifying and governing risk. Serious problems — such as those exposed by the casino licence inquiry into Crown Resorts, Westpac’s breaches of anti-money laundering laws and Rio Tinto’s destruction of a sacred Indigenous site — have rippled through the nation’s boardrooms.

Deans said it comes down to “a complete breakdown of the governance of risk management, despite having the resources and some good people in the chain”.

Winn likened the failures to the “boiling frog” fable — the temperature in a pot of water rises from lukewarm to boiling without the frog noticing until it’s too late to jump out. “In a lot of cases, there is a culture of acceptance of small breaches and these breaches then build up and you get the Westpac situation,” she said. “In isolation, none of them seem extreme and management will say, ‘We’ve got it all under control’. But that’s where boards need to sweat the small stuff. Boards have a responsibility to review, to see, to question and to dig their heels in and say, ‘We are not good enough’… I think that’s critical.”


Climate change risk

The disruptive forces of climate change threaten a new era of uncertainty and, warned Schultheis, it’s a mistake to lose sight of this. “Climate change can be just as big an issue for a client as a pandemic. If you were to lose a location, if a cyclone takes it down, then your competition is more than happy to just step in and take your place.”

There are many low-cost practical measures that can mitigate against catastrophe, she added. “Just very basic things for a bushfire, such as removing your ignitable liquids to a safer area and elevating your expensive equipment in a flood.”

The climate challenge risk varies for different businesses and requires specific responses. Alongside planning for extreme weather events, companies need to think in broader strategic terms, said Deans. “Does my business look the same? Do my consumers and customer segments look the same in three, five and 10 years, and what should we do strategically to respond to that?”

He cited the Australian Prudential Regulation Authority’s new requirement, in 2021, for banks to complete financial vulnerability assessments to evaluate the impact of climate change on their business. “That will be a wake-up call, I think, for many banks. There is a question around business model sustainability. That should be the strategic discussion company directors are having right this minute.”

According to Winn, assessing future business sustainability raises a forensic transition risk. “[Ampol, for example] can mitigate the climate change risk, but at the expense of lowering demand and lowering our viability in the longer term,” she said. “It’s really hard to do both, but it is critical that boards do have that longer-term view.”

Frencham said climate risk mitigation has been a key focus at Worley. “Even though we’ve been going through all these crises, we’ve accelerated our climate change position statement to be net zero by 2030 and our customers have all done the same thing,” he said. “It’s the right thing to do, the science is compelling and the stakeholders expect it. It has been highly energising in a very anxious year for our people and it’s allowed us to get on the front foot... with customers who you’d think would be distracted. But it’s front of mind for them, too.”

Cyber attack

When the COVID-19 shutdowns forced health services online, relocated workforces to their homes and revolutionised meetings via videoconferencing, it reinforced that all businesses are now dependent on technology. No company can make, supply, deliver or market products or services efficiently without it. And the risk of cyber attack has multiplied.

Malicious cyber activity is one of the most significant threats impacting Australians, according to Australia’s Cyber Security Strategy 2020. Released in August, the report states that 2266 cybersecurity incidents — at a rate of almost six per day — were referred to the Australian Cyber Security Centre in the 2019–20 financial year.

Deans said spending on mitigating the risk of cyber attack is no longer discretionary. “I think those days are over,” he said, pointing to severely disabling hacks experienced in 2020 by Toll and Travelex. “The downside risks are quite high — potentially catastrophic financially — and the reputation will take years to recover. So, it’s really just a case of getting the experts in and spending some money, and probably spending a little bit more.”

Schultheis said directors also need to consider the risk to plant and equipment from cyber attacks, with most machinery computer-controlled and connected to the internet. Hence, FM Global’s cyber assessments now include software security. “I don’t want to say hackers are smart, but they’re smarter than we are most of the time,” she said.

With more people working remotely, computer network security risks have increased. Worley’s Frencham said there’s the added complexity of being hosted by different systems on multiple customer sites. “We have to meet their standards and protect their assets, people and systems, and then also do the same for us.”

The health sector has become a target for cyber attacks, with data worth a fortune on the dark web, which is why St Vincent’s Health employs an ongoing testing regime. “Cyber risk is huge in health — health is the new banks. That’s a big issue for us...” said Martin, noting that cybersecurity reports are prepared for every meeting of the board’s audit and risk committee.

“Our first and best line of defence is our people,” she added. “We send out dummy phishing to see who will actually click on the link, then notify that person and instruct them to do training.”

Boards need digital technology capability and directors who can educate themselves on the threats, said Winn. “It’s a matter of being connected. Directors’ roles are not just about looking inwardly to the organisation, but also scanning the environment and learning from the incidents. You have to make sure management has the people, capability and resources to do it correctly, and that you know enough to ask the right questions.”

Opportunities and resilience

There are significant lessons to take forward, noted Frencham. “I think the biggest risk in 2021 is not taking up the opportunities. We’ve moved a decade in the past year in terms of a lot of improvements. It’s very clear that sustainability, energy transition, climate change and circular economy are front and centre, and we have to lean in to those. Yes, digitalisation has been accelerated and we have to continue that progress. The one area of risk among all that, that we’re concerned about, is our people. We [need] new pathways to develop our people.”

Martin said the culture of leadership is evolving, allowing more flexible decision-making where appropriate. “I think leadership is changing and having people that can make decisions in more agile working groups has been something other companies could potentially learn from.”

The pandemic has also brought home the fact that companies operate in a society that depends on them to function well. A focus on maximising shareholder value now seems to be broadening to include the health and resilience of the company.

“Reputation is very slow to be earned, but very fast to be lost,” said Winn. “In the digital world, it’s on hyperdrive... effectively, the customer is in control. Reputations have been hooked into what’s happening on social media and it’s so important.”

According to Frencham, in 2020, Worley relaunched the company’s purpose and values after holding more than 100 workshops around the world with its employees.

“It all goes to culture, and the culture certainly comes from leadership,” said Martin, recognising the value of independent, questioning voices.

“It is accountability and clarity of roles and responsibilities,” agreed Winn. “It’s become apparent that the board is ultimately accountable and has to be very comfortable with the risk profile, and make sure that management accountabilities are fully understood throughout the organisation. This will be one of the learnings out of the last couple of years, with some of these governance failures.” 

Roundtable participants 

Penny Winn GAICD – Non-executive director. Winn is a director of Coca-Cola Amatil, Goodman Group, CSR and Ampol. She chairs the safety and sustainability committee at Ampol and the workplace health, safety & environment committee at CSR, and is a member of the Coca-Cola Amatil board’s risk and sustainability committee.

Tony Frencham MAICD – Senior group director, Worley. Frencham is head of strategy and execution planning for the refining & chemicals sector at the global engineering company. He previously had charge of group leadership on energy transition.

Ruth Martin GAICD – CFO, St Vincent’s Health Australia. Martin has financial responsibility for St Vincent’s – the largest not-for-profit health organisation in Australia – plus 20 years’ experience in senior finance roles across a diverse range of sectors, including with the Sydney Airport Corporation, Microsoft, Ruralco and Stockland.

Peter Deans GAICD – Principal and director, Notwithoutrisk Consulting. Deans, a former chief risk officer for the Bank of Queensland, has more than 32 years’ experience in banking and finance. He has been named Chief Risk Officer of the Year four times.

Lynette Schultheis – Operations manager, FM Global. Schultheis sets the strategic direction in Australia and New Zealand and ensures regulatory compliance at FM Global, an insurance mutual with 185 years’ experience of reducing business risk to minimise losses.