Meeting room with staff around a table looking at documents

Risk management has taken the spotlight in the wake of the COVID-19 crisis and there is huge demand now at a global and Australian level for boards to better evaluate, manage and report on risks, according to KPMG’s Kevin Smout, who is also KPMG’s Global Leader for Governance, Risk & Assurance Services.

“I think all the boards I'm speaking to would say they were under-prepared (for the crisis),” he told the AICD in an interview.

As we saw after the Global Financial Crisis (GFC), over the next two years or until the economy picks up, boards and executives will focus much more on strategic risk identification, management and measurement, he says.

“In terms of managing risk and understanding the (flipside of) opportunity, what we're seeing now is more and more boards requiring risk management as a frontline activity,” he adds.

“Demand for maturing risk management at the frontline, at a global level, has absolutely taken off, whether it’s for huge manufacturers in the US, or corporates in banking or wealth management in the UK, through to Australian entities I'm working with now in this space.”

Smout, who sits on not-for-profit boards and works with at least two boards a month, saw firsthand that those boards were under-prepared for the size of the crisis and the speed at which it unfolded. He adds that business leaders in general often have a poor understanding of how risks are identified, measured, reported on and then managed.

“So much of the reporting we see delivered to boards…is still numerous pages of two-dimensional risk reporting with a risk matrix, a likelihood and severity matrix, and a colour table reflecting the risk as green, amber or red.”

Smout says risk management needs to reach way beyond compliance and be elevated to the strategic board level. “If you deal with risk just as a compliance and regulatory issue, you're probably never going to get the right outcome. If your reporting isn't identifying and connecting particular risks together that result in a certain scenario or event that the business manages, then your reporting is not effective enough.

“Your risk may be increasing without you being aware of the escalating situation and you're not going to know about it until it's too late. You need to have the right risk culture embedded across the organisation.”

Identify the four dimensions of risk

A four-dimensional risk management approach should be taken which reports on risk likelihood, severity, contagion and velocity, says Smout. Contagion looks at how one risk may connect with other risks and spread through the organisation and velocity measures the speed at which a risk can escalate and threaten the business.

Take the current COVID-19 situation as an example. A business should try to understand the:

  • Connectivity between the lockdown and physical distancing regulatory rules
  • The specific flow-on impacts to top line revenue and customer demand
  • Related cash flow impacts
  • Operational and supply chain impacts, and
  • The flow-on to their workforce and digital connectivity.

In understanding these impacts, businesses can make better decisions faster and stay ahead of competitors by identifying areas of priority in terms of further risk mitigation and opportunities for recovery that can be made.

Test your three most likely risk scenarios

Organisations should start out by identifying the two or three most likely risk events and plan and test scenarios around those, says Smout. For some organisations, that may be a terrorist or cyber-attack, or a major threat from a competitor.

While risks vary from business to business, in general there are three main risks which would apply overall.

  1. Digital risk (Cyber-attacks, artificial intelligence, online retail, a VPN network for remote workers)
  2. National/geopolitical risks (Sudden policy, regulatory and funding changes)
  3. Mental health and wellness of staff and customers (Trust and the people elements that go with it).

“I strongly believe that what we're going to see for the next two years and hopefully longer, is government, business and risk professionals putting time into trying to understand how you identify what you think are the most likely events to impact your business, and then working across the board or at a management level on what your scenarios might be, and how you'd manage the scenario,” says Smout.

Even if the example scenarios don’t eventuate, the risk management practice and impact on risk culture within the business of going through this process will provide a significant positive business differentiator to those who don’t do this in the long term.

This practice will help to better prepare for, mitigate and manage future risk. Businesses should look at all aspects of their operations from a connected network perspective, says Smout.

Testing your crisis plans

“It’s a high-risk strategy to run your business without testing crisis plans,” declares Wesfarmers non-executive director Sharon Warburton FAICD. “I have always subscribed to the ‘practise makes perfect’ phrase. It applies here.”

An Australian survey published in May by the Governance Institute of Australia (GIA) shows 40 per cent of businesses were not regularly testing risk and crisis plans, leaving them exposed and under-prepared for a major crisis.

Only 11 per cent of those surveyed were regularly running scenarios around risk events to test how the organisation and employees would respond.

The 2020 Risk Management Survey by the GIA showed that 60 per cent of respondents considered damage to brand or reputation to be among the top five risks over the next three years, with 59 per cent concerned by the impact of policy change and regulatory intervention.

Cyber-crime also featured strongly in the top 10 risks (with 50 per cent nominating this as among the top five risks over the next three years), as did talent attraction and retention (48%), disruption and failure to innovate (44%), economic shock (40%), employee conduct (39%) and risk from increased competition (37%).

Risk lessons for boards

Warburton says there is a greater appreciation now by boards of economic connectedness and how this affects supply chains and makes business vulnerable. “There are many businesses that have had these effects because of COVID-19. Scenario planning has been valuable in these areas.”

Every board should have a risk committee and a risk management framework in place, as these are a core function of any board, not only to ensure compliance with regulatory requirements, but also because it is good corporate governance to do so.

The size of the organisation will dictate whether a separate risk committee is required or whether risk forms part of a broader board committee, for example the Audit & Risk Committee or Risk and Sustainability Committee.

Here in a question-answer interview, Warburton comments on risk lessons for boards in the context of COVID-19.

What lessons do you think have been learned by directors in general on risk as a result of the COVID-19 crisis?

Those ‘low probability, high consequence’ risks do happen, so planning for them is important. Also, the wellbeing of our people is a risk that should not be underestimated. When we think we have adequate mitigation strategies, find more. The interconnectivity of risks should also not be underestimated, especially when you have a business that operates globally. Through the crisis, we have learned we can make technology changes and big shifts in the way we work quickly. In fact, I think directors are rightly now asking whether we were being too risk adverse in non-crisis times.

Have you personally taken on board learnings about risk in recent months?

Yes. Look forward, envisage scenarios and promptly return to the tangible mitigations you can activate immediately. Do not be paralysed by catastrophising. And that from risk can come opportunity. I am constantly reminding myself to look for the opportunity from the new environment in which I find myself.

What should boards be doing now on the risk front at this stage of recovery for the crisis and beyond?

The recovery pathway remains unclear. Boards should be of the mindset that this crisis is far from over. Boards should be seeing and considering various scenarios, which should be regularly updated. They need to regularly reassess key risks and mitigating strategies, because what was a key risk earlier in the year is not necessarily today or tomorrow’s key risk. Yesterday’s risk may even be tomorrow’s opportunity. It is also important to revisit previously identified risks, to check as we migrate to the new normal, whether these risks will re-emerge or whether they are no longer relevant.

What specific measures do you advocate on risk for your boards?

There is a breadth of risk appetite statements for global businesses. I encourage a balance of both leading and lag indicators in risk reporting wherever possible. And I encourage flexibility in measures, given the fluidity of the environment in which we are operating.

Do you think boards in Australia were well-prepared or under-prepared for the risks generated by COVID-19?

When we have hindsight, it is easy to identify areas where boards could have been better prepared. And we should learn from those. Notwithstanding this, I have seen key risks being managed extremely well – mostly due to the flexibility, nimbleness and creative thinking of the businesses I work with.

Three risk questions directors should be asking

  1. Do we understand the dependencies and central vulnerable points in supply chains in a post COVID-19 environment?
  2. Do we understand the velocity and connected impacts of potential technology failure in a remote working environment?
  3. Do we understand how COVID-19 has changed the directional flow of risk impacts across the business, which risks are the greatest emitters of contagion and those which are most greatly impacted? (Source: KPMG)

Understanding the answers to these questions and defining scenarios based upon connected risk events allows for stress testing business resilience and risk mitigation within the COVID-19 environment. It allows leaders to proactively challenge strategic responses.

More about Sharon Warburton FAICD

Warburton sits on the Wesfarmers Board and is Chair of the Audit and Risk Committee. She is also a director of Gold Road Resources and Worley and is active in the not-for-profit sector, including as a director of the Perth Children’s Hospital Foundation.