New management practices constantly emerge from the swamp of ideas that feed into everyday organisational life. Some evolve while others fade and die. What kick-starts them into life probably determines their survival prospects.
Take risk management for instance. In a sense it has always been around. Risk is, after all, part of the DNA of enterprise. Corporate risk is a little like libido. It drives organisations to reproduce and grow. But like sex, if practised indiscriminately, it can produce nasty side effects.
So now, the promoters of best practice management are flogging the idea and the virtues of “risk management”. In other words, controlling the urge to take risks, ensuring that the risks are worth taking and thinking through the possible outcomes.
There is, of course, nothing like a bit of glitz, glamour and promise of harsh treatment to make a management practice a tad more sexy. The rash of headline-hugging corporate collapses, the revelations of multi-billion-dollar executive frauds and the consequent application of greater regulatory pain for the over-indulgent who get caught is, as a recently published KPMG Strategic Risk Management Survey of 80 major corporates in New Zealand and Australia found, “forcing many organisations to reassess their risk appetite, management systems and controls”.
The survey found, understandably, that boards are indeed embracing risk management as a “key component of effective corporate governance”. The secret of successful risk management practice, however, lies in how directors and executives both view and practise it.
Directors apparently understand its strategic importance, but the survey suggests risk management practices are “overly focused on compliance” rather than being used to enhance business performance. The challenge, say the report’s authors JoAnne Stephenson of KPMG Australia and Jeremy Bendall the Auckland-based partner, is to find the right balance.
Risk management is not about eliminating risk or, heaven forbid, not taking risks at all. That approach is, say the authors, “a strategic dead end”. It is, instead, about “intelligent risk taking to generate value and business confidence”.
So while risk in business has been around for ever, understanding that it should be subject to strict and well-conceived management disciplines is new, except in the minds and practices of a small number of very enlightened and visionary management thinkers and organisational leaders.
It is therefore not surprising that, given the relatively short life span of this particular management practice, many boards and executives still haven’t yet got their acts in sync. Nearly half the survey’s respondents did not believe their organisations’ risk management strategies were well aligned with their business goals.
The inescapable conclusion the authors came to is that the practice of risk management has not been fully integrated into many organisations. Lots of opportunities here for consultants to put boards and their management teams straight.
Boards need to understand and clearly define their “risk appetite” or their tolerance for risk. A board’s clear understanding of its “risk appetite” is fundamental to determining how an organisation will handle its risks, say the authors. “It guides the organisation in deciding how much risk it can accept, manage and optimise effectively.”
Directors and executives use strategic risk management to build organisational resilience and flexibility in what is increasingly an uncertain business environment. It is, say the authors, about leadership, making informed choices and intelligent risk taking.
And while most directors’ eyes are turned to better risk management practices because they personally suffer the consequences of non-compliance with new and tougher rules, well-executed strategic risk practices can enhance organisational performance and drive value.
“A risk management strategy which reflects a balanced approach to business improvement and compliance can lead organisations to achieve sustainable value and greater business confidence,” say Stephenson and Bendall.
The KPMG survey targeted directors and senior executives of both Australia’s and New Zealand’s top 200 companies as well as government and private organisations. They were asked questions about five areas of risk management:
• policies and frameworks
• structure
• risk optimisation
• portfolio management
• measuring and monitoring exposures.
On risk policy and strategy, 85 percent of respondents said their current risk management practices supported strong corporate governance and they believed an effective risk management strategy was either critical or very important to achieving business goals and objectives.
However, nearly half said their risk management strategy was either only partially aligned, or not aligned at all, to their business goals; 46 percent did not perform any risk/return analysis; 33 percent were either negative or unsure about whether their organisation’s risk appetite and tolerance was clearly set out in the risk management policy; only 44 percent of respondent organisations formally evaluated the effectiveness of existing risk management controls and their cost; only 40 percent had developed integrated risk management systems; and 35 percent did not perform any entity-wide strategic risk assessments.
When it comes to structure, most organisations reported multiple accountabilities for risk management processes including reporting to: boards (70 percent); the CEO (70 percent); the board audit committee (62 percent); the CFO (48 percent) and the chief risk manager (31 percent).
More than half said their organisations had set up a board risk committee which, in 70 percent of cases, was combined with the board audit committee. About 40 percent of respondent organisations had also established an executive risk committee.
The activities of risk management systems and processes included:
• Reporting to boards on risk management activities and incidents (86 percent).
• Business unit risk assessments (78).
• Compliance audit functions (73).
• Internal audit functions (71).
• Early warning reporting to escalate material risk to boards (66).
• Integrated risk management systems (40).
Interest in risk management is driven by boards. A solid 52 percent of respondent organisations thought their board’s “ownership” of risk management was “excellent”, while 41 percent put executive ownership in the same category, and at line management level only 17 percent thought ownership of risk management practices was excellent.
Operational, financial and information technology related risks are at the top of the portfolio of risk assessment activities organisations undertake at 94, 85 and 81 percent of activity respectively. Other risk assessments included projects (69), legal and regulatory (69), entity-wide strategic (65), business contingency (65), environmental (58), fraud (52), transition/change risk (27) and programmes (22).
And while 78 percent of respondents said risk assessment was conducted as part of business case justification for key strategic projects and initiatives, the lack of enterprise-wide risk assessment suggests business case risk assessments were not undertaken as part of an integrated and holistic risk management system, according to the authors.
The survey results show that whilst risk assessments were widely performed, the use of scenario planning is less prevalent, even in our largest enterprises. Only 41 percent of respondents said scenario planning was a big component of their risk management programme.
The survey authors’ view that risk management frameworks have not yet been fully embedded and integrated into management and board processes is, they said, reinforced by the finding that only 55 percent of respondents reported using key performance indicators to measure the performance of the risk management process.
