In a recent risk and governance forum held by the Governance Institute of Australia, experts declared that organisations must undertake rigorous review of non-financial risks. Turlough Guerin provides a detailed report.
While sectors such as banking and agriculture were directly called out in terms of their impact, there were implications for all sectors of industry, including facility management.
This distils the key findings from this forum and identify critical questions that non-executive directors must ask to ensure they are acting in the interests of their organisations and clients.
The main areas covered in the conference and reported on here are:
- Corporate view of risk and culture
- regulatory view of risk and culture
- the future of work
- cyber risks
- climate-related risks and opportunities, and
- other learnings, lessons and take-home messages.
Corporate view of risk and culture
Cultural change in corporate Australia was the clarion call of the conference. Boards must define purpose, code of conduct, remuneration aligned with risk appetite. Codes of conduct are usually more detailed than core values as they specify behavioural expectations. Management should draft these for board approval and they should be more than a poster on a wall. In summary, directors must take responsibility for culture.
In terms of actions to be taken, management reports should include non-financial requirements and their management. Reporting of material misconduct is now critical. An interesting insight and development at the conference was that an organisation can now measure and predict culture automatically using algorithms (i.e. dynamically). This can lead to the identification of ‘culture carriers’ who should be positively recognised. The essence of this is the need for social belonging, which in this session was more important than the conventional wisdom espoused in Maslow’s hierarchy of needs.
Questions for directors:
- What is the tone that is being set at the top?
- Does the organisation’s culture support long-term shareholder value?
- Does it increase brand loyalty and bolster reputation?
Regulatory view of risk and culture
Culture needs to focus on more than short-term performance. Culture reflects thinking and behaviour. The corporate regulator in Australia, ASIC, is interested in how standards of behaviour and culture are set. Directors need to embrace constructive challenge and professional scepticism and call out unethical behaviour. Companies need to ensure that the customer is put at the centre of all cultural conversations. A key recommendation was the need for a more rigorous view and assessment of non-financial risks.
Questions for directors:
- Directors should ask management: what does good culture look like and how can it be measured?
- How mature is the organisation’s view on risks?
The recently published APRA report inquiring into the shortcomings of the Commonwealth Bank of Australia (CBA) has been a watershed moment for risk managers and directors. Commended by presenting experts, it is highly recommended that directors read the report (a link can be found in the ‘recommended reading’ section at the end of this article). It highlights the need for greater transparency, greater trust, accountability to customers and the need for a change in culture to focus on professional and ethical standards.
While this inquiry by APRA examines the performance and behaviours of a large bank, there are considerations for industries beyond banking, such as:
- The financial success experienced by the bank was making it harder for the bank to hear the critical ‘voice of risk’ and the ‘voice of the customer’ – success dulls the moral senses.
- Another was the reactive, rather than the proactive and pre-emptive approach, in dealing with risk. The organisation had become insular, not reflecting and learning from its mistakes and those of others.
- Risk managers need to bring risk to life in their organisations. Organisations must take care not to put the desire for collaboration over the need for challenging and addressing real issues. The pursuit of consensus can be dangerous.
- Finally, a widespread sense of complacency had developed throughout the organisation’s culture and, particularly, around non-financial risks.
The report provides a good overview of corporate governance. It has brought focus to corporate Australia although there is little new reported in this regard. For example, read the findings of the HIH insurance failings in the inquiry into the same organisation from 2003. The same or similar traps and missteps can, however, befall any number of businesses, professionals and sectors.
The future of work
The risk and opportunities from the nature of changing work practices were highlighted. A key point made was that it is hard to differentiate when employees are working or not. An example was given of Shell, which is trying to bring people back into its offices.
There is also a pressing need to separate work from recreation in a digital world. The point was made that 60 percent of workers switch roles after four years. Therefore, boards need to consider their posture towards disruption.
An interesting (and worrying) observation given was that most fraud occurs after hours; therefore, it is important for organisations to be on the lookout for trends, which can now be enabled by big data applications. It also raises the importance of privacy and the need for boards to be aware of the complexity in designing and monitoring privacy in an organisation.
Questions for directors:
- Where are your people? What are they doing? Boards should ask what the organisation’s digital strategy (note: not IT strategy) is and whether it supports operations and workforce wellness.
- Considering the mobility of the workforce, how can a company prove where its data is?
One thing is certain: every industry will be impacted by blockchain. It is expected to massively reduce the cost of handling, verifying and auditing in any supply chain. The take-home message on blockchain risks and opportunities was “don’t jump in, but keep a close eye on developments” as they arise in the sector. Remain open to it. It will have teething problems, but organisations must be ready for this technology and its application. Otherwise, playing catch up will be too expensive.
Questions for directors:
- In terms of its application, how do we solve today’s problem with blockchain?
- How does the board prepare for it?
- Where is it going to go in the facility management sector?
During the conference, the topic of cyber risk was broached numerous times. The point was made that directors should remember cyber risk is not a technology risk – it’s a people risk.
The Equifax cyber breach was discussed. Equifax, which owns the credit history and personal information of 800 million people around the world, confirmed in late 2017 that the data of 143 million of these people had been hacked. This catastrophic breach of Equifax’s systems was inevitable because of systemic organisational disregard for cybersecurity and cyber-hygiene best practices, as well as Equifax’s reliance on unqualified executives for information security. While Equifax’s breaches have been proven, it is reported that other irresponsible data custodians may be just as vulnerable and may have already been compromised.
Phishing attacks are increasingly being ‘tailor made’ for executives. This is easy to do with so much information about executives now readily available online via social media. Insurers are going to become more selective about who they will insure. Premiums for cyber insurance are likely to increase rapidly. Organisations are urged to look hard at the details of the cyber risk coverage in insurance policies. This is an area where boards should seek external advice. Companies should be asking executives responsible for IT what risks are being identified and how they are being managed and, where necessary, reported.
Questions for directors:
- Are the cyber risks to the organisation understood?
- Is the organisation monitoring cyber risks?
- What cyber risks are the organisation willing to accept?
- Are penetration tests being conducted routinely?
Climate-related risks and opportunities
Although this risk has been perceived as an environmental or sustainability risk for many years, it has become clear that it is a financial, legal and operational risk for all organisations – not just those with direct carbon liabilities. So-called ‘black swan’ events (major events that have a tremendous impact, only to be inappropriately rationalised in hindsight) are becoming more frequent. Three such events occurred in South Australia in the recent past.
The Hutley Opinion (‘Climate Change and Director’s Duties’) has made important progress in clarifying the responsibilities of directors and officers. This opinion states that directors will be liable for failing to ask about the risks facing their organisations.
APRA has also come out with a position, indicating that organisations would be wise to comply with the TCFD recommendations regarding climate risk disclosures. While the Federal Government has not set targets for net zero emissions, state governments have, to varying extents of regulatory authority. Being ready for further legal regulation is prudent governance. The critical first step is for organisations not yet engaged with this issue to disclose carbon emissions and climate risks.
Parallels were drawn between the Royal Commission Into Misconduct in the Banking, Superannuation and Financial Services Industry and the handling of climate risks – the common consideration being that victims now have a voice and will act. The audience was reminded that Earth is currently experiencing a one-degree increase in global temperatures. Change from a one- to two-degree increase is exponential and not linear. The point was also made that Millennials are voting with climate-related issues in mind and are therefore influencing the flow of capital.
Primary producers are being impacted now as a result of changing climatic conditions. The availability of water is probably the most significant issue facing Australian farmers. Day Zero events – such as the one Cape Town is hoping to prevent as its water supplies run close to empty – are becoming more frequent. Evidence of the risk crystallising was reported with examples of large corporations like Nestlé and Coca-Cola having operations impacted due to issues with groundwater availability and quality. It’s becoming increasingly clear that water is no longer ‘free’. The rural sector is taking action, with Meat Livestock Australia setting a goal for the red meat industry to be net carbon zero by 2030.
BlackRock chairman and CEO Larry Fink’s open letter to shareholders in 2017 made it clear as to what his organisation’s view was to social purpose. As the world’s largest investor, this has particular significant for company directors.
Questions for directors:
- What are the organisation’s climate-related risks and opportunities?
- Do we know how the organisation could be impacted under various future legal, market and other scenarios?
- How are we protecting our balance sheet from the potential of our assets becoming stranded?
- Does the organisation knows its pathway to zero emissions?
Other learnings, lessons and take-home messages
Organisations can’t eliminate risks, but they can mitigate them. It was noted by risk experts that the classic 5 x 5 risk matrix is no longer fit for purpose. Rather, the audience was challenged to seek to understand the quality of risk controls in place in their organisations.
Interestingly, according to the experts presenting, risks across organisations and sectors don’t vary greatly, but the quality of the controls do. Start internally and with actual risk controls, then work backwards when mitigating risks.
Everyone should be involved in risk identification and mitigation, not just those delegated its form ownership, such as risk committees and risk managers. At the same time, people in organisations need to be held to account for failing to mitigate risks.
“Individual risk events do not necessarily repeat, but they do rhyme” was a point made by one of the presenters.
Other important messages included:
- Success in the past (in risk management) does not necessarily mean success in the future.
- Directors should look closely at customer or stakeholder complaints. These are a gold mine in terms of gaining insight into real risks for an organisation.
- Ask what is the ‘invisible thing’, above the organisation’s offering, that keeps customers coming back. For banks and most organisations, this ‘invisible thing’ is trust.
- Look to where the incentives in an organisation. This will give hints as to where risks will be hiding.
- Increasing transparency on the what and how of incentives in your organisation is critical. The more that people can these incentives, the more others can point out the emerging and/or likely risks.
- Don’t forget about ‘long tail’ risks in an organisation. These could and often do manifest to cause current operations problems.
Questions for directors:
- In having risk discussions regarding issues, are you asking what must go right?
- What are we afraid of happening as an organisation?
- What is the worst thing that could go wrong?
Regulators are increasing their focus on non-financial risks. Non-financial risks, such as those that are climate related, are increasingly being considered mainstream in the governance of organisations within particular industries.
A strong impression from the conference was that the lessons learned from the finance and banking sectors should be considered by professionals in whatever sector they are active in, including facility management.
The following quotes from the Governance and Risk Forum capture the essence of the importance of risk:
- “Wrong is wrong, even when everyone is doing it. Right is right, even if no one is doing it.”
- “Do the basics. Do them well.”
- “Good risk done well is a proxy for good management.”
- “As risk managers and non-executive directors, be courageously authentic.”
- “The recent APRA report into the behaviour of CBA didn’t find out much new, but it has reminded us where the bar is.”
- “The future [of organisations and their governance] is about moving away from complacency.”
- “Individual risk events do not necessarily repeat, but they do rhyme.”
Summary of highlights and insights
|Banks||Regarding the APRA report into CBA, the financial success being experienced by the bank was making it harder (for the bank) to hear the critical “voice of risk” and the “voice of the customer.” A culture of chronic ease set in. Governance was running well below acceptable practice. |
|Blockchain||Organisations must keep a close watch on the application of blockchain to their businesses. Failure to do so means it will be too expensive to catch up when required. It will have teething problems. The key message is to remain open to it. |
|Communication||The old quote still holds true: “The single biggest problem in communication is the illusion that it has taken place” – George Bernard Shaw. This applies at the board level with respect to risk where the message may start as the tone at the top that becomes the mumble it the middle and finally degrades to a groan on the ground. |
|Culture||An overarching theme was the need for a more rigorous view of non-financial risks such as culture. |
|Climate-related risk||No longer viewed as an environmental or sustainability issue but a financial and strategic risk and opportunity. Directors are now recognised as being liable for addressing these foreseeable risks. Water availability and pricing are good examples. |
|Cyber Risks||Organisations are urged to look hard at the details of the coverage of cyber risks. This is an area where boards should seek external advice. |
|Incentives||Look to where the incentives are in an organisation and this will give hints as to where risks will be hiding. |
|Insurers||Insurers are going to become more selective about who they will insure. Premiums for cyber insurance are likely to increasing rapidly soon. |
|Risks||Everyone should be involved in risk identification and mitigation, not just those delegated with its formal ownership. At the same time, everyone in an organisation needs to be held to account for mitigating risks. Of critical importance in this regard is to seek to understand the quality of risk controls. Remember that what is happening with respect to risks in other organisations could apply to your organisation. |
Managing Culture – A Good Practice Guide, https://www.iia.org.au/technical-resources/publications/managing-culture—a-good-practice-guide
APRA’s final report on the CBA, https://www.apra.gov.au/media-centre/media-releases/apra-releases-cba-prudential-inquiry-final-report-accepts-eu
The Hutley Opinion, https://cpd.org.au/2016/10/directorsduties/
Blackrock CEO Larry Fink’s open letter to shareholders, https://www.blackrock.com/corporate/investor-relations/larry-fink-ceo-letter
Turlough Guerin is a non-executive director of on several boards, including Bioregional Australia Foundation, a champion of the global One Living Planet framework. He is an advocate for sustainable business, strong and effective climate governance and is a fellow of the Governance Institute of Australia.