At a glance
- Recent survey data shows that only 11 per cent of companies in Australia run regular scenario analysis around risk events to plan how to respond to a crisis.
- With even the most financially robust companies facing the harsh effects of the current economic uncertainty, risk management issues are increasingly in the spotlight.
- Risk mitigation is not simply about shoring up finances to weather a downturn, but also about working out a buffer based on risk appetite and tolerance.
By Nina Hendy
The current economic tsunami has blindsided even financially robust companies.
As we wait to switch gears into recovery mode, many organisations are facing up to the fact that they had been prioritising profits over long-term business sustainability.
While money makes the world go round, the decision not to spend on risk assessment and mitigation has cost many dearly. It is hard for a company to admit it was ill-equipped for unforeseen risks that are part and parcel of being in business.
Many companies scrambling to stem the financial losses in their own business are now pondering how to implement risk tolerance assessments and wondering whether these assessments could, in fact, hold the key to surviving whatever the economy might throw at them next.
Too little, too late
Recently in Australia, companies have been hit by a string of crises – the drought, a Banking Royal Commission, devastating bushfires and major construction industry woes around dodgy cladding. Last but not least, there’s been the COVID-19 pandemic that is still causing chaos.
Globally, the past six months have dealt a body blow for many in business. The World Bank predicts that the global economy will experience the deepest recession since the end of World War II, with a 5.2 per cent contraction in global GDP in 2020 alone. The economic impact varies by region, but no country has remained untouched.
While risk assessment is recognised as part of good business practice, a new survey reveals that almost 40 per cent of Australian businesses are not regularly testing their risk and crisis plans.
The Governance Institute Risk Management Survey Report 2020 also reveals that just 11 per cent of companies are regularly running scenario analysis around risk events to test how to respond to a crisis. The survey, conducted in March, garnered 393 responses from C-suite executives, and half of those surveyed focused on governance and risk in their role.
The research reveals that damage to brand or reputation is among the top five perceived risks for executives over the next three years (60 per cent), while 59 per cent are concerned about the impact of policy change and regulatory intervention on their business.
Other top risks include cybercrime, talent attraction and retention, disruption and failure to innovate, economic shock, employee conduct and risk from increased competition.
The results of the survey prompted this stern warning from Governance Institute CEO Megan Motto: “Organisations cannot afford to be underprepared any longer. Risk is under the spotlight like never before, and it’s essential this is recognised within organisations.
“Risk management issues have been pushed high up the agenda for so many organisations,” she adds.
“It has been an extraordinarily difficult year, with new risk challenges being thrown in the mix almost constantly.”
The fact that risk tolerances have long been hopelessly underestimated by businesses should be a collective concern in the business world, says Jeffrey Luckins FCPA, director, audit and assurance, of Melbourne-based William Buck.
“The whole risk management function has taken a back seat to the naked greed of businesses, which has prioritised current trading profitability over the longer-run balance of protecting the sustainability of businesses for the long term,” Luckins says.
Mario Bekes, managing director of corporate investigations and risk management firm Insight Intelligence Group, reveals that the oversight is far more common than many think.
Bekes predicts that, as we head into recovery mode, risk tolerance assessments will be top of mind around boardroom tables.
However, mitigating risk is about much more than simply squirrelling away enough finances to survive a downturn. It is about working out a buffer based on your risk appetite and tolerance, Bekes says.
Tackling the problem
The best risk management policies and practices are the ones owned by the people who are most affected by them.
“There’s no quick fix here, but what Australian businesses can do is re-evaluate the level of risk that they are prepared to tolerate against the return on investment expected, and then decide whether the current business strategies are consistent,” Luckins suggests.
“Unless those charged with governance of the business are prepared to conduct a comprehensive assessment of risk and how it interacts with the business objectives... there’s no point in getting started at all,” he adds.
Ill-equipped from the outset
A major challenge is that most modern operating systems used in business are based on Industrial Age thinking.
Anyone conventionally entrenched in old-school management is less equipped for the modern world and is not well-suited for the volatile, uncertain, complex and ambiguous world we live in, according to Dr Gavriel Schneider, CEO at Risk 2 Solution Group.
In fact, a white paper on risks published before the string of crises facing businesses now points out that businesses have become too bogged down in processes, procedures and paperwork in the effort to avoid loss or damage.
As businesses bounce from one disaster to the next, they are forced to make critical decisions amid each crisis, and often risk management due diligence has been overlooked, Schneider says.
“We now live in a world of fast governance, where critical decisions that previously would have taken a medium to long-term period to execute are now occurring immediately.
“The fundamental weakness with resilience is the idea that we’ll bounce back to where we were before the disruption happened. But that thinking is flawed in several ways.
“If we’re operating on ‘just-in-time’ ordering, or we have just enough cash flow to operate for a month, and there’s a disruption that causes us to not operate for two months, our business isn’t really sustainable,” Schneider says.
Better planning is key. “A business has got to be a good business because it stands up on its own, not because it’s been easy to do,” he says.
Improving risk culture
The Governance Institute of Australia’s Risk Management Survey 2020 reveals that better reporting tools and raising the voice of risk could improve risk cultures, followed by board leadership and clarity of purpose.
The bigger the organisation, the more likely it is to believe that suitable reward systems are helpful.
This is because the bigger the company, the more likely it is to have a dedicated risk department.
Motto also suggests that businesses set up a “risk register” outlining all potential risk outcomes and what is being done to manage them.
“Review your risk register regularly and consider how you will respond to an escalation of your risk, and how you will convey information about those changes,” she says.
When measuring a client’s risk tolerance to a crisis, it is important to consider it from a holistic point of view, particularly within a rapidly evolving business landscape that has been tranformed by COVID-19, adds Victor Saw CPA, PwC deals partner and leader of business recovery services, based in Kuala Lumpur, Malaysia.
“The pandemic has brought upon fast-moving and unforeseen variables, some of which existing crisis plans and teams were not adequately equipped for,” Saw says.
“Evaluating risk should include the following as key considerations: crisis management and response, workforce, operations and supply chain, finance and liquidity, tax and trade, and strategy and brand,” Saw says.
Saw predicts that businesses may still feel the impact of continuing economic shock and unavoidable exposure to risk such as supply chain disruptions, vulnerable cash flow projections and liquidity challenges over the next 12 months.
“Businesses may also be required to navigate tax, legal and regulatory changes. There will be a pressing need for [companies] to innovate and transform workforce culture as a means of retaining key talent in the foreseeable future,” Saw adds.
Preparing for "presilience"
Schneider is an advocate for a new approach that he dubs as “presilience”, which sets companies up to withstand the volatility of the “new normal”.
Presilience isn’t a process: it is more about flexibility and adaptability in responding to incidents in the future. It is about constant learning and adaptation to seize an opportunity to grow.
The future should be less about prescriptive plans and processes, and more about enabling people through building our own natural human skills of perseverance and developing effective leaders and teams, Schneider says.
“Given the scale and pace of major events we’ve seen occurring, driven by climate change and an increased global movement of people, we need to get better at responding to what is unfolding in front of us,” he says.
In terms of costs, assessing risk is probably cheaper than some might believe. Schneider predicts that his clients spend about 2 per cent to 4 per cent of the budget on risk management activities when operating in a low-risk environment.
“Remember also that risk is sometimes opportunity and innovation. Companies may include innovation in their R&D budget. It may even be an innovation hub – that’s an opportunity to consider, too,” Schneider says.
CPA Library resource:
Treat it like an emergency
Bekes urges businesses to learn to respond to a crisis in a way similar to that used by emergency room doctors.
“Having a clear triage process instils increased willingness into employees and broader stakeholders to fight the fear, uncertainty and anxiety that accompany a crisis – especially the current one,” Bekes says.
Corporations should also devote more resources to the strength of their “human firewall”. Consider whether recruitment, training and due diligence activities pay enough attention to the fact that security breaches, cyber or otherwise, are easiest when someone opens the door or provides a key, Bekes says.
“Most organisations’ human firewalls have been compromised through changes in home working and communication practices,” he says.
When Bekes was working with the government in Croatia in the 1990s, his team had an apt phrase that illustrates the fight businesses have ahead of them: “‘Enjoy the war, because when the peace comes, it will be a horror show’ – which essentially highlights the big challenges left over after a crisis ends,” he says.
What could help an organisation improve its risk management culture:
52% Better reporting tools
52% Raising the “voice” of risk
43% Leadership from the board
42% Clarity of purpose/strategy
26% More financial resources
20% Better advice (external consultants, legal advisers, etc.)
16% Suitable reward systems
Source: Governance Institute of Australia