Thanks again to Lexis Nexis for making my most recent article available from the latest issue of Risk Management Today.

As the ASX Corporate Governance Council gears up for its next round of review, the IIA has got on the front foot with their list of demands.  This brief article gives Risk Management Today readers a brief sense of what’s happening, where practices are lagging and the importance of risk assurance.

Key points

• The 2007 revisions to ASX Corporate Governance Council Principle 7 (in particular) Recommendation 7.2 shifted the emphasis from process to content
• This requires management to provide a full and frank view of the group’s material business risks to the board
• Material business risks at the group level tend to be strategic in nature and wouldn’t normally be expected to be identified through a bottom-up process
• IIA suspects that practices in this area are lagging outside the ASX/S&P top 50 listed companies (a view I agree with)
• Providing a comprehensive view on material business risks is a challenge for most companies, it is outside normal skill sets
• Internal auditors will also need to up-skill to fulfill their role in this

Material business risk (in particular strategic risk) is a complex topic and one which I’ve touched on many times on at todddavies.com.au.  Articles and presentations are tagged for those who are interested and can be found here.

Please feel free to download the current RMT article. (Download, pdf, 1 page, 100kB).  More information on this publication can be found here.

And of course, if you need assistance on determining where your company is at, feel free to call.

To subscribe to this series of occasional articles and case studies, please click here.

About 12 months ago I wrote the feature article for the Institute of Internal Auditors’ global e-zine on the top 10 risks for 2010.

I received an email this week about the article which prompted me to have a look back at what I’d said, and also some of the comments which had been made in response.

My focus at the time was on ‘strategic risks’ a risk category which is often not focused on because they are hard to pin down. These risks tend to move from inconceivable to possible and probable moving quickly on your risk matrix over time and with increasing consequence. And as these things are often unprecedented, its often not clear how these will manifest themselves. As such, some of my top themes tended to be underlying drivers rather than specific risks which can be put in clear focus.

I’ve been talking and writing about this area – strategic risk, black swans, emerging risk, risk foresight and unknown unknowns for a few years now. This has led me down a range of paths including working with futurists, former futurists, board members, CRO’s, CAE’s, and even being on a debating team with people from the WEF’s global risk team. The results of this work can be confronting, particularly as it often challenges fundamentals and norms that we’ve taken for granted during the latter phases of industrialisation.

The human response

What has become more interesting and evident to me over time hasn’t just been the risks specifically but the usual responses I normally get when pointing out some of the big strategic risks as I see them:

1. These risks are not present today, and I’ve got bigger things to deal with in the near term, so please don’t waste my time with this lala land stuff (fair enough, but risk is a business of uncertainty rather than certainty)
2. I don’t believe these risks are going to manifest during my tenure, and they’re not in my role description or KPIs, so they’re not my problem (fair enough, this is not easy stuff to deal with, but raises some issues)
3. You’re right, there are some blind spots, and thanks for pointing some new ones out so I can find out more. (Ureka!)
4. Yes, I agree, and here’s some YOU’VE missed. (Very exciting, let’s talk)

My work is deliberately focused working with people in category 4 and sharing what I learn with those in category 3. In my view, these are the people who will avert massive destruction in shareholder value and create competitive advantage and possibly even market strength as a by product.

Where does strategic risk capability lie? Where should it lie?

Thematically with some notable exceptions, the greatest capability in being across strategic risks seems to lie at the board. Management, risk management and internal audit are mostly focused in the day to day. Their tenures often don’t align with the unfolding nature of these risks over time, whereas ultimately these will come home to roost with the board. This means a good board, and a diverse and well networked board with varied experiences and world views is key, and has been the basis of my arguments for board diversity including but beyond gender.

The challenge is when risks emerge which are not within the experience of the board, possibly because these risks are unprecedented. This is when risk forecasting capabilities are essential to avoid blind spots, which has been the crux of my argument since the GFC. Simply if organisations don’t have this capability in house, boards need to get someone in occasionally to challenge the organisation’s thinking on strategic risks and risks which will manifest themselves beyond the CEO’s tenure.

So how did the crystal ball do?

It is worth looking back to see how the top 5 themes list fared 12 months later with the benefit of hindsight, some of which were refuted by some who commented on the article. Here’s a few thoughts.

1. Energy prices. Forecasters are saying we’re still 12 months away from $100/barrel, but this week world leaders are leaning on OPEC to increase supply to try and postpone the rise. Coal prices are increasing quickly. Governments are strategically positioning around energy security as they understand the consequences to be catastrophic. This continues to be one to watch.
2. Industrialised world atrophies while the emerging economies grow. There are clear signs of this. Have a look at the Europe vs China story.
3. Population pressures and constraints on commodities. Notice that the resource companies are the ones driving economic growth in the developed world over the past 12 months? Seen what’s happening with food prices lately, and why Canada and Australia are now economies and currencies of preference in the developed world?
4. Structural currency rebalancing? Yes, many were in denial on this one, but I’m very happy that I advised my clients to unwind their exposures to certain currencies. The consequences for them would have been more than material and in some cases catastrophic leading to a crisis of confidence in management and the board, with potential knock on effects into the broader community.
5. Climate change. Sure, I’ll agree, not a risk in itself, but on at least half of the boards and audit and risk committees I sit on, it’s a key driver which those organisations will need to deal with creatively if they are to keep achieving at the rate they’re used to.  And although not yet mainstream, there are some disruptive innovators doing some things in carbon markets which previously were unheard of.

So in some of these risks resulted in a material impact for some organisations, industries and countries. Some did not. But it’s fair to say that all five themes did drive changes in the risk profile, and are increasing in likelihood and impact.

Final thoughts

I guess all of this raises a philosophical question about who should be responsible for keeping an eye on strategic risk. In my experience the board and independent risk committee tends to do okay at it, but management is very much immersed in delivering this year’s plan. Taking your eye off these can be devastating. We’ve seen too much of this as I’ve written and spoken about many times.

At the time of the article, the internal audit profession was positioning itself to provide assurance over the risk frameworks and risk reporting of organisations. This article introduced a few ideas on what this actually means, including the provisions of Principle 7 of the ASX Corporate Governance Principles in relation to material business risk. For me, internal audit’s role is to see whether this emerging risk capability is in place and working well. If it isn’t internal audit has an obligation to let the most senior people in their organisation know, including the board.

I hope this has stimulated debate, including people who don’t agree with me, and if it has, then this has been very worthwhile. I’d love to to rekindle the debate, including from those who believe these risks are right, and those who still think it’s all a bit fluffy.

The original article and space for comment can be found here: http://www.theiia.org/intAuditor/free-feature/2010/february/a-look-ahead-top-risks-for-2010/index.cfm

For those who are keen to find out more, I’d also welcome people to trawl my archives of articles, papers, presentations and video on the topic and join the mailing list for future updates.  Where available, these are on this site free of charge.

To subscribe to this series of occasional articles and case studies, please click here.

So what does all this mean?  Well three things really:

• Great governance should be common sense
• Great governance shouldn’t be difficult to implement
• You shouldn’t have to spend large sums of money on compling or writing disclosure statements.

Our offering is really simple and is aimed at small and mid-cap companies:

• We’ll tell you quickly whether you comply already – and make sure you get credit for what’s already in place
• In the areas where you don’t comply, we’ll see if you already have mechanisms which address the spirit of the principles – again making sure you get credit for being a well governed organisation
• If you don’t comply and don’t have a good mechanism, we’ll give you guidance on whether this matters to your company, to the market and what easy and quick solutions are available to you.
• In rare cases when the answer isn’t a simple one, we’ll give you the answers straight and steer you to a cost effective path.

There are many quick wins in this area, and we’ll make sure you’re across them.

Why TDA?

Todd Davies has been a practitioner representative on the ASX Corporate Governance Council since shortly after the first principles and recommendations were released and was a member of the working group on Principle 7 (Recognise and Manage Risk).  He has deliberately positioned himself as a pragmatist on the group with a sense of how to make the principles useful in practice, and practical to implement.

Perhaps more importantly, Todd believes that this should be an area which common sense prevails and not one where consultants generate large fees.  We encourage you to hold us to that!

To subscribe to this series of occasional articles and case studies, please click here.

There was a particular interest in what this will mean to other sectors.  While it’s difficult to predict in detail, I’d suggest that the one to watch is the new recommendation 7.2.  The crux of the wording of this is that rather than just going through a process, management now need to form a view on whether their risks are being effectively managed and report this through to the Board.  This means that risk management can no longer suffice as a standalone process, but must be truly embedded into the governance processes of the organisation, and that due diligence will have to be done on the output of any risk process.  As I found in my last head of audit & risk role, such a signoff requires significant gear changes in thinking to make it effective and relevant.  It’s going to be an exciting time for risk management for those people on the front foot.

Download the presentation here:
Updated ASX Corporate Governance Principles & Guidelines

If you are looking for assistance with compliance with the Principles & Recommendations, please click here.

To subscribe to this series of occasional articles and case studies, please click here.

• Clarity and unity of vision and sponsorship by internal stakeholders
• Clarity of responsibility between the various assurance, risk and compliance functions
• Efficiency in delivery
• Optomisation of risk and assurance coverage
• Increased risk-sensing ability
• Streamlined implementation with minimal false-starts

In short, bigger bang for buck and more engaged and satisfied stakeholders.

Please click on a link below to find out more about the type of work we typically get involved with.

Vision

• Vision setting
• Benchmarking
• Internal audit self assessment
• Enterprise governance framework

Enabled by High Performing Teams

• The Virtual Chief Audit Executive
• Getting the most out of internal audit sourcing
• Coaching for rising stars
• Getting the right staff on board

Powered by Leading Practices

• Internal audit transformation
• Audit committee best practices
• Assessing the adequacy of your risk framework
• Understanding GRC software solutions
• Strategic risk and emerging risk capability
• Stress testing your risk profile
• Compliance with the ASX Corporate Governance Council Principles and Recommendations

To subscribe to this series of occasional articles and case studies, please click here.