As the developed world pulls itself away from the abyss of the global financial crisis, many around the globe are breathing a sigh of relief. Having dodged a major bullet, organizations are now returning to business as usual. But if the crisis was a wake-up-call for the world, did business leaders and internal auditors pay attention or just hit the snooze alarm? What’s the next “black swan,” or significant unforeseen risk, and what should internal auditors be doing about it?

In this free feature from IIA’s global magazine, Todd summarises several key areas should be on all company watch lists for 2010 and beyond.

http://www.theiia.org/intAuditor/free-feature/2010/february/a-look-ahead-top-risks-for-2010/

A lot has been happening with the Resilient Futures Forum this year. Resilient Futures has been kind enough to record some of their work and make it available to the public free of charge.  Highlights from Todd’s work with resilientfutures.org are set out below.  Click on a heading to watch / listen.

Risk and Responsibility (AHAUCHI Conference, September 2009)

[Streaming video: YouTube - 3 parts, 22 minutes total]

Presented as part of a three day strategy and leadership conference on the future of residential colleges, Todd Davies provides insights into the nexus between governance, leadership and risk, and provides a whole systems perspective into regulatory reform, avoiding the next GFC and the future of leadership on these dimensions.

A Leader’s Responsibility: Governance, Risk and Resilience (AHAUCHI Pre-conference, August 2009) [Streaming and downloadable audio: Resilientfutures.org - 1 part, 26 minutes total] As part of the lead up to the AHAUCHI sessions, Todd discusses the new context for the governance and risk responsibilities of leaders, especially directors and managers; the breakdown of conventional methods of risk and governance management in dealing with these conditions; the consequences of such a breakdown; new processes for more realistic governance, risk and resilience.

The Real Risks of Business as Usual  (Resilient Futures Forum event – “Planning for Growth: Water? Climate Change? Economic Shocks?, August 2008)

[Streaming and downloadable video: Resilientfutures.org - 1 part, 15 minutes total]

This is essential viewing for anyone in a governance, leadership, assurance or strategy role in a large organisation – corporate or government. This presentation is particularly timely given current conditions, increasing market turbulence, and the move by stock exchanges and regulators around the world who are beginning to expect CEOs and Boards to have a strong understanding of ‘material business risk’, and hence strategic risk.

There is also a lot of great material on the resilientfutures.org website and their Youtube channel.  If you are interested in understanding the future, complexity and the challenges and opportunities arising from this, these sites are well worth a look. Enjoy. TDA

Strategic risk capability is one of the key capabilities of our time.

As part of their ongoing roles, Directors and CEOs need to have a deep understanding of the strategic risks and opportunties facing their organisations.  Increasingly they are looking to their internal audit team for a view on whether their company’s risk management systems are adequate, and complete which needs an understanding of strategic risk as well as traditional areas of compliance, reporting and operations.

Strategic risk management is an area which is vital to the long term prosperity and performance of any organisation, yet it is an area which is not well understood or applied.  While auditors and managers are often comfortable with operational, reporting and compliance risk, it is often strategic risk that leads to material and irreversible business disruption. Internal audit teams are now expected to have an understanding of strategic risk and evaluate their organisation’s capabilities in this area as emphasised in Principle 7 of the ASX Corporate Governance Principles & Recommendations.

As part of the Institute of Internal Auditors ongoing work to enhance the capabilities of their members they have engaged TDA to facilitate a series of half-day public courses on strategic risk.   The course covers strategic risk as a distinct segment on the COSO framework, sources of strategic risk, strategic risk capability and a range of concepts to help understand and assess strategic risk.

Developed for Chief Audit Executives, by the end of this course, participants should be able to:

• Differentiate strategic risk from other risk types in the overall risk universe
• Recognise how strategic risk manifests itself
• Assess their organisation’s ability to identify, assess and manage strategic risk
• Identify areas of strategic risk vulnerability in their organisation
• Interact confidently with those responsible for leadership in this area.

Dates for the rest of the year are:

Melbourne: Thursday, September 10 2009

Perth: Friday, September 25 2009

Sydney: Friday, November 6 2009

For more information go to the Education & Events section of www.iia.org.au or call the IIA on (02) 9267 9155.

If you are not an internal auditor and would like a briefing session for your organisation, please contact us at info[at]todddavies.com.au or contact Todd on (0) 422 000 913.

This week I was fortunate enough to join with some of the leading minds on governance at a joint meeting of the International Corporate Governance Network (ICGN), World Economic Forum (WEF) and the UN Principles of Responsible Investment (PRI) to discuss a range of issues on where governance needs change in order to avoid another Global Financial Crisis (GFC)… or worse.

The length and extent of debate was extensive ranging from the structure of the financial system, through to regulatory structuring, regulatory arbitrage, global regulatory frameworks, rules vs principles vs supervision and enforcement, Australia’s twin peaks and quadruple peaks model, ESG and a range of other useful debate, as well as the old chestnuts of shareholder input into executive remuneration.

I was encouraged by comments early in the meeting by Jules Muis, former Vice President and Controller of the World Bank saying that there are really only two key issues which need attention – strategic risk and systemic risk, and if we can get accountability for assessing and managing these at different scales, then we will be set for success in the future.

Lindsay Tanner, Federal Minister for Finance explained that conditions had changed and global markets can only be regulated through global coordination, while Anne Simpson, from CalPERS representing one of the largest pension funds in the world told us simply, that “we needed more joined up thinking”, eluding to the need for a wholistic, multi-faceted approach to systems thinking.

Al Gore reminded us that “we often confuse the unprecedented with the unlikely”, and Professor Mervyn King SC reminded us that “companies do not operate in a vacuum.”

Despite this sage counsel that we need an approach which allows us to think properly about strategic and systemic risk, and predict the “unprecedented but increasingly likely”, unfortunately these threads were not actively picked up, perhaps because this is an area which is not yet well understood.

In the area of risk management, boards are concerned about false comfort in risk systems – whereby companies hire a small army of risk experts who go away and implement risk frameworks such as COSO ERM, A/NZS 4360 or ISO 31000, and assure them that everything is okay, that their risk systems are sound, and the board and management can sign off.

The problem of course is that while routine bottom-up approaches to compliance, operational and reporting risk are good at managing the bread and butter of businesses, it’s rarely these areas which cause the material problems. Despite strategic risk and systemic risk now starting to be recognised globally by policy setters as the daddy of them all, people don’t have the capabilities in place to understand what these are, let alone manage them. Intuitively, boards know this.

The result is that a significant proportion of companies which experienced significant value destruction and earnings surprises in the last 18 months came out with the standard rhetoric “no one could have seen this coming”, leading to an inference that either the risk systems are not as we’ve been told (deceptive conduct) or the boards were incompetent (negligence).

I’ve been giving briefings and training on these areas internationally, including in public fora around Australia and the United States in order to help companies govern responsibly. In my mind, strategic and systemic risk are the elephants in the room which are still being overlooked and not understood.

I asserted in a public session at the meeting in front of some of Australia’s leading directors and experts that it might take someone to launch a class action in a move to get traction on this issue. After the session, one of the leading shareholder class action lawyers from New York suggested to me that being his expert witness could be very lucrative in the short term as long as I had no intention of ever being employed again, and perhaps I should stick to helping companies rather than suing them.

In Australia, internal auditors are being asked to give advice to boards on whether their company’s risk management framework is effective, and whether the risk profiles prepared by management give a true and complete picture. The advice I’m giving my clients is that if the organisation doesn’t have good capabilities around strategic and systemic risk, then the answer has got to be no, and therefore their public statements on this issue have to be qualified.

In an effort to raise awareness of strategic risk internationally, I’ve been speaking in public fora around Australia and the United States as well as through the Resilient Futures Network (RFN). The good news is that I’ve been getting traction with industry associations, community groups, pension funds, boards and large companies… and we’re beginning to prove that strategic risk doesn’t have to be difficult as long as you’ve got a good model and a diversity of perspectives (thanks to the RFN for their involvement with that).

If you’re an internal auditor trying to get your head around this, the Institute of Internal Auditors in Australia is running half-day training workshops on this topic nationally, which means you can get your head around this and bank some CPE credits at the same time. If they aren’t running near you, or if you want to run a session in-house, get a group together and The IIA will be happy to organise these.

If you’re a non-executive director and want to find out about the strategic risks which aren’t on your radar and should be, I’d be happy to give you a briefing. Please feel free to watch this primer and get in touch.

Todd

Todd Davies & Associates
Specialists in strategy, governance and step change

Web: www.todddavies.com.au
Email: todd@todddavies.com.au
Tel: +61 (0) 422 000 913

It seems that my piece in the June edition of Risk Management Magazine caused some contraversy, and even drew a letter to the editor from the President of the Risk Management Institution of Australia.  This is all healthy debate as it forces us to assess whether learned approaches are still relevant, or whether we’re just keeping a wary eye on the deckchairs (while forgetting to look out for icebergs).

To see the rebuttal, have a look at page 3 of the July edition of Risk Management Magazine here.  And to see the original article which caused the contraversy, click here for page 3 fo the June edition.  (Now locked down, here’s the web version).

For more information on how strategy, risk, governance and assurance come together, please click here.

Success is a lousy teacher. It seduces smart people into thinking they can’t lose.  Bill Gates

Most managers feel well equipped to understand and respond to the regular crises that emerge day to day in the business as usual environment. Risk management processes have permeated most organisations which give middle management a sense of comfort that they have things broadly under control.

But those who read the financial press will be aware of emerging state changes which are not picked up by their normal risk management processes.  As such, Directors and Chief Executives reviewing their risk profiles often feel that all of this effort in risk management is missing the big picture.

Emerging risks are known by many names.  Strategic planners call them external shocks.  Resilience practitioners call them discontinuities.  Risk practitioners call them strategic risks.  Economists call them corrections. Taleb calls them Black Swan events.  Greenspan calls it the age of turbulence.

Whatever you call them, an understanding of emerging strategic risks is critical to leading any organisation.

We have a habit of confusing the unprecedented with the unlikely.  Al Gore, Sydney Hilton, July 15, 2009

Todd Davies & Associates draws on a broad range of experts from a range of fields to provide briefings, training and advisory services on:

• Making sense of emerging and interconnected structural shifts, and how to turn these from strategic risks into strategic opportunities
• Making sense of unprecedented risks which are becoming increasingly certain
• Detailed briefings on each of these structural shifts
• Assessing and developing the capabilities in organisations to assess strategic risk on an ongoing basis.

To find out more, call Todd on 0422 000 913, or email us to arrange a meeting.

What our clients are saying

“We brought Todd Davies in to conduct the “Understanding Strategic Risk” training sessions and they proved to be very worthwhile. Our audit staff appreciated the insights into sources of strategic risk from a local to a global level. No less than six methods of developing strategic capability were discussed providing something for everyone dependent upon your methodology, fit and preferences. Sound value.”  Allan Reidy | Head of Westpac Retail & Business Banking and Product & Operations Audit, Westpac Banking Corporation

Find out more first

Watch a 15 minute video presentation from Todd on gaps arising from typical risk management processes

Listen to a 25 minute audio interview with Todd on some of the key issues for leaders today

Read a brief article on strategic risk and how this fits in with regulation and standard setting

I’m really pleased to announce that the Resilient Futures website went live today.

Resilient Futures was formed in April 2008 as a result of a number of practitioners in various fields believing that the current thinking in their respective professions was inadequate in dealing with the problems of tomorrow, and that resilience thinking and the concepts underpinning it provide much needed clarity in a rapidly changing interconnected world.

The Resilient Futures partnership consists of a divergent practitioners in strategy, risk, urban planning, leadership development and networked systems.  There is a range of innovative but practial thinking coming out of this one and I encourage you to have a look around, read a few articles, download a whitepaper or two, and subscribe to the RSS feed.

I particularly encourage you to have a look at my recent article Are you being a reckless leader without realising it? which gives a feel for where some of the thinking is heading, or our offering on emerging risk analysis here.

Resilient Futures can be found at www.resilientfutures.org.

Due to popular demand, our presentation on Futurecasting is now available at the bottom of this post. 

The presentation was delivered at the NSW ACL user group forum to a group of data analytic and IT audit experts to give them some insights into what the future might hold.

One of the key insights from the presentation is that predictive models now hold less certainty and that 1 in 20 year company transforming events are now looking like 1 in 5 year events, potentially with greater force than previously. 

There are a number of things that can be done about this in terms of creating opportunities and preparing for change based on information in this slide deck, but perhaps a more important theme is the need to create dynamic and flexible organisations which can anticipate and cope with the extent of change that will become even more a fact of life.  Those managers and entrepreneurs who are able to do this will be the winners in the decades to come. 

Watch this space for related discussions in resiliance theory, 21st century capability, open platfrom innovation systems and related topics, or better still, read Larry Quick’s work at http://www.newcommons.com/.  Larry is our man for future thinking and has an amazing tendancy to predict things like the internet and climate change 5-15 years before they reshape the planet.  We are great fans of his provocative and insightful thinking and proud to have an alliance with him.

For a copy of our presentation from the TDA conference, click here.

Postcript

Larry and I are now partners in Resilient Futures.  Resilient Futures is a group of strategists, urban planners, environmentalists and a range of other practitioners who are using resilience thinking as a model to develop resilient organiations.  I’m very excited about this work, and encourage you to find out more at http://www.resilientfutures.org.

If you downloaded the futurecasting presentation and find it insightful, then you’ll want to subscribe to the Resilient Futures newsfeed.  Just follow the prompts on the RF website.

Note: Larry assures me that he is not a futurist, but what I do know is that the Resilient Futures model has an uncanny predictive capability that I do not normally see in risk, scenario planning or policy environments.

Thanks to everyone who attended the Canberra meeting, it was great bunch of people with some great questions and discussion and a relaxed format. 

There was a particular interest in what this will mean to other sectors.  While it’s difficult to predict in detail, I’d suggest that the one to watch is the new recommendation 7.2.  The crux of the wording of this is that rather than just going through a process, management now need to form a view on whether their risks are being effectively managed and report this through to the Board.  This means that risk management can no longer suffice as a standalone process, but must be truly embedded into the governance processes of the organisation, and that due diligence will have to be done on the output of any risk process.  As I found in my last head of audit & risk role, such a signoff requires significant gear changes in thinking to make it effective and relevant.  It’s going to be an exciting time for risk management for those people on the front foot.

Download the presentation here:
Updated ASX Corporate Governance Principles & Guidelines

If you are looking for assistance with compliance with the Principles & Recommendations, please click here.

Strategy, risk, governance and assurance

“Corporate governance, sustainability and strategy have become inseparable.  They are inextricably linked.” Mervyn E. King

A lot of firms specialise in strategy, risk, governance or assurance, but few seem to bring them all together. In everything TDA does, we bring the other disciplines to it, whether using risk management to underpin delivery of your strategy, or getting strategic alignment with these areas.

Please click on a link below to find out more.

Governance & Leadership

• Enterprise Governance – getting everyone on the same page
• Enterprise Resilience – positioning for prosperity in the face of dramatic change
• Compliance with the ASX Corporate Governance Council Principles and Recommendations

Strategy

• Relevance regained – strategic planning for NGOs
• Emerging Risk Analysis – seeing what’s around the corner before it hits

Risk & Assurance

• Fine tuning your Internal Audit function – Internal Audit transformation & quality reviews
• Getting the most out of internal audit sourcing – outsourcing, cosourcing and partnering
• Navigating the GRC maze – understanding GRC solutions and software selection
• Getting what was promised – project assurance and project risk management