Thanks again to Lexis Nexis for making my most recent article available from the latest issue of Risk Management Today.

As the ASX Corporate Governance Council gears up for its next round of review, the IIA has got on the front foot with their list of demands.  This brief article gives Risk Management Today readers a brief sense of what’s happening, where practices are lagging and the importance of risk assurance.

Key points

• The 2007 revisions to ASX Corporate Governance Council Principle 7 (in particular) Recommendation 7.2 shifted the emphasis from process to content
• This requires management to provide a full and frank view of the group’s material business risks to the board
• Material business risks at the group level tend to be strategic in nature and wouldn’t normally be expected to be identified through a bottom-up process
• IIA suspects that practices in this area are lagging outside the ASX/S&P top 50 listed companies (a view I agree with)
• Providing a comprehensive view on material business risks is a challenge for most companies, it is outside normal skill sets
• Internal auditors will also need to up-skill to fulfill their role in this

Material business risk (in particular strategic risk) is a complex topic and one which I’ve touched on many times on at todddavies.com.au.  Articles and presentations are tagged for those who are interested and can be found here.

Please feel free to download the current RMT article. (Download, pdf, 1 page, 100kB).  More information on this publication can be found here.

And of course, if you need assistance on determining where your company is at, feel free to call.

To subscribe to this series of occasional articles and case studies, please click here.

About 12 months ago I wrote the feature article for the Institute of Internal Auditors’ global e-zine on the top 10 risks for 2010.

I received an email this week about the article which prompted me to have a look back at what I’d said, and also some of the comments which had been made in response.

My focus at the time was on ‘strategic risks’ a risk category which is often not focused on because they are hard to pin down. These risks tend to move from inconceivable to possible and probable moving quickly on your risk matrix over time and with increasing consequence. And as these things are often unprecedented, its often not clear how these will manifest themselves. As such, some of my top themes tended to be underlying drivers rather than specific risks which can be put in clear focus.

I’ve been talking and writing about this area – strategic risk, black swans, emerging risk, risk foresight and unknown unknowns for a few years now. This has led me down a range of paths including working with futurists, former futurists, board members, CRO’s, CAE’s, and even being on a debating team with people from the WEF’s global risk team. The results of this work can be confronting, particularly as it often challenges fundamentals and norms that we’ve taken for granted during the latter phases of industrialisation.

The human response

What has become more interesting and evident to me over time hasn’t just been the risks specifically but the usual responses I normally get when pointing out some of the big strategic risks as I see them:

1. These risks are not present today, and I’ve got bigger things to deal with in the near term, so please don’t waste my time with this lala land stuff (fair enough, but risk is a business of uncertainty rather than certainty)
2. I don’t believe these risks are going to manifest during my tenure, and they’re not in my role description or KPIs, so they’re not my problem (fair enough, this is not easy stuff to deal with, but raises some issues)
3. You’re right, there are some blind spots, and thanks for pointing some new ones out so I can find out more. (Ureka!)
4. Yes, I agree, and here’s some YOU’VE missed. (Very exciting, let’s talk)

My work is deliberately focused working with people in category 4 and sharing what I learn with those in category 3. In my view, these are the people who will avert massive destruction in shareholder value and create competitive advantage and possibly even market strength as a by product.

Where does strategic risk capability lie? Where should it lie?

Thematically with some notable exceptions, the greatest capability in being across strategic risks seems to lie at the board. Management, risk management and internal audit are mostly focused in the day to day. Their tenures often don’t align with the unfolding nature of these risks over time, whereas ultimately these will come home to roost with the board. This means a good board, and a diverse and well networked board with varied experiences and world views is key, and has been the basis of my arguments for board diversity including but beyond gender.

The challenge is when risks emerge which are not within the experience of the board, possibly because these risks are unprecedented. This is when risk forecasting capabilities are essential to avoid blind spots, which has been the crux of my argument since the GFC. Simply if organisations don’t have this capability in house, boards need to get someone in occasionally to challenge the organisation’s thinking on strategic risks and risks which will manifest themselves beyond the CEO’s tenure.

So how did the crystal ball do?

It is worth looking back to see how the top 5 themes list fared 12 months later with the benefit of hindsight, some of which were refuted by some who commented on the article. Here’s a few thoughts.

1. Energy prices. Forecasters are saying we’re still 12 months away from $100/barrel, but this week world leaders are leaning on OPEC to increase supply to try and postpone the rise. Coal prices are increasing quickly. Governments are strategically positioning around energy security as they understand the consequences to be catastrophic. This continues to be one to watch.
2. Industrialised world atrophies while the emerging economies grow. There are clear signs of this. Have a look at the Europe vs China story.
3. Population pressures and constraints on commodities. Notice that the resource companies are the ones driving economic growth in the developed world over the past 12 months? Seen what’s happening with food prices lately, and why Canada and Australia are now economies and currencies of preference in the developed world?
4. Structural currency rebalancing? Yes, many were in denial on this one, but I’m very happy that I advised my clients to unwind their exposures to certain currencies. The consequences for them would have been more than material and in some cases catastrophic leading to a crisis of confidence in management and the board, with potential knock on effects into the broader community.
5. Climate change. Sure, I’ll agree, not a risk in itself, but on at least half of the boards and audit and risk committees I sit on, it’s a key driver which those organisations will need to deal with creatively if they are to keep achieving at the rate they’re used to.  And although not yet mainstream, there are some disruptive innovators doing some things in carbon markets which previously were unheard of.

So in some of these risks resulted in a material impact for some organisations, industries and countries. Some did not. But it’s fair to say that all five themes did drive changes in the risk profile, and are increasing in likelihood and impact.

Final thoughts

I guess all of this raises a philosophical question about who should be responsible for keeping an eye on strategic risk. In my experience the board and independent risk committee tends to do okay at it, but management is very much immersed in delivering this year’s plan. Taking your eye off these can be devastating. We’ve seen too much of this as I’ve written and spoken about many times.

At the time of the article, the internal audit profession was positioning itself to provide assurance over the risk frameworks and risk reporting of organisations. This article introduced a few ideas on what this actually means, including the provisions of Principle 7 of the ASX Corporate Governance Principles in relation to material business risk. For me, internal audit’s role is to see whether this emerging risk capability is in place and working well. If it isn’t internal audit has an obligation to let the most senior people in their organisation know, including the board.

I hope this has stimulated debate, including people who don’t agree with me, and if it has, then this has been very worthwhile. I’d love to to rekindle the debate, including from those who believe these risks are right, and those who still think it’s all a bit fluffy.

The original article and space for comment can be found here: http://www.theiia.org/intAuditor/free-feature/2010/february/a-look-ahead-top-risks-for-2010/index.cfm

For those who are keen to find out more, I’d also welcome people to trawl my archives of articles, papers, presentations and video on the topic and join the mailing list for future updates.  Where available, these are on this site free of charge.

To subscribe to this series of occasional articles and case studies, please click here.

Insanity is doing the same things over and over and expecting different results.

Albert Einstein

Thanks to Lexis Nexis for making my most recent article available from the current issue of Risk Management Today to my clients and readers.

The editorial panel was asked to cast their mind back to the most significant risk events over the last 12 months. For mine it was a thematic observation that despite strategic risk being the risk class which causes the greatest long term destruction and creation of shareholder value, it the class of risk most poorly handled. There are many reasons for this, but perhaps the greatest is that these tend to be slowly unfolding events over multiple years and therefore tend to not grab our attention in the same way that a sudden shock does.

The good news is that this risk class is starting to get the attention of the mainstream at the big end of town. The bad news is that there are many spruikers who are apparently suddenly well equipped to deal with this class of risk. My assessment is there’s very little substance to much of what’s on offer. This article offers a festive perspective and (hopefully) a little humour to a serious topic as well as a few pragmatic suggestions on how to get on top of this important risk class.

I hope you enjoy it as a light read during the quiet period and I look forward to catching up with you in the new year.

Key points

• ASX Principle 7 requires a focus on material business risks rather than being swamped by process. At the time of drafting the current Principles, the Corporate Governance Council was concerned that companies were being dragged into the minutia by risk processes rather than using them for strategic insights. From a shareholder perspective it seems their concerns were correct.
• Most risk assessments work on the assumption that all things remain the same. The biggest risk of all is that all things don’t remain the same. This is where black swans often are hiding.
• Here’s a bunch of things to think about over the Christmas break.

Please feel free to download the article and pass it on. (Risk Management Today Issue 6 -Black swans, 3 pages, 132kB)

More information on this publication can be found here.

Seasons greetings,

Todd

To subscribe to this series of occasional articles and case studies, please click here.

As part of their ongoing roles, Directors and CEOs need to have a deep understanding of the strategic risks and opportunties facing their organisations.  Increasingly they are looking to their internal audit team for a view on whether their company’s risk management systems are adequate, and complete which needs an understanding of strategic risk as well as traditional areas of compliance, reporting and operations.

Strategic risk management is an area which is vital to the long term prosperity and performance of any organisation, yet it is an area which is not well understood or applied.  While auditors and managers are often comfortable with operational, reporting and compliance risk, it is often strategic risk that leads to material and irreversible business disruption. Internal audit teams are now expected to have an understanding of strategic risk and evaluate their organisation’s capabilities in this area as emphasised in Principle 7 of the ASX Corporate Governance Principles & Recommendations.

As part of the Institute of Internal Auditors ongoing work to enhance the capabilities of their members they have engaged TDA to facilitate a series of half-day public courses on strategic risk.   The course covers strategic risk as a distinct segment on the COSO framework, sources of strategic risk, strategic risk capability and a range of concepts to help understand and assess strategic risk.

Developed for Chief Audit Executives, by the end of this course, participants should be able to:

• Differentiate strategic risk from other risk types in the overall risk universe
• Recognise how strategic risk manifests itself
• Assess their organisation’s ability to identify, assess and manage strategic risk
• Identify areas of strategic risk vulnerability in their organisation
• Interact confidently with those responsible for leadership in this area.

Dates for the rest of the year are:

Melbourne: Thursday, September 10 2009

Perth: Friday, September 25 2009

Sydney: Friday, November 6 2009

For more information go to the Education & Events section of www.iia.org.au or call the IIA on (02) 9267 9155.

If you are not an internal auditor and would like a briefing session for your organisation, please contact us at info[at]todddavies.com.au or contact Todd on (0) 422 000 913.

To subscribe to this series of occasional articles and case studies, please click here.

Success is a lousy teacher. It seduces smart people into thinking they can’t lose.  Bill Gates

Most managers feel well equipped to understand and respond to the regular crises that emerge day to day in the business as usual environment. Risk management processes have permeated most organisations which give middle management a sense of comfort that they have things broadly under control.

But those who read the financial press will be aware of emerging state changes which are not picked up by their normal risk management processes.  As such, Directors and Chief Executives reviewing their risk profiles often feel that all of this effort in risk management is missing the big picture.

Emerging risks are known by many names.  Strategic planners call them external shocks.  Resilience practitioners call them discontinuities.  Risk practitioners call them strategic risks.  Economists call them corrections. Taleb calls them Black Swan events.  Greenspan calls it the age of turbulence.

Whatever you call them, an understanding of emerging strategic risks is critical to leading any organisation.

We have a habit of confusing the unprecedented with the unlikely.  Al Gore, Sydney Hilton, July 15, 2009

Todd Davies & Associates draws on a broad range of experts from a range of fields to provide briefings, training and advisory services on:

• Making sense of emerging and interconnected structural shifts, and how to turn these from strategic risks into strategic opportunities
• Making sense of unprecedented risks which are becoming increasingly certain
• Detailed briefings on each of these structural shifts
• Assessing and developing the capabilities in organisations to assess strategic risk on an ongoing basis.

To find out more, call Todd on 02 9043 1719, or email us to arrange a meeting.

What our clients are saying

“We brought Todd Davies in to conduct the “Understanding Strategic Risk” training sessions and they proved to be very worthwhile. Our audit staff appreciated the insights into sources of strategic risk from a local to a global level. No less than six methods of developing strategic capability were discussed providing something for everyone dependent upon your methodology, fit and preferences. Sound value.”  Allan Reidy | Head of Westpac Retail & Business Banking and Product & Operations Audit, Westpac Banking Corporation

Find out more first

Watch a 15 minute video presentation from Todd on gaps arising from typical risk management processes

Listen to a 25 minute audio interview with Todd on some of the key issues for leaders today

Read a brief article on strategic risk and how this fits in with regulation and standard setting

To subscribe to this series of occasional articles and case studies, please click here.

So what does all this mean?  Well three things really:

• Great governance should be common sense
• Great governance shouldn’t be difficult to implement
• You shouldn’t have to spend large sums of money on compling or writing disclosure statements.

Our offering is really simple and is aimed at small and mid-cap companies:

• We’ll tell you quickly whether you comply already – and make sure you get credit for what’s already in place
• In the areas where you don’t comply, we’ll see if you already have mechanisms which address the spirit of the principles – again making sure you get credit for being a well governed organisation
• If you don’t comply and don’t have a good mechanism, we’ll give you guidance on whether this matters to your company, to the market and what easy and quick solutions are available to you.
• In rare cases when the answer isn’t a simple one, we’ll give you the answers straight and steer you to a cost effective path.

There are many quick wins in this area, and we’ll make sure you’re across them.

Why TDA?

Todd Davies has been a practitioner representative on the ASX Corporate Governance Council since shortly after the first principles and recommendations were released and was a member of the working group on Principle 7 (Recognise and Manage Risk).  He has deliberately positioned himself as a pragmatist on the group with a sense of how to make the principles useful in practice, and practical to implement.

Perhaps more importantly, Todd believes that this should be an area which common sense prevails and not one where consultants generate large fees.  We encourage you to hold us to that!

To subscribe to this series of occasional articles and case studies, please click here.

There was a particular interest in what this will mean to other sectors.  While it’s difficult to predict in detail, I’d suggest that the one to watch is the new recommendation 7.2.  The crux of the wording of this is that rather than just going through a process, management now need to form a view on whether their risks are being effectively managed and report this through to the Board.  This means that risk management can no longer suffice as a standalone process, but must be truly embedded into the governance processes of the organisation, and that due diligence will have to be done on the output of any risk process.  As I found in my last head of audit & risk role, such a signoff requires significant gear changes in thinking to make it effective and relevant.  It’s going to be an exciting time for risk management for those people on the front foot.

Download the presentation here:
Updated ASX Corporate Governance Principles & Guidelines

If you are looking for assistance with compliance with the Principles & Recommendations, please click here.

To subscribe to this series of occasional articles and case studies, please click here.

• Clarity and unity of vision and sponsorship by internal stakeholders
• Clarity of responsibility between the various assurance, risk and compliance functions
• Efficiency in delivery
• Optomisation of risk and assurance coverage
• Increased risk-sensing ability
• Streamlined implementation with minimal false-starts

In short, bigger bang for buck and more engaged and satisfied stakeholders.

Please click on a link below to find out more about the type of work we typically get involved with.

Vision

• Vision setting
• Benchmarking
• Internal audit self assessment
• Enterprise governance framework

Enabled by High Performing Teams

• The Virtual Chief Audit Executive
• Getting the most out of internal audit sourcing
• Coaching for rising stars
• Getting the right staff on board

Powered by Leading Practices

• Internal audit transformation
• Audit committee best practices
• Assessing the adequacy of your risk framework
• Understanding GRC software solutions
• Strategic risk and emerging risk capability
• Stress testing your risk profile
• Compliance with the ASX Corporate Governance Council Principles and Recommendations

To subscribe to this series of occasional articles and case studies, please click here.