The single thread in nearly all of these cases is simple — the conditions changed and the organisation failed to keep pace with that change.

When thinking about the most significant business risks facing an organisation, failing to keep pace with change is the biggest. It outstrips anything on your risk register. It is a death sentence waiting to happen.
In some cases the decline will be rapid, but in many cases, without a big intervention it will be slow and painful. Other risks will hurt; they may cause embarrassment, legal recourse, short-term financial loss, or the loss of a few executives, but they probably won’t kill the organisation.

The most recent analysis from the ASX Corporate Governance Council tells us that 95% of the ASX 200 companies believe they have the systems in place for their boards and management to be across their most material business risks.

In reviewing the risk reports from of a range of organisations, we see that the most material business risks — the risks arising from external change — are often not explicitly stated or well understood.

In part, this is due to narrow time horizons used in framing their risk assessments. In part, this arises from being unable to distinguish weak from strong signals. In many cases, it’s an inability to think beyond business as usual.

Often, the only way to tackle a strategic risk is to take a big risk and change course. Many organisations shy away from this and, in doing so, will end up on the scrap heap.

While it is risky to change and adapt, not hedging your bets is even riskier.

Ironically, for many organisations, a conservative approach to risk in the short term is likely to be the greatest risk of all.

Three questions you should ask:

• What could cause our business model to be defunct or unviable?
• What weak signals do we need to be paying attention to today?
• What risks are apparent now which could take several years to unfold?

This article first appeared in the December 2011 edition of Risk Management Today.   Part two of this article is linked below.

2012 Prophecy – The End of the Industrial Age

To subscribe to this series of occasional articles and case studies, please click here.

I’ve been deleting the word strategic from a lot of documents lately.

And it’s assisting immensely.

You see I’ve got this idea that the more times a person uses the word strategic, the more likely it is that the person is puffing or bluffing.

In the risk and assurance space using the word strategic usually does little to aid understanding.  In most cases it’s just misleading.

Take the term ‘strategic risk management’ (SRM) which is cropping up everywhere these days.

Somehow SRM has ended up in the accountabilities template for NSW Government agencies.  Apparently they’re now supposed to be responsible for strategic risk management as rather than good old fashioned risk management.  Now this would be fine if anyone knows what SRM is.

I know what risk management is, I even know what enterprise risk management is, but strategic risk management?  Is it the management of strategic risks perhaps?  Or something other than tactical risk management?

The Risk Management Society in New York had a go recently at defining SRM.  They’ve got a discussion document out on it in fact.  The discussion document is useful.  It says that SRM is an evolving discipline – in other words, they don’t know what it is either.

And then take the term ‘strategic audit plan’ which I still see regularly.

These documents are usually a standard audit universe spread over three years.  They tend to ignore external conditions or do other things that strategic documents tend to do. But because their focus is on more than this financial year, the documents must be strategic.  The reality is that it’s often anything but.

So when I see the term strategic appear in a charter, article, brochure or job title I get wary.

So the simple solution, delete the work strategic.  I do.  It adds amazing clarity.

Better still add the letters ‘un’ to the front – ‘unstrategic’, or delete and put ‘tactical, but with a time horizon of slightly longer than 12 months but not longer than my current tenure or bonus timeframe’ in front of it.

I think you’ll find this clarifies many things immensely.

This opinion piece was one of the cover stories in Issue 86 of Risk Magazine, July 2011.  Todd Davies has been championing a better understanding on strategic risk for many years and taught the IIA’s first courses on this topic.

He contends that strategic risk is a class of risk in it’s own right and needs a dedicated identification process involving external viewpoints.  TDA’s other articles on this topic can be found here.

To subscribe to this series of occasional articles and case studies, please click here.

Thanks again to Lexis Nexis for making my most recent article available from the latest issue of Risk Management Today.

As the ASX Corporate Governance Council gears up for its next round of review, the IIA has got on the front foot with their list of demands.  This brief article gives Risk Management Today readers a brief sense of what’s happening, where practices are lagging and the importance of risk assurance.

Key points

• The 2007 revisions to ASX Corporate Governance Council Principle 7 (in particular) Recommendation 7.2 shifted the emphasis from process to content
• This requires management to provide a full and frank view of the group’s material business risks to the board
• Material business risks at the group level tend to be strategic in nature and wouldn’t normally be expected to be identified through a bottom-up process
• IIA suspects that practices in this area are lagging outside the ASX/S&P top 50 listed companies (a view I agree with)
• Providing a comprehensive view on material business risks is a challenge for most companies, it is outside normal skill sets
• Internal auditors will also need to up-skill to fulfill their role in this

Material business risk (in particular strategic risk) is a complex topic and one which I’ve touched on many times on at todddavies.com.au.  Articles and presentations are tagged for those who are interested and can be found here.

Please feel free to download the current RMT article. (Download, pdf, 1 page, 100kB).  More information on this publication can be found here.

And of course, if you need assistance on determining where your company is at, feel free to call.

To subscribe to this series of occasional articles and case studies, please click here.

The article reviews the latest benchmarking study from IIA and Protiviti of 160 heads of internal audit from around Australia and draws out three key themes of interest to those charged with oversight of internal audit and risk management.

Key points

• It is now the norm for internal audit to be independent from management. If you are not in line with the IIA’s Policy Agenda, you may be an outlier.  Given that these are simple mechanical mechanisms, we recommend benchmarking your function against these areas and taking action accordingly.
• Internal audit still struggles to demonstrate compliance with professional standards.  Given that these matters are relatively straight forward, organisations should insist that their internal audit functions and outsourced providers comply with the IIA’s International Professional Practices Framework.
• Quite rightly, strategic risk has entered the top 5 priorities for heads of internal audit, however the reality is that capabilities in this area are embryonic at best. Organisations should assess whether have this capability in-house, and if not take steps to develop it, or periodically engage professional assistance to fill this gap. The first step is to understand what strategic risk is, and this article takes some initial steps towards defining this.

Please feel free to download the article and pass it on. (Download, pdf, 3 pages, 113kB)

For more information on this publication can be found here.

Todd

Related links

Strategic risk and emerging risk capability assessment

To subscribe to this series of occasional articles and case studies, please click here.

The good folks at Lexis-Nexis have been kind enough to invite me to be on the editorial panel of their new magazine Risk Management Today, and to have the lead article in the inaugural edition.  They’ve also been kind enough to make this article available free of charge to my clients and readers for a limited time.

The article aims to get beyond the literature and standards, and give insights on some of the key things to look for when assessing the adequacy of an organisation’s risk framework.  It is pitched at those who are not necessarily experts in risk management per se, but rely heavily on an organisation’s risk management framework.

Key points

• Despite organisations making significant investments in risk management, they still fall short in dealing with disruptive change.
• Regulatory changes seem unlikely to get to the heart of what really matters in avoiding significant destruction of shareholder value in the future.
• Seven key areas of risk management areas are discussed that investors, boards and the C-suite should be looking for.

Please feel free to download the article and pass it on.

Download the article (pdf, 3 pages, 86kB)

Also this publication is shaping up to be a very good one, and I’d encourage you to have download the inaugural issue and have a look (free download for a limited time).

Todd

To subscribe to this series of occasional articles and case studies, please click here.

As the developed world pulls itself away from the abyss of the global financial crisis, many around the globe are breathing a sigh of relief. Having dodged a major bullet, organizations are now returning to business as usual. But if the crisis was a wake-up-call for the world, did business leaders and internal auditors pay attention or just hit the snooze alarm? What’s the next “black swan,” or significant unforeseen risk, and what should internal auditors be doing about it?

In this free feature from IIA’s global magazine, Todd summarises several key areas should be on all company watch lists for 2010 and beyond.

http://www.theiia.org/intAuditor/free-feature/2010/february/a-look-ahead-top-risks-for-2010/

To subscribe to this series of occasional articles and case studies, please click here.

Risk and Responsibility (AHAUCHI Conference, September 2009)

[Streaming video: YouTube - 3 parts, 22 minutes total]

Presented as part of a three day strategy and leadership conference on the future of residential colleges, Todd Davies provides insights into the nexus between governance, leadership and risk, and provides a whole systems perspective into regulatory reform, avoiding the next GFC and the future of leadership on these dimensions.

A Leader’s Responsibility: Governance, Risk and Resilience (AHAUCHI Pre-conference, August 2009) [Streaming and downloadable audio: Resilientfutures.org - 1 part, 26 minutes total] As part of the lead up to the AHAUCHI sessions, Todd discusses the new context for the governance and risk responsibilities of leaders, especially directors and managers; the breakdown of conventional methods of risk and governance management in dealing with these conditions; the consequences of such a breakdown; new processes for more realistic governance, risk and resilience.

The Real Risks of Business as Usual  (Resilient Futures Forum event – “Planning for Growth: Water? Climate Change? Economic Shocks?, August 2008)

[Streaming and downloadable video: Resilientfutures.org - 1 part, 15 minutes total]

This is essential viewing for anyone in a governance, leadership, assurance or strategy role in a large organisation – corporate or government. This presentation is particularly timely given current conditions, increasing market turbulence, and the move by stock exchanges and regulators around the world who are beginning to expect CEOs and Boards to have a strong understanding of ‘material business risk’, and hence strategic risk.

There is also a lot of great material on the resilientfutures.org website and their Youtube channel.  If you are interested in understanding the future, complexity and the challenges and opportunities arising from this, these sites are well worth a look. Enjoy. TDA

To subscribe to this series of occasional articles and case studies, please click here.

As part of their ongoing roles, Directors and CEOs need to have a deep understanding of the strategic risks and opportunties facing their organisations.  Increasingly they are looking to their internal audit team for a view on whether their company’s risk management systems are adequate, and complete which needs an understanding of strategic risk as well as traditional areas of compliance, reporting and operations.

Strategic risk management is an area which is vital to the long term prosperity and performance of any organisation, yet it is an area which is not well understood or applied.  While auditors and managers are often comfortable with operational, reporting and compliance risk, it is often strategic risk that leads to material and irreversible business disruption. Internal audit teams are now expected to have an understanding of strategic risk and evaluate their organisation’s capabilities in this area as emphasised in Principle 7 of the ASX Corporate Governance Principles & Recommendations.

As part of the Institute of Internal Auditors ongoing work to enhance the capabilities of their members they have engaged TDA to facilitate a series of half-day public courses on strategic risk.   The course covers strategic risk as a distinct segment on the COSO framework, sources of strategic risk, strategic risk capability and a range of concepts to help understand and assess strategic risk.

Developed for Chief Audit Executives, by the end of this course, participants should be able to:

• Differentiate strategic risk from other risk types in the overall risk universe
• Recognise how strategic risk manifests itself
• Assess their organisation’s ability to identify, assess and manage strategic risk
• Identify areas of strategic risk vulnerability in their organisation
• Interact confidently with those responsible for leadership in this area.

Dates for the rest of the year are:

Melbourne: Thursday, September 10 2009

Perth: Friday, September 25 2009

Sydney: Friday, November 6 2009

For more information go to the Education & Events section of www.iia.org.au or call the IIA on (02) 9267 9155.

If you are not an internal auditor and would like a briefing session for your organisation, please contact us at info[at]todddavies.com.au or contact Todd on (0) 422 000 913.

To subscribe to this series of occasional articles and case studies, please click here.

The length and extent of debate was extensive ranging from the structure of the financial system, through to regulatory structuring, regulatory arbitrage, global regulatory frameworks, rules vs principles vs supervision and enforcement, Australia’s twin peaks and quadruple peaks model, ESG and a range of other useful debate, as well as the old chestnuts of shareholder input into executive remuneration.

I was encouraged by comments early in the meeting by Jules Muis, former Vice President and Controller of the World Bank saying that there are really only two key issues which need attention – strategic risk and systemic risk, and if we can get accountability for assessing and managing these at different scales, then we will be set for success in the future.

Lindsay Tanner, Federal Minister for Finance explained that conditions had changed and global markets can only be regulated through global coordination, while Anne Simpson, from CalPERS representing one of the largest pension funds in the world told us simply, that “we needed more joined up thinking”, eluding to the need for a wholistic, multi-faceted approach to systems thinking.

Al Gore reminded us that “we often confuse the unprecedented with the unlikely”, and Professor Mervyn King SC reminded us that “companies do not operate in a vacuum.”

Despite this sage counsel that we need an approach which allows us to think properly about strategic and systemic risk, and predict the “unprecedented but increasingly likely”, unfortunately these threads were not actively picked up, perhaps because this is an area which is not yet well understood.

In the area of risk management, boards are concerned about false comfort in risk systems – whereby companies hire a small army of risk experts who go away and implement risk frameworks such as COSO ERM, A/NZS 4360 or ISO 31000, and assure them that everything is okay, that their risk systems are sound, and the board and management can sign off.

The problem of course is that while routine bottom-up approaches to compliance, operational and reporting risk are good at managing the bread and butter of businesses, it’s rarely these areas which cause the material problems. Despite strategic risk and systemic risk now starting to be recognised globally by policy setters as the daddy of them all, people don’t have the capabilities in place to understand what these are, let alone manage them. Intuitively, boards know this.

The result is that a significant proportion of companies which experienced significant value destruction and earnings surprises in the last 18 months came out with the standard rhetoric “no one could have seen this coming”, leading to an inference that either the risk systems are not as we’ve been told (deceptive conduct) or the boards were incompetent (negligence).

I’ve been giving briefings and training on these areas internationally, including in public fora around Australia and the United States in order to help companies govern responsibly. In my mind, strategic and systemic risk are the elephants in the room which are still being overlooked and not understood.

I asserted in a public session at the meeting in front of some of Australia’s leading directors and experts that it might take someone to launch a class action in a move to get traction on this issue. After the session, one of the leading shareholder class action lawyers from New York suggested to me that being his expert witness could be very lucrative in the short term as long as I had no intention of ever being employed again, and perhaps I should stick to helping companies rather than suing them.

In Australia, internal auditors are being asked to give advice to boards on whether their company’s risk management framework is effective, and whether the risk profiles prepared by management give a true and complete picture. The advice I’m giving my clients is that if the organisation doesn’t have good capabilities around strategic and systemic risk, then the answer has got to be no, and therefore their public statements on this issue have to be qualified.

In an effort to raise awareness of strategic risk internationally, I’ve been speaking in public fora around Australia and the United States as well as through the Resilient Futures Network (RFN). The good news is that I’ve been getting traction with industry associations, community groups, pension funds, boards and large companies… and we’re beginning to prove that strategic risk doesn’t have to be difficult as long as you’ve got a good model and a diversity of perspectives (thanks to the RFN for their involvement with that).

If you’re an internal auditor trying to get your head around this, the Institute of Internal Auditors in Australia is running half-day training workshops on this topic nationally, which means you can get your head around this and bank some CPE credits at the same time. If they aren’t running near you, or if you want to run a session in-house, get a group together and The IIA will be happy to organise these.

If you’re a non-executive director and want to find out about the strategic risks which aren’t on your radar and should be, I’d be happy to give you a briefing. Please feel free to watch this primer and get in touch.

Todd

Todd Davies & Associates
Specialists in strategy, governance and step change

Web: www.todddavies.com.au
Email: todd@todddavies.com.au
Tel: +61 (0) 422 000 913

To subscribe to this series of occasional articles and case studies, please click here.

Can your organisation continue to prosper as conditions change?

Organisations are facing greater challenges than ever before.  As a leader if you feel that you are facing more change than ever before, you are not alone.  The nature, scale and frequency of change is increasing which is putting tests on the resilience of all organisations.

Increasingly, the term resilience is popping up with a number of variants – enterprise resilience, organisational resilience, business resilience and others.  Some variants are narrow dealing only with a part of the problem.  Resilience from a HR perspective often talks about personal resilience – in other words, the ability of an individual to bounce back in the face of adversity – something akin to personal tenacity.  Resilience from a risk perspective is often limited to business continuity or crisis management.  Both models tend to plan for and react to disaster rather than empowering organisations and leaders to navigate strategically.

TDA takes a holistic view of resilience using the models embodied in the Resilient Futures Network models to answer the simple question for leaders – “How can we continue to prosper as conditions change?”.  Our models bring together the key aspects of strategy, risk, governance, leadership and assurance to allow for organisational resilience and transformation.

We can assist in a range of ways depending on the needs of the organisation with a range of modules and entry points including:

• Primer – introduction to the concepts of resilience and and understanding of why this is business critical and a potential source of ultimate competitive advantage for your organisaton
• Initial diagnostic – initial assessment of key conditions and capabilities required
• Strategic risk assessment – a deep understanding of emerging conditions, key depedencies and how this will affect the organisation’s business model going forward
• Resilience capability assessment – does the organisation have embedded resilience?  What maturity level is the organisation at now?  Where does it need to be?
• Catalytic projects – demensioning catalytic projects to transform the organisation
• Resilient leadership – training leaders within the organistation on key capabilities to allow for organisational transformation
• Program and project management – ensuring what needs to happen does actually happen

After nearly 20 years working in risk and organisational transformation roles I’m convinced that the next five years will be the most disruptive we are likely to see for a generation.  Those who understand and embrace the concepts will be incredibly well placed to create shareholder wealth and outcomes for their stakeholders.  Those leaders which don’t get their head around resilience are likely to preside over  significant value destruction and be the case studies for poor governance of the future.

For a briefing, please contact Todd Davies on (02) 9043 1719.

Need more information first?

Read Todd’s latest articles on the Resilient Futures Network which demonstrate how key events are unfolding today and how outcomes could be different by embracing organisational resilience.

To subscribe to this series of occasional articles and case studies, please click here.