Thanks for taking time to open our infrequent newsletter and our apologies for the long period between editions.
There are a number of issues and trends that are hot in the risk and assurance space which we wanted to make you aware of.
1. New requirements kick in for listed companies (Principle 7)
2. Updated audit & risk framework for NSW Government
3. Disruption / strategic risk
4. Risk appetite
5. Internal audit best practices
1. Listed Companies – Getting Principle 7 ready
While the most recent changes to the ASX Corporate Governance Principles and Recommendations have been effective from 1 July 2014, many of those changes will come home to bite for the first time as part of the 14/15 reporting season. We have been working with clients to help them to early-adopt and get ready for their disclosures to the market.
Of particular interest is ASX Principle 7, which asks boards to consider whether their risk framework is sound, raises considerations on risk appetite, and imposes if-not, why-not reporting on internal audit.
There will be many interpretations of what “sound” means. Some will be taking a view that sound is “ISO 31000 compliant”, or maps well against a selected maturity model. While this is a solid foundation, in our view it doesn’t necessarily address what is being asked either in intent or substance and can leave organisations exposed. Our standing advice is that the relevant test is whether the risk framework is effective, which is a more pointed question. Listed companies will want to be clear on their framework and approach to this question and put a sustainable process in place. There is still time. Talk to us to find out more.
Internal Audit gets a disclosure trigger this year, and our standing advice is that analysts will be looking to see that this is more than a token effort. We’ve worked with the Institute of Internal Auditors to develop their model guidance on this area, and you can access this by providing your details here. If you need assistance with function design, sourcing or model disclosures, give us a call.
The latest Recommendations also put the question back into the debate as to whether a separate risk committee is required. Our standing advice is that the committee structure needs to be fit for purpose, and there is a structured series of questions that should be answered before forming a view on this.
Irrespective of structure the designated committee needs to consider a range of issues, in particular, the soundness of the risk framework, and whether the organisation is operating within risk appetite set by the board. More on this below.
Lastly, there is a somewhat cryptic discussion of sustainability risks. This is a tentative step towards consideration of external risk impacts rather than only focusing on the impacts internal to the organisation. Our advice is that steps towards integrated and streamlined reporting that considers value in the broadest sense, including extended forms of capital and social license, will be time well spent.
Call us if you need assistance.
2. Updated audit & risk framework for NSW agencies (TPP 15-03)
NSW Treasury has just released its updated Audit & Risk Policy, applicable to all NSW agencies. This covers the areas of internal audit, risk management and audit and risk committees (formerly TPP 09-05).
There are a range of subtle changes in the policy from the previous version, most of which seem sensible and minor fine-tuning. Of particular note is the recommendation to appoint a Chief Risk Officer with responsibility for design and oversight of the agency’s risk framework. While this is not mandatory, it is a strong signal that agencies require someone at a senior level to drive and oversee the framework to ensure it is fit for purpose rather than just ticking the boxes.
We expect a step change in many agencies and for the sector as a whole as agencies move beyond the minimum requirements to a focus on effectiveness and return on investment. Given this will happen at the same time as the requirements for listed companies, we expect a number of developments in the design, operation and evaluation of risk frameworks. Watch this space.
3. Disruption / Strategic Risk
Regular readers of this newsletter are aware that we’ve been very focused on strategic risk since 2007.
Consistently around the world strategic risk is ranked within the top five priorities for audit and risk committees, generating twice as much value destruction as all other risk categories combined. Given the level of business model change being experienced by all sectors, this is only likely to increase.
Managing strategic risk requires a different set of capabilities to traditional risk management, bringing the discipline of risk management but firmly anchored in and bridging with strategy and sustainable value generation.
We’ve been working with a range of companies on getting the frameworks right for strategic risk, building their internal capability, identifying and understanding emerging strategic risks and stress testing their response plans to those issues. This is profound and important work and if we’re not talking to you about this we should be.
Talk to us to find out more.
4. Risk Appetite
Risk appetite is very much on the agenda for boards and audit and risk committees in all sectors.
While the notion of risk appetite was originally conceived as something separate and distinct from risk tolerance, tolerance and capacity have dominated the discussion and thinking.
While this is an important perspective for setting minimum limits, it largely misses the intention of risk appetite statements and is resulting in risk averse organisations.
Using today’s framing, instead of saying “I’d really love to go out for an interesting meal”, today’s risk appetite statement would say “we don’t want to drive across town, or to get caught in the rain or get food poisoning.” The conclusion to which is “let’s just stay home.”
During a period of disruption, standing still is a recipe for value destruction.
Paradoxically, the risk profiles of conservative organisations are often higher than those of active risk seekers, and over time downside risk only increases. You only need to think of organisations with significant restructuring costs or asset write downs to see this in effect.
In many respects the risk appetite statement is the master delegation instrument of the board. When done well it is a clear guideline for empowerment and not just setting limits. During periods of disruption and necessary agility this is more crucial than ever and is very much in focus for Australia’s top directors.
We’ve been working with several companies to refresh and reframe the discussion on risk appetite. This is empowering boards and management to focus on value creation, opportunity and urgency in the context of strategy while also dealing with managing risk downside.
Talk to us to find out more.
5. Internal Audit trends
We’ve been delighted to work again this year with the IIA and Protiviti to conduct their annual survey of internal audit trends from the perspective of internal audit functions and informed by a regular survey of stakeholders.
For a summary of key themes, please provide your details here and we will email you a link to the content.
Our current focus
Our current focus is very much on risk and internal audit effectiveness, in particular ensuring that in-house teams are focused on the right areas and initiatives. We’ve been working with a number of listed companies in this area as a sounding board, facilitator and coach with a particular focus on supporting the next generation of audit and risk leaders to achieve their full potential.
In addition, through our work with Resilient Futures we’re very excited about the upcoming launch of Disrupted later this quarter and the programs designed to help organisations develop strategic capability to allow them to deal with sustained periods of disruptive change.
If either of these areas is of interest to you, please get in touch.
We look forward to talking with you soon.
Todd Davies & Associates
Is any of this of interest to your colleagues and stakeholders? If so, pass it on.