The Davies Report – November 2019

The Davies Report - black swans

Foreword: Insecure animals are the ones that bite you

In the lead up to this edition, I find two separate comments keep replaying over and over in my mind.

The first one comes from an experienced dog trainer who once told me that she was fearful of insecure animals and refused to train them. “They are the ones that bite unexpectedly.

The second one comes from one of Australia’s most respected Chairmen. He told me “Tell me everything I need to know… and nothing I don’t.”  

It’s a simple yet profound request and reminds those at the apex of organisations that it is their responsibility to drive the information torrent through the proverbial eye of a needle and make sure the most important messages are received loud and clear.

Today many watchdog regulators are under pressure to bite those that they regulate. Some routine accreditations feel more like a modern tax audit that can take additional twists and turns than the traditional rubber stamps of days gone by. Preparedness, clear communication and documentation are essential.

As regulatory change and other change comes galloping at us, the need to communicate well is higher than ever. This is the theme for this edition. We hope you find it useful.

In this edition:

  • The regulators are revolting
  • Cognitive overload – time for a prune?
  • ASIC slams risk reporting
  • Is internal audit reporting also losing its way? 
  • Are your RM, IC, and A effective and appropriate? 
  • Where we fit in the market
  • Let’s talk
  • Postscript for our regional and international readers

The regulators are revolting

In the last few years I’ve been looking at the work programs and practices of regulators across a range of sectors – aged care, disability, early childhood, education, health, transport, corporate, the listed sector and financial services.

The thing that strikes me is the commonality of experience and pattern of response:

  1. Regulators caught wanting, often surfaced as a result of media scrutiny and/or a royal commission
  2. Regulators scrambling to act, often before time for deep thinking or new capabilities are put in place
  3. Affected companies scrambling to get on the front foot, often with skittish regulators, stakeholders and their staff making decisions on the run
  4. Increased investment and prescriptions that don’t get to the root causes
  5. Limited certainty of outcomes or if the original issues will be fixed
  6. Cottage industries sprouting like mushrooms after spring rains.

Many of the proposed solutions propose the same old approaches that failed last time, possibly with a bit of extra flavour around culture. 

The deep reflection and breakthrough thinking of previous corporate governance scandals haven’t happened this time around. Incrementalism and cobbling together on the run seems to be the solution of the day.

I’ve lamented this previously and publicly. One that surprised us was to see the early childhood model lifted and applied to a big bank and held up as an exemplar when flaws in that model are well known and being worked on as we speak. Surely we can do better.

We’ve been working with some organisations to put a different approach in place that leverages what’s already in place, but gets back to fundamentals from the Canadian Criteria or Control, excellence and effectiveness models and the joining up of values, conduct and brand integrity.

We signposted some of this in our webinar for the Australian Institute of Company Directors during the Hayne Royal Commission, but our work has progressed significantly since then in theory and practice.

If you are facing regulatory uncertainty, would like to get on the front foot with brand integrity, and get higher engagement on these issues, or would like to find out why our AICD webinar received a NPS of 9 and is permeating mainstream thinking and practice, please get in touch via the links below.

Cognitive overload – time for a prune?

The July to September period is always a heavy load for those on the committee circuit. It’s the time of year where many things need to be signed off, often all at once.

At this time of year meetings can bunch like trams. Directors can be required to digest thousands of pages of material in compressed timeframes. They need to do so in a way that allows them to digest and retain it, stand back from it all, discern the things that matter, do their own due diligence and direct the organisation. 

This is not an easy task even for those who are well tested. But this year is different. As regulators, advisors and professional bodies individually crank up their printing presses, their detailed, prescriptive and often competing guidance is causing information overload, all potentially with heightened consequences. 

Getting the information flows right on complex matters is a perennial challenge. There is nothing new in this, but the current environment is different.

Competing guidance and policy on the run is prolific and this adds to the task.

It’s my view that in a period of information overload, combined with a period of regulatory change, many stakeholders in governance roles have cognitive overload as well heightened anxiety as the watchdogs get ready to bite. 

Uncertainty + lack of clarity + overload is not a good recipe for anyone in leadership roles.  If you’re seeing different behaviours from your stakeholders then possibly this is one of the causes. 

Great reporting and summaries remain critical now, possibly more so in the past. Getting it right at the apex of an organisation is an art akin to “driving a camel through the eye of a needle”. Having said that there are many tried and true methods.

But caution is warranted before implementing change. As we often say, risk lessons are often universally applicable, templates less so. In fact, in all the assignments we’ve run over the years, it’s very rare that we’ll use the same templates or reporting constructs without at least a 20% tweak, or wholesale customisation to make them work. Methods are and have to be contextual.

Now is a great time for a fresh set of eyes on your committee packs, particularly if you want to get a clear and unified direction that drives results. Call us if you’d like some help.

ASIC slams risk reporting

Just as the global financial crisis was the watershed moment for banks to focus on financial risk, we see this as a watershed moment for boards to focus on their on non-financial risks. James Shipton, Chair ASIC

ASIC’s recent report on non-financial risk slammed risk reporting in financial services. In an era of cognitive overload we decided to summarise James Shipton’s launch speech on Twitter to make it easy to digest. You can find our summary here. It’s an important read with strong signalling.

While some of ASIC’s prescriptions are debatable, their findings on risk reporting and board risk committees are unequivocal. ASIC concluded that in an era of cognitive overload, committee packs are too big (300 pages plus), not well synthesised and not allowing boards to do their job well. Based on what we’re seeing we agree with those findings. 

ASIC also indicated that they will be shifting into supervisory mode in this space. It is time to get on the front foot before you get an unannounced visit.

If you are experiencing any of the following, it’s time for a check up. 

  1. Limited committee engagement, or engagement on the wrong thing
  2. Risk reports noted but limited progress quarter to quarter
  3. Clear or apparent confusion by stakeholders
  4. Lack of retention of content or decisions
  5. Unclear delineation and roles between audit and risk teams and agenda items
  6. Audit & Risk Committee packs more than 300 pages.

We have been working with a range of organisations to tweak how they report risk to board committees with great results. We can help with a quick assessment and practical advice on your board risk reporting and forward program for under $10k. Contact us to find out how.

Internal audit reporting also losing its way?

Many years ago I was appointed as an independent expert to do a technical review for a major internal audit function’s work. I was asked to form a view on whether there was a systemic problem with the way that work was performed and the ability to rely on the reports provided. While I can’t disclose the results, my conclusion wasn’t positive despite the work being of a high standard relative to most peers.

I’ve been surprised lately at the quality and variability of internal audit reporting. The craft seems to have slipped and moved away from its anchors and backbone in many places.

I’m not talking about the quality of writing or use of prose. What I’m talking about is report summaries that present clear, readily digested conclusions and summaries for executives and boards – apex reports. 

Many are long-form meandering narratives which “bury the lead”, requiring readers to hunt for the important details. Others provide summaries that are so brief that important details are omitted. Getting this right is a balancing act, but as the most important work product this is critical. This is consistent with ASIC’s findings. 

Leaving readers to “choose their own adventure” or conclusion is unacceptable. Alas, it is widespread.

Much of this goes back to underlying methodology, whether desired conclusions and opinions are well defined during scoping, and whether the work program then aligns to support these opinions. Much of what I see does not meet these tests, including practices by respected in-house teams and some of the biggest service providers.

After many years of trying to remedy this within the professional bodies through guidance, national roadshows and masterclasses on this topic I’m increasingly of the view that internal audit is incapable of self-regulation and it may be time for regulators to step in. This won’t go well. Self help is always better if there’s sufficient drive. There’s time.

As with the other matters there are proven pathways. I’ve been pleased to help both large and small teams to put the fundamentals in place and hone their work product within a fee range that works with them. Those IA shops get constantly high satisfaction scores and would pass an ASIC or TDA review with flying colours. There’s no rocket science in it, but it requires focus, discipline and some fit for purpose tailoring.

If you would like to know if your assurance reports are hitting the mark or whether you can rely on them, please get in touch.

Note: This is a focused question and is different from a standard quality review of your internal audit function against IIA Standards. It is important to understand the distinction. If you’re unclear on this please feel free to get in touch.

ARC pack reviews

Thanks to everyone who took up our offers for the ARC pack reviews. They went even better than expected with some great feedback. Two of our clients got promoted within 3 months of working with us too. We can’t take credit for this but there is a recurring pattern here. Here’s some of what people said.

“It was useful to get above the individual papers and get a perspective on the full year’s program in a holistic way. Possibly the best bit was being able to workshop ideas and solutions – to quickly explore the ones that made sense and get advice on how to make them work in practice. We now have energy behind making the changes.” Company Secretary & Chief Risk Officer, ASX 100

“I was really happy with what I got. It was great to have a mature discussion about my work with someone of Todd’s experience and intelligence.” NPS of 9. Small government agency.

The offer very simply is an intensive review of the ARC’s work program and pack in two very compressed days for under $5k.  The value is compelling, particularly right now. Contact me for a fact sheet or just click the button below.

Are your risk management, internal control, and assurance effective and appropriate?

Working around the country I see a lot of different regulatory frameworks and have had a hand in some of the better ones over the years (ASX and various state governments). 

The NSW government regime is often held out as an exemplar for government and as a case study for driving sector-wide uplift in capability and performance in audit and risk. It is now recognised internationally and I’m pleased to have had a hand in its original constructs.

There are two things that make it work that are sometimes overlooked:

  1. Changing the way government works with Audit and Risk Committees – upping the expectations, the talent pool, using these highly experienced driven people as the catalyst for change and paying them fairly for doing so
  2. Enough prescription in the rules, guidance and reporting until people master the latest versions of the craft.

From 1 July 2019 the relevant legislation in NSW changes with a simple but profound requirement. Risk management, internal control and assurance must be effective and appropriate.

This language sits incredibly well with me. Regular readers will be familiar with our relentless focus on fit for purpose approaches that get the job done. 

While these terms are not yet defined in their legislation or guidance, the intention is pretty clear. 

Appropriate means that the approach is fit of purpose – no more complex or process-heavy than it needs to be for each risk category. And also no less. 

Effective is pretty simple. The job gets done and shows up in the results. Again, there are great opportunities in this space, to move from box ticking to driving results in a manner that’s fit for purpose and drives improvements in risk profile, control effectiveness and strategic thinking. 

There’s a role for everyone in this, but in particular the annual review of risk management effectiveness at the leadership and governance layers is an important starting point. There are also great opportunities in risk competency, internal standards and champion accreditation.

We are working clients in both areas. If you would like to benchmark what you’re doing or put something in place in a cost-effective way, please get in touch.

Where we fit in the market

We realise that there’s a lot of competition for your time and a lot of choice when it comes to advisors and support. Here’s a quick recap on where we fit.

Todd Davies & Associates provides short, sharp, targeted interventions that drive sustained improvement in capability and performance. 

Our positioning is that of an experienced senior partner, but at a freelance price point and in bite size chunks. 

We work with in-house teams to help them build capability and keep costs to a minimum. This enables us to deliver high value for small outlays and helps us in our quest to build sustained improvements in capability across the entire economy by helping as many organisations as we can every year.

People tend to hire us when they need:

  1. Help with an ill defined or emerging challenge.
  2. A short, sharp diagnosis or intervention that will help to drive sustained uplift in capability and performance
  3. A piece of work or thinking that can’t easily be delegated or outsourced
  4. A leadership perspective that is commercial, pragmatic, tested and technically sound
  5. An outcome for a small financial outlay.

Often we are hired before a brief is clearly defined as part of determining what the underlying issues are and how to go about tackling them.

These are niche areas that we’re geared up to address. If any of these sounds like you or you would like to understand how we can help please let me know.

Let’s talk

Audit and risk leadership positions can be isolated roles. It helps to have someone to bounce things off.

People occasionally tell me that they don’t get in touch because they think we might be busy. This is a shame and a missed opportunity. 

Please rest assured that nothing makes our day more than working through a new problem or challenge, or just hearing from one of our regulars.

If in doubt, please give me a call, book a time to chat on Calendly, or just drop me an email. We’re here to help.

Until then, go well.

Todd

Postscript for our regional and international readers

Thanks for taking the time to read all the way to the end.

I’m pleasantly surprised by the number of audit and risk leaders from around the world in prestigious roles and organisations who read our content. You’re in very good company.

Our newsletters align with our mission of doing what we can to move the dial in our home market. But this doesn’t mean they’re not for you.

Australia is a big place. It is 6 hours in a plane from east to west or from top to bottom. Our nearest capital cities are 3 hours apart. The ability to provide remote support without getting on a plane is essential.

For many years we’ve put digital solutions in place to service clients in all locations and keep our air miles down. We aim is to be available irrespective of what city we might be in on any given day.

Modern digital solutions mean that if you’ve got an internet connected device we can support you. Please don’t let location be a barrier to working with us. 

If anything in our newsletter resonates with you or you like our thinking and think we might be able to help, we’d love to hear from you.

Found this useful?

If so, please pass it on or subscribe here to make sure you never miss an edition.