Risk management culture: Is your organisation ‘risk-ready’?
The single most significant event to jolt the business community into taking risk management seriously was the global financial crisis (GFC). That was over a decade ago. Today, economic conditions have evolved and while the risks may be different, they are no less urgent. Businesses face a future where technological resilience can make or break business models and innovation is a key to survival.
In this interview, I ask Joanne MacDonald, director of MacIsles Consulting and former head of risk management and compliance at Colonial First State Global Asset Management, for her views on the state of play on risk management in Australia.
Ten years on from the GFC, how mature are Australian businesses in their approach to risk management?
I think capabilities are mixed. Some firms, particularly in the mining, airlines, pharmaceutical and construction industries, were already quite sophisticated well before the GFC. Post GFC, there is clearly a better awareness of risk, but the jury’s still out on whether it’s being managed more effectively. It may well take another major financial downturn like a recession to test that maturity.
What aspects of risk management could businesses improve?
I think the engagement process on risk and how it’s understood in the organisation can be improved. There’s an opportunity here for risk professionals to step up and help their boards by giving them quality intelligence about their own organisation and the environment they’re in.
A good risk professional can also help shift the traditional focus on downside risks to a more positive conversation about how risk management can create value, drive innovation and maximise opportunities. Businesses are very risk-averse at the moment. And the mood’s been driven by a range of factors — the macroeconomic environment, shareholder and community expectations, and government policy settings. I believe this negative mindset is getting in the way of our national innovation agenda.
Properly skilled risk practitioners can help shift this mindset. They need to have the acumen to work with the business and apply commercial thinking in a risk environment to come up with solutions that support growth and drive value. They need to know how to articulate value-creating opportunities so they resonate with the board and executive, and filter through the organisation effectively. That’s how you earn a seat at the board table and make risk management relevant and valuable for the business.
What are your tips for embedding a strong risk management culture in an organisation?
A genuine risk management culture is not about whether you have the right systems and processes. It’s about how people in the organisation think and behave. And changing human behaviour is a gradual process. It can take five to ten years to build a solid culture.
To develop a positive risk management culture, I think you need first of all to reward vigilance. That means putting in place appropriate remuneration and incentive schemes to reward the right approaches to risk throughout the organisation. It also means having genuine whistleblower policies that allow staff to fearlessly report breaches of company standards and laws to independent channels.
I also think the board and executive need to pay attention to behaviours at the shop floor level. They can start by venturing out of their offices and talking to staff at all levels and tapping into grassroots intelligence. That’s how you get to know how far the culture you want to develop has permeated through the organisation.
Finally, ensure you focus on upside risk as much as on negative downside risks. The best risk professionals understand that their role is not just to protect their organisations from harm, but also to help create value for the future.
What in your view are the top three business risks facing Australian businesses at the moment?
I think three important risks all organisations need to be on top of are procurement risk, physical and IT security risk, and regulatory risk.
Procurement is a real ‘bread and butter’ issue. All organisations need to ask themselves if they are getting value for money from their supplier relationships. Are they maximising their purchasing power? Preventing fraud? Ensuring there are no conflicts of interest? Should they go to tender to test the market and potentially get a better deal? It’s easy for companies to get distracted by the latest ‘flavour of the month’ risk event and forget about core matters like procurement that can really drive value in the business.
Security risk, both physical and technological, is also very important. Everyone is talking about cybersecurity risk today, but in my view, this is simply a modern take on longstanding risks like information theft and corporate espionage which have been around for decades. Businesses must take this seriously and develop a cohesive plan to address information security risk.
But at the same time, they should not neglect physical security risks. This is absolutely critical to keep employees and business assets safe. Imagine the consequences of an intruder gaining physical access to a server room, or a fire destroying key business infrastructure and you will immediately realise the importance of this aspect of security.
Regulatory change is another concern. The volume and frequency of regulatory change — both at global and national levels — is a real challenge. I believe that an important part of managing this risk is to ensure that as a business you give appropriate focus to the advocacy stage. That means getting in early and having your say on regulatory proposals when they are at the consultation phase. This is your opportunity to influence and shape regulation before it is finalised. So aim to ensure your voice is heard either independently, or through a professional association such as Governance Institute.
Joanne MacDonald will chair Governance Institute’s Risk Leaders’ Symposium which will be held in Melbourne on 12 May 2016.