By Ken Weldin
31 July 2018
In late May/early June, the Governance Institute of Australia held a series of Governance and Risk Management Forums across Australia. PKF was pleased to act as national sponsor for these events and to have an active role in each Forum as they moved across the country exploring current themes.
In most cases these events moved to a two-day format reflective of what the Institute’s CEO Steve Burrell described as “unparalleled times for governance professionals”.
Context for Governance in 2018
The 2018 governance landscape is being dominated by a number of major events which have Boards and management teams racing to ask – “tell me we don’t do that, do we?”
The year started with Larry Fink, Chairman and CEO of Blackrock, the world’s largest investor, commenting as follows in his annual letter to shareholders:
“…to prosper over time, every company must not only deliver financial performance, but also show how it makes a positive contribution to society…Companies must benefit all of their stakeholders, including shareholders, employees, customers and the communities in which they operate...”
From global to more local matters, these themes of positive contribution, impact and the role of culture were continued when the ASX’s Corporate Governance Council released the fourth edition of its Corporate Governance Principles and Recommendations for public consultation.
Between these two documents however, the Royal Commission into Misconduct in the Banking, Superannuation and Financial Services Industry commenced under the Honourable Kenneth Hayne, AC, QC.
The related collateral events of the crisis at AMP on the back of a fee for no service scandal and the report by the Australian Prudential Regulation Authority (APRA) into conduct at the CBA underline this point. Chairman, Directors and CEOs have fallen at AMP following an investigation by AUSTRAC, the federal financial intelligence agency, and CBA has accepted the largest fine in Australian corporate history – $700 million.
During the commission hearings, a series of revelations played out publicly – and they continue to do so. Together with the AMP cases and the “must read” APRA CBA Report, they demonstrate all too vividly, what happens when organisations and individuals lose sight of ‘how’ and ‘why’ they do business and they become complacent about the governance and risk levers designed to offer protection.
Against this context, several key thinking points came out from the Forums as follows:
Culture: All businesses large and small can learn from the APRA report and the Royal Commission
· Remember the movie Jaws? For some it is a morality tale about the dangers of extramarital sex and the inability of a weak father to control his family and his community.
· Just as Jaws is not about the shark, the APRA report is not about financial services!
· Many businesses will aim for what APRA described as a collegial and collaborative working environment which places high levels of trust in peers, teams and leaders and the ‘good intent’ of staff.
· However, these positive elements of a sound culture can also have a downside when acting with integrity as a non-negotiable.
· Pursuit of consensus can lessen constructive criticism and lead to slower decision-making, lengthier and more complex processes, and a slippage of focus on outcomes.
Key question: What are the positive elements of your culture hiding?
Complacency: The real danger when it comes to risk management is complacency
· Australia has enjoyed 26 years of economic growth with a 27th more than likely next year. Many large organisations seem to perform ‘well’ or ‘well enough’ and that ‘we don’t need to worry about all that risk stuff’.
· Success can dull the senses and complacency can lead to inadequate challenge.
· How robust are your models – both macro and at the individual product or business unit level? Is your organisation thinking about stress tests or contingency planning?
· Or are you complacent:
a) around your economic environment
b) and/or what does this mean for your control environment?
Key question: Do you tend to rationalise problems away more in hope than in true mitigation?
Data & cyber risk: As risks go, cyber and data loss is high profile, damaging, often invisible and impacts reputation immediately
· Many organisations taking this risk seriously see cyber as a non-delegable risk for the CEO and there is increasing talk in the market now around Data Ethics Committees.
· Are you strategically positioning your Chief Information Officer, or your Chief Technology Officer? Or is that who you call when your mouse is not working?
· A powerful video was shared in the Forums – search Deloitte, Companies Like Yours in YouTube and you can see why major organisations such as IBM have banned USB sticks.
· This is a small example of what can be done, but what else are you doing?
Key question: If large corporates and government departments with significant resources are falling foul of this, why do you think you won’t?
Climate Change & Environmental, Social, Governance (ESG) risks: What was once a fringe topic, is moving into the mainstream
· Speakers from Climate Works, Aither, Morrow Sodali, KPMG and others presented research from shareholder groups confirming that climate change and ESG topics are increasingly important in shaping investment decisions.
· Even if you as an individual are less convinced, more and more of those you are dealing with in your supply chain, customer base and investors are concerned about these issues. The tone and message of the Larry Fink letter sends a clear signal of this.
· Last year CBA faced a class action around the inadequacies of its climate change disclosures within its investment and lending base. Just under a quarter of the questions at the recent AMP AGM were on the topic.
· Will consumers and stakeholders switch away from you, possibly forever, if a greener, cleaner, more socially responsible alternative presents itself? If you are not asking this question, then you should be.
Key question: Are we being tolerated simply because there is not a more socially responsible alternative?
Drawing these themes together, what is on the mind of today’s Chief Risk Officer? Speakers such as the risk leaders from Santos and Bendigo & Adelaide Bank concluded as follows:
- Culture, culture, culture. This word has been around business for some time now, but this is surely the moment when it becomes unavoidable. There is a key difference between the culture you ‘want’ as opposed to the culture you actually ‘have.’
- A key challenge for risk is to consider how do we as individuals and teams concentrate in today’s digital world, given fast moving innovation and the automation of many tasks.
- Risk needs to be a ‘do-ocracy’, in that it needs to get things done and as such, the ‘Risk team’ alone cannot be the sole owners of risk behaviour.
- Imagine yourself sitting beside a customer when you make your decisions – would it change your behaviours?