Managers face risk every day, in every decision they make. Put away the Mylanta. Although you can't eliminate risks, there are ways to ensure you're taking intelligent ones.
When HIH went into provisional liquidation in March with debts estimated to be as high as $4 billion, many Australian battlers - not to mention other insurers, businesses and governments - were left holding the can.
Whatever the Royal Commission's eventual findings, we can safely assume that the collapse came about through a litany of failures by the board of directors, management, the auditors, and by both regulators: the prudential regulator APRA and its corporate cousin ASIC. However, above and beyond that, Bruce Ferguson, national president of the Association of Risk & Insurance Managers of Australasia (ARIMA), believes the collapse points to a failure in the execution of risk management.
Organisational risk management is a structured and disciplined approach to managing risk. It aligns strategy, processes, people, technology and knowledge with the practice of evaluating and managing potential pitfalls.
And risks abound. Accelerated pace of change; increasing complexity in the global economy; the heightened expectations of customers, shareholders and regulators; changes in technology and brutal competition are just some of the risk factors organisations have to be prepared to address. While the focus of many organisations' risk management effort remains on the financial aspects of the business, experts say risk management in the 21st century should cover every aspect and activity of the business, including e-business and activities like mergers, acquisitions and take-overs.
"Risk management is increasingly being seen as part of corporate governance. If you view corporate governance as being the glue that binds the organisation's controls, then risk management is seen as providing the resilience, the shock absorber to the corporate body," says Kevin Knight, president of the Australian Institute of Risk Management (AIRM).
"If corporate governance and risk management were tied tightly together as part of the overall way in which boards function, we shouldn't end up with nasty surprises like we've had with HIH because quite simply the bells should have been ringing and the information should have been coming through."
As it happens, ARIMA has no doubt the Australian Prudential Regulation Authority (APRA) was "found lacking over the collapse of HIH Insurance". In a statement released by ARIMA, Ferguson called on the government to overhaul "APRA's legislation to ensure the market knows what's going on, so we can never again get caught in such a mess as the sorry saga of HIH."
APRA is producing a prudential standard that deals specifically with risk management, including the processes that need to be in place in the business and the reporting processes that should be used to inform the board of operational and other business risk issues. Had such a standard been in place before the HIH collapse, the outcome might have been different.
"[Within HIH] there would have been warning signs internally for some time that something was going wrong," Ferguson says. "Now I'm assuming directors didn't know that they were trading insolvent because if they did they're in all sorts of trouble. So obviously there were no systems in place internally to put up the warning signals.
"You need to have a systematic approach to these things and so there needs to be systems in place that are warning directors what's going wrong in the organisation."
Likewise, while the Australian Securities & Investments Commission (ASIC) is calling on organisations to state their risks in their annual reports, Ferguson says ASIC only requires superficial risk reporting, in contrast to its rigorous demands for accounting reporting.
In the case of HIH, the results of both failures may yet prove devastating. ARIMA believes concern about the future of the Australian insurance industry has led to a substantial outflow of business into the international markets, particularly London. In addition, some economists are warning the multibillion-dollar collapse is likely to be the main factor contributing to weak growth in gross domestic product in the next quarter and will trigger a wave of bankruptcies and send the building industry into turmoil.
None of the people who might be blamed for the failure of HIH are likely to come off entirely unscathed either.
Risk management is accepted best practice for reducing the shock factor: a way of dealing with a concern before it becomes a crisis. Since you can't hope to read the future, applying structured risk management offers some hope that you can at least get advance warning of some of the pitfalls looming on the landscape and take action to minimise the likelihood or impact of potential problems. It's just the insurance HIH needed to protect itself against an uncertain world.
Leader of the Pack
With this and other prominent failures routinely hitting the headlines, it might seem surprising to learn Australia is very much at the forefront of risk management development. Yet it is. For one thing, it was the first country to have a formalised standard for risk management: AS/NZS 4360, first released in 1995 and updated in 1999. Developed by Standards Australia together with Standards New Zealand, 4360 sets out a process that begins with establishing the context, followed by identification, analysis, evaluation and treatment of risk, with monitoring and communication running through every step.
The $100 billion a year UK National Health Service (NHS) was so impressed it has bought the standard for its million-strong workforce to help them manage the many risks of a large health system.
Announcing the deal, Stuart Emslie, head of controls assurance for the National Health Service in England, said:
"Recent evidence suggests that adverse events and failures of all types in health care happen because of failures somewhere in the continuum of care and service. As many as 80 per cent of adverse events occur because of the failure of a system rather than a person.
"The current thinking around health care systems is making accountability for point-of-care problems an organisational issue that is the responsibility of the board and senior managers rather than purely an individual mistake. It was for this reason that we decided to adopt the Australian risk management system approach."
Ross Wraight, chief executive of Standards Australia, says it is important for organisations to make informed decisions to either accept, transfer, treat or ignore their risks. The risk management approach puts forward a process of prioritisation designed to help facilitate that decision.
Passing the Buck
While US organisations like to consider themselves at the forefront of risk management activities, risk management there tends to be synonymous with using insurance as a vehicle for transferring an organisation's own risk to someone else. In Australia the emphasis is usually more on examining holistically the entire risk management exposure of the organisation and considering insurance as well as other alternatives to find the best ways to manage that exposure.
How should risk management be structured? There's growing consensus worldwide that boards must accept final responsibility for - and oversight of - an organisation's analysis of and response to risk.
For now, financial institutions, utilities and energy companies tend to be ahead of the rest in risk management efforts. As organisations move to triple bottom line reporting (embracing financial, environmental and corporate citizenship), risk management comes into its own as a means of preventing undesirable outcomes.
"At the leading edge we're seeing more explicit quantification of risk with a view to linking that to capital," says Robin Low, risk management partner at PricewaterhouseCoopers.
"We're seeing this particularly in the banking sector where they know they're carrying quite a lot of capital that relates to operational risk. They want to understand what drives that risk, how much capital is at stake and whether it's worth investing more to improve the processes and reduce the capital. It's getting quite sophisticated in terms of closing that loop between risk and capital and risk and performance," Low says.
Influenced by the regulatory process, many organisations in the financial sector have a dedicated risk management structure, she says. However, while the financial sector is most advanced, there are other organisations in other sectors that also manage risk well.
That includes government departments and agencies. Knight says that while the Australian private sector works on the assumption that it knows everything and the public sector knows nothing, the reality is that the public sector has always had to excel at managing risk because government policy has prohibited public sector agencies from insuring against failures.
"The public sector is miles ahead," Knight says.
Risk management can look at specific issues and be focused, or it can be managed holistically. Ian Deayton, divisional director of risk management at broker Heath Lambert Australia and a former risk manager of the year, says the latter approach is vastly more effective.
"While I don't put adjectives in front of risk management often, I'm starting to use the word 'holistic' because most specialist consultants talk about all sorts of risk management and it confuses people," Deayton says. "We talk about enterprise-wide risk management, strategic risk management, operational risk management, traditional risk management, e-business risk management and financial risk management. All those adjectives really form part of a holistic approach to risk management, which encompasses all the risks in a business."
Take IT risk management. IT systems are vulnerable not only to hackers and to software and hardware failures, but also to damage by fire and flood, and to the actions of careless or vengeful employees.
"The risks go on and on forever, and when you put an adjective in front of it you tend to restrict people's thinking," Deayton says. "Some people think risk management is issuing bits of paper that have procedural things on them. That's part of it; but you've got to actually understand everything that happens in a business."
Figuring out your areas of risk exposure typically means talking to everyone involved with a potential risk, looking at the risk from every possible aspect and getting your hands dirty. A good risk manager can't sit behind a desk, Deayton says, and even a dedicated risk manager needs outside help from a wide range of people. For instance, if the risk in focus is a particular occupational health and safety issue affecting one of his clients, Deayton might consult a sports medicine specialist, because the injuries people suffer at work are not dissimilar to sporting injuries. If he is looking at ensuring business continuity should the main manufacturing building burn down, he might talk to real estate agents about whether other properties of similar size are available in the area.
How Deep Are Your Pockets
In a period of growing economic turbulence, the corporate sector is facing the burden of increasing litigation and more onerous legislation.
"The era of blaming and claiming is definitely upon us, and the deep pocket syndrome ('make the party which can afford to pay bear the biggest burden') is more prevalent than impartial assessments of contributory negligence," Ferguson says.
Legislative changes are forcing corporations to act more responsibly and to be more accountable. These moves accentuate the importance of risk management within the management process, Ferguson says, and he argues that more widespread application of sound risk management is the only way to overcome these perils.
"The greater the risk environment, the greater the need for organisations to employ risk managers and to develop processes that facilitate the implementation of risk management throughout the organisation," he says. "In many cases, due diligence is the only defence, and due diligence can only be displayed by having effective corporate systems in place.
"Company directors have a responsibility to ensure that risk management processes are sound. The Australian Stock Exchange listing guidelines require acknowledgement in the annual reports of publicly listed organisations that risk management processes are in place. ASIC will get tough with organisations which do not implement risk management, and shareholders demand sound risk management to protect their investments."
However, even if the understanding of risk management in Australia's boardrooms is broadening, Ferguson says much still remains to be done to educate Australian directors. Surveys show that far too few company directors understand the concept, and few boards have risk management committees. That failure leaves them massively exposed.
"The fallout from a risk management failure is much greater than just the pure dollar cost. The bad publicity that is generated can be hugely damaging to an organisation's public image. That cost is difficult to quantify, but the ramifications are long-term and far-reaching," Ferguson says.
Managing risk is essential to good business practice; it relies on common sense and the implementation of sound structures to ensure nothing is overlooked. In the increasingly litigious environment facing Australian corporations, the importance of communicating with stakeholders cannot be overemphasised.
Ferguson says it is unlikely that the propensity for Australians to litigate and to participate in class actions will abate. Risk managers, therefore, must accept that there is a certain inevitability that legal action will start, and implement strategies to first limit the likelihood of it occurring and, second, manage it in the best way possible should it occur.
Experience has shown that organisations which implement strategies quickly to defuse potential litigation by early intervention can keep costs down and achieve more equitable, faster settlements for all involved.
To Risk or Not to Risk
Standards Australia says risk management is increasingly becoming an integral part of an organisation's agenda. Employing sound risk management practices is a journey which evolves as specific organisational needs and capabilities mature.
"The key to successful risk management is to recognise where you are on the journey and to consider where you want to be as you embrace the challenges and benefits of adopting sound risk management practices," the organisation says.
"An organisation at the end of the journey can confidently manage both the negative and positive consequences of risk. By taking a thorough and consistent organisation-wide approach to risk identification, analysis and evaluation, and by adopting sound communication practices, an organisation can control the negative consequences of risk and exploit the opportunities for growth and wealth creation that risk presents."
AIRM's Knight likes to quote the following remarks from a Canadian professional director, published in Guidance for Directors Dealing with Risk in the Board Room.
"As I look back on my career as an independent director I realise that my efforts were mostly futile," the director says. "Management gave us reams of information about past performance, and we dutifully discussed it. We were looking at the wrong information and asking the wrong questions. We should have focused on the future and questioned the strategy and competence of management to execute it. The board did not wake up until it was too late."
Knight says: "You think of any of the corporate collapses and that's what it generally comes down to: that unless the board has been conniving to bring about the collapse, the fault is most likely to lie with the information that is being fed to them.
"And one of the things that we're trying to do in a lot of the public sector now is to say when you're doing your strategic planning, strategic management activities, what are the risks that have to be managed in order to turn that into operational reality? By applying the 4360 process to the strategic plan of the company at board level and at various management levels, you're asking what are the skills, knowledge and resources you need in order to manage that and achieve those outcomes.
"We aim for the heights and we make sure we manage the risks by providing the knowledge, skills, ability and resources to achieve it," Knight says.
Taking No Chances
E-business is a risky business.
Companies with holistic information risk management strategies are more likely to be protecting their revenue stream, brand, market capitalisation and customer retention rate. So said business advisory firm KPMG in a recent e-business white paper. KPMG's national e-business and e-assurance services leader, Ted Surette, says tackling the risks inherent in each layer of the business model, and dovetailing that strategy with all other plans in the company, is "fundamentally good for business".
"Taking a holistic approach to risk management at the start of an e-commerce venture supports the growth of new products, enhances the capability of infrastructure and drives new ways of relating to customers. It's better for e-business than bolting on a few risk procedures or policies at the end of a project," he says.
KPMG advises organisations to consider a six-point risk management framework comprising: an integrated strategy endorsed by all levels of management; a designated program "office" charged with overseeing risk initiatives; risk policies and procedures covering business strategy, e-strategy and IT strategy; operations and monitoring; applications infrastructure; and technology infrastructure. Without risk management, your e-business projects are unlikely to deliver, Surette says.