06 Aug First glimpse at the state of play in the Risk Management Industry post Covid19
Without question, the Coronavirus has been the pivotal risk event in 2020 which has shaped and re-framed all other risk exposures; a genuine tectonic shift in the risk landscape. It’s useful for us then, to peek at one of the first surveys of the risk profession that was conducted during the first wave of infections (March 2020) and was written with a degree of reflection in the following two months. Perhaps this is our first chance to look up and reassess our own positions and practices.
Many of us will probably need to consider how our own ERM roadmap must be reconfigured for the future. The survey was conducted by the Governance Institute of Australia in their latest Risk Management Survey Report. 393 organisations responded with a breakdown by the industries shown here.
With 71% of the businesses only operating inside Australian territory, we should be careful to avoid assuming that all the issues highlighted have global applicability. However, 45% of the businesses surveyed, reported annual revenues in excess of AUS $100m. Amongst respondents, 39% declared themselves to be senior governance or risk management professionals and a further 17% were CEOs/C-Suite execs.
With 22% of the respondents working in the health care and social assistance sector, it is not surprising that several participants cited as pandemic as a risk and referred to “increased demand for our health services” as a risk their organisation was managing.
Risk Context for the survey
For a country that had only just started to recover from the devastating bushfires that started in late 2019 and were contained in February 2020, the impact of Covid19 on Australian businesses has been unprecedented. In some senses, those bushfires have fallen out of consciousness as the pandemic appeared to exhaust all available mental bandwidth. An Australian diplomat told us last week that they fully expected the bushfire situation to soon become a focal point again, as the country heads into spring weather. Connecting these local conditions up with the bigger picture of climate change research is going to be an important part of risk consciousness in the next few years.
In international comparisons, Australia had a good Coronavirus response (in the first wave of infections). The Federal government and in turn, State governments, were generally perceived to have kept infection rates low and avoided patients saturating hospital capacity.
Like many nations, the second wave is proving to be more problematic. As a warning sign to all risk managers, “risk fatigue” seems to be setting in where the population seems incapable of maintaining high vigilance or different behaviours that would suppress infection rates. It seems that unless risk measures become normalised, effort and enthusiasm drop-off quickly.
Businesses haven’t had the same proactive approach at navigating this pandemic and the risk challenges that it exposed.
The practice of helping executives “feel the risk exposure – control effectiveness gap” is an important part of the CRO’s toolkit, turning risk reports from rational exercises, into credible “avoidable pain”
Risk Scenario testing is weak
One of the biggest flaws uncovered from the report was a lack of risk scenario testing. For a country that is accustomed to extreme bush fire seasons, it is surprising that such a key step in risk management haven’t been as widely adopted. A sizeable 39% of the participants said they didn’t run risk scenarios to test how the organisation and employees would respond and 44% only did so “occasionally” (which sounds a lot like a good intention rather than an actual event).
To show you the context of the inner conflict that organisations risk, out of the 393 participants asked, 84% agreed that “risk management is highly valued across their organisations. However, amongst the same group of participants, there was less certainty on how well risk management is understood in the organisations. A dissonant signal that raises concerns about how accurate their sentiment on the organisations’ value of risk management truly is and how the risk culture of an organisation can support risk management efforts or undermine them.
We know that to define the objectives for the future, to visualise events that may arise and how to navigate them, organisations need a risk management plan in place. Most do at different levels of maturity, however, the report showed that there is a clear correlation between having the right structure in place and effective risk communicating and managing risks across a range of areas. This was all thanks to dedicated risk departments in the more effective organisations.
In Australia, the average risk department consists of four people, that meet quarterly, a profile which suggests that those organisations believe they are managing somewhat static, low-velocity risks, that they are overconfident in their agility, or perhaps that they have an approach which decentralizes risk response (maybe all three!). The practice of helping executives “feel the risk exposure – control effectiveness gap” is an important part of the CRO’s toolkit, turning risk reports from rational exercises, into credible “avoidable pain”. In our experience, colour-coded spreadsheets never have the same power to stimulate active ownership of risk exposures like scenario testing does.
There is often an inherent disconnection between the culture of the organisation and the risk mandate.
Perceiving Risk function value & addressing risk culture issues
The next issue in the report is inadvertently raised. People were asked if risk management is appreciated by the rest of the organisation. As a surveying methodology, it fails as an objective question because it unveils biases, blindspots and potentially false perceptions. We question the extent to which CROs have reliable and qualitative information available to assess and improve the value provided by their function over time. Clients frequently ask for help in evaluating the prevailing risk culture of their organisation.
The survey report contains an interview with Tom McLeod, a risk leader with over 25 years of global experience across many sectors. His view is that only 5-10% of Australian companies have a “strong risk culture”. And when asked his opinion on the way Australian organisations have mature views and structures for the risk management function, Mark Salomon, Group Risk Manager for Vicinity Centres, said: “We do a lot of reporting. The Board get it. The Executive gets it. And that’s great and valuable. But the embedding – we still do not seem to be able to push it down. The theory doesn’t travel down the organisation. There is often an inherent disconnection between the culture of the organisation and the risk mandate.”
The survey tells us that 72% of respondents believe that risk management is valued, yet only 42% of people mildly agreed that they thought it was understood, whilst 19% disagreed or (7%) strongly disagreed with the idea.
There is no universal definition of what a strong or positive risk culture is, that can be picked up and deployed as a template. It’s easy to state that risk culture is something to be considered, defined and turned into a target like an ordinary project.
The risk survey highlights that many people don’t really know what it means in practice and perhaps this is the perplexing issue with risk culture: can it be made into a target and then imposed top-down, or is it something organic that springs out of what people do? In our experience, a strong risk culture grows when it comes from both directions.
Getting good at seeing slow-moving risks
The survey follows the publishing of the influential 2019 Banking Royal Commission, showing its effect on the risk management landscape in Australia. The country’s banks had to reverse a sales culture which minimised responsibility for good customer outcomes and concentrated more on the achievement of sales targets.
Even though the focus of subsequent legislation was on the finance industry, it induced increased visibility of the risk management function as an integral aspect of good corporate governance, across a diverse range of industries.
Risks surrounding legislative and regulatory changes and staff conduct were noted as specific risks in the survey report that are well managed by organisations. We could categorise these as fairly low-velocity risks. People are good at jumping out of the way of things we can see coming toward us from a distance; obvious risks with obvious countermeasures.
The report also shows that more complex risks with less linear outcomes are proving harder to manage. Risks associated with talent, the threat of disruption or failure to innovate, the environment and economic shock received the lowest scores in terms of ability to manage – and they scored the same low marks in last years survey. This tells us that organisations are struggling to build out tools and processes which help them deal with such risks. Let’s take one of those risks and examine this concern further.
Same risks, no new steps
Environmental risks have been at the forefront of the news in the last two decades. As a country where climate change, habitat fragmentation, land-use change and invasive species are key risks, Australia as a whole, could not claim leadership for environmental risk response. Increasingly, shareholders and societies have been prioritising environmental sustainability alongside other traditional objectives such as growth and profit.
Organisations cited damage to brand and reputation as their top risk over the next three years. Which is quite eye-opening considering that one of the reputational risk factors over the next years will be the failure to address environmental concerns. Business leaders may have a blind spot when it comes to recognising these issues, which are played to them via ‘culture wars’.
They are probably failing to grasp the growing sense of “climate emergency” and not preparing their organisations far enough in advance to make meaningful changes. Thus, reputation risk is likely to materialise. The question is – how are the root causes of the reputation risk being broken down and analysed? How are boards forcing executive management to recognise potential risk blindness? What role do CROs have in helping organisations face up to complex issues which are bound in competing societal narratives?
Perhaps more than ever, managing risk has to be done throughout the organisation and not merely as a process which sustains the risk management function. Driving a capable and engaged risk culture will be vital in the pursuit of that goal.
Final thoughts – bumpy ride ahead
As we mentioned in the beginning the current pandemic has exposed many flaws in the management of risks. Business continuity plans and economic shock have been the ones that have been emphasized the most. While companies may not have been able to prepare for Covid19, the risk of future viral outbreaks are something that we should focus on more. Continuity plan should include provisions for actions to be taken in these types of events, especially with businesses being forced to deal with the complete shutdown of the workplace like we have experience in the past three months.
When looking at the economic downturn that came with the outbreak it is easy to see that it was inevitable – that’s just how Hindsight Bias works! However, a portion of the respondents mentioned economic shock as a risk that they felt they didn’t manage well. This is worrying in a time of financial uncertainty and looming recession/economic reconstruction.
Risk management needs to think harder about how it grapples with VUCA (Volatility, Uncertainty, Complexity and Ambiguity). Scenario testing, horizon scanning, wargaming, stress testing – these tools can all help us get a more robust understanding of how risks may combine, mutate and disrupt our objectives, as well as helping us determine our corresponding strengths, weaknesses and resource limitations when responding.
A common thread across this report is a sense that risk managers seem satisfied to be recording “business as usual” risks, whilst truly disruptive risks pass through the system, barely digested, leaving a big mess to be dealt with. Perhaps more than ever, managing risk has to be done throughout the organisation and not merely as a process which sustains the risk management function. Driving a capable and engaged risk culture will be vital in the pursuit of that goal.
Covid19 has rocked the world economy and societal fabric alike. Now we must prepare for many shockwaves that will follow. Managing risk matters more than ever.
Take a look at our bespoke e-learning services and any other ways we can help you and your business communicate about risks for greater advantage.