insights Article Six | June 2021 | proximity.com.au
RISK MATTERS
An integrated and dynamic risk management framework to ensure sustained business success.
By Ian Lancaster Principal Advisor Proximity
The COVID-19 pandemic created a time of unprecedented change for both public and private organisations. Boards and executives had to move quickly to address threats and seize opportunities, while also protecting employee health and safety, adopting digital and evolving to new ways of working.
In this Insight article, I look at the importance of risk management through the Victorian Government’s review of its requirements for a Risk Management Framework - as an indicator of what really matters.
Why is risk management important? The current environment is being characterised by the term VUCA – which is a trendy acronym referring to conditions that are volatile, uncertain, complex, and ambiguous, making events and outcomes unpredictable. While VUCA requires high-quality decisions to be made at speed with imperfect information, the pandemic highlighted that many organisations maintained a static and formula driven view of risk. The issues are compounded by pointin-time reviews, which are not linked to business strategy or decision-making. Ultimately, these organisations will be caught flat-footed, as change is increasing exponentially.
How did some go wrong? Put simply, risk management is not an activity that comes naturally, particularly in a VUCA environment. It’s complicated by a short-term focus, incentive conflicts, behavioural biases and blind spots.
RISK MATTERS 1
proximity insights
ɚ A framework that is not only fit for current, but also future purpose. ɚ A logical and systematic methodology supported by leading practices and processes. ɚ A comprehensive assessment covering significant, emerging and longer-term risks (e.g., cyber risks, pandemic & climate change). ɚ A culture that promotes accountability, with risk ownership clearly defined. ɚ Appropriate risk resources, with multi-disciplinary skills, including quantitative analysis and business acumen. ɚ Dashboard reporting with deep dives into significant and emerging risks. ...and, the list goes on. In this environment, it is challenging to ensure that we have the right information to make informed decisions to proactively manage risk, comply with all our statutory obligations and meet community expectations.
So, what are Boards asking? With the ‘new normal’ now becoming evident, Boards and executives are facing increased risk, and are rightly asking the question – what should risk management look like in a VUCA environment?
Where do we look, for what good looks like? The Risk Management Framework provides the building block to design a fit for purpose risk management capability, so this is a good place to start. My experience is that the risk management framework accurately reflects an organisation’s risk management maturity. As such, it is a good time to revisit the risk management framework to assess our current and future state risk management maturity, and to identify any significant gaps.
Commonwealth and State Governments have promulgated their Risk Management framework and policy as regulatory requirements under standing directions, which Board’s and governing bodies must comply. The board may delegate responsibility to their Audit & Risk Committees; however, the board retains ultimate responsibility for the organisation’s risk management framework and compliance with external laws and regulations. Therefore, the board must ensure that systems and processes are in place and are adequately resourced to identify, analyse, treat and monitor all material risks and support compliance. The board must also ensure that controls and that systems for oversight and assurance are present and effective. The Department of Treasury and Finance recently revised the Victorian Government’s Risk Management Framework (VGRMF), which is effective 1 July 2021. It is notable that the VGRMF requires the application of a logical and systematic methodology, consistent with leading practice (International Risk Management Standard ISO 31000:2018), as illustrated below.
Establish the context
RISK IDENTIFICATION RISK ANALYSIS RISK EVALUATION
Review & Monitoring
The answer is also becoming apparent: Risk Management needs to be bold, dynamic and integrated. It must keep pace with a rapidly changing environment, linked to strategy and supported by a positive risk culture.
Government risk management framework and policy
Communication & Consulation
Risk management requires:
Article Six | June 2021 | proximity.com.au
Risk Treatment
The VGRMF has placed increased requirements on Boards, which provides an indicator of what matters and may also suggest what was not adequately addressed in the past.
RISK MATTERS 2
proximity insights
Article Six | June 2021 | proximity.com.au
An integrated risk management framework
Let’s look at the changes to the VGRMF requirements and how the components are interrelated and therefore need to be considered and defined with an integrated and iterative approach.
STRATEGY Align Strategic Planning & Risk Management
RISK APPETITE Define the Board’s Risk Appetite Statement
The board has ultimate responsibility for strategy and the management of risks to that strategy. The way the board discharges this responsibility has ramifications throughout the organisation and sets the tone for how the executive will approach risk (risk culture).
Risk appetite and strategy are fundamentally linked, we cannot discuss one, without the other. The relationship results from the following definitions:
Strategic risk management is critical to ensuring that the organisation is set up for success. Arguably, strategic risk management has never been more challenging given the VUCA environment we are operating in. Success is where strategy and risk management are fundamentally aligned through the Board’s risk appetite, having regard for the resources and objectives of the organisation.
ɚ Risk Appetite is defined as the degree of risk that an organisation is willing to accept to achieve its strategy or business objectives. ɚ Risk is defined as the effect of uncertainty on the achievement of objectives – which highlights the link to strategy. Strategy and risk appetite should therefore be developed concurrently, with one informing the other. This should be an iterative process, with both executives and directors contributing. Ultimately the strategy and risk appetite must be approved by the board.
RISK CULTURE Demonstrate a Positive Risk Culture Peter Drucker’s famous quote is: ‘culture eats strategy for breakfast’. This was not to devalue the importance of strategy, but more to recognise that culture is critical to successful implementation. However, culture is complex – it’s intangible and difficult to observe. So we need to look at behaviours in an organisation as a representation of its culture. This is often documented as organisational values and measured via observation and cultural surveys - with a range of success. Problems arise because ‘risk’ can be confronting and generating buy-in at the right level is key to success. The tone from the top must demonstrate a positive risk culture. Leaders need to communicate the strategic direction, with an analysis of strategic risks, opportunities and benefits. This will set the example for risk management to be embedded as part of the culture where a shared understanding of risk leads to well informed decision making.
Successful organisations will create an integrated capability and capacity to respond to change and disruption as the opportunities and benefits will be leveraged through connectivity and networks.
RISK MATTERS 3
proximity insights
A dynamic risk management framework The future will be both exciting and daunting. We will need a dynamic risk management framework with capacity and capability to respond to: ɚ Exponential and disruptive change. ɚ More rigorous board obligations with increased penalties for non-compliance. ɚ Staff fatigue from ongoing change projects and outdated office working conditions.
So, what does success look like? Successful organisations, think differently. They see emerging risks as a strategic opportunity to remain relevant and build sustainable value. Successful companies exhibit: ɚ A longer-term planning horizon, with a dynamic and iterative change mindset. ɚ Product and services developed to meet their customers immediate and emerging needs. ɚ A positive language and conversations about risk translating risk into opportunity. ɚ A global perspective with data driven analysis to better understand complex risks, such as climate change and pandemics. ɚ A ‘new normal’ agile operating model that designs the work around human behaviour and staff wellbeing. More than ever, organisations now need to think differently. Transforming your risk management framework is the refresh button enabling you to rethink your approach to strategy, risk, opportunity, and value.
Need assistance conducting a gap analysis or maturity assessment? At Proximity, we understand the need for a dynamic and integrated risk management approach and see immense upside, with benefits to ensure you: ɚ Are equipped with the right information to make informed decisions in real-time. ɚ Deliver on strategy in challenging times. ɚ Proactively manage and leverage opportunities from emerging risks. ɚ Take advantage of business opportunities, with confidence. If you need assistance conducting a gap analysis or maturity assessment, please get in touch 1800 959 885 or enquiries@proximity.com.au
Article Six | June 2021 | proximity.com.au
Ian Lancaster | Principal Advisor Proximity | Melbourne Ian Lancaster recently joined Proximity as a Principal Advisor to lead Risk and Compliance services. Ian is a subject matter expert in risk management with over 40 years’ experience working in the government and financial services sector. Ian’s experience is within the government and regulated sector, particularly financial services. Ian has gained significant executive experience working in banking, investment, superannuation, stockbroking, and insurance companies. Ian’s strength is working with and between Boards and executives to bring a collaborative and pragmatic approach to deliver value-add and innovative solutions. Ian has the proven experience and capability to: ɚ Assess your strategic plans and annual programs to your risk appetite and capabilities to ensure you are set up for success. ɚ Improve your risk management and compliance frameworks and programs to leading practice, and in accordance with policy, legislative and regulatory requirements. ɚ Facilitate workshops to identify opportunities to connect and leverage, which will optimise the valueadd. ɚ Communicate effectively, as an experienced presenter at Board and Executive meetings. ɚ Lead and deliver your risk management, compliance and internal audit programs that will support your strategic objectives and governance requirements. Outside of work, Ian is progressing a qualification in Risk Management for Sustainability and Climate Change. He is passionate about sports and worked with Richmond Football Club to design and implement their Risk and Compliance framework, aligned to achieving their strategic goals for football success. Ian also enjoys all forms of arts, and frequently attends music, films and theatre. Contact Ian on 0403 048 241 or email ian.lancaster@proximity.com.au. References and suggested reading: 1. Risk Governance; Elizabeth Sheedy; Routledge, 2021 2. Disrupted, Strategy for Exponential Change; Larry Quick, David Platt with Kristen Van Vloten; Resilient Futures Media
RISK MATTERS 4
proximity insights
Article Six | June 2021 | proximity.com.au
Proximity is a leading provider of professional services to government and large organisations. We provide end to end consulting, legal and commercial services, from concept development to postimplementation review.
James Dunn Director
Sean King Director
0407 888 894
0408 167 542
james.dunn @proximity.com.au
sean.king @proximity.com.au
We provide guidance, support, and collaborate with, clients to overcome challenges and achieve excellent outcomes. Clients can engage us for our respective expertise in legal, procurement, program, project and management consulting; but more notably, we offer the full suite of support on projects. We advise from start to finish, with Proximity consultants working seamlessly with Proximity lawyers and commercial advisors to deliver the intended project outcome. Our team members are true experts in their field, who share their insights generously, at every step of the way.
For enquiries or to understand how this insight may apply to your situation, please contact us on 1800 959 885 or email enquiries@proximity.com.au
RISK MATTERS 5