Risk Management March 2011 by LexisNexis Media

March 2011 Issue 83

PP255003/06868

GREEN

RISK MANAGEMENT MOVING THE BUSINESS CASE FROM RISK MITIGATION TO VALUE CREATION

SHAREHOLDERS RALLY The new wave of class actions set to bite corporations PLUGGED INTO THE MATRIX The critical role of responsible managers RETURN ON RISK INVESTMENT Get greater value from your spend NAVIGATING THE ESG MINEFIELD Are you asking the right questions?

www.riskmagazine.com.au

IN THIS ISSUE

REGULARS From the editor News review News report Risk people

5 6 10 25

10 ESG

FEATURES AND REPORTS ESG: Navigating the ESG risk minefield

Companies could do a better job of providing information about environmental, social and governance (ESG) risks to investors, according to an expert in the area

Financial services: 12 Would you stay plugged into the matrix? Responsible managers must be plugged into the risk and compliance framework of their company for both their own sake and the organisation's, writes Dr Ulysses Chioatto

The business case: Establishing return on risk investment

Shareholder stars align: The class action attraction

Effective risk management isn't about spending more, but rather about getting greater value from what is spent

ESTABLISHING RETURN ON RISK INVESTMENT

A number of factors have aligned to further encourage shareholder class actions, writes Angela Priestley, and corporations should be concerned

COVER STORY Corporate social responsibility: Green risk management

Corporate social responsibility, environmental issues and risk management are increasingly intertwined. Craig Donaldson explores this trend and speaks with a number of experts about the greening of risk management

NEXT MONTH

SHAREHOLDERS STARS ALIGN

Fraud has been on the rise following the GFC, and most Australian companies are playing catch-up. A recent study, for example, found that the average reported cost of fraud doubled from $1.5 million in 2008 to $3 million per organisation in 2010. Furthermore, only one third of frauds are actually being picked up. This feature will look at the thorny issue of fraud, examine the commons challenges for Australian companies, detail the role of risk management professionals in the process and explore cutting edge tools, techniques and processes for fraud detection.

RISK March 2011

FROM THE EDITOR

QUOTE OF THE MONTH

"After any significant negative profit announcement by a listed entity there is almost an expectation now that it will be followed by a press release from a plaintiff law firm or a litigation funder,"

EDITOR’S NOTE

Class action fever to hit

Sarah O’carroll Editor

Roger Forbes, partner, Mallesons (p18)

What’s your take on this quote? To have your say write to the editor sarah.ocarroll@lexisnexis.com.au Best comments will be published in the April issue of Risk

ABOUTUS Editor: Sarah O’Carroll Journalist: Benjamin Nice Contributor: Craig Donaldson Designer: Ken McLaren Publisher: Fiona Marcar Design and Production Manager: Anthony Vandenberg Production Manager: Kirsten Wissel Subscribe today Risk Magazineis published monthly and is available by subscription. Please email: subscriptions@riskmagazine.com.au All subscription payments should be sent to: Locked Bag 2333, Chatswood D/C, Chatswood, NSW 2067 Advertising enquiries: Marika Biro - (08) 8371 5800 marika@agsmedia.com.au Editorial enquiries: All mail for the editorial department should be sent to: Risk Magazine, Level 1 Tower 2, 475 Victoria Ave Chatswood, NSW 2067 Copyright is reserved throughout. No part of this publication may be reproduced without the express written permission of the publisher. Contributions are invited, but copies of all work should be kept as Risk Magazine can accept no responsibility for loss. Risk Magazine and LexisNexis are divisions of Reed International Books Australia Pty Limited, ACN 001 002 357 Level 1 Tower 2, 475 Victoria Ave, Chatswood, NSW 2067 tel (02) 9422 2203 fax (02) 9422 2946 ISSN 1833-5209 Important Privacy Notice You have both a right of access to the personal information we hold about you and to ask us to correct if it is inaccurate or out of date. Please direct any queries to: The Privacy Officer, LexisNexis Australia or email to privacy@lexisnexis.com.au. © 2009 Reed International Books Australia Pty Ltd (ABN 70 001 002 357) trading as LexisNexis. LexisNexis and the Knowledge Burst logo are registered trademarks of Reed Elsevier Properties Inc., and used under license.

A daily scan of the financial press would leave plenty of directors and risk managers alike on edge. That’s because Australia, it seems, is being inundated with class actions. The evidence is in the headlines: if it’s not mounting talk of “closed” class actions such as those surrounding Centro, engineering firm Downer EDI, Opes Prime or Storm Financial, it’s the headlines regarding emerging matters such as Babcock & Brown Power, Sigma Pharmaceuticals and Nurfarm Limited. And while there’s evidence to suggest that Australia has not actually experienced a rise in class action numbers in recent years – such as that provided by academic Vincent Morabito, who found that around 14 class actions have been filed with the Federal Court on a yearly basis since the early 1990s – there’s still cause for concern from directors and risk managers about just why class actions are garnering so much attention these days. They should also be concerned about the future, because a number of factors are aligning

for a spate of shareholder specific class actions in Australia. It’s the perform storm: litigation funders have consolidated their place in the market, technology is easing the burden of organising and managing a class action, the regulators are ramping up their level of scrutiny and market volatility is still present following the GFC. Meanwhile, the media loves a good class action story. A negative profit announcement by a corporation is enough to spark a stream of press releases from plaintiff firms or litigation funders calling for action and, consequently, generate headlines in the press. Even if such publicity never materialises into an actual class action, the negative talk is enough to spark prosecution in the public court of law and hinder reputation and the bottom line in the process. Class actions are coming. They’ll predominantly be shareholder specific as well as big, nasty and very very public. It’s all enough to leave directors and risk managers awake at night. After all, you never know what the morning’s headlines may bring.

CAB MEMBER SINCE DECEMBER 2005

RISK March 2011

NEWS REVIEW

AML internal auditors urged to lift their game Internal auditors must boost the rigour of their audits of anti-money laundering compliance to successfully protect their organisations’reputations and progress the fight against financial crime, according to the Institute of Internal Auditors, Australia (IIA). “Internal auditors should be capable of performing a comprehensive, independent annual review of whether their company has a sound framework for managing its money laundering and terrorist financing (AML/TF) risks,” said Joe Garbutt, IIA’s director policy. “There’s definitely room for us to lift our game. It may be tempting for some internal auditors to limit their reviews to broad, high-level issues – like whether the company has an appropriate AML/TF policy. “But a cursory desktop review is not enough. A truly effective review requires auditors to dig deeper – to roll up their sleeves, question the information they’re given and physically investigate the nuts and bolts of systems and controls that manage AML/TF risk.” Garbutt said that the AML legislation’s “know your cus-

tomer” rules, which require banks to perform a series of checks on a customer’s identity when opening a bank account, were a good example of an area where there was no substitute for probing. “Auditors should always look behind the stats. A company may be reporting 99 per cent account opening accuracy – but ask if those numbers sound too good to be true. A prudent auditor would comb through a sample of those accounts and verify that all the requirements have in fact been satisfied and indeed are evidenced by appropriate records.” While technology was an excellent aid for AML compliance, particularly for monitoring and identifying un-

usual account activity, Garbutt said it was important for internal auditors to check there were adequate systems and resources to investigate all irregularities. Otherwise, companies ran the risk of not meeting their obligations to report suspicious transactions to AUSTRAC, he warned. “The bottom line is that internal auditors need to work hard to improve their knowledge of the complex AML/TF laws and associated risk management measures in order to have the confidence and skill to provide reliable assurance that the company’s regulatory and reputational exposures have been minimised. “Money laundering may cost the Australian economy over $4 billion annually. Given the scale of the threat, it is likely that most major financial institutions will be used to launder the proceeds of crime.” As dirty money comes from real crimes that impact communities, he said AML/TF laws should be seen as more than just a compliance exercise. “The laws help protect a company’s reputation and enable them contribute to the fight against crime through a strong AML/TF program,” he said.

Improvement in risk controls needed Many organisations could improve their practical implementation of Risk Management Standard AS/NZS ISO 31000:2009, according to an expert in the area. There are three hallmarks of benchmark risk control processes and systems within any organisation, said Rod Farrar, director of Paladin Risk Management Services. The most important hallmark of risk control processes is that that they are actually implemented and then continually monitored and reviewed for effectiveness. “For this to occur each control needs to be assigned an owner, it needs to be resourced,” said Farrar. “It needs to have measurable and achiev-

able performance measures and that performance needs to be continually monitored. It has been my experience that the implementation of controls is an area where many organisations could greatly improve.”

“Any risk control that diverts an organisation away from its ‘core business’or its core values may create greater downstream risk and potentially, result in more significant consequences,” he said.

“It has been my experience that the implementation of controls is an area where many organisations could greatly improve” Rod Farrar, director, Paladin Risk Management Services

Another important element is that risk controls need to align with not only the strategy of the organisation, but also its ethics and values, he said.

Farrar also said any control must offer value for money to the organisation, in which a cost-benefit analysis needs to be conducted to ascertain whether the cost of pre-

vention is greater than the cost of the cure should the risk eventuate. With greater emphasis on issues such as technology, globalisation and uncertainty around issues such as climate change, risk managers must continue to scan the environment to ensure that the controls that are being developed for their organisation will mitigate not only current risks but emerging risks as well, he added. “It should be remembered, however, that the risk manager in many organisations may not be the owner of particular risks and, therefore, their role will be to continually provide advice to assist risk owners to determine the most effective control or mix of controls to mitigate the risks for which they are responsible,” said Farrar.

ATO ruling provides a roadmap to manage risk The ATO’s recently released Taxation Ruling TR 2011/1, setting out its finalised transfer pricing view on business restructuring by multinational enterprises, provides a roadmap to manage risk, according to Deloitte. Business restructuring has been an area where many tax managers have struggled to provide a high level of assurance to their CFOs and boards around certainty of tax treatment or an assessment of risk more broadly, said Fiona Craig, Deloitte transfer pricing partner. “There is always a positive for taxpayers when guidance is provided in a difficult area. Certainty is a good thing,” said Craig. “This guidance is welcomed and allows businesses to 6

RISK March 2011

continue to implement commercial strategies, such as reorganisations in their global market, with knowledge of the framework within which the ATO will review the arrangement.” Years of public consultation preceded the publishing of the TR 2011/1, and Craig hoped that several restructuring cases involving large Australian corporations will progress following the ATO’s ruling on the issue. Marc Simpson, Deloitte transfer pricing account director, said that while the release of the Ruling is welcomed, the ATO position on business restructures has similar contentious elements to other recent pronouncements on transfer pricing. For the full story see www.riskmagazine.com.au

NEWS REVIEW

Project risks open doors to new opportunities Financial services companies that excel in executing projects, especially those that involve regulatory compliance, can gain a competitive edge by embracing opportunities unavailable to peers with a constrained appetite for risk, a recent study suggests. In todayâ&#x20AC;&#x2122;s environment, where markets are volatile, demand weak and regulatory scrutiny intense, no organisation has much room for error on new initiatives â&#x20AC;&#x201C; and those with mature project management practices are able to spot failure before it becomes too costly, and leverage it to improve future performance. The study, conducted by the Economist Intelligence Unit and sponsored by Oracle, found that financial services companies that identify failure early in the project development process and respond to problems as they arise can invest in higher-risk initiatives without threatening their bottom lines or their reputations. This proactive approach, which requires both a rigorous project management practice and intrepid executives willing to make difficult decisions, is unusual in the industry. Where it exists, it allows companies to mitigate project risks and use resources more effectively to propel growth, but in its absence, companies become more risk-averse, fo-

cusing on low-risk projects that merely protect assets and meet regulatory requirements. The study, Mitigating project portfolio risks in the financial services industry, also found that dismantling the culture of blame allows companies to accept failure and use their resources more effectively. By encouraging team members to communicate concerns, publicly acknowledging those who identify problems and showing over time that teams will not be punished for failure, companies help their project teams focus on finding solutions and learn from mistakes.

Furthermore, managing must-do regulatory projects requires a balance between flexibility and adherence to process. Because these initiatives cannot fail, some organisations pour an endless stream of resources into them when they founder. Mature project management organisations are better able to refocus scope and add or adjust resources as needed to keep their projects on track. The study also found that executives must be held accountable for project failures. When the final responsibility rests with them and their success is tied to the success of their projects, executives will deal with problems as they arise in order to deliver the expected ROI. Additionally, process is not sufficient in identifying signs of failure and finding solutions, so effective communication is key. In mature organisations, cross-departmental conversations occur among stakeholders to identify concerns at every milestone; this helps ensure that risks of failure are identified and dealt with early in the process. Many companies also fail to reassess risks throughout the project life cycle. Assessing risks in the planning stage is a crucial factor of success, but ongoing progress reporting, milestone review and risk assessment are also essential.

RISK March 2011

NEWS REVIEW

More action needed on mental illness in the workplace

There is an increased amount of anti-discrimination litigation around mental health issues in the workplace, often because line managers do not connect promptly and early enough with HR, OHS and return-to-work coordinators in identifying mental health issues in employees.

Joydeep Hor, managing principal of employment law firm People & Culture Strategies, said employers often leave themselves exposed because they fail to recognise particular traits or behaviours that are symptomatic of mental health conditions, which subsequently results in a "level of inaction and certainly a lack of pro-activity in terms of dealing with the matter". A lot of employers also feel a sense of apprehension in asking questions about mental illness and "on that basis probably proceed to manage the employee in accordance with other practices", he said. "This also increases the exposure from a health and safety point of view to that employee and potentially others, and also opens up a range of other consequences for themselves."

As a result of an increased level of openness and transparency around mental illness generally, Hor said more people are identifying conditions, impairments or disabilities which attract the protection of anti-discrimination legislation, and in particular, the general protections under the Fair Work Act. As such, employers need to possess the necessary commitment at the senior leadership levels to understand that mental health issues in the workplace are not just about an employer "being touchy feely and warm and fuzzy, but it's about an employer managing its occupational health and safety exposures", Hor said. "There are various serious consequences for individual directors and those involved in management or corporations who fail to take necessary steps to address mental wellness, if you like, in

workplaces, in exactly the same way as there are for physical occupational health and safety breaches or identified risks," he said. Companies need to demonstrate their commitment to these issues, said Hor, who added that they must also have the necessary infrastructure in place for people to raise mental health matters as well as an awareness among managers and leaders to understand the full scope of what can and can't be done when it comes to understanding medical information and backgrounds. "You need to ensure that any steps taken by way of discipline or termination of employment fully comply with your legal obligations, and that you've thought laterally about what the consequences of some of those decisions might be," he said.

Bridging the risk management/compliance divide There is still a serious disconnect between risk management and compliance in many organisations, according to the Information Systems Audit and Control Association (ISACA). Many companies still don’t realise the two are linked, said Robert Stroud, ISACA’s international vice president. “Risk management for instance offers us a huge opportunity to both mitigate risk, which IT is typically very good at, and also accept risk for business growth,”said Stroud. “Now the reality is that if you make those decisions in isolation of your compliance requirements, you can end up making a decision to accept risk that’s inappropriate, or alternatively you could insert too many mitigating controls that stifle the business.”

Stroud said a balance is necessary and this will be particularly important in 2011. While most organisations have a relatively good understanding of how to remove manual compliance controls and automate the compliance process, he said enterprise risk management is still a new art form outside of some industries such as banking and finance and more organisations need to understand how to leverage and progress enterprise risk management. “One of the things that I often see now is that organisations will go and put a series of risk management controls in place, they’ll go and measure risk and they’ll understand it and then they’ll just go while … trying to put mitigating

controls in place,” he said. “You really need to be able to balance risk in every aspect of your business and you need to arm your staff with a capability for risk awareness and risk acceptance where appropriate and also of course documenting it.” Stroud, who spoke during a recent Information Security Media Group podcast, said businesses need to be able to accept risk and use it for business advantage, and then understand when a risk is unacceptable to the business and mitigate that control. “So we need to move away from the perspective of avoiding risk at all cost to where risk can be a business value enabler,” he said.

Using risk to power proactive HSE practices Effective risk management practices only motivate people to have a proactive health, safety and environment (HSE) mindset when the results of the process provide simple, tangible results that make sense to the people involved in the process, according to Allan Wildbore, general manager of occupational health and safety for the Spotless Group. “Simple, tangible results that make sense generally come by involving a mix of the people involved in the activity, management and specialist help,” he said. There are a number of elements that will assist clarity of process, Wildbore said: describe the activity to be assessed and create boundaries within which the assessment will be conducted; identify the hazards present because of the identified activity; identify and assess the risks presented by the hazards; and identify and agree 8

RISK March 2011

what the most effective mitigations are and how the activity can be done safely. He also said to: carry out the identified mitigations, introducing the “safe” way of doing the activity and re-enforce the new or agreed safe way. “By engaging the group you gain their buy in because

they have been part of creating the result. They have been included and feel listened to,” he said. Speaking ahead of the upcoming Safety in Action Conference in Melbourne, Wildbore said there are a number of steps OHS professionals can take to achieve this. He recommended keeping the process appropriate to the working group and as simple as it can be, being clear about the process and what is involved and that the group (and not the OHS professional) owns the delivery and outcomes, and gaining the endorsement and involvement of a more senior manager than those directly involved in the risk assessment activity. “Overly complicated risk assessment processes”is one of the usual challenges in the process, and as such Wildbore recommended simplifying the language. For full story see www.riskmagazine.com.au

NEWS REVIEW

Get out and start your own business, women urged Women who feel they are undervalued at work or encounter a poor working environment should“get out, and start their own businesses”, according to Telstra Business group managing director, Deena Shiff. Speaking at an Executive Women Australia (EWA) presentation this week, Shiff gave a three point plan to women who felt disgruntled in the corporate world. The first was to defend the rights of other women in the workplace and the second was for women to value their own worth. “Defend the rights of other women, first and foremost, and then figure out your own rights by doing that, work out your own choices, and speak up if your value is not being recognised at work,” she said. Shiff’s third piece of advice to women who feel disgruntled at work was to seriously consider a start-up business of their own. She showed this to be an attractive and viable option by highlighting the high number of start-up businesses by women in WA compared to other states. Because corporate WA has the highest pay disparity be-

tween men and women this has a direct correlation with the amount of women who are “getting out there and doing it for themselves”, she said. The presentation, which focused on the topic Will Gender Balance Boost the BottomLine, followed the EWA survey of 1,500 members, which revealed a gloomy outlook for women in senior executive roles. Forty-four per cent of participants expect it to take more than ten years for businesses to re-

expressed her frustration that so many women felt disheartened by gender inequality at work, and explained the need for women and organisations to make serious changes to the way that they approach the issue. “What we are seeing is a large number of ambitious, very capable women, with the talent and the desire to contribute as senior executives feeling like they are being restrained and belittled by gender barriers,” she said. “Women won’t be satisfied to con-

“Embrace opportunities, proactively career-plan, and carefully choose boards” – Kevin Lewis, chief compliance officer for ASX

verse the trend of decreasing numbers of women in boardrooms. The survey also found that over a quarter of the female respondents were not confident that they could progress into a senior executive role, despite over 50 per cent aspiring to make it to the top. EWA executive director, Tara Cheesman

tinue to sit on the corporate sidelines and see the ‘boys club’remain the status quo.” EWA members stated that the most popular means of achieving board equality was to ensure ‘board commitment to delivering diversity’. Meanwhile Kevin Lewis, chief compliance officer for ASX, told the audience that they should “embrace op-

portunities, proactively career-plan, and carefully choose boards”. Lisa Hudson, chief executive and publisher of Fairfax Magazines, told women that they should be confident and ambitious, and also enlist the help of men. “Enlist the help of men, because at the moment men dominate. Without their help we can’t initiate change. Try to play men at their own game. Men are very good self promoters, and women need to be just as confident,” she said. Getting down to the question of“will gender balance boost the bottom-line?”, Hudson explained that although it is tough for females, the workplace is becoming more flexible with gradual change coming into effect. “Managers are starting to understand that they alienate women at their peril,” she said. “Women, despite juggling all kinds of demands in a complex world, bring focus, organisation and a unique set of skills to their roles, and that has been proven in numerous studies to bring big dollars to the bottom line.”

RISK March 2011

NEWS REPORT

Navigating environmental, social and governance risk

ompanies could do a better job of providing information about environmental, social and governance (ESG) risks to investors, according to an expert in the area. While plenty of companies employ in-house sustainability managers to report on ESG factors, Josh Dowse, principal of Dowse CSP, said ESG risk disclosure will only be as meaningful as the questions that are being asked of companies. Such questions need to be asked in a direct and constructive way – “what happened at this incident? With what consequences for your employees/contracts/government relations? How are you working on this issue? With whom? What progress have you made – not in dollars spent, but in outcomes gained?” he said. “ESG risk management is more about stakeholder engagement – learning what the issues are and dealing with them to both the company’s and others’ satisfaction – than it is about isolated metrics. The companies want to eliminate risks as much as the investors want them to.” Dowse, who has 20 years’ ESG-related work with companies including McKinsey & Company and Macquarie Group, said the most common ESG risks

depend on the business, its locale of operations and its customers. “The mainstream ESG data providers offer you 1200 plus factors to take into account, yet only a handful would be likely to indicate significant risks, and that handful will be different for each company,” he said. “Will the investor know which ones? It is more likely to be the patterns that matter – the responses to the inevitable policy breaches, how stakeholders are engaged on awkward ESG issues, whether metrics are relative and meaningful or would be overwhelmed by non-ESG operating factors.” On specific factors, he said it’s hard to ignore anything that affects employee engagement, with retention numbers a decent starting metric to explore. Dowse also said social media and brands are a dynamic mix, and “anytime you need a very localised ‘social license to operate’, it’s worth looking at how that license is being secured.“I’ve seen an IT company go into community asset management without fully recognising the risks and getting into more trouble than its investors expected.” Energy, water and waste risks will continue to be more complex as Dowse said food, tourism, lifestyle,

“Listen to insurance companies rather than geologists, and think variation from the mean, not just the mean trend” Josh Dowse, principal, Dowse CSP

RISK March 2011

mining and the environment compete more and more intensely for land. “And climate change surely is beyond debate. Listen to insurance companies rather than geologists, and think variation from the mean, not just the mean trend,” he said. Dowse also noted that investors are getting more familiar with quantifying environmental exposures, looking at the tangible implications and costs that might flow from a breach, or a rise in energy or water costs, and producing large reports detailing their calculations. “Yet for most Australian-listed companies, more than half their market value is attributable to their intangibles – their people, brand, relationships and capacity to innovate. They’re what deliver future income, and what might be most at risk from ESG factors,” he said. “Due diligence could look at how they’re being protected, and also whether major client relationships, revenue sources, capital assets, employee retention and the like may be affected by ESG factors.”

ESG RED FLAGS Josh Dowse, principal of Dowse CSP, said the following issues are an indication of the type of systemic weaknesses that environmental, social and governance (ESG) due diligence may raise as red flags: • Lack of data • Absolute numbers without reference to a ratio that offers a meaningful measure of relative year-on-year performance • Trends without analysis • Policies and management systems proudly declared, but with no reported incidents, and no operational changes when something is reported • A lack of awareness or strategic planning on social and environmental issues that clearly affect the company’s supply chain • ESG awareness held only at low levels of the organisation, or limited solely to the brand or corporate affairs departments • A lack of external engagement on any issue beyond direct contracts and marketing

OPINION

isk managers, in-house legal counsel, and compliance managers in the financial services sector must keep the “chosen one” (really two, at least) plugged into their firm’s risk and compliance matrix or framework. In other words the Responsible Managers nominated on an Australian Financial Services License (AFSL) must be integrated into the financial services business for the sake of both the AFSL holder and the Responsible Manager. Like Neo in The Matrix movies – Responsible Managers are the key to the future of concerned. If Responsible Managers are plugged in they often try and disengage. That is because they’re business minded and many think that the risk and

RISK March 2011

compliance “matrix” is either evil, not real or both – and being plugged in is to be strenuously avoided as it’s full of robots interfering in your business and scaring you witless. Since 2005 many risk and compliance managers have told me that awareness and understanding are the two ways of effectively plugging in your Responsible Managers. Awareness of the obligations involved and understanding how the risk and compliance framework works. Awareness by Responsible Managers, whether they are company directors or senior managers, of legal and regulatory requirements is critically important and often overlooked in the overall make-up of a framework. If Responsible Managers

OPINION

Awareness by Responsible Managers, whether they are company directors or senior managers, of legal and regulatory requirements is critically important and often overlooked in the overall make-up of a framework

don’t understand their legal and regulatory obligations, they won’t be able to recognise compliance risks and won’t be able to supervise their staff adequately. This should be put to Responsible Managers as the risk of “poor customer service”, losses or brand damage. Furthermore Responsible Managers need to understand their business’s risk and compliance framework.This can be put to them as “insurance”, in that having a properly staffed and supervised risk and compliance function looking after compliance risks is key to their responsibilities – whether they’re a director or other officer. They must show that they have exercised all due diligence to save themselves from any civil or criminal action.However due to the large number of responsible managers it is not easy. There are over 15,000 across an industry which is the fourth largest sector of the Australian economy and made up of: • corporate finance and wholesale banking (the ‘deal makers’) • financial markets (the ‘traders’) • managed funds and superannuation (the ‘asset managers’) • retail banking and private wealth management (the financial advisors). It’s a diverse sector in the size and complexity of its institutions, all with global reach, which means there are competing and contrasting legal requirements on Australian businesses which have head offices in the northern hemisphere or Asia. This leads to varied approaches in building and maintaining risk and compliance frameworks, which keeps the regulator (ASIC) busy checking and enforcing standards and (secretly) confuses many Responsible Managers. Responsible Managers must also understand risk management. There are three common misconceptions about risk management in the sector. It’s often

mistaken for risk measurement. This is a problem; the capacity to properly measure risk is necessary but insufficient to ensure proper risk management. Another common misconception is that risk management is about risk reduction. In fact, it’s at least as much about return enhancement as it is about risk reduction. The third misconception is that it’s often equated with risk diversification; mistaking it for risk diversification is lethal (consider 2008, when sharp downturns in almost all asset classes painfully highlighted the limits of diversification as a technique). For risk managers the choice is not about “taking the blue pill and the story ends or the red pill and you stay in Wonderland”, but overcoming the reluctance to be plugged into the risk and compliance matrix through culture. It leads to greater awareness and understanding of the risk and compliance framework both for the Responsible Manager and the organisation as a whole. It is clear and practical – corporations should have policies, which are monitored and enforced or be criminally liable for any breach by their employees. The Criminal Code applies to the Corporations Act (not Chapter 7, financial services), where the Act has a wider scope for attributed criminal liability for financial services. In my opinion Responsible Managers should look at the case of ASIC v Chemeq Ltd where Justice French said that a corporate culture of compliance is not a risk averse mentality but a kind of inbuilt mental check list, as a background to decision-making and requires train ing of Responsible Managers, including company directors, especially refresher training, of their obligations on a regular basis. Dr Ulysses Chioatto is a lawyer and organisational consultant and the facilitator of the Responsible Officers and Managers Forum

RISK March 2011

NEWS REPORT

I An institution’s risk profile can be defined by the sum total of business decisions taken every day by employees throughout the organisation

RISK March 2011

n the wake of the global financial crisis, boards of directors of financial services organisations globally are taking a more active role in providing oversight of risk management, including establishing the risk management policy and framework and approving their institution’s risk appetite. A recent research report found that roughly 90 per cent of financial institutions had a defined risk governance model and approach, and 78 per cent reported that their board of directors had approved their risk management policy or enterprise risk management (ERM) framework. Furthermore, 86 per cent of financial institutions had a chief risk officer (CRO) or equivalent position – which reports to the board level or to the CEO, or both, at 85 per cent of firms. The research report, which was conducted by Deloitte, also found that more institutions have adopted ERM programs, as 79 per cent reported having an ERM program or equivalent in place or in progress, while roughly a quarter of firms reported that the greatest challenges in implementing an effective ERM program were integrating data across the organisation and cultural issues. The report also found that at many institutions, risk management programs are likely to include a growing spec-

trum of risk types, such as model risk, and to use more sophisticated techniques, such as stress tests. “Risk technology and information systems may need to be upgraded to easily integrate risk data on a consistent basis across different products, geographies, and counterparties,” said the report, which surveyed chief risk officers from 131 financial institutions from around the world,with aggregate assets of more than US$17 trillion ($16.98 trillion) “In the final analysis, an institution’s risk profile can be defined by the sum total of business decisions taken every day by employees throughout the organisation. The linkages between business operations and effective risk management should continue to be assessed and nurtured.” In addition to a focus on risk management methodologies and reporting, senior management may need to further develop a risk-aware culture throughout the organisation. “One important consideration in this effort is the closer alignment of performance management and incentive compensation with risk considerations and accountability,” said the report, which found that more than a third of financial institutions had completely or substantially incorporated risk management considerations into their overall performance goals and compensation decisions. “While we saw an uptick in risk-based compensation practices, it was mostly at the senior management level,” said Edward Hida, global leader – risk & capital management for the Deloitte and editor of the report, Navigating in a changed world.

“It is even more important that financial institutions take risk management into account in performance evaluations and incentive compensation across the organisation. Because of all of the attention the issue has received around the globe – there is considerable work to be done here.” The report found that among senior management, 64 per cent of institutions sought to balance their emphasis on shortterm versus long-term incentives, 57 per cent paid their incentive in company stock, and about half (52 per cent) deferred payouts linked to future performance. However, less than a third of institutions (31 per cent) matched the timing of payouts to senior executives to the term of the risks involved, and 26 per cent had instituted “clawback”provisions.Additionally, four out of five institutions (82 per cent) reported that they required that a portion of the annual incentive be tied to overall corporate results. The report also found that, globally, institutions were far along in Basel II implementation, with 70 per cent or more having fully or mostly completed implementation in the areas of external agency ratings (for the standardised approach), calculation and reporting, internal audit review, and governance and controls. Roughly one-third of executives expected that the Basel II rule revisions announced in July 2009 would have significant impacts on their strategy in such areas as entering new geographical markets, changing their business model, or conducting mergers and acquisitions. “During the last few years,risk management assumptions and methods have been challenged as never before, and will be facing even more rigorous requirements in the future,” said Hida, who noted that regulators have numerous risk-focused efforts on the horizon including Basel III and other systemic risk initiatives. “As a result, many institutions have – and are – strengthening their risk management governance models, and there is likely to be a continued focus on enhancing risk management data and analytics capabilities. This is a very busy time for risk managers at financial institutions.” STEPS TO BETTER RISK GOVERNANCE Deloitte’s recent report, Navigating in a changed world, revealed that financial services institutions globally had taken a number of steps in response to concerns regarding risk governance: 63% Improved board risk reporting information 62% Increased management risk committee reporting information 55% Enhanced risk limits 48% Updated risk appetite statement 48% Reviewed management risk committee structure 41% Developed risk dashboard report 39% Held more frequent management risk committee meetings 38% Updated management risk committee charters 35% Expanded CRO responsibilities 33% Established CRO position 30% Reviewed board risk committee structure

RISK March 2011

THE BUSINESS CASE

Establishing F return on risk investment Effective risk management isn’t about spending more, but rather about getting greater value from what is spent

RISK March 2011

or years, companies have invested heavily in governance, risk management and compliance (GRC), increasing the size, magnitude and reach of their GRC functions and activities. But in the aftermath of the most severe economic crisis in a generation, they are acutely conscious of the need to demonstrate sound risk management, according to a recent report. Companies believe that their reputations,customer loyalty and even their credit rating and access to capital depend on it, and some reports suggest that financial institutions alone will spend up to US$100 billion ($99 billion) globally on mitigating risk in 2010-2011. The report,The multi-billion dollar black hole,conducted by Ernst & Young, said as the trend towards massive expenditure in GRC continues, many companies fail to grasp that their GRC investment, unless properly focused,“is potentially being poured into a black hole and will not deliver the value investors and other key stakeholders demand”. It found that of most concern are the views held by external stakeholders– regulators, investors, analysts, academics and journalists – who have become a critical interest group in the post-crisis environment. “External stakeholders are more dissatisfied with the quality of GRC than companies’ own operational management and business leaders,” said the report, which indicated a compelling need for all countries, irrespective of maturity, to enhance their GRC capabilities. Those that attempt to bridge gaps with increased expenditure on governance,risk and compliance often end up with uncoordinated GRC initiatives that are bolted together, and the report found that much of this spending is a knee-jerk reaction rather than a considered one – leading to a haphazard approach, disconnected from the wider business strategy,as well as duplication, overlaps and gaps in risk coverage. In 2009,for example,an Ernst & Young-sponsored research survey by the Economic Intelligence Unit found that 73 per cent of respondents had seven or more risk functions and 67 per cent had overlapping coverage in two or more risk functions, while 50 per cent reported gaps in coverage between risk functions and a further 62 per cent believed they can get better risk coverage for less spend. Regardless of pressures and appetite for change, the report said companies need to recognise that reinvention cannot be achieved with incremental improvements.“Without a well thought-out strategy, they will chip away at the exterior of a function that is not working effectively. Consequently, good investment risks slipping away because companies do not take a holistic view of enterprise risk and cannot deliver the value expected of them,” said the report. Successful organisations begin by identifying the sources of existing GRC expenditure, and they measure and assess where risk management spend

THE BUSINESS CASE

Spend from low-value risk management activities, which may be routine and deliver comfort but are not business critical, needs to be redirected to other higher-risk priorities

is currently targeted and pinpoint uncoordinated, overly complex or overlapping activities. “Spend from lowvalue risk management activities, which may be routine and deliver comfort but are not business critical, needs to be redirected to other higher-risk priorities,” said the report. Martin Studer,managing partner for business risk services (Europe, Middle East, India and Africa) at Ernst & Young, said organisations need to start by setting out a business case,as they would for any other change program. They should define their unique value and performance objectives and address the expectations of regulators, investors and other stakeholders, he said. “The business case must be about value, cost and risk assurance enhancement.It should describe how the organisation wants to govern these activities. The company also needs to have a clear and shared view, from the board through to executive management and business unit level, that determines risk appetite and risk tolerances (the amount of risk the company is prepared to accept to drive a certain effect in the market),” said Struder, who said that for a program like this to work, risk functions need to be embedded into the business under an accepted business process owner. The last phase is to define how the risk functions will engage with the business to realise the shared vision for

value generation.“Spending on resources and governance is necessary, of course, to overhaul performance enablement processes and extract greater value,” he said.“However, compared with the sums already spent – estimated to be several billion dollars worldwide – refocusing existing investment to tackle the most significant risks, rather than those that merely offer a degree of comfort, will add to overall business value.” THE VALUE OF RISK MANAGEMENT An Ernst & Young survey of 137 global institutional investors found that 82 per cent will pay a premium for companies that demonstrate successful risk management, while 61 per cent will not invest where there is evidence of poor risk management and 41 per cent would withdraw investment where there is a perceived lack of appropriate risk management. Furthermore, an Aon survey found that 79 per cent of organisations with mature risk management systems are either moderately or very successful at protecting and enhancing shareholder value, while a Marsh survey found that companies with strategic risk management policies are twice as likely as traditional companies to believe that their enterprise risk management systems help to navigate the financial crisis. Source: The multi-billion dollar black hole, Ernst & Young

RISK March 2011

FEATURE

A number of factors have aligned to further encourage shareholder class actions, writes Angela Priestley, and corporations should be concerned

The class action

attraction T

he recent news that litigation funder IMF Australia is pitching to fund a shareholder claim against engineering firm Downer EDI is the latest in a line of possible and initiated shareholder class actions to emerge over the last 12 months. Like other organisations to face such action, Downer EDI has made the headlines. Reporting on numerous shareholders up against the might of a major engineering firm makes for some classic story-telling and, it seems, Australians are keen to follow such affairs. More than ever, the actions of corporations are being scrutinised by the regulators, the shareholders, the public and the media.And with the true extent of the GFC’s fallout yet to hit, a number of litigation funders now on the scene and the take-up of technology easing the burden of organising and funding a class action, the Australian business environment is ripe for a wave of shareholder class actions.

The numbers are up Needless to say, such news of shareholder class actions is also leaving the directors of Australian boards on edge.According to the Directions 2011 report, released by Mallesons Stephen Jaques last month, 34 per cent of the 300 directors surveyed indicated they have been involved in an organisation that has given attention to class action issues in the previous 12 month period. In fact, as Mallesons partner Roger Forbes notes, directors are increasingly finding that shareholder class actions are almost to be expected. “After any significant negative profit announcement by a listed entity there is almost an expectation now that it will be followed by a press release from a plaintiff law firm or a litigation funder,” he says. But despite such expectations and the concerns of directors, there’s little evidence to suggest that we’ve seen a rise in shareholder class actions in recent years. A recent study by Vince Morabito, a professor at Monash University, found that although specific shareholder class actions now constitute a slightly greater proportion of total class actions than in the 1990s,the Federal Court of Australia has not been inundated 18

RISK March 2011

with such claims.He says his research has found around 14 class actions have been filed every 12 months since 1992. Still, Blake Dawson partner John Emmerig does not believe Morabito’s figures will help directors rest any easier at night. He says the shareholder class action numbers of the past are not an indication of what’s to come in the future, and the stars are aligning to see Australia emerge as a hotbed of class action activity. It starts, notes Emmerig, with the fact that Australians are amongst the most active global participants in the stock market. “Take shareholder participation, then the fact we have the most demanding continuous disclosure laws, the most liberal class action regime and combine it with the precedent factor: that is that it has been done [before], results were obtained for the plaintiff groups and so the next faction follows more easily,” Emmerig says.

A ‘perfect storm’ Emmerig is not alone in suggesting the current environment might be ripe for a wave of shareholder class actions. At the ACLA National Conference in late 2010, Middletons partner David Hope described what he believes is the “perfect storm” facing corporations. Hope pointed to his own range of influencing factors that are leaving corporations more exposed to class actions, such as recent legislative changes, market volatility and the decreasing costs of class actions generally - especially via technology and the arrival of litigation funders. But it’s the fallout from the GFC and the uncertainty still facing the market which is likely to have the most dramatic impact in the future.

FEATURE

“The fact is there’s more public scrutiny on companies generally [following the GFC],” said Hope at the time. “There have been changes to the legislation with respect to enforcement of listing rules of misleading and deceptive conduct.” Dawna Wright, a partner at McGrathNicol, points to market volatility as being central to encouraging shareholder class actions. “The more volatile the market, the more difficult it is to keep up with continuous disclosure rules,” she says. “And most of the regulators have been saying they’re ramping up their level of scrutiny. When you combine those two things plus the impact of litigation funders, those three things together can have a serious impact.” Since their input was first legislated in 2006, litigation funders have been able to share a number of significant class action success stories. While they faced a hiccup in 2009, when the Federal Court found that such funders were akin to a managed investment scheme and therefore subject to regulation by ASIC, the introduction of temporary class orders has since made life for funders a little easier (a permanent exemption from managed investment scheme requirements is expected to be formulated in 2011, according to Mallesons). Morabito notes that, up to March 2009 (his study period), class actions by litigation funders have seen a 100 per cent settlement rate. “That seems to suggest that litigation funders do a very good job,” he says. With returns of between 20 and 45 per cent of the settlement (according to IMF), litigation funding makes for a healthy investment too – and ultimately contributes to an environment that could encourage more shareholder class actions in the future.

Faster, cheaper, simpler Technology is another factor that could contribute to a wave of shareholder class actions in Australia. The ability to email communications, to swiftly establish websites chasing potential plaintiffs, to use social networking to extend reach and use electronic filing and databases to track members of the class is greatly reducing the burden of plaintiff firms in preparing a class action. Technology is also a significant enabler in raising the number of plaintiffs now getting involved in class actions - especially across more general class actions, such as the recent bank fees class action led by Maurice Blackburn, IMF and Financial Redress in which 27,000 Australians agreed to participate. But when more specifically examining shareholder class actions, partners contacted by Lawyers Weekly (Risk Management’s sister publication) indicate that the number of plaintiffs now attracted to such class actions could actually be on the decrease,with funders and lawyers instead choosing to target the high-end investors, rather than the ‘mum and dads’. “There is a lot more activity in directly approaching large institutional shareholders,” says Forbes. “For every thousand shareholders, it’s much more worthwhile to sign a few large intuitional shareholders.”

Emmerig points to some recent examples to note such a change. “When the GIO shareholder class action was settled in 2003 there were 20-plus thousand investors in the class who shared approximately $100 million,” he says. “When Multiplex settled last year, it was still $100 million dollars but only around 100 shareholders who shared in the fund.” And these days, Forbes believes large institutional players are also more likely to be involved. “Five years ago they may have been horrified to be a large institutional shareholder with a brand name being part of a class action organised by a law firm. But now they look at those things sensibly and rationally, and make a decision as to whether they’ll sign up to the action or simply vote with their feet and sell their shares.”

A change of mindset With more media attention, increased regulator scrutiny, fallout from the GFC and technology on board, Emmerig notes one final ingredient he believes will encourage a greater number of shareholder class actions in the future: a changed mode of thinking. “Class actions have moved from being one-offs,to being the mainstream. People are more willing to participate and more willing to initiate.” For corporations, all these factors are pointing toward a risky future ahead. And the uncertainty of shareholder class actions can only add to the woes of board directors. To date, no shareholder class action has reached judgment, thus it’s difficult to ascertain just how a court would treat such a matter, especially in proving causation and determining how loss can be calculated. Meanwhile, the courts have been resistant to revealing information to defendants regarding just who is involved in the class, meaning claims have been difficult to quantify and settle. But, according to Forbes, that may soon change, especially given the small concessions made recently in Centro’s current class action,which permitted Centro to obtain some information about the class. “The court is becoming, it seems, a little less inclined to accept the proposition that members of the class shouldn’t be disturbed.” Even with such favourable outcomes for defendants, the potential reputation and market risks a shareholder class action can bring will continue to keep plenty of directors awake at night. Just the very mention of a class action can immediately affect a share price, while the ‘trial by media’ mentality that such action can provoke is almost impossible for an organisation to defend. Downer EDI may be the latest corporation to face the spotlight of a litigation funder but it won’t be the last.In the meantime, company directors will continue to keep their actions in check - and keep an eye on the media headlines to read of the latest proposed class action. “The director network is tight,” says Forbes. “They would all be well aware that every time they engage in profit announcements or something else that may involve some obligation of continuous disclosure that [the threat of the class action] is in the background.”

The shareholder class action numbers of the past are not an indication of what’s to come in the future, and the stars are aligning to see Australia emerge as a hotbed of class action activity

RISK March 2011

COVER STORY

Green risk management

RISK March 2011

COVER STORY

he business case for corporate social responsibility (CSR) is now widely accepted among Australian organisations, which are increasingly seeing it as a strategic opportunity for creating new value and not just a tactic for risk mitigation, according to a recent Australian report. It found that organisations are reporting increasingly strong links between CSR capabilities and positive organisational performance, while reducing environmental impact and building an understanding of CSR are considered the most important issues for CSR managers. However, the report, The State of CSR in Australia, conducted by The Australian Centre for Corporate Social Responsibility (ACCSR), also found Australian organisations need to move beyond a focus on risk minimisation and regulatory compliance if they are to successfully leverage their CSR strategies for the purposes of competitive advantage. Suzanne Benn, a professor at Macquarie University’s Graduate School of the Environment and director of The Australian Research Institute for Environment and Sustainability, believes there is a shift to integrating sustainability and CSR across all aspects of a business.“So it’s become less of a specific function and more of an integrated function within organisations. It’s been incorporated into reporting guidelines and it’s been incorporated into supply chain guidelines, so there has been a shift away from having a CSR manager who just looks

“To be effective in managing social and environmental impacts and opportunities, you need a much higher degree of internal coordination and cooperation” Leeora Black, managing director, The Australian Centre for Corporate Social Responsibility

after relations with the community to more of an integrated understanding across organisations,” she says. At the same time, there is a greater differentiation being made between social and environmental aspects, according to Benn.“The environmental area is increasingly technical, so that requires a different academic background with a different set of responsibilities to those working in social welfare areas,” she says.

Environmental considerations Environmental issues are high on the radar of most organisations, according to Leeora Black, founder and managing director of ACCSR. “People are working on understanding and managing their greenhouse gas emissions and water usage and they are focused on reducing the environmental impact of their working spaces, their offices and buildings and so on,” she says. Environmental considerations vary from industry to industry, Black explains.“With both financial services and mining, their priority issue is going to be on managing regulatory impacts (according to The State of CSR in Australia report). But for mining their second top priority is environmental management and this is a direct pathway for them to risk management, whereas managing regulatory impacts for financial services is going to be more about reducing conflict with activist groups.” One of the more obvious looming environmental issues for Australian companies is the proposed carbon tax, which is driving companies to consider environmental issues, according to Suzanne Young, associate professor and director of corporate responsibility and global citizenship at the La Trobe Graduate School of Management.“I still don’t think they’re grappling with the whole issue of climate change necessarily; it’s still being driven by legislation and the threat maybe of increased taxes across certain sectors,” she says. “But I don’t think companies are really seeing that climate change and the associated risks are really impacting in a lot of sectors. While the mining sector and related industries might be more active here, in most other sectors it’s still based on a push by legislation.” Benn agrees that trying to second guess what the government is going to do about a carbon tax is a big issue. “It’s kind of a risk management issue, with companies moving ahead before they really know what government is going to do,” she says. RISK March 2011

COVER STORY

EMBEDDING SUSTAINABILITY IN RISK MANAGEMENT Many CEOs are placing sustainability as a central pillar in their corporate strategies, but are stopping short of embedding measurement systems and processes in the business framework, for example in reporting and risk management, according to a recent research report. With financial and non-financial performance becoming interconnected, this shortfall leaves companies exposed. Conducted by the Economist Intelligence Unit, the research took in more than 280 senior executives – three-quarters of whom are responsible for their firms’ strategy and business development – mostly in AsiaPacific, Western Europe, and North America. Despite the rising importance of environmental, social and governance (ESG) factors in corporate strategy, the research report found senior executives do not appear fully committed to embedding sustainability in risk management, with just 22 per cent saying that ESG elements are a fundamental part of their risk management systems. This compares with 35 per cent who say they include selected elements of their ESG goals in their risk management activities, while only 22 per cent who do not include ESG practices in their risk management systems expect to do so in the future and around 14 per cent have no plans to introduce ESG criteria into their risk management practices – “a stance that may leave them financially exposed, as sustainability and profitability become ever more intertwined”, according to the report. Among companies for whom environmental sustainability is a focus, it found that 32 per cent incorporate such issues into risk management, while the corresponding figure for social sustainability is 19 per cent and 28 per cent for governance. “It appears, then, that environmental sustainability is more likely to be integrated into risk management than are other elements of sustainability,” the report concluded.

Internal sustainability, corporate governance and risk management There is a huge variation in how well sustainability, corporate governance and risk management professionals work together, according to Adrian King, climate change and sustainability partner at KPMG. The better companies use sustainability professionals to work with risk, board committees and management to integrate sustainability practices throughout the company, he says, however, other companies often employ sustainability professionals just to produce annual sustainability reporting who have little contact with the rest of the company. “The key to improvement in this area is increased internal communication and better engagement between the different professionals within a company. Initial meetings to

understand each others’ goals, roles and challenges can often quickly lead to identifying opportunities to support each other and the setting up of both formal and informal communication and information sharing channels,” he says. Black also says there is a lot of variation in how well companies perform in this area. “I would say that more can be done and more needs to be done,” says Black, who adds that The State of CSR in Australia report found that one of the top outcomes from CSR is reducing risk. “Now that suggests to me that there is better coordination going on inside companies but obviously it’s not enough. I also think that in the medium-term, the intense focus on risk management benefits of CSR is going to give way to a greater focus on innovation in CSR. So what looks like best practice in risk management today will be business as usual tomorrow, and the new frontier for excellence in CSR and sustainability will be more focused on innovation,” says Black. Benn agrees that internal sustainability, corporate governance and risk management professionals could have a lot more awareness of each other’s issues. An interesting trend is towards having multi-skilled individuals in these roles, and Benn says it’s increasingly common to see sustainability managers with diverse qualifications. “I see integrated multidisciplinary postgraduate courses emerging. Students may have a science, finance or engineering background, so with another postgraduate qualification that brings together risk management with sustainable development and change management, for example, you’re getting multi-skilled people in those positions. I think this will make a big difference in terms of breaking down silos, because you have people who will be able to talk the language of other silos,” she says.

“There has been a shift away from having a CSR manager who just looks after relations with the community to more of an integrated understanding across organisations” - Suzanne Benn, director, The Australian Research Institute for Environment and Sustainability

RISK March 2011

The role of risk management Risk management professionals play key roles in developing and implementing sustainability practices, according to King. They are involved in identifying the sustainability risks as well as developing policies and procedures to manage these risks, and he says they are also often involved in the monitoring of these policies and procedures through the likes of internal audits. He says risk management professionals need to identify, as much as possible, opportunities to extend existing risk management processes to sustainability risks. Existing risk management processes are often mature and well established and he says they should include all sustainability issues rather than a company inventing separate processes to manage sustainability-related risks. “While sustainability professionals can provide valuable information over the sustainability risks and responses, risk management professionals often have the practical experience and proven processes already in place to facilitate the management of sustainability risks within their company.” Young also says risk management professionals have a large role to play.“I think it’s very important for them to be engaged and thinking of strategic risk rather than just operational or financial risk.A lot of risk professionals have traditionally been more focused on safety,governance or finance.So risk professionals really do need to engage more at the strategic level and the long-term planning level,” she says. “There’s a place for sustainability and risk, and they like to act quite closely together. I think risk professionals maybe need to engage with sustainability more than what they do

COVER STORY

“Risk professionals maybe need to engage with sustainability more than what they do at the moment” Suzanne Young, director, corporate responsibility and global citizenship, La Trobe Graduate School of Management

at the moment. In some sectors it is quite strong, like in mining and finance, but there’s definitely an opportunity.” Benn agrees that risk management professionals have “a very big role” because the space that companies see sustainability and corporate social responsibility in is largely about risk management. However, she says risk professionals need to understand the language, discipline and key concepts of sustainability, in order to understand the associated risks. “Many corporate responsibility issues are long-term, so it can be difficult to work these considerations into the business model that risk management specialists are needed for really,” says Benn.

“You have to communicate to senior managers that it’s not just about short-term. One of the big criticisms, in terms of how companies have gone about (or not gone about) trying to implement sustainability, is that they are at the beck and call of institutional investors who may have very short-term considerations.” Black says it’s fundamentally important just to “talk to your internal sustainability manager. Stay connected with the sustainability agenda in your organisation and work collaboratively at every opportunity with the sustainability professionals in your organisations. That’s rule number one, two, three, four and five.”

A COMMON BLOCK One of the biggest obstacles that companies face is in driving broad-based understanding of the CSR and sustainability agenda right throughout the organisation, according to Leeora Black, founder and managing director of the Australian Centre for Corporate Social Responsibility and an honorary visitor to the La Trobe University Graduate School of Management. “The reason for is, as a management discipline, the focus on corporate responsibility and sustainability is probably the most multidisciplinary, cross-functional management function we’ve ever yet seen in the development of modern business management methods,” she asserts. “To be effective in managing social and environmental impacts and opportunities, you need a much higher degree of internal coordination and cooperation than for many other types of organisational tasks which can be managed more vertically and hierarchically.” Most organisations are built on silos with vertical accountability lines, whereas Black says success in this area requires a lot more horizontal coordination for success – which is a challenge to the way most large modern companies are actually structured.

RISK March 2011

CRISIS MANAGEMENT

Pandemic planning: Government support To what extent should we rely on the Government during a major pandemic?

Organisations need to take responsibility for their own staffing issues and for business continuity as a whole in the event of a pandemic 24

RISK March 2011

rganisations often take for granted that during a major pandemic, government at all levels – national, state and local – will automatically ‘take charge’ and resolve all their major problems. We believe this is a very dangerous and misguided assumption that could lead to serious problems for the organisations concerned. Recently, we asked the executive team of a major Sydney-based government agency what they thought about our concerns – expecting strong disagreement. Instead, they all absolutely agreed and cited specific examples of lack of support they had encountered during what was, after all, the recent fairly mild ‘swine flu’ pandemic. Other organisations have experienced much the same. This is not meant to degrade the process that governments follow in a pandemic/epidemic or their desire to assist as best they can. It’s simply recognition of the fact that the Government often cannot do very much, especially when their own resources are depleted, as would be the case should a major crisis occur. A serious pandemic – similar in scope and immensity to earlier ones we have experienced where thousands of lives have been lost worldwide – would see closure of schools and childcare centres, travel bans, warnings not to meet with other people unless absolutely necessary, up to 60 per cent absentee rates over a period of up to 18 months, and a huge amount of social and personal trauma – with increased rates of crime and fewer police. All organisations would be affected including the Government. So just when their assistance is most

needed by the community they themselves will be at their most vulnerable with depleted staff resources and service dislocation. How can anyone believe, amongst all this high level drama that they can simply wait for the Government to fix everything? Will the Government provide additional staffing to support organisations whose own staff have elected not to come to work or are too sick to do so? Will the Government provide additional staffing to the suppliers of those organisations who depend on service/ product deliveries from affected countries or even locally? Will the Government provide funding to pay the wages of staff who decide not to attend work through fear of infection or simply because they can’t get there due to lack of transport or because there is no-one to look after their children? Will the Government provide additional services such as health monitoring or trauma counselling to organisations when their first priority must surely be to assist those in need of immediate medical attention or 24/7 care – and all this with reduced numbers of doctors, nurses and other medical staff? The answers to all the above, and many other questions, must surely be ‘no’. Clearly, organisations need to take responsibility for their own staffing issues and for business continuity as a whole in the event of a pandemic. It should not simply be left to Government. – Cliff Reece, principal, Crisis Risk Management

RISK PEOPLE

Risk people : Robert Emery Head of group risk and compliance, Bupa Australia

How and why did you get into risk? By accident – I was the head of compliance at MBF and before that at IAG for its wealth management business operations. As nobody had specific responsibility (or ownership) for risk management I was asked to look after it.

What is your current role, and how did it come about? Head of group risk and compliance, Bupa Australia. I joined IAG (formally NRMA Insurance) back in 1995 as head of compliance for its wealth management and life insurance operations. Then in 2005, IAG decided to sell this business to MBF who in turn merged with Bupa in 2008 and – here I am. Basically I have been doing exactly the same but for three different companies, but over time the business operations have grown significantly as has the complexity of businesses.

What is your career ambition?

I see governance, risk and compliance as the new frontier

I actually love what I am currently doing in risk and compliance and believe that nearly every business operation revolves around these two functions – that is every decision involves taking educated risk and idealistically every activity

should be fully compliant with each law, regulation code or rule. I have now also been a director for the Australian Compliance Institute for about seven years and immensely enjoy the responsibilities associated with being a director. As such, my long term ambition is to move away from a business management role and move more towards taking on a range of directorships.

What do you get up to in your spare time? I love golf, watching rugby league (too old now to be participating) and wine. Now that my children are old enough to take themselves to sport and I have finished (well nearly) building our latest home (if you ever finish building), I have returned to playing golf. In fact, when I was younger I had the choice of becoming a professional golfer or completing an accountancy degree and I chose the latter. In those days there was not as much money in golf, apart from the elite, that there is today. If I had to make that decision now, I may make a different decision: risk versus return, sounds a lot like “risk management”!

What has been your career highlight to date? There have been a number, but I guess it would be my first directorship as it helped take my career to another level and I learnt a lot about managing a business.

What do you think it takes to succeed in risk? An open mind and never stop asking ‘why?’.

What advice would you give to graduates considering a career in risk? Just do it. I see governance, risk and compliance as the new frontier – it is here to stay and will only get bigger and more important. Just ask the regulators and law makers.

How do you see the profession developing and what do you think it will look like in five to ten years time? See above. The GFC will result in a greater management and board focus on risk, governance and demonstrated compliance.

Compliance and Risk roles – Australia taylorroot.com.au Compliance Manager - RE

Sydney

Well respected Australian ﬁnancial services organisation that prides itself on the retention of its clients through excellent service and outstanding technical knowledge. You will provide expert advice on matters relating to the corps act and ASX listing rules. Key attributes are the ability to conﬁdently liaise with senior executives as well as the regulators. $110,000

Compliance & Risk Manager

Sydney

Emerging fund manager. The position will be an excellent opportunity to develop a compliance and risk framework. We are seeking 5+ years of work experience with a preference for a funds management background. Small team environment so the ability to be self motivated and to take initiative is essential. $130,000

Compliance Manager

Melbourne

Well known ﬁnancial services group with a diverse portfolio are currently looking for a senior compliance professional to manage its function. This role will initially cover the monitoring and supervision of the compliance infrastructure across the group. Working with senior management this role will offer a broad range of work and strong career prospects. $140,000

To discuss Compliance and Risk roles, please contact Amanda Atherton in Sydney on +61 (0)2 9236 9000, Neil Williams in Melbourne on +61 (0)3 8610 8400 or email amandaatherton@taylorroot.com.au or neilwilliams@taylorroot.com.au THE SR GROUP . BREWER MORRIS . CARTER MURRAY . FRAZER JONES . PARKER WELLS . SR SEARCH . TAYLOR ROOT LONDON . DUBAI . HONG KONG . SINGAPORE . SYDNEY . MELBOURNE

RISK March 2011

INTERNATIONAL

First corporate manslaughter conviction in UK

A company in the UK has become the first to be convicted under the UK Corporate Manslaughter and Corporate Homicide Act 2007, which introduced the new offence of corporate manslaughter where the gross negligence of a company’s senior management results in death. The company, Cotswold Geotechnical Holdings, was found guilty after an employee, Alexander Wright, 27, was killed after being buried in a deep soil trench collapse. In September 2008, Wright was left working alone in the 3.5 metre-deep trench on a development plot to finish-up when the company director left for the day. However, the two people who owned the plot decided to stay at the site as they knew Wright was working alone in the trench. About 15 minutes later they heard a muffled noise and then a shout for help. Despite the plot owners’best efforts to rescue

him, Wright died of traumatic asphyxiation. The prosecution’s case was that Wright was working in a dangerous trench because Cotswold Geotechnical Holdings’ systems had failed to take all reasonably practicable steps to protect him from working in that way. In convicting the company, the jury found that their system of work in digging trial pits was wholly and unnecessarily dangerous.

The company ignored well-recognised industry guidance that prohibited entry into excavations more than 1.2 metres deep, requiring junior employees to enter into and work in unsupported trial pits, typically from 2 to 3.5 metres deep. Wright was working in just such a pit when he died, and while Cotswold Geotechnical Holdings denied killing him, the company was fined £385,000 ($617,674) and ordered to pay the fine

over a 10 year period. Commenting on the case, law firm Norton Rose said that historically, convictions of large companies for manslaughter have failed due to the difficulty in identifying the “directing mind” of a company, that is, an individual in a managerial role who caused the death. “The Act attempts to address this lacuna by considering the actions of a company’s senior management collectively,” said the firm in a news update on the case. “The prosecution was able to demonstrate to the jury that the behaviour of Cotswold Geotechnical Holdings and its management fell far below that which could reasonably be expected,” said Norton Rose, which also noted that the fine imposed on the company was far larger than the average fine for a work-related death (usually around £100,000 ($160,434)) and “is no doubt a signal that larger fines can now be expected”.

RISK BUSINESS DIRECTORY

www.riskmanagementmagazine.com.au/Directory/Compliance-Risk-Software 26

RISK March 2010