COVID-19: Less prepared than we could be for future crises? 

7 minute read  12.05.2020 Kate Hilder, Mark Standen

Governance Institute Risk Management Survey 2020. The Governance Institute's latest Risk Management Survey provides insights into the current risk and governance landscape in Australia.

About the report

The report is based on an online survey of 399 governance and risk professionals and senior executives primarily based in Australia. It was conducted in March 2020 (at the onset of the COVID-19 pandemic).

Insights into the current governance/risk landscape 

  • Broadly speaking the report found that most organisations have established 'sound structure for managing risk' that is broadly in keeping with the ASX Corporate Governance Council’s Corporate Governance Principles and Recommendations. A theme running through the report is the link between having appropriate structures in place and improved perception of risk function effectiveness.
  • Leaders are setting the right tone? 84% of respondents agreed that risk management is highly valued across their organisation and 72% agreed that risk management is highly valued by other leaders in their organisation. The report considers that this demonstrates that entities and their leaders are 'setting the right tone when it comes to risk management'.
  • What could be done to improve risk management culture? Respondents nominated: having better reporting tools (52%) and raising the 'voice' of risk within the organisation (52%) as the top two ways in which organisations could improve their risk culture. A theme running through the report is the need to improve communication with stakeholders (including within organisations).  
  • Impact of the Hayne Commission? Most respondents felt that the risk management function is both more visible and has a higher profile within the organisation as compared with two to three years ago. Respondents also felt that more time is spent on risk.

(Gaps) in the current approach?

The report highlights that  organisations are not regularly testing their risk/crisis plans. For example, though 55% of organisations run scenarios around risk events (eg bushfires, lack of access to key people etc) to test their response, few (11%) do so frequently. 

In addition, risk management frameworks do not always include risks of modern slavery and/or whistleblower protections.  

COVID-19 preparedness and response

28% of respondents felt that their business was well prepared for the impact of COVID-19 and the same number (28%) felt that their business was unprepared.  The report identifies the presence/absence of working from home policies/capabilities as a key theme running through the reasons given for these responses.  

Top five risks facing organisations over the next three to five years

Respondents ranked damage to brand/reputation (59%), economic shock (53%), increased competition (52%), regulatory change (49%), cybercrime (48%) as the top five risks facing their organisations. The report comments  that it is 'worrying' that climate risk is not within this group, given the level of shareholder interest/concern in ESG issues, including climate. 

Report Overview

Building on the 2019 annual risk management survey, The Governance Institute's latest report provides insights into the structure/make-up of risk functions across a range of (primarily) Australian organisations, the changes in risk/governance post-Hayne as well as insights into what risk/governance professionals see as the key pressure points/challenges that organisations will face over the next three to five years.  

In addition, the report provides insight into how prepared risk/governance professionals feel their organisations to be in terms of facing future crises and how they have responded to the present COVID-19 crisis.

How risk functions are structured 

Broadly speaking the report found that most organisations have established 'sound structure for managing risk' that is broadly in keeping with the ASX Corporate Governance Council’s Corporate Governance Principles and Recommendations.

The report also suggests that there is a link between having 'the right' risk structure/framework in place and better understanding of/stronger risk culture/better risk management within organisations. 'Perhaps the link is that, in establishing a dedicated group to focus on risk, the company makes it clear that it takes risk management seriously. As a result, there is more dedication throughout the organisation to every component of that process, in turn leading to better outcomes' the report states.

Most respondents (69%) said that they have an audit/risk committee or equivalent.  28% have a dedicated risk committee

  • 50% of audit and risk committee members are Non-executive directors (NEDs). NEDs also 'dominate' the risk departments in both not for profit organisations and commercial organisations
  • 23% of audit and risk committee members are drawn from 'management'
  • In government organisations, there is usually a mix of NEDs and management representatives on risk/audit committees
  • The majority of respondents (60%) said their risk committee meets quarterly and 18% said that it meets monthly.

38% have a separate risk department

  • Larger entities, government entities and ASX listed businesses are the most likely to fall into this group. Entities with annual revenue over $10bn were most likely to have a separate risk function (93%)
  • The report found that the average risk department/team had four people, but that there is significant variation: 28% of respondents said that their risk team was smaller (1-2 people), 23% said that their risk team was larger (5+ members)
  • 13% of organisations do not have any of these.

Risk culture – work to do in better communicating/educating stakeholders

  • Leaders are setting the right tone? There was a 14% uptick from 2019 in the number of respondents who agreed that risk management is highly valued across their organisation with 84% of respondents in the 2020 survey agreeing that this is the case. 72% of respondents agreed that risk management is highly valued by other leaders in their organisation. The report considers that this demonstrates that  entities and their leaders are 'setting the right tone when it comes to risk management'.
  • Risk management is valued but could be better understood? The report found that though risk management is valued as an idea (outside of the risk function) there is less understanding within organisations more broadly about what risk management is in practice. There is scope for organisations to better communicate/educate stakeholders around this.
    • 43% of respondents agreed that risk management is widely understood within their organisation, with only 20% agreeing strongly. 26% of respondents disagree/disagree strongly.  
    • 54% of respondents agreed that their organisation has a robust risk appetite statement in place. 26% disagree with this.
  • What could help the organisation improve its risk management culture? Respondents nominated: better reporting tools (52%) and raising the 'voice' of risk within the organisation (52%) as the top two ways in which organisations could improve their risk culture. This was closely followed by leadership from the board (43%) and clarity of purpose/risk strategy (42%). Only 26% of respondents felt more financial resources would improve their risk management culture and only 16% thought suitable reward systems were necessary. This was more marked in larger organisations with larger risk teams.
  • Overall risk reporting is viewed positively: When asked about their organisation’s risk reporting to the board, 49% of respondents said it is only quite effective while 21% think it is not very effective.  
    • A correlation between having the right structures in place and better communication? Risk reporting is more likely to be perceived as effective in companies that have a dedicated risk department or committee (as opposed to those that have a combined audit/risk committee).  Where there is no risk committee or equivalent, 39% of respondents said their risk reporting is not effective. The report suggests that this indicates a link between having 'the right' structures in place and improved perceptions of the effectiveness of reporting. 

Impact of the Financial Services Royal Commission

Most respondents felt that risk management had changed in terms of the time spent, the number of meetings and in terms of visibility as compared with 2-3 years ago (pre-Hayne).  

The areas in which they felt there had been the most change were the visibility of the risk function and the time spent on risk management. 38% of respondents said that the risk function is more visible now/has a higher profile, and respondents said that the Hayne Commission has impacted the risk management function primarily by making it more visible/raising its profile. Respondents also felt that more time is spent on risk management (30% said that much more time is spent on risk management than previously).

Perceived strengths and weaknesses in the current approach

  • Respondents felt that the risks being best managed by their organisations were risks associated with staff conduct (eg corruption/bribery, harassment, discrimination), legislative (and policy) change/intervention, reputation and regulatory change.  
  • In contrast, respondents nominated risks associated with talent attraction/retention, disruption/failure to innovate and economic shock as areas where they were less confident of their ability to identify early/manage well.

(Gaps) in risk management frameworks?

  • Whistleblower protections: 51% of respondents said that their risk management framework incorporates whistleblower protections and 26% said it was included elsewhere. 15% of respondents said that whistleblower protections were not included and 9% were unsure.
  • Modern Slavery obligations: 37% of respondents indicated that modern slavery obligations are not included in their risk management framework and almost a quarter (22%) said they were unsure. 22% said it was included.

Level of preparedness for future crises?  

The report found that many organisations are not regularly testing their risk/crisis plans: 

  • Though 55% of organisations run scenarios around risk events (eg bushfires, lack of access to key people etc) to test their response, only 11% of these do so frequently. 
  • Organisations with dedicated risk departments are more likely to run scenario testing. 
  • 39% do not run scenario testing.

Level of preparedness for COVID-19?

  • 28% of respondents felt that their business was well prepared for the impact of COVID-19
  • 44% of respondents felt that their business was somewhat prepared for the impact of COVID-19
  • 28% felt that their business was unprepared for the onset of COVID-19

Perhaps unsurprisingly, the report identifies the presence/absence of robust business continuity plans and working from home policies/capabilities as a common theme in the responses. Those respondents who had no existing policies/whose staff were not able to work remotely felt least prepared for the current crisis.

The report observes that 'the pandemic has exposed gaps in the crisis management and business continuity capabilities of both businesses and governments' and suggests that there is opportunity for organisations to improve their planning for/preparation for future crises including by conducting regular testing of business continuity/crisis plans.

The report also suggests that business continuity plans could usefully include, going forward, provision for the actions to be taken in the event of a future pandemic/similar crisis.

The report goes on to note that respondents were surveyed at the outset of the COVID-19 pandemic, and suggests that it will be interesting to see whether/the extent to which the responses change in the next survey.  

Finally, the report includes a discussion of new risk management initiatives that respondents have implemented in response to COVID-19, many of which centre around technology/digital innovation, eg digital meetings/technology to support remote decision making/communications. The report observes that some respondents are also planning for/preparing for the heightened level of cyber-risk that flows from rapid innovation/changed working environment.

Top risks facing organisations

  • Top 5 risks over the next 3 years: Respondents ranked damage to brand/reputation (59%), economic shock (53%), increased competition (52%), regulatory change (49%), cybercrime (48%) as the top five risks facing their organisations.  
  • Top 5 risks over the next 5 years: Respondents ranked regulatory/legislative change (59%), disruption/failure to innovate (53%), damage to brand/reputation (52%) and cybercrime (49%) as the top five risks for organisations over the next 5 years.

A mistake to de-prioritise climate risk? 

  • 32% of respondents would have ranked climate risk within their top five risks over the next five years.  
  • 24% of respondents said they would rank climate risk within the top five risks facing their organisation over the next three years.  

Commenting on this the report states, 'Respondents did not rank environmental risk as a top concern over the coming three to five years, indeed it fell towards the bottom of the list. This is worrying when we consider the increased emphasis that shareholders are placing on sustainable finance and environment, social and governance (ESG) factors'.  

About the survey

The report is based on 393 responses to an online survey conducted in March.  

The respondents were primarily Australia-based risk/governance professionals working in a range of sectors, and for a range of different organisations.  39% of respondents identified as senior governance/risk professionals, with 17% identifying as C-suite level.  Most respondents were based in NSW (30%), QLD (22%) or Victoria (21%).  Only 5% were based overseas.
