In Australia, 2020 has been a year of managing risks, from drought and fire to the coronavirus pandemic, remote working and regulatory and reputational issues.
COVID-19 erupted after Australia’s record drought and savage bushfires had already disrupted businesses across the country. The successive crises made demands that few could have predicted or prepared for.
The experiences shared by senior directors and executives at FM Global’s recent Rethinking Risk roundtable point to the ability of companies with well-prepared risk and crisis management plans to respond with agility, minimising not only the damage to business operations, but also any consequent loss.
St Vincent’s Health Australia was on the front line when the pandemic hit and, according to its group CFO, Ruth Martin CA, while regular risk profiles had been prepared for the board, they hadn’t routinely rated a “pandemic” as “highly likely”.
Says Martin, “What’s interesting is that while you have all the planning in place, sometimes it can be a little dusty.”
The organisation learnt three important lessons under pressure from the crisis: the need to respond with agility from the board down; being prepared to hear bad news to enable quick responses; and having business fundamentals in good order, including cash reserves.
Be prepared before the crisis hits
Insurer FM Global helps companies minimise risk to mitigate against losses, but it also came under pressure with the shutdowns. Onsite assessments, critical to its underwriting, were threatened.
While the company had occasionally used remote engineering servicing for this purpose, after border closures the technology had to scale up quickly, says operations manager Lynette Schultheis.
“This past six months, we’ve applied it 13,000 times. In theory, it was in place, but to be that agile and nimble to enact it so quickly, there were some growing pains.”
The climate and virus disasters came at the same time as Australian-listed global energy company Worley was dealing with other significant changes: integrating a new CEO, the energy transition, geopolitical tensions and falling energy prices.
Worley managed the situation by establishing a dedicated project management office to respond to the COVID crisis.
“We had to move more than 40,000 people around the world to work from home as our pandemic response plan kicked in,” explains senior group director Tony Frencham.
The priorities were staff safety first, then business continuity, followed by customers’ needs.
Frencham says the company’s robust risk culture was vital. “You have to have your core values, purpose, systems and beliefs in place before a crisis. You can’t be tinkering with those things when the crisis happens.”
Building the ‘risk muscle’
Penny Winn, a director of Coca-Cola Amatil, Goodman Group, CSR and Ampol, says some companies honed their risk culture in the years after Australia’s banking royal commission and other high-profile regulatory cases.
“I call it ‘risk muscle’ because, effectively, it is something you build up, just as an athlete practises for the Olympics.”
She says the duration and multiple layers of disruption, all interconnected, were a big test in 2020.
“What it brought to bear was about 10 risks all at once: economic risk, health risks, operational risks, etc.”
Her boards relied on their risk muscle to get them through, she says, with Coca-Cola Amatil convening weekly instead of monthly and stepping up information flow.
Risk adviser Peter Deans, a former chief risk officer for Bank of Queensland and BankWest, has developed an open-source framework, called 52 Risks, to help organisations identify, assess and manage their risks.
He says 2020 has accelerated many trends and jolted companies that didn’t have a deep understanding of risk in their business.
“They will look back now and say, ‘One of the lessons to come out of this difficult period is that an investment in risk management does actually pay off.’”
When a company self-harms
Several high-profile companies suffered enormous reputational damage and business losses in 2020, escalating the importance of identifying and governing risk.
Serious problems – such as those exposed by the casino licence inquiry into Crown Resorts, Westpac’s breaches of anti-money laundering laws and Rio Tinto’s destruction of a sacred Indigenous site – have rippled through the nation’s boardrooms.
Deans says it comes down to “a complete breakdown of the governance of risk management, despite having the resources and some good people in the chain”.
Winn likens the failures to the “boiling frog” fable – the temperature in a pot of water rises from lukewarm to boiling without the frog noticing until it’s too late to jump out.
“In a lot of cases, there is a culture of acceptance of small breaches and these breaches then build up and you get the Westpac situation,” she explains.
“In isolation, none of them seem extreme and management will say, ‘We’ve got it all under control’. But that’s where boards need to sweat the small stuff.
“Boards have a responsibility to review, to see, to question and to dig their heels in and say, ‘We are not good enough’… I think that’s critical.”
Climate change risk
The disruptive forces of climate change threaten a new era of uncertainty and, warns Schultheis, it’s a mistake to lose sight of this.
“Climate change can be just as big an issue for a client as a pandemic. If you were to lose a location, if a cyclone takes it down, then your competition is more than happy to just step in and take your place.”
There are many low-cost practical measures that can mitigate against catastrophe, she adds. “Just very basic things for a bushfire, such as removing your ignitable liquids to a safer area and elevating your expensive equipment in a flood.”
The climate challenge risk varies for different businesses and requires specific responses. Alongside planning for extreme weather events, companies need to think in broader strategic terms, advises Deans.
“Does my business look the same? Do my consumers and customer segments look the same in three, five and 10 years, and what should we do strategically to respond to that?” he says.
He cites the Australian Prudential Regulation Authority’s new requirement, in 2021, for banks to complete financial vulnerability assessments to evaluate the impact of climate change on their business.
“That will be a wake-up call, I think, for many banks. There is a question around business model sustainability. That should be the strategic discussion company directors are having right this minute.”
According to Winn, assessing future business sustainability raises a forensic transition risk.
“[Ampol, for example] can mitigate the climate change risk, but at the expense of lowering demand and lowering our viability in the longer term,” she says.
“It’s really hard to do both, but it is critical that boards do have that longer-term view.”
Frencham says climate risk mitigation has been a key focus at Worley. “Even though we’ve been going through all these crises, we’ve accelerated our climate change position statement to be net zero by 2030 and our customers have all done the same thing,” he says.
“It’s the right thing to do, the science is compelling and the stakeholders expect it. It has been highly energising in a very anxious year for our people and it’s allowed us to get on the front foot... with customers who you’d think would be distracted. But it’s front of mind for them, too.”
Cyber attacks are a significant threat
When the COVID-19 shutdowns forced health services online, relocated workforces to their homes and revolutionised meetings via video conferencing, it reinforced that all businesses are now dependent on technology. No company can make, supply, deliver or market products or services efficiently without it. And the risk of cyber attack has multiplied.
Malicious cyber activity is one of the most significant threats impacting Australians, according to Australia’s Cyber Security Strategy 2020. Released in August, the report states that 2266 cybersecurity incidents – at a rate of almost six per day – were referred to the Australian Cyber Security Centre in the 2019–20 financial year.
Deans points out that spending on mitigating the risk of cyber attack is no longer discretionary.
“I think those days are over,” he says, pointing to severely disabling hacks experienced in 2020 by Toll and Travelex.
“The downside risks are quite high – potentially catastrophic financially – and the reputation will take years to recover. So it’s really just a case of getting the experts in and spending some money, and probably spending a little bit more.”
Schultheis says directors also need to consider the risk to plant and equipment from cyber attacks, with most machinery computer-controlled and connected to the internet. Hence, FM Global’s cyber assessments now include software security.
With more people working remotely, computer network security risks have increased.
Worley’s Frencham says there’s the added complexity of being hosted by different systems on multiple customer sites. “We have to meet their standards and protect their assets, people and systems, and then also do the same for us.”
The health sector has become a target for cyber attacks, with data worth a fortune on the dark web, which is why St Vincent’s Health employs an ongoing testing regime.
“Cyber risk is huge in health – health is the new banks. That’s a big issue for us...” says Martin, adding that cybersecurity reports are prepared for every meeting of the board’s audit and risk committee.
“Our first and best line of defence is our people,” she adds. “We send out dummy phishing to see who will actually click on the link, then notify that person and instruct them to do training.”
Boards need digital technology capability and directors who can educate themselves on the threats, says Winn.
“It’s a matter of being connected. Directors’ roles are not just about looking inwardly to the organisation, but also scanning the environment and learning from the incidents.
“You have to make sure management has the people, capability and resources to do it correctly, and that you know enough to ask the right questions.”
Opportunities and resilience
There are significant lessons to take forward from 2020, notes Frencham. “I think the biggest risk in 2021 is not taking up the opportunities.
“We’ve moved a decade in the past year in terms of a lot of improvements. It’s very clear that sustainability, energy transition, climate change and circular economy are front and centre and we have to lean in to those.
“Yes, digitalisation has been accelerated and we have to continue that progress. The one area of risk among all that, that we’re concerned about, is our people. We [need] new pathways to develop our people.”
Martin says the culture of leadership is evolving, allowing more flexible decision-making where appropriate. “I think leadership is changing and having people that can make decisions in more agile working groups has been something other companies could potentially learn from.”
The pandemic has also brought home the fact that companies operate in a society that depends on them to function well. A focus on maximising shareholder value now seems to be broadening to include the health and resilience of the company.
“Reputation is very slow to be earned, but very fast to be lost,” says Winn. “In the digital world, it’s on hyperdrive... effectively, the customer is in control. Reputations have been hooked into what’s happening on social media and it’s so important.”
According to Frencham, in 2020, Worley relaunched the company’s purpose and values after holding more than 100 workshops around the world with its employees.
“It all goes to culture, and the culture certainly comes from leadership,” says Martin, recognising the value of independent, questioning voices.
“It is accountability and clarity of roles and responsibilities,” agrees Winn.
“It’s become apparent that the board is ultimately accountable and has to be very comfortable with the risk profile, and make sure that management accountabilities are fully understood throughout the organisation. This will be one of the learnings out of the last couple of years, with some of these governance failures.”
This is an edited extract from an article that first appeared in the December 2020 / January 2021 issue of Company Director magazine, published by The Australian Institute of Company Directors.