Risk management for directors: A guide
Governance Institute of Australia 2022
Table of Contents
What this guide covers 1
Acknowledgements 1
Foreword 2
An integrated approach to risk management is central to good governance 3
The regulatory environment 3
Shareholder and member interest in board oversight of risk management 4
Distribution of responsibility 5
Board committees — audit and risk 6
Culture 13
Tools, processes and improvements 16
Non-financial and emerging risks 22
When risk management fails 25
About us
A national membership association, Governance Institute of Australia advocates for a community of more than 43,000
governance and risk management professionals, equipping our members with the tools to drive better governance within
their organisation. We tailor our resources for members in the listed, unlisted and not-for-profit sectors, and ensure our
members’ voice is heard loudly. As the only Australian provider of chartered governance accreditation, we offer a range
of short courses, certificates and postgraduate study to help further the knowledge and education of the fast-growing
governance and risk management profession. We run a strong program of thought leadership, research projects and news
publications and draw upon our membership of the Chartered Governance Institute to monitor emerging global trends and
challenges to ensure our members are prepared. Our members know that governance is at the core of every organisation —
and in these tumultuous times, that good governance is more important than ever before.
What this guide covers
This resource has been developed by Governance Institute of Australia as part of its commitment to promoting good
governance and risk management. It is designed to be a practical resource to assist Australian directors in any sector.
It is intended to assist boards to integrate and enhance their oversight of governance and risk management frameworks.
This in turn will assist organisations to achieve strategic focus, by providing boards with the information they need and
ensuring ongoing ownership of risks by all employees in relation to achieving strategic objectives. It is not intended to advise
directors about how to create an enterprise risk management system or a technical management-led risk process — these
are more suited to development by management.
The original edition of the guide was published as Risk Management: A handbook for directors in 2016. This revised edition is
published in 2022.
Acknowledgements
Governance Institute acknowledges the contribution of Judith Fox FGIA, author of the first edition of this guide.
Glossary
ACNC means the Australian Charities and Not-for-profits Commission, which regulates charities.
ASIC means the Australian Securities and Investments Commission, the corporate, markets, financial services and consumer credit regulator.
APRA means the Australian Prudential Regulation Authority, the banking, insurance and superannuation regulator.
Business judgement rule means the ability of directors to rely on section 180(2) of the Corporations Act in relation to their obligation to act with care and diligence under section 180(1) of the Corporations Act.
Corporations Act means the Corporations Act 2001.
Corporate Governance Principles and Recommendations means the Corporate Governance Principles and Recommendations, 2019, 4th Edition, ASX Corporate Governance Council.
ESG means environmental, social, governance.
Net zero or Net zero emissions means achieving an overall balance between greenhouse gas emissions produced and greenhouse gas emissions taken out of the atmosphere.1
Safe harbour means a legal provision to reduce or eliminate legal or regulatory liability in certain situations as long as certain conditions are met, particularly section 588G of the Corporations Act.
1 See the Climate Council.
Risk management for directors: A guide 1
Foreword
Directors have a fiduciary duty to act in the best interests of the company. In order to discharge their duties, directors need
to know, and properly assess, the nature and magnitude of risks faced by the entity.
An integrated governance and risk management framework is central both to informed decision-making by the board and
adapting to changes in the environment in which the organisation operates. This guide has remained one of our most in
demand resources since it was first published in 2016. Recent high-profile corporate events where risk management has
often been highlighted as a failing, serve as a strong reminder of the importance of board oversight of risk management.
The recent global pandemic, with its corresponding impacts on supply chains and its acceleration of new patterns of work
and cyber security threats, has fundamentally challenged how boards identify, mitigate and monitor risk.
Shareholders, investors and members increasingly expect boards to demonstrate and publicly disclose effective oversight of
risk management, especially on climate and cyber risks. Public sector entities with boards also face increasing scrutiny from
parliaments, ministers, departments, integrity bodies, ombudsmen and auditors general. There is growing recognition that
the board’s ability to effectively manage and disclose risk impacts a wider array of stakeholders, including employees and
the communities in which organisations operate. This heightened level of public scrutiny is illustrated by a 2020 Governance
Institute survey that found 60 per cent of risk professionals consider brand or reputation damage to be among the top five
risks facing organisations in the immediate future.2
This practical guide aims to equip new, existing and prospective directors to fulfil their duties. It is more than tick-box
compliance or a long list of regulations – instead it aims to spark challenging questions in the minds of individual directors
and healthy debate around the boardroom table.
This guide is designed to assist directors in all sectors. It is essential reading no matter whether you are a director of a listed
or unlisted company, a not-for-profit organisation, or a public sector entity with a board, and regardless of size.
In the years since this guide was first published, Australian directors and their organisations have undeniably grown in risk
maturity. Boards have become increasingly systematic and have adopted more structured risk management processes.
They are benefiting from a more conscious assessment of the risks embedded in their daily operations, aided by advances
in risk management techniques and technologies, although sectoral differences remain. The impact of royal commissions
into financial services and aged care and APRA’s prudential inquiry into CBA have also driven a heightened focus on risk
management.
The challenge now is to continue this maturation in other areas such as culture and non-financial risks including cyber
security – areas where the guide has a renewed focus.
This updated resource builds upon the original work of Judith Fox and has been revised by Governance Institute with
valuable inputs from members who are risk management practitioners, company secretaries and senior members of the
business and not-for-profit community.
Armed with this guide, a director is well placed to tackle this integral element of good governance that is critical to
organisational success.
Megan Motto, CEO
Pauline Vamos, Chair
2 Governance Institute of Australia, 2020, Risk Management Survey Report 2020, p. 32.
An integrated approach to risk management is central to good governance
Governance codes and regulators place the management and oversight of risk at the centre of corporate governance and the role of the board in steering organisations, and for good reason. Failures of risk management often involve a weakness of governance, and vice versa.
Governance and risk should be seen as connected and integrated in a single framework.
Risk management should be integrated with governance in a single framework for any organisation overseen by a board or other governing body. The board should put in place a structured, continuous process to identify, manage and respond to risk.
What is risk and risk management?
Risk-taking is what organisations do — it is part of every decision an organisation takes. Risk management standard ISO 31000:2018 defines risk as ‘the effect of uncertainty on objectives’ and risk management as ‘coordinated activities to direct and control an organisation with regard to risk’.3 Risk encompasses the opportunities to create value for the organisation (upside or opportunity risk) as well as the threats or hazards present and to be considered to ensure value is not compromised (downside risk), with recognition of the uncertainties attached to the opportunities and hazards alike. Organisations that manage risk well can limit the impact of threats and take advantage of opportunities.
Risk management is critical as it assists organisations in setting strategy, achieving objectives, making informed decisions and potentially avoiding loss events. It also protects customers and vulnerable stakeholders from harmful impacts, such as those investigated by the royal commissions into the financial services and aged care sectors.
Key elements of a risk management framework include:
• assessing the organisation’s appetite and tolerance for risk
• clear and documented lines of responsibility and accountability for risk management and risk decisions
• a documented process for identifying types of events that could compromise the achievement of the organisation’s objectives, as well as opportunities for value creation
• putting in place policies and processes to mitigate the identified risks
• monitoring and managing risks over time at an operational level
• establishing contingency plans for major risk events and emergencies that may occur, and
• regularly assessing the adequacy of the risk management framework.
The regulatory environment
While by no means a new concept, risk management is the subject of increasing attention and regulatory activity in many jurisdictions. Australia is no exception. No sector is immune. Directors face an increasingly complex array of national, state-based and international governance and risk management regulation, including a mix of mandatory, voluntary, principles-based and rules-based regimes. Some industries are more heavily regulated than others. Not all codes and regulations are aligned, and many vary in their level of detail about risk management.
These ever more stringent regulatory requirements have been influenced by local and global events. They include high-profile corporate collapses that led to the Sarbanes-Oxley regulation in the United States (2002), the 2008 global financial crisis, the Financial Services Royal Commission in Australia (2017-2019), the Royal Commission into Aged Care Quality and Safety (2018-2021), the growing consensus on climate change science, the rapid uptake of digital technology, the COVID-19 pandemic and global conflict.
3 Standards Australia, 2018, AS ISO 31000:2018, <https://www.standards.org.au/standards-catalogue/sa-snz/publicsafety/ob-007/as--iso--31000-colon-2018>.
What this rapidly evolving regulatory environment underscores is the board’s ultimate accountability for risk management and the importance of directors taking an integrated, organisation-wide perspective to the oversight of risk.
Regulatory obligations on directors in relation to risk management include:
• directors’ duties at common law, in the Corporations Act and under other statutes
• the ASX Corporate Governance Principles and Recommendations for listed companies
• ASIC, APRA and ATO standards, regulations and regulatory guidance
• the Privacy Act and notifiable data breaches to the Office of the Australian Information Commissioner
• emerging regulation around cyber security and the protection of critical infrastructure assets and assets of national importance
• environmental protection legislation
• anti-discrimination laws
• anti-money laundering laws
• whistleblowing legislation
• public sector governance legislation and standards applicable to public sector entities
• ACNC legislation and regulation applicable to charities and not-for-profits
• state and territory legislation applicable to incorporated associations
• workplace health and safety legislation and workers’ compensation law.
Put simply, in addition to their duty to act in the best interests of the organisation, directors have other legal and fiduciary duties. To discharge these duties, directors must carefully oversee and, where appropriate, disclose the risks faced by the entity.
Directors of companies regulated by the Corporations Act have some protection from personal liability through the operation of the safe harbour provision, relating to claims for insolvent trading, and the business judgment rule, which protects directors from personal liability for poor decisions made in the course of performing their duties. However, these protections are unlikely to apply if directors do not take proactive steps to fulfil their duties. This underscores the need for directors to understand and take their duties in relation to risk management very seriously, and for boards collectively to ensure that a robust and integrated risk management and governance framework is in place and continually improved.
Shareholder and member interest in board oversight of risk management
Listed entities in many jurisdictions are expected to apply the principles and practices in a governance code in the relevant jurisdiction or provide an explanation for why they have not done so.4 Investors look to these disclosures to make decisions about the deployment of their capital investment. They are increasingly keen to obtain greater clarity about how well boards are overseeing the management of risk within the organisation and the management team’s ability to exercise control. Investors see the board’s capacity to present a balanced and understandable assessment of the entity’s performance and prospects as key to whether a board is adequately undertaking its responsibility to act as the agent of shareholders to preserve and create value on their behalf.
Members of unlisted organisations, while not necessarily seeking to make decisions about the deployment of a financial investment, are equally keen to assess the capability of the board to:
• set the risk appetite for the organisation
• oversee the risk management framework implemented by management and satisfy itself that the framework is sound.
Public sector entities with boards are created to carry out certain functions for government that have been approved by the responsible parliament, and the relevant minister will have an interest in the board’s accountability in respect of its oversight of risk management within the entity. Integrity and central agencies such as auditors-general, public service commissions, ombudsmen, anti-corruption bodies and departments of treasury may also have an interest. Public sector entity boards also need to take account of the interest of other stakeholders, including the community, in the oversight of risk management.
4 In Australia, the Australian Securities Exchange (ASX) Listing Rules require disclosure of the extent to which the corporate governance frameworks and practices of listed entities align with or differ from the Corporate Governance Principles and Recommendations, the ‘if not, why not’ regime.
Key questions for directors:
• If your organisation was the subject of a Royal Commission or other significant external review, what failings or weaknesses might it identify in your governance and risk management framework?
• How do you believe your organisation’s senior management team would answer the above question?
Distribution of responsibility
The role of the board
Risk management begins and ends with the board. This is an oversight role, not involvement in the day-to-day managing of risk.
The board has overarching responsibility for setting the organisation’s strategy and business model and the corresponding level of risk.
Setting strategy and managing risk are closely connected. The board sets the entity’s risk appetite – the nature and extent of the risks it is prepared to take to achieve objectives. The board oversees the integrated risk management and governance framework and regularly satisfies itself that this remains sound. This involves putting in place a structured, continuous process to identify, manage and respond to risk and overseeing management’s implementation of strategic and operational risk management.
There should be appropriate demarcation between the roles of the board and management. The board is not a ‘rubber stamp’. It may reject or make changes to management’s recommendations. The board does not give effect to the operational elements of the framework. Directors should exercise caution when setting aside any strongly expressed recommendations of management.
It may be appropriate for the board to temporarily intensify its supervision of management in response to major risk management events or at pivotal moments in the achievement of organisational objectives such as mergers and acquisitions and major digital transformation projects.
Individual directors
Directors should be aware of their responsibilities and duties in relation to risk management. All directors on induction and thereafter should understand the entity’s business and the material business risks it faces. The chair of the board should regularly review and agree with each director their training and development needs to ensure the directors as a group have and maintain the skills, knowledge and familiarity with the organisation required to fulfil their role on the board and on board committees effectively.
The board needs an appropriate mix of non-executive and executive directors. This includes having a sufficient number of independent non-executive directors who can challenge management and hold them to account and represent the best interests of the organisation and its members as a whole rather than those of individual members or interest groups. However, it is the responsibility of all directors, not just independent non-executive directors, to exercise independent and active judgment.
Given the integral role of audit, risk and related board committees, it is vitally important that individual members of these committees devote sufficient time and care to their duties.
Directors should ensure they have sufficient time to meet the obligations of their role. Directors who sit on multiple boards and risk committees should ensure they have sufficient capacity, especially during periods of intense workload.
Directors should also consider how they personally contribute to promoting an effective and respectful boardroom culture. Effective directors foster a probing risk culture in the boardroom, balanced with discretion and respect. Length of tenure may also be relevant to a director’s ability to effectively contribute to risk management. The Corporate Governance Principles and Recommendations recognise that lengthy tenure may pose a risk to director independence and the loss of opportunities for fresh ideas and perspective.5
Delegations of authority
Whole-of-organisation governance is about how authority is exercised and controlled below the board in an organisation. Authority cascades from the board to the CEO to the executive management team and throughout the organisation.
All decision-makers in the organisation should understand the purpose for which authority is to be exercised — to facilitate the strategic objectives of the organisation (the why). All decision-makers should understand how authority is exercised, who has authority to do what, and what boundaries apply (the how).
5 See the discussion in ASX Corporate Governance Council (2019) Corporate Governance Principles and Recommendations, 4th Edition, ASX Corporate Governance Council, p 14, Recommendation 2.3.
There should be appropriate monitoring systems in place to provide assurance (safeguard) that decisions are being made in the right way for the right purpose.
The board needs to know that an effective framework is in place clarifying who is authorised to make what decisions and in what circumstances.
There should also be comprehensive delegated authorities in place, clearly articulating to each decision maker within the organisation their capacity to make decisions in relation to their specific responsibilities and duties. The delegations of authority framework needs to align with the strategic objectives of the organisation. The delegation of authority is a key structure articulating risk tolerance in an organisation.
The delegations policy should clarify that setting out the delegations of authority is a fundamental component of a risk management framework. It is not a stand-alone policy, but central to the governance framework of an organisation both at and below board level. It provides a framework for decision-making and accountability within the organisation and therefore needs to be clear and easy for staff to use. Appropriate training is essential in ensuring that staff understand the operational limits of their delegation.
When framing delegations of authority, management needs to consider them within the risk management framework through scenario testing. This could include considering the risks of unintended consequences if a particular authority is delegated.
The board and management need to ensure that all material risks, both financial and non-financial, are covered by the delegations of authority. A common weakness in delegations frameworks is that no senior executive is responsible for non-financial risks.
For APRA-regulated organisations the Banking Executive Accountability Regime (BEAR) establishes accountability obligations for banks and other authorised deposit-taking institutions and their directors and senior executives. BEAR will be replaced by the Financial Accountability Regime (FAR). FAR will extend strengthened, BEAR-like accountability requirements to other APRA-regulated entities and to their directors and senior executives with the aim of strengthening and increasing individual and entity level accountability across the financial services sector, including for non-financial conduct risk.
Board committees – audit and risk
The board is ultimately responsible for the oversight of risk management. In exercising this responsibility, boards often establish committees with a focus on particular issues. Two common areas of focus are:
• risk oversight and internal control
• integrity of financial reporting.
Perceived failings by audit and risk committees received particular attention in APRA’s Prudential Inquiry into the Commonwealth Bank of Australia and the Final Report of the Hayne Royal Commission.6 This underscores the need for the board to give careful attention to the structure, composition and functions of these committees, and for individual directors to give careful and full attention to their duties.
As with any board committee, audit and risk should operate under a written charter or terms of reference that clearly articulate the role, composition and specific responsibilities the committee will perform as well as any authorities that will be delegated. The composition and functions of these committees will depend on the particular circumstances of each entity, including its size, complexity and nature of its functions and operations. It is important to regularly review the composition of board committees to ensure there is an appropriate balance of the skills needed to carry out their work. This review is typically carried out annually by the committee chair with the assistance of the company secretary.
Since the first edition of this guide, there has been a gradual move towards separating risk management from audit. Governance Institute’s 2020 risk survey found that dedicated risk committees were most common in ASX listed companies (40 per cent of respondents) compared to unlisted large businesses (27 per cent) and the government sector (27 per cent).7 However, there remains no consensus about whether it is preferable to have a stand-alone audit committee and stand-alone risk committee, or to combine these committees. It is also possible to have no dedicated risk committee on the basis that risk management is the responsibility of every board and board committee.
The notable exception is where the committee structure is mandated. APRA requires APRA-regulated institutions to establish a board audit committee and a board risk committee. An audit committee is mandated in Australia for the top 500 companies under ASX Listing Rule 12.7. Principle 4 of the Corporate Governance Principles and Recommendations guidelines recommends all listed
6 See Prudential Inquiry into Commonwealth Bank of Australia, APRA, 30 April 2018 at pages 16–17.
7 Risk Management Survey Report 2020, Governance Institute of Australia, p. 16.
entities establish an audit committee, and Principle 7 recommends listed entities establish a committee or committees to oversee risk but does not specify that it has to be a stand-alone risk committee or combined with an audit committee. By contrast a combined audit and risk committee is mandated for all NSW government departments and statutory bodies.8
Key considerations influencing committee structures include: resource constraints, whether combining audit and risk may bring clarity particularly where major risks are financial, and whether having separate committees will allow greater deliberation time. In a review of director oversight of non-financial risk, ASIC questioned what it perceived to be ‘modest’ meeting hours for risk committees at the institutions it reviewed, which ranged from 16 to 40 hours a year across its sample.9
Many listed entities will have more than one board committee responsible for the oversight of different elements of risk, such as workplace health and safety, sustainability, investment, environmental impact and technology. Given the rapid rise in cyber incidents during the COVID-19 pandemic, many organisations are reviewing which committee should have responsibility for cyber risk. Some organisations include cyber risk in the responsibilities of the audit and risk committee; others form a separate committee. Whichever approach is adopted, the committee responsible needs to be satisfied that the organisation is sufficiently prepared to address this risk.10
It is essential to clarify the way in which board committees communicate with each other and to the board to ensure that each committee benefits from the insights of the other committees. Audit and risk committees, where separate, should maintain a close working relationship to maintain consistency.
A board risk committee typically:
• provides oversight of activity and advice to the board in relation to current and potential future risks and risk management strategies, possibly in relation to a specified subject area
• provides recommendations about risk appetite and tolerance
• monitors the management of risk within its remit, and
• identifies to the board any matters within its remit where it considers that action or improvement is needed and recommends the steps to be taken.
Regardless of the committee structure, there can only be one management process within the organisation and there should be a single, integrated view of risks presented to the board.
The role of management
It is management’s role to recommend, execute and operate within the risk appetite, framework and process approved by the board, in line with the board’s strategy and subject to its oversight.
Boards’ expectations of senior management teams’ involvement and attention to risk management are increasing.
Management should establish mechanisms to:
• monitor exposure and risk management performance — monitoring risk appetite at an organisational level means there needs to be a clear and defined way to escalate risk monitoring results from all the areas of the organisation
• approve the retention of risks
• enforce the risk tolerances prescribed by the board — an effective risk appetite statement will shape the way the organisation is managed, and
• routinely monitor and evaluate the risk management processes and report to the board.
Appointing and challenging management
Good governance demands an appropriate separation between those responsible for managing an organisation on a day-to-day basis and those responsible for overseeing its management.
Effective risk oversight begins with a clear, mutual understanding of the extent and nature of the board’s responsibilities compared to those of management and other stakeholders. The ultimate goal is that boards have confidence in the information they receive from management, and management creates a cohesive process in which risks and their impacts are routinely identified, evaluated, and addressed. The assessment of risks to reputation and organisational long-term sustainability is the responsibility of both parties.
One of the most important roles of a board is to select, appoint and, if necessary, replace the chief executive officer. In many organisations, the board will also approve the appointment, and when necessary, replacement, of other senior executives. Boards should periodically consider whether current management has the capacity to effectively manage risk, including as part of succession planning and executive remuneration policies.
The capacity of directors to bring independent judgment to bear on decision making and challenge executives is important in preventing domination of a board by any one individual — the CEO in particular. A culture of consensus, where management’s recommendations are not questioned or challenged, is to be avoided especially at times of apparent business success. Such questioning relies on a clear understanding of the strategic risks and opportunities facing the organisation.
8 NSW Treasury (2020) Internal Audit and Risk Management Policy for the General Government Sector (TPP20-08), p. 2.
9 Director and officer oversight of non-financial risk report, ASIC Corporate Governance Taskforce, 2019, p. 43.
10 See Cyber Risk Readiness, Response & Ransom: An Audit Committee perspective, The Institute of Internal Auditors Australia 2022.
The Financial Services Royal Commission highlighted the central importance of directors holding management to account.

‘Boards cannot operate properly without having the right information. And boards do not operate effectively if they do not challenge management.’
Commissioner Kenneth Hayne11

Chief Risk Officer

It is becoming more common for boards to identify an executive to lead the risk management process in order to promote accountability.

APRA-regulated entities are required to have a designated risk management function and must appoint a Chief Risk Officer (CRO) to be responsible for that function. The CRO should report directly to the CEO and the CRO’s office should be independent of all other business units. It may be beneficial for the CRO to have a clear and direct reporting line to the full board and/or the Audit/Risk board committee, to ensure an undiluted and non-conflicted ‘voice’ on risk is heard at board level. A dedicated CRO may also assist in embedding risk management processes more fully into the day-to-day operations of the organisation.

Whether or not a CRO is appointed, board expectations for increased CEO and senior management team involvement and attention to risk management are increasing.

Dedicated risk management function

The organisation’s size, business mix and complexity will dictate whether there are sufficient resources to implement an internal risk management function. This unit may report to a CRO or another senior executive.

A risk management function is responsible for designing and implementing the risk management framework that is appropriate for the organisation. By coordinating the participation of all aspects of the business in risk management, a risk management function relies on information that is already available. It also develops channels of communication to ensure that strategy and risk appetite are central to developing risk management strategies and that information from a variety of sources across the business is synthesised for reporting to the board. If the organisation has a risk management function, and seeks to implement an enterprise risk management framework, the function needs to be structured and have a mandate to fulfil its role and accountabilities.

The risk management function needs to be sufficiently close to the business to properly advise the business, rather than housed in a separate silo. At the same time the risk management function must not be ‘captured’ by the business functions and must retain sufficient independence to fulfil its assurance function, question the decisions of other business units and, if necessary, escalate concerns. Each organisation needs to decide the appropriate balance between these two aspects of its function. In large organisations these aspects may be separate roles held by different individuals, but this may not be the case in smaller organisations.

Directors should remember that risk management performs both a control and a strategic function. Risk management is less effective in organisations where it operates purely as a control function.

If the organisation has both an internal risk management function and an internal audit function, the board should consider how these two functions interact within the entity.

Key questions for directors about the risk management function:

• How close to the business is the risk team? Is the team able to operate objectively?
• Are the terms used relevant and understood by everyone in the business?
• Does management retain accountability for managing risk?
• Do the board and the CEO provide a clear licence to the CRO to assist divisions?
• Does the CRO have a direct line of report to the audit or risk committee?
• Can the CEO terminate the employment of the CRO or other senior executives, or are they independent of the senior executive team?
• Does the risk management function have an appropriate level of authority, influence and independence in the organisation?
• Does the risk management function have adequate resources and skills to undertake its role?
• Is there a single person or team responsible for coordinating risk across the organisation?
• Does the approach to risk management take into account risk scenarios and the interaction of multiple risks?
• What was the date of the last operational review of the risk management function by internal audit, and what was the result and the action taken by management?

11. Final Report, Royal Commission into Misconduct in the Banking, Superannuation and Financial Services Industry, Commissioner Kenneth Hayne, 2019, Volume 1, p. 396.
Internal audit and external audit

A board needs to satisfy itself that the risk management framework is operating effectively and as intended. Effectiveness can be tested from time to time through assurance providers such as internal or external audit.

A listed entity should disclose if it has an internal audit function, how that function is structured and what role it performs. If it does not have an internal audit function it should disclose the processes it employs for evaluating and improving the effectiveness of its governance, risk management and internal control processes.12

An internal audit function brings a systematic, disciplined approach to evaluating and continually improving the effectiveness of an organisation’s risk management and internal control processes. An internal function has a unique role in that it is based inside the organisation, but is also independent and objective. Its knowledge of practices across an organisation also means it is well placed to provide a perspective on organisational practices and risk culture based on its observations of practices and behaviours.

The head of the internal audit function should have a direct reporting line to the board or to the board audit committee, and to the risk committee or committees if they are separate, to ensure there is independence of assurance.

Smaller organisations may not have an internal audit function but should be able to demonstrate the processes in place for evaluating and continually improving the effectiveness of their risk management and internal control processes. Smaller organisations frequently engage an external consultant to provide independent internal audit services. The board may see advantages in using external consultants to support the internal audit function, or in outsourcing the internal audit function.

The ‘three lines of defence’ can be a useful way to define roles and responsibilities when considering effective risk management and control:

• First line — operational management control
• Second line — management assurance (risk control and compliance oversight functions established by management), and
• Third line — independent assurance.

The board and its committees are not included in the ‘three lines of defence’ but are served by the ‘three lines’. The board’s role is to ensure that the ‘three lines of defence’ model is reflected in the organisation’s risk management and control processes. It is important that there is a good understanding of the three lines of defence throughout the organisation.13 14

Boards should also be aware that regulators have in recent years intensified their focus on audit quality.

Line managers and frontline employees

It can be difficult to make risk management ‘come alive’ for all employees in an organisation. It can seem esoteric, or something with which only senior management needs to be concerned. Yet risk management is everyone’s business, and is about making informed business decisions by creating awareness of risk.

In most large organisations, there will be a person or team responsible for the design, implementation and monitoring of adherence to the risk management framework who can also act as a ‘single point of reference’ regarding risk and threat management. The seniority of the head of risk management varies. However, there is rarely a single person or team responsible for coordinating the information about risk across the organisation and synthesising that information for the board. Usually, different teams, for example finance, operations, public relations and the executive, manage different aspects of risk.

Business managers manage risk every day in relation to the products and services they offer or wish to offer, but may have a narrow understanding of how these risks either align with or diverge from the organisation’s risk appetite or strategy. Conversely, those managers supporting the business units, such as legal, taxation and human resources, may lack an understanding of how their expertise specifically applies to the organisation’s products and services.

Governance Institute’s Guidelines: whole-of-organisation governance provide a framework for an organisation to:

• ensure that the effort undertaken by all employees across the organisation is aligned with the strategic objectives
• clarify individuals’ roles, authorities and accountabilities in achieving strategic objectives
• empower individuals to make decisions that are aligned with strategic objectives
• clarify the controls and boundaries that apply to the exercise of authority, and
• provide for clear and effective accountability for the decisions taken and authority exercised.

A clear whole-of-organisation governance framework supports the achievement of the organisation’s strategic objectives by clarifying that decision-making is tied to risk and that there is accountability for the exercise of authority. Such a framework allows all employees to respond to changing circumstances, while ensuring that decisions are made within the risk appetite set by the board.

12. See Recommendation 7.3, Corporate Governance Principles and Recommendations.
13. See for example, Report Board Governance of AML/CTF Obligations at Westpac: The Advisory Panel Review, 8 May 2020, at p 14.
14. See also The IIA’s Three Lines Model, The Institute of Internal Auditors, July 2020.
Questions for directors:

• Are there processes in place to integrate risk management into strategic planning?
• Does the overall strategic planning process consider and prioritise the uncertainty attached to achieving strategic objectives across the organisation?
• Does management need to be encouraged to incorporate value creation as well as preservation into its risk management framework?
• Does the board consciously assess risk and reward when considering major strategic initiatives?
• Does the board assess strategic plans in terms of their potential failure and the attendant consequences?
• Does the board have an adequate framework to understand the interrelationships, interdependencies and compounding effect of risks?
• Does the board analyse the proposed means of reaching those goals, and the likely constraints?
• Does the board act as a catalyst to bridge silos in the business by bringing various risk owners into the same room to present their perspectives and strategies on risk?
• Does the board have a view on who is the designated person with responsibility for risk management within the organisation, the person who will work with the risk owners, each of whom has responsibility for managing different aspects of risk operationally? For example, it could be a CRO in a larger organisation or the chief financial officer or company secretary in a smaller organisation.
• Is the board confident that there is communication and understanding between those responsible for reviewing the management of opportunities and the risks attached to them across the organisation and those responsible for articulating organisational messages?
• Does the board appropriately allocate risk management resources?

ESG risks

There is increasing pressure from shareholders and other stakeholders for corporate action and disclosure on ESG issues. These often involve a risk management component, including requests for climate change risk disclosures, genuine commitments to achieve net zero targets, and divestment from fossil fuel assets.

Social risks to consider include workplace bullying, sexual harassment and assault, geopolitical risks, demographic risks as Australia’s population ages, issues affecting cultural minorities, and ethical risks such as corruption and human slavery in global and domestic supply chains.

Governance risks relate to how organisations are governed. Many investors focus on governance issues because they consider that governance affects the value of their investment.

Climate change risk

Climate change poses significant challenges for Australia, affecting its society, economy and natural environment. Australia is particularly vulnerable to drought and bushfires, which may be exacerbated by climate change. It has historically relied heavily on fossil fuels for energy security and economic growth. Climate change also poses challenges for biodiversity. Investors and other stakeholders such as regulators are increasingly seeking disclosure from organisations about their exposure to, and management of, climate change risk. There is also increasing regulatory focus on climate change risk. In 2021 alone:

• ASIC committed to targeting misleading ESG claims related to financial products as part of its 2021–2025 corporate plan and warned of regulatory action against misleading net-zero claims.15
• APRA commenced its climate vulnerability assessment of the five largest Australian banks to help assess the vulnerability of institutions and how they may adjust their business models in response to climate change.

In 2021 Noel Hutley SC and Sebastian Hartford-Davies updated their 2016 opinion on climate change. In their 2016 opinion they expressed the view that directors’ duty of care and diligence under the Corporations Act permits or requires Australian company directors to respond to climate change risks. Their view was that directors who failed to consider climate change risks then could be found liable for breaching their duty of care in the future. In 2021 they said it is ‘clear the benchmark for directors on climate change and attendant risks and opportunities continues to rise’.16

15. See Speech, ASIC’s Corporate Governance Priorities and the Year Ahead, ASIC Chair Joe Longo, 3 March 2022.
16. See Climate Change and Directors’ Duties, Further Supplementary Memorandum of Opinion, Noel Hutley SC and Sebastian Hartford-Davies, 23 April 2021.
In recent years many organisations have announced net zero targets. Since the United Nations Climate Change Conference (COP 26) the number is likely to increase.17

Climate change risk will impact organisations in all sectors, either because of their own operations or because it impacts their suppliers, customers and other stakeholders. For these reasons directors should consider the impact of climate change on their organisation and consider appropriate disclosures. The Task Force on Climate-related Financial Disclosures (TCFD) framework is rapidly emerging as the preferred framework for disclosure of material climate-related risks.18 In November 2021 the International Sustainability Standards Board (ISSB) was established to develop comparable reporting by companies on climate and other ESG issues.

There has also been a significant increase in climate change related litigation. Globally, the cumulative number of climate change-related cases has more than doubled since 2015.19 This represents an increasing risk for organisations in all sectors.

Nature loss

There is also an increasing focus on the financial risks that nature loss poses for organisations. The Taskforce on Nature-related Financial Disclosures (TNFD) is a global, market-led initiative with a mission to develop and deliver a risk management and disclosure framework for organisations to report and act on evolving nature-related risks. The TNFD Framework draws on the TCFD recommendations, with recommended disclosures covering four areas: governance, strategy, risk management, and metrics and targets. The final TNFD recommendations are scheduled for release in 2023.

Social risks

Investors and other stakeholders have an increasing interest in how organisations are managing a group of risks characterised as ‘social risks’ — the potential negative risks to organisations that result from their impacts on communities of people such as employees, customers and local communities. A number of well documented failures to manage these risks have led to significant reputational and other damage to a number of public and private sector organisations.

Social risks include:

• Modern slavery – this includes serious exploitation such as trafficking in persons, slavery, servitude, forced marriage, forced labour, debt bondage, the worst forms of child labour and deceptive recruiting for labour or services.20 It is important for organisations to identify modern slavery risk and proactively address the risks identified, including risks across their supply chains.
• Human rights – this relates to the human rights of the people organisations impact, including in their workforces, communities, customers and end-users. Poor practices can expose organisations to significant reputational and financial risk.
• Poor labour standards – there have been a number of high-profile scandals relating to underpayment of staff. There are also growing risks relating to casual and insecure employment and unsafe working conditions.
• Workplace safety – the safety of a workforce relates not only to physical safety but also to mental health, and organisations should ensure that there is adequate support for employees’ psychosocial wellbeing. Ensuring workplaces are free of sexual harassment is an increasingly fundamental part of providing a safe workplace for all employees. Safety also extends to proactively preventing and responding effectively to racism and other forms of discrimination.
• Diversity – organisations are likely to be more successful when they harness collective intelligence and approach problems with cognitive diversity. There are several aspects of diversity which organisations may wish to consider, including gender, age, education and professional experience, and ethnicity. There has also been a focus for some years on increasing gender diversity on boards and in senior management teams, particularly for listed companies.

17. See A Guide for board and management on the path to net zero, Governance Institute of Australia, 2022.
18. See Climate Change Risk Disclosure: A practical guide to reporting against the Corporate Governance Principles and Recommendations, Governance Institute of Australia, 2020.
19. See Setzer, J., Higham, C., Climate change litigation is growing and targeting companies in different sectors, 2021.
20. See section 3, Modern Slavery Act 2018 (Commonwealth).
Governance risks

Governance risks relate to the risks that arise from poor governance practices. Good governance is important to shareholders, stakeholders, employees and customers alike and has a strong link to an organisation’s reputation. Poor governance practices are therefore a source of risk for organisations.

Governance Institute considers governance has four key components:

• Transparency – making clear disclosures about the organisation’s structure, operations and performance, both externally and internally, and maintaining a genuine dialogue with, and providing insight to, legitimate stakeholders and the market generally.
• Accountability – ensuring that there is clarity of decision-making within the organisation, with processes in place to ensure that the right people have the right authority for the organisation to make effective and efficient decisions, with appropriate consequences for failures to follow those processes.
• Stewardship – developing and maintaining an enterprise-wide recognition that the organisation is managed for the benefit of its shareholders/members, taking reasonable account of the interests of other legitimate stakeholders.
• Integrity – developing and maintaining a culture committed to ethical behaviour and compliance with the law.21

Recognising and managing risk is a crucial part of the role of the board and management, and oversight of risk management is the responsibility of the board. Risk management is an important part of governance.

In Australia, the principal reference and reliance for corporate governance rests in the provisions of the Corporations Act 2001 and the Corporate Governance Principles and Recommendations.

Good governance therefore ensures transparency and accountability, and can prevent scandals, fraud and issues relating to organisational liability. An organisation that bases its structure and corporate culture on good governance principles is more likely to avoid major disasters.

Technology risks

While an organisation’s technology business units and service providers should have an active risk register and a risk management approach and culture, technology risks can also significantly impact overall organisational performance, customer experience and reputation. It is therefore advisable for organisations to establish a process and criteria for how technology-related risks of strategic or widespread operational impact are included in, or escalated to, the appropriate governance and overall risk management levels within the organisation.

Cyber risk

Given the increased amount of global online activity during the recent pandemic, combined with a significant escalation in global conflict, the number of cyber-attacks has increased dramatically. Consequently, organisations and their boards have a heightened focus on this risk. At the same time this increase in global online activity has also been a source of opportunity for many organisations, opening up new products and markets and increasing their ability to connect to their stakeholders.

Many organisations use the Australian Cyber Security Centre’s Essential Eight Maturity Model as a first step towards improving their cyber security risk profile.22

A recent Federal Court decision found that a company which held an Australian Financial Services Licence was in breach of the provisions of the Corporations Act due to conduct involving cybersecurity.23 This is the first case in which ASIC has exercised its powers in respect of an organisation’s failure to have adequate cybersecurity and cyber resilience risk management controls. While this case relates to an ASIC-regulated financial services firm, it is also relevant for other organisations which may come under scrutiny by other regulators because they are subject to similar obligations.24 They need to ensure there is robust monitoring of incidents to proactively identify broader systemic issues or system deficiencies, and that there is no delay in developing and implementing improved compliance measures once a deficiency has been identified.

ASIC’s good practice guidance for financial services firms, encouraging activity to promote cyber resilience, also serves as a useful starting point for organisations in other sectors. ASIC considers that ‘informed oversight of risk involves the board being satisfied that cyber risks are adequately addressed by the risk management framework of the organisation. Important controls include ensuring the organisation has appropriate safeguards in place against malicious cyber activities, and that recovery capabilities are adequate’.25 ASIC’s questions below are a useful guide for boards when considering the management of cyber risk.

21. See Governance Foundations at www.governanceinstitute.com.au.
22. See Issues in Focus Cyber Risk, The Insurance Council of Australia.
23. See ASIC v RI Advice Group Pty Ltd [2022] FCA 496.
24. See also What a Federal Court ruling on cybersecurity means for AFS licensees, ASIC, 2022.
25. See Key Questions for an organisation’s board of directors, at www.asic.gov.au.
Questions for directors on cyber risk

Risk management framework
• Are cyber risks an integral part of the organisation’s risk management framework?
• How often is the cyber resilience program reviewed at the board level?
• What risk is posed by cyber threats to the organisation’s business?
• Does the board need further expertise to understand the risk?

Monitoring cyber risk
• How can cyber risk be monitored and what escalation triggers should be adopted?

Controls
• What is the people strategy around cybersecurity?
• What is in place to protect critical information assets?

Response
• What needs to occur in the event of a breach? Boards should ask themselves:
» If and when a problem arises, what processes are in place for communicating effectively, internally and externally, and managing the situation?
» Has there been a sufficient level of scenario planning and testing to ensure that response plans are valid and up to date, including with third-party suppliers and dependants?26

Following a pilot assessment against the requirements of Prudential Standard CPS 234 Information Security, APRA wrote to all APRA-regulated entities about boards’ need to strengthen their ability to oversee cyber resilience. It expressed the view that it ‘expects boards to have the same level of confidence in reviewing and challenging information security issues as they do when governing other business issues’.27

Culture

The concepts of risk culture and organisational culture are closely interconnected.

It is APRA’s view, adopted in this guide, that risk culture is ‘not separate to organisational culture, but reflects the influence of organisational culture on how risks are managed’.28 An organisation’s culture is the sum of its shared values and behaviours. Applying APRA’s view, organisational culture includes the values and behaviours of its people as they relate to various dimensions, such as risk, but those dimensions are not separate cultures. References are commonly made to an organisation’s innovation culture, safety culture or compliance culture — these would, under APRA’s interpretation, simply be considered dimensions of the organisation’s culture.

However, there are alternative views that consider an organisation’s risk culture to be separate from its organisational culture, rather than a subset of it. An example would be an organisation that, overall, has a positive culture and yet is deficient in the area of risk management.

Noting this range of views, it can be stated confidently that an organisation’s culture influences — positively or negatively — how it manages and tolerates risk, and that in turn the risk culture is capable of shaping the organisational culture.

‘…the culture of an entity can be described as ‘the shared values and norms that shape behaviours and mindsets’ within the entity. It is what people do when no-one is watching…’
Commissioner Kenneth Hayne29

It is also widely accepted that a robust risk management framework is beneficial to a healthy corporate culture as it drives accountability. Equally, risk immaturity in an organisation can fail to curb, or can exacerbate, key conduct risks that contribute to negative impacts on the achievement of the organisation’s objectives and detrimental impacts on stakeholders.

26. Loc. cit.
27. See Insight, Improving cyber resilience: the role boards need to play, APRA, 23 November 2021.
28. APRA, 2016, Information Paper: Risk culture, p. 7.
29. Commissioner Kenneth Hayne, Final Report, Royal Commission into Misconduct in the Banking, Superannuation and Financial Services Industry (2019), Volume 1, p. 334.
The board’s role in culture

The board is responsible for defining an organisation’s purpose and approving its statement of values and the code of conduct to underpin the desired organisational culture.

A code of conduct reflects the core values of an organisation and the expectations of stakeholders and the community at large. But simply having the code is not sufficient — regular staff training and occasional updating of the code are also needed.

A key component of culture is the behaviour and conduct of senior managers and the board itself. This is often referred to as the ‘tone at the top’. The organisation’s clearly articulated ethical and behavioural standards must be reinforced in practice by the organisation’s leadership group. The board and management must model, and must be seen to model, the desired culture, as employees will follow the example of senior leaders. A number of recent well-documented scandals relating to workplace sexual misconduct underscore the importance of ‘tone at the top’.30

The question for boards is whether the culture is known and understood and whether the actual culture (the lived culture) represents the necessary and desired culture. It is an essential element of governance for a board to understand if there is any disconnect between the desired and stated culture and the actual culture, for it is only the actual culture — the enacted values — that ultimately matters.

An organisation may have sub-cultures, which are intra-organisational groups of people who exhibit a set of shared values and behaviours that are identifiably different from those in other areas of the organisation. Boards and management need to identify if there are sub-cultures within the entity that do not align with the desired culture of the organisation as a whole: any ‘rogue’ sub-cultures should be identified.

Rules are necessary but not sufficient to inculcate a culture where the enacted values align with the desired values. Also, without an open and transparent culture, the questioning that will test whether the enacted values align with the desired values will not take place. Both go to the heart of governance and risk management if they are to create and protect value for the organisation.

‘The challenge for the board is to go beyond risk being a tick-box compliance exercise to develop an organisational culture where risk is genuinely considered and managed at all levels of the organisation.’

Risk-aware culture

The risk culture of an organisation is the shared attitudes (values) and behaviours of individuals about the management of threats and risk in an organisation. The organisation’s culture will be a key determinant in its ability to respond and adapt to changes in the environment in which the organisation operates.

To effectively manage risk and leverage the opportunities created by uncertainty, an organisation needs a risk-aware culture. A risk-aware culture is a critical subset of the broader organisational culture that incorporates the way directors, managers and employees think, communicate and behave about all aspects of risk.

Organisations should be alive to cross-cultural differences and their implications. People play the crucial role in defining and sustaining cultural attitudes. As a result, focusing on the particular aspects of people’s identity that can have an impact on culture can be an important means of gaining insight into why a culture operates as it does. People’s national cultural identity is influential in organisational culture. National cultures have different values and therefore different behaviours may be anticipated in response to a common situation. Research has pointed to national differences in the way people tend to deal with uncertainty, and these are important in understanding people’s attitudes toward risk.31

Incentives

Incentives play a powerful role in influencing individuals’ values and behaviour and hence the culture. Incentives may have unintended consequences. Research has shown that individuals will seek to do those things that are rewarded, implicitly or explicitly, tangibly or intangibly, often to the exclusion of activities that are not rewarded. This can create cases of folly, however, where the types of behaviour rewarded are those which the organisation is trying to discourage, while the desired behaviour is not rewarded at all.32

30. See for example, Set the Standard: Report on the Independent Review into Commonwealth Parliamentary Workplaces, Australian Human Rights Commission, November 2021.
31. Hofstede’s cultural dimensions theory, as articulated in Culture’s Consequences and Cultures and Organizations: Software of the Mind, co-authored with Gert Jan Hofstede.
32. Kerr, S, ‘The folly of rewarding A, while hoping for B’, Academy of Management Journal, Dec 1975; 18(4), p 769.
When remuneration arrangements are designed or implemented in a
way that sees executives rewarded with large bonuses despite their poor
management of risks, those remuneration arrangements increase the
likelihood that the entity will engage in misconduct, or conduct that falls
below what the community expects. By contrast, when remuneration
arrangements are designed and implemented in a way that properly takes
into account the way that executives have managed risks – including
compliance risk, conduct risk and regulatory risk – those remuneration
arrangements will decrease the likelihood that the entity will engage
in misconduct, or conduct falling below community standards and
expectations.33
Commissioner Kenneth Hayne
Questions for directors on incentives:
• Do we hope for long-term and sustainable growth — but reward quarterly sales?
• Do we hope for teamwork — but reward individual effort?
• Do we hope for safer workplaces — but reward productivity and cost reduction?
• Do we hope for candour — but reward reporting of good news and agreeing with the boss, and punish reporting of bad news or disagreement with the boss?
• Are both the overt and implicit incentives aligned with the stated values of the organisation and with the mitigation framework intended to prevent undue risk-taking?
• Is this monitored constantly?
• Does the board include risk management as a criterion for executive evaluation?
• Are current remuneration practices aligned with, or at odds with, the risk tolerance/capacity of the organisation?
• How much pay is at risk?
• Does fixed remuneration form the larger part of short-term behaviour?
• Is the construction of remuneration systems and targets driven by shareholders with short-term performance targets?
• Are risk-related objectives built into the company's executive remuneration structures?

Board evaluation of the lived culture
For a board of directors, it can be very challenging to understand the degree to which the culture reflects the values it espouses. Equally challenging for a board is to put in place the strategies necessary to develop such a culture.

Boards increasingly receive 'dashboard' reports from management on key metrics such as:
• stakeholder views of the organisation's culture
• employee engagement surveys
• surveys of customers and their degree of satisfaction
• leadership behaviour surveys
• workplace health and safety statistics
• key human resources statistics, such as staff turnover rates and exit interview trends
• de-identified whistleblower data, and
• education and training completion rates.

Boards should apply insights from key metrics to identify, address and prevent underlying root causes and risk factors leading to misconduct and other cultural problems, rather than focusing on isolated incidents.

Relying on the history of the business does not provide complete insight into the culture currently operating within the organisation, although it can form part of the information available to the board in forming a view of whether the culture reflects the vision of the board.

A board can organise for external consultants to provide a briefing to inform the directors of what occurred in a company that did not identify or manage its risks, providing a step-by-step study of the process. This can provide insight into issues of culture that may not have been apparent from the results of other methodologies used.

33 Commissioner Kenneth Hayne, Final Report, Royal Commission into Misconduct in the Banking, Superannuation and Financial Services Industry (2019), Volume 1, p. 347.
Questions for directors to consider on culture:
• Does the organisation have a clear statement of values? Employees need to feel ownership to truly invest in new values. In large, geographically diverse organisations, ensure there is a balance between local and global responsibility for values.
• When reporting on culture to the board there should be a mix of lagging and leading indicators, and there will be internal work required to determine what is appropriate. Indicators could include: customer and whistleblower complaints, breach reports, regulatory reports and investigations, and correspondence from regulators.
• Consider how the drivers of culture (mindsets, behaviours and outcomes) referred to in the APRA Report (p. 82) operate in the organisation.
• What are the dominant cultures in your organisation? Where does the organisation want to be and how does it get there?
• Do any of these apply to the organisation:
  » widespread complacency
  » reactivity rather than pre-emption regarding risk
  » uneven influence of the risk function
  » not fully 'walking the talk' when it comes to risk management
  » less tendency towards reflection, introspection and learning (from mistakes)
  » a collegiate, high trust environment, leading to some over-confidence and over-collaboration
  » striving to balance empowerment with challenge, although not well executed
  » aiming to be a values-led institution, but an over-reliance on good intent
  » self-perceived, but incomplete, focus on the customer.
• How does the board ensure that information is not filtered by senior management?
• Does culture align with strategy in the organisation?
• How does the accountability framework operate in the organisation?
• Does the performance management framework address the 'how' and not just the 'what'?
• Can management quickly and easily provide the board and senior management with the right performance and reward insights?
• Does senior management model the organisation's values? How do they demonstrate this?

Tools, processes and improvements
The following section outlines common tools, processes and improvements that may assist directors when considering how to add value to their board in the area of risk management and ensure their organisation is effectively managing risk. Directors will need to decide if they are relevant to their individual circumstances.

Better integration of risk and strategy
Risk management and strategy are two sides of the same coin and should be regularly connected in discussions of the board and board committees.

Risk management should be explicitly incorporated in the strategic planning process.

The board should hold management accountable for developing and executing a strategy that corresponds with the risk appetite it has set.

Key question for directors:
• Do the board's agendas promote integration of risk issues with other agenda items such as strategy, organisational structure and finance?

A shared taxonomy of risk
Organisations benefit from a shared risk taxonomy as the foundation of the risk control framework, to ensure a unified view of risk is shared by the board, senior management and all business units. A common risk language helps unite the various disciplines in the joint effort of achieving organisational goals.

A comprehensive taxonomy enables risk to be sorted into levels of hierarchy, including major risk categories, risk subcategories and risk types, that support other critical parts of risk management, including risk identification, risk mitigation and, ultimately, board reporting.

There are many existing taxonomies that may be tailored to the organisation's sector and operating environment. A taxonomy in a clinical setting such as residential aged care may differ markedly from one in financial services, for example. One example of a taxonomy is 52 Risks®.

A potential challenge is reaching an agreed definition and taxonomy of non-financial risks, as these are often defined by the exclusion of financial risks.
Risk appetite and risk tolerance
At the broadest level, the strategic/business plan is the board's articulation of an organisation's risk appetite. However, it is increasingly common for boards to issue a formal risk appetite statement separate from the strategy. APRA regulated entities are required to have board-approved risk appetite statements, and it is good governance for boards of listed companies to establish the risk appetite – see the Corporate Governance Principles and Recommendations.34

Setting the risk appetite explicitly articulates the attitudes to and boundaries of risk that the board expects senior management to take and within which it expects management to operate in pursuing the organisation's strategic objectives. A considered, clearly articulated risk appetite provides a sound foundation for risk management.

Difference between risk appetite and risk tolerance?
The COSO Guidance, Enterprise Risk Management — Integrating with Strategy and Performance, defines risk appetite as: The types and amount of risk, on a broad level, an organisation is willing to accept in pursuit of value.35 Risk appetite is strategic and refers to the entire organisation's approach to risk. Risk tolerance is the practical application of risk appetite to specific transactions or activities. Strategic plans of the organisation express risk appetite, while business plans at the business unit level express risk tolerance. The two concepts are sometimes used interchangeably. Nonetheless they may be referred to jointly in a board-approved risk appetite statement. For example, the Department of Finance's Commonwealth Risk Management Policy (RMG 211) encourages entities to develop a 'risk appetite and tolerance statement'. The board-approved statement may consist of high-level risk appetite statements in only one or two paragraphs that in turn drive a more detailed listing of risk tolerances. In this example, the two parts work together and together constitute the risk appetite statement.

Without a shared understanding of risk appetite and alignment between the board and management, risk management may be carried out with unclear expectations. This can result in a culture where decisions are made without consideration of risk and are inconsistent with the desired risk appetite.

Risk appetite should be expressed in a way that is meaningful, and the board's stated risk appetite should align with the risk appetite in action within the organisation. An organisation's appetite for risk may be different over time, during a crisis, in different geographies, for different business units or for different categories of risk. The statement should be descriptive enough to give its audience an understanding of the approach the organisation takes to managing risk and the weighting of risk against potential reward. It can be both quantitative and qualitative.

While regulators may prescribe a range of contents for the statement, it is generally accepted that such a statement should reflect the:
• strategy of the organisation — objectives, business plans, stakeholder expectations
• capacity of an organisation to absorb loss — the tolerance for loss or negative events that can be reasonably quantified
• ethical stance of the organisation, activities that are not acceptable and classes of risk to be avoided
• skills, resources and technology required to manage and monitor exposures
• willingness of the organisation to invest in pursuit of its strategic objectives — multiple risk appetites may exist for different types or sources of risk, and
• expected return on investment — that is, the amount that the organisation is prepared to spend to improve likely outcomes.

Risk registers and risk matrices
Risk matrices are commonly adopted by boards and refined by management to assess risks within the business. The criteria used in the risk matrix should be suitable to the context of the organisation and consistent with its risk appetite.

There is a wide range of best practice risk matrix templates available. Boards should build on these templates but ensure they are appropriate to the organisation.

34 See APRA Prudential Standard CPS 220 Risk Management and the Corporate Governance Principles and Recommendations 1.1, 7.1 and 7.2.
35 See COSO, Enterprise Risk Management – Integrating with Strategy and Performance, 2017.
Data analytics, quantitative approaches and dashboards
There is an opportunity for most organisations to improve the nature and type of key risk indicators included in board reporting and dashboard systems. A 2020 Governance Institute survey of governance and risk professionals and senior executives found that, when asked about their organisation's risk reporting to the board, almost half (49 per cent) said it was only 'quite effective' and about a fifth (21 per cent) rated it 'not very effective'.36

Sophisticated risk management systems provide an array of quantitative statistics that can be a rich source of information for boards and management.

The growing use of data analytics may also provide opportunities for the board to instruct management to strengthen dashboards to include more information, including lead and lag indicators, that help track risks. Leading metrics serve as early warning signals of potential issues and may point to successes that can be further leveraged.

Where data is relied upon to inform board decision making, maintaining data quality becomes critical. The board and management should ensure there are systems and processes in place to ensure accuracy, consistency and security, and that the most up-to-date data reaches the board.

Board skills matrix
Board renewal is critical to performance. The board of directors should regularly assess the composition and effectiveness of the board as a whole, as well as any future need for new directors. This will include a review of the required mix of skills, experience and other qualities of directors. A skills matrix is a useful tool to assist the board in determining the right mix of directors, understanding its needs for additional skills and identifying any gaps.

A skills matrix is key to the process of determining director nominations — it functions as a risk management tool for the board. Factors to consider when developing such a matrix could include not just the skills and experience, but also the personal attributes and diversity required of directors, both collectively and individually.

Risk competency of directors
Boards collectively and directors individually should assure themselves through periodic assessments that director skill sets are appropriate for effectively overseeing risk. Gaps in necessary collective competencies or knowledge can be addressed by education and training and through the selection process for new directors.

Board education and training in the area of risk management may benefit from a structured approach, especially where organisations operate in highly technical and dynamic sectors. The board may consider devoting a portion of its training budget to risk management training. It may also be appropriate to arrange mentoring for new directors in areas where the organisation faces emerging risk — such as cyber security.

The importance of boardroom culture
Boardroom culture and behavioural dynamics are fundamental to the decision-making process for managing risk and overseeing strategy.

Board decisions on risk and strategy are made in a group setting, which has many advantages, including access to a greater pool of knowledge and wider acceptance of the board's final decision. However, poor group dynamics can also result in narrow thinking, suppression of divergent views, shallow judgments and an inability to uncover novel and emerging risks and potential weaknesses in the risk management framework.

All directors should contribute to open, frank and dynamic dialogue on risk and strategy, constructively challenge assumptions, exercise an appropriate level of scepticism, and explicitly consider alternative perspectives. They should balance this with discretion and mutual respect. Ultimately, each director must support the board's final decision on risk and strategy, whether they were originally in favour or not.

36 Risk Management Survey Report 2020, Governance Institute of Australia, p. 9.
Information flows to the board
The provision of reliable and timely risk information to the board is vital.

Information protocols within the organisation should allow for, and anticipate, the continually changing landscape in which companies operate.

The board must recognise that a failure to act on information it has can be just as damaging as not having the information at all.

Risk management is often included in the CEO's reports to the board. An advantage of this approach is that it enables the board to obtain assurance from the highest level of management that risks are being appropriately managed. However, CEO reports on risk are often prepared without input from employees across the organisation. Key risk information may not make its way to the board. Risk managers and frontline employees with access to key risk information may lack sufficient seniority to ensure this information is escalated to the appropriate level.

The board should ensure the risk information provided to it is complete and reliable and that management is undertaking all reasonable endeavours. The board may create additional lines of reporting to the board on risk. Individual directors may also seek to experience the organisation at the operational and customer level through site visits, for example through overnight stays in facilities such as residential aged care, or by other means.

A deeper understanding of the organisation, its business model, customers, employees and impact on the communities in which it operates will enable directors to more effectively manage risk and to take a more active role in boardroom discussions and engagement with management.

Critical incident and business continuity planning
Business continuity and critical incident planning has become an increasingly important component of risk management in many sectors. The aim is to minimise the impact of a crisis or emergency as a result of bushfires, flooding, pandemics, terrorism, major cyber security breaches or related incidents.

As part of this planning process, some organisations are conducting annual threat assessments and mock scenarios and developing self-contained business resumption facilities to enable business continuity. The planning processes may or may not be conducted in the same area as the dedicated risk management function as part of risk mitigation measures. A study of governance practices during the first stage of the COVID-19 pandemic found 'too many organisations were taken by surprise by the COVID-19 pandemic as a result of not having a comprehensive continuity plan, with boards and management instead 'workshopping' contingencies in real time'.37 Since COVID-19 many organisations are now paying increased attention to contingency and scenario planning and to testing crisis and business continuity plans.

The board should ensure these planning processes are integrated into the risk management framework.

Frequency of board deliberation of risk
Risk management needs to be formally included in the board reports and included as an agenda item at a frequency and regularity consistent with the organisation's risk appetite, so the board can satisfy itself that the risk management framework remains sound.

The company secretary will usually prepare an annual planner that sets out the regular items to be considered at particular board and committee meetings throughout the year, including topics relevant to risk management, as well as a timetable for the submission of papers and, in turn, the provision of board papers to the board. Directors should ensure the time allotted for risk management throughout the year is sufficient, and that adequate time is available in the timetable for the review of board papers by all necessary parties and for obtaining management approvals. Each organisation will have its own mandatory approval steps that are required as part of this process.

Some boards choose to have risk management as a standing agenda item, to ensure it receives continual focus and attention. Whether or not this is appropriate will depend on the unique circumstances of the organisation, including the frequency of board and committee meetings. The challenge with a standing agenda item is to ensure it does not become stale and routine over time and result in 'rubber stamping' of management recommendations.

Some organisations conduct their risk discussions when annual reports are released and around the time of the annual general meeting. This may create timing and resourcing issues, as director elections, remuneration and other issues require the board's attention. The best time to engage the board on risk management may be during less crowded periods of the financial calendar.

However a board chooses to engage with the issue, risk management should be an on-going conversation in order to encourage continual improvement. Governance documentation should indicate which risk management topics will be referred to which meetings.

37 See Governance through a crisis: Learning from COVID-19, Lessons for now and beyond, Governance Institute of Australia and the Australian Institute of Company Directors, 2020, p. 28.
Board papers and board reporting
Reporting of risk management programs and initiatives is primarily an aid to good governance. Reporting risk information should be for the purpose of informing board decision-making. This type of information provides assurance that the risk management processes and practices are effective, appropriately located in a functional sense, connected and relevant to the business, and are being actively managed and improved.

Board papers are the primary means by which directors gain the necessary information required to fulfil their risk management role. To support directors in discharging their duties, information in board papers must be coherent, complete to the extent necessary, and consistent. In the Financial Services Royal Commission, Commissioner Hayne noted that boards must have the 'right information in order to discharge their functions'.38 His comments reiterate the importance of improving the quality of information (not increasing the quantity of information) provided to boards so that directors are able to effectively discharge their duties.

Well-written, concise board papers play an important role in ensuring directors have the necessary information to contribute to board discussions and enable the company secretary to succinctly record the proceedings and resolutions of a meeting in the minutes. A well-written board paper will identify the rationale for proposed resolutions. This allows the board discussion to focus on the key matters raised in the paper and any further information or clarification required by the board. If board papers are to fulfil this important function, appropriate care must be taken in their preparation.

It is essential that directors take an active role in satisfying themselves that board papers are adequate and that they have sufficient and the 'right' information on which to base decisions and to perform their oversight and monitoring functions. This includes contributing to the board paper process, articulating their expectations on the quality and sufficiency of information to be provided, and ensuring that there are systems and control processes for maintaining the integrity of information.

In 2019, an ASIC review found that, in the sample it reviewed, the size of risk committee packs averaged 300 pages, with one organisation's papers averaging just over 700 pages. ASIC recommended against 'dense and voluminous' board packs. The regulator encouraged organisations 'to ensure concise management reporting'. 'We do not believe that imposing and enforcing a maximum page limit will solve this issue. But the fact that organisation-specific guidelines are not being enforced suggests that chairs have not been sufficiently engaging with the nature of reporting provided to them,' ASIC concluded.39

Preparing board papers is predominantly the role of management, with company secretaries also playing a vital role. The company secretary should work with management to produce papers that clearly specify what the board or board committee is being asked to do. For further assistance on board papers see Governance Institute's 2021 guidance on board papers.

No business case should come to the board without a proper risk assessment attached to the proposal. The risk assessment process, leading to advice on options ultimately for decision by the board, needs to include quantitative data that tracks the performance of management in implementing the board's agreed strategy. It should also include qualitative data, but not be dependent on that alone.

The risk committee, if applicable, should review and approve the metrics and methodology used for the calibration of performance against the risk appetite. It is essential that management and board have clarity as to the levers that need to be engaged to manage any identified risk to the value of the organisation.

38 Commissioner Kenneth Hayne, Final Report, Royal Commission into Misconduct in the Banking, Superannuation and Financial Services Industry (2019), Volume 1, p. 400.
39 ASIC (2019) Corporate Governance Taskforce, Director and officer oversight of non-financial risk report, pp. 27-28.
Questions for directors about board reporting:
• Is the breadth and materiality of information that management provides correctly calibrated to help us perform our oversight function?40
• Is the information we receive on non-financial risks of a similar quality to that we receive on financial risk?41
• Are the elements of the risk management framework operating as intended and providing the benefits sought?
• How often does the board discuss risk with management?
• How is management addressing the major opportunities and risks facing the organisation?
• How does the board know that these are, in fact, the major opportunities and risks, and that the steps management is taking to address them are appropriate?
• What are the top 5–10 risks and mitigation strategies being monitored?
• What are the risks that are likely to result in a material misstatement in the annual financial statements?
• How does the board know when risks are increasing, holding steady, or decreasing?
• How is risk built into the business plan and strategy development?
• Is the hierarchy of risks still fit for purpose?
• Is there analysis from the perspective of key stakeholder groups, such as customers, staff, investors, regulators and communities, which could reveal areas of risk to ongoing viability that traditional analytical approaches may miss?
• Does the board have assurance that it is receiving the information it needs?
• What level of assurance does the board want?
• Are controls in place to investigate the quality of the information flowing to the board?
• Do all proposals come to the board not only with a business case but also a risk assessment, and does reporting on projects include risk reporting?
• Does the same discipline applied to business-as-usual reporting apply to decisions concerning new projects?
• Is risk management integrated with all of the business's systems, such as performance management, process management and implementation of strategy?

Engagement with investors on risk issues
Risk management is a subject on which it is increasingly beneficial for boards to specifically engage with investors and members, particularly with retail and institutional shareholders on ESG issues.

Active, informed, constructive and periodic communication between the board and shareholders is crucial for a mutual understanding of corporate strategy, risk and risk oversight.

Dialogue should be founded on an appropriate and reciprocal level of respect, trust, seniority, skill and professionalism.

Insurance
Insurance is a form of risk transfer where another entity carries a risk for the entity where the risk resides. Risk transfer is an important component of risk management with which directors need to be familiar.

The board, in consultation with management, should determine the appropriate type of insurance products and levels of cover for the organisation's present and future risk exposures. The risk register and other important components of the risk management framework will be useful in the annual insurance renewal process.

An important area for consideration is cyber security insurance. This type of insurance relates to cyber threats and risks, and many organisations now take out cyber policies. These products differ from provider to provider and jurisdiction to jurisdiction, but generally include cover for forensic investigation, data restoration, customer notification and rectification (for example, call centres), and indemnification of penalties imposed by government regulators where such penalties are insurable under the applicable law. Cover is usually conditional on the organisation maintaining the security controls it declared when the policy was written, and is subject to exclusions, so the board should satisfy itself that those conditions are being met before treating the policy as a mitigation. Since the onset of COVID-19 the costs of this insurance have increased dramatically and 'the combination of a small premium pool and the increasing sophistication and maliciousness of some cyber-attacks have put significant pressure on insurers and businesses alike'.42

40 ASIC (2019) Corporate Governance Taskforce, Director and officer oversight of non-financial risk report, p. 28.
41 Ibid.
42 See Issues Paper, Cyber insurance: Protecting our way of life in a digital world (ICA calls for overhaul of cyber policy settings), Insurance Council of Australia, March 2022.
Projects and risk management
Project teams frequently bring external skills, contacts and experience, and therefore a new perspective, to an organisation. Given that projects are temporary in nature with fixed budgets, scope and timetables, team members are focused on identifying risks which may impact on delivery of the project. Project teams also typically work with various levels in an organisation, which can differ from the way risk is managed in the organisation. They work with organisations to help build the business cases and are frequently speaking to staff to identify new organisational risks, as well as potential additional benefits that can be included in the project realisation plan. They also have heightened awareness of risks to delivery of the changes contemplated by the project.

CROs and their teams typically engage horizontally with executives across an organisation to assist in the review, analysis and monitoring of the treatment of the highest rated organisational risks. Executives in turn will typically work vertically with their divisions to identify, assess, manage and monitor a division's risks. To successfully deliver a project the project team will need to work both vertically and horizontally, and can frequently uncover risks that may not have been apparent. Projects can therefore be a valuable additional channel for identifying internal, external and emerging risks.

Non-financial and emerging risks
Significant risk events involving non-financial risks, including the COVID-19 pandemic, global attention on workplace sexual harassment, and a spike in cyber-attacks, have dramatically increased the importance of this area in the minds of directors, regulators and stakeholders. Boards in all sectors are grappling with this rapidly expanding area.

According to the World Economic Forum's Global Risks Report (2022), the top 10 risks facing businesses in the next decade are predominantly environmental, geopolitical and societal — not financial.

Non-financial risk is a broad and fluid concept generally defined by exclusion. Some organisations prefer terms such as 'pre-financial' or 'emerging', to recognise that these risks often have financial impacts. However, the category is generally understood as including the themes outlined below.

As noted earlier in the guide, it is important for organisations to develop a shared taxonomy of risk that includes a definition of non-financial risks.

The challenge for a board is to pursue a more proactive approach to the management of non-financial risks.

In particular, there are increased community expectations in all sectors on environmental and social issues. The rise of digital technology poses opportunities as well as threats and ethical challenges. The COVID-19 pandemic is also a reminder of the importance of managing public health risks and the interconnectedness of all sectors in a globalised economy.
As part of their consideration of risk, boards should actively consider these and other significant and emerging non-financial risks.

Reputational
Reputational risks frequently stem from other risk categories. Reputational damage is often caused by a failure of risk management in other areas. It is increasingly understood that business models are founded on trust in the organisation.

Reputational risks can arise when there is damage to an organisation's reputation because of a mismatch between public perceptions and the actual objectives and resources of the organisation. Serious misconduct, human or system failures, unethical conduct, major computer system failures, major privacy and data breaches, and major difficulties in meeting objectives can seriously damage credibility when they occur, as illustrated by recent royal commissions in the financial services and aged care sectors.

Digital
Digital technology is reshaping society and markets. Artificial intelligence, facial recognition and other innovations may be increasingly incorporated into government services and processes. These technologies carry vast possibilities as well as significant risks.

The increasing digitalisation of society and business also exposes companies to data breaches and cyber-attacks.

Organisations are vulnerable to cyber criminals. The losses from cyber-attacks were estimated by the Australian Cyber Security Centre at $33 billion across all industries in Australia in the year to 30 June 2021, an increase of 13 per cent on the previous year. A growing number of regulatory initiatives are focused on cyber risk.

However, digital risk management failures often do not involve cyber criminals. Poorly planned migrations to new technology platforms, inadequate internal controls on private data, staff failure to follow security protocols and related issues can have significant impacts on organisations.

Regardless of the technical complexities, directors must understand, remain vigilant and proactively oversee these risks. They need to ensure there is robust monitoring of incidents to proactively identify broader systemic issues or system deficiencies, and that there is no delay in developing and implementing improved compliance measures once a deficiency has been identified.
Digital risks should be firmly integrated into the organisation’s risk management and
governance framework. Strengthening the technology, cyber security and project risk
management expertise of the board, or ensuring it has access to external advice in these
areas, may also be beneficial.
There is increasing pressure from shareholders and other stakeholders for corporate action
on ESG, particularly climate change issues. Directors need to be aware of the sources of
these pressures and ensure these risks are considered in the organisation’s risk management
and governance framework.
ESG
continued
Clinical
The Royal Commission into Aged Care Quality and Safety signalled that boards of aged care
providers must be more accountable for the delivery of high-quality standards and quality of
care to older Australians.
Clinical risk management is concerned with the quality and safety of healthcare services,
including in residential aged care settings.
Many relevant organisations have structured risk management processes in place; however,
there may be weaknesses in implementation at various levels – such as sporadic reporting
by frontline staff, inadequate responses from line management, and a lack of escalation to
senior management and the board.
Boards across the healthcare sector are encouraged to review the Final Report of the Aged
Care Royal Commission and consider how its findings may be applied to their own risk
management and governance frameworks.
There is also the opportunity for healthcare boards to consider lessons from the COVID-19
pandemic.
Recovery from the COVID-19 pandemic
Recovery from the COVID-19 pandemic involves addressing a range of threats and disruptions
including:
• supply chains – organisations in all sectors have been impacted by supply chain disruption,
frequently the result of local or global border closures and ‘stay home’ restrictions. The
long-term impacts are still uncertain
• new work patterns – employees in many sectors have adopted new ways of working, and
the impact on organisations and on major city centres is still unclear
• ‘social cohesion disruption, livelihood disruption and mental health deterioration’ are
noted in the 2022 World Economic Forum as emerging threats over the next two years –
addressing these threats is likely to require concerted private and public sector efforts, and
• while many organisations were negatively impacted by the COVID-19 pandemic, many
others found significant opportunities, such as innovation in products and processes
which have opened new markets, a rapid increase in the use of technology throughout
organisations where under normal circumstances these deployments would have involved
multi-year projects, and greater organisational willingness to move swiftly leading to
increased efficiency.
Directors need to consider both the short-term and long-term impact of COVID-19 on their
organisations.
Questions for directors to ask on non-financial risks:
• Are all material non-financial risks incorporated into the development of strategy and the risk
management framework?
• Who in the senior management team, delegations framework and ‘three lines of defence’ is
responsible and accountable for non-financial risk management?
• Do we need to employ internal and external expertise to assist with non-financial risk
management?
• Which emerging digital technologies can be incorporated into the organisation’s strategy and
business model within the existing risk appetite?
• Does the organisation’s risk appetite need to be adjusted to reflect the changing environment for
non-financial risks?
• How can we leverage emerging digital technologies such as big data, natural language processing
and robotic process automation to enhance the organisation’s management of risk?
• Are we adequately disclosing environmental (including climate), social and governance risks to
our investors and other stakeholders?
• Are we aware of the extent of any potential workplace harassment, bullying and sexual assault
in our organisation?
• Do we assess the risk of modern slavery in our supply chains?
When risk management fails
Previous sections of this guide have concentrated on how directors and boards can develop greater risk maturity —
to avoid major losses and organisational failure.
Another important question for any director is what to do when risk management fails, a threat is realised and an
objective is compromised.
Apart from the enormous damage they can cause to an organisation and its stakeholders, risk management failures
are valuable learning opportunities — but these lessons can be lost as a result of finger-pointing or an unwillingness
or inability to identify root causes.
Thorough and impartial investigation
As noted earlier in this guide, the board should oversee a process of continual oversight and improvement of the
integrated risk management framework.
However, an incident or crisis, especially one that generates significant public interest, may warrant a stronger approach.
Generally, a beneficial first step in response to such a risk event is to commission an investigation.
The board will need to carefully consider the design of this investigation. Appointing the appropriate person or team,
internal or external to the organisation, will be fundamental to its success. This person or team should have sufficient
seniority and independence to be able to deliver accurate findings without undue influence from parts of the
organisation that may have been involved in the risk event. It may appear that an external party is best suited to this
task. However, the board should consider who this external party reports to within the organisation, their potential
prior dealings with internal stakeholders, and whether they have other commercial dealings, present or future, with
the organisation that may affect their impartiality. A highly trusted internal person or business unit may be able to
achieve this task.
The board should consider its own involvement in the risk event and its ability to be impartial in commissioning the
investigation.
At a minimum, the investigating person or team should interview a wide range of stakeholders in the organisation
to identify the root causes that led to the event.
The board should determine in advance the process for responding to any findings of the investigation so that
independence can be preserved, especially if the findings may relate to the board itself.
Remediation
Once the findings of the investigation are delivered, the board should ensure management promptly addresses the
root causes identified, not just the isolated event.
Where necessary, it may be appropriate to engage with regulators on the implementation of the findings.
The board’s response to systemic issues should send strong signals to management and staff about its
expectations for handling any future incidents.
Consideration should be given to the accountability and responsibility of senior management, including any
potential impacts on remuneration incentives and longevity of tenure.
Directors should also be aware that recent findings of royal commissions have highlighted that boards will be held
ultimately accountable for significant risk events.