Organisational risk management
Anton Usher
19 March 2014
Overview

A whistle stop risk review
Risk in Australian corporate governance
The benefits of organisational risk maturity
Risk management and in-house counsel
- The evolution of in-house counsel's role
- In-house counsel's contribution to risk management
Integrating risk management within your organisation
- Using an enterprise risk management framework
- Using a compliance framework
- Using a risk based internal auditing approach
Key takeaways

19/04/2017
© Sparke Helmore 2011
A whistle stop risk review
A global view: top risks in 2013

Rank | Aon global | Lloyd's global | Deloitte global | Aon Asia-Pac
1 | Economic slowdown / slow recovery | High taxation | Economic trends | Brand & image
2 | Regulatory / legislative changes | Loss of customers / cancelled orders | Business model | Market environment (economic slowdown)
3 | Increasing competition | Cyber risk | Reputation | Regulative / legislative changes
4 | Damage to reputation / brand | Price of material inputs | Competition | Business interruption
5 | Failure to attract or retain top talent | Excessively strict regulation | Human resources | Failure to innovate
Also listed on the slide: Changing legislation; Lack of innovation

Sources:
- Exploring Strategic Risk: A global survey, Deloitte (2013). Survey completed by 300 companies (with annual revenues in excess of US$1 billion) representing consumer/industrial products, life sciences/health care, technology/media/telecommunications, energy and financial services industry sectors from the Americas, Europe/Middle East/Africa and Asia/Pacific. <http://www.deloitte.com/assets/Dcom-UnitedStates/Local%20Assets/Documents/us_grc_exploring_strategic_risk_093013.pdf>
- Lloyd's Risk Index 2013, Lloyd's (2013). Survey completed by 588 companies (77% representing smaller businesses with an annual turnover of US$499 million or less and 23% representing larger companies with an annual turnover of US$500 million or more) across Asia-Pacific (31%), Europe (28%), North America (26%), Latin America (10%) and South Africa (5%). <http://www.lloyds.com/news-and-insight/risk-insight/lloyds-risk-index>
- Aon Global Risk Management Survey 2013, Aon Risk Solutions (2013). Survey completed by 1,415 companies (encompassing small, medium and large entities) representing 28 industry sectors, in 70 countries from all regions of the world. <http://www.aon.com/2013GlobalRisk/>
- Aon's 2012/13 Australasian Risk Survey, Aon Risk Solutions Australia (2013). Survey completed by 133 unique Australian and New Zealand organisations across 19 industries. <http://www.aon.com.au/australia/thought-leadership/risk-survey.jsp>
A selected industry view: top risks in 2013

Risk concerns by industry, listed in order of concern (1st, 2nd, 3rd):
- Banks, Insurance, Investment & Finance: Regulatory / legislative changes; Economic slowdown; Brand & image
- Education & not for profit: Human resources
- Government: Political risk & uncertainties; Business interruption
- Utilities: Natural disasters
- Natural resources: Property damage; Environmental risk; Commodity price risk
- Non-aviation Transport Services: Injury to workers

Source: Aon's 2012/13 Australasian Risk Survey, Aon Risk Solutions Australia (2013). Survey completed by 133 unique Australian and New Zealand organisations across 19 industries. <http://www.aon.com.au/australia/thought-leadership/risk-survey.jsp>
Risk in Australian Corporate Governance
Increasing risk management prominence (1)

(Proposed) third edition of ASX Corporate Governance Principles and Recommendations

Increases risk management prominence by recommending listed entities:
- establish a risk committee
- undertake risk management reviews at board / board committee level at least annually
- disclose whether, and if so how, they have regard to economic, environmental and social sustainability risks

The ASX Corporate Governance Council issues the Corporate Governance Principles and Recommendations (Recommendations). The Recommendations are applicable to all ASX listed entities but reflect a contemporary view of appropriate corporate governance standards more generally. The Third Edition draft was issued in August 2013 and is planned to be introduced on 1 July 2014. The Third Edition is the first review of the Recommendations since the GFC.

The Recommendations state that risk management reviews should enable the board to satisfy itself that the:
- entity's risk management framework is sound, and
- entity is operating within the risk appetite set by the board.
Increasing risk management prominence (2)

New APRA risk governance measures:
- New Risk Management standard - CPS 220
- Revised Governance standard - CPS 510

Increases risk management prominence by requiring:
- a separate board risk committee & designated CRO
- a risk management framework that:
  - includes a risk management appetite and strategy
  - addresses material risk (financial, operational, strategic)
  - adopts a 'three lines of defence' risk governance model
- annual risk management declarations and three yearly risk management reviews at board risk committee level

The APRA risk governance package was released on 31 January 2014. In addition to the Risk Management and Governance standards (which are effective from 1 January 2015), the package includes a draft Prudential Practice Guide CPG 220 Risk Management, on which comments are invited by 28 March 2014. You can find the package here: <http://www.apra.gov.au/CrossIndustry/Pages/January-2014-Consultation-Risk-Management.aspx>

The APRA risk governance package:
- Was foreshadowed in an important speech by the APRA Chairman, John Laker, delivered on 27 February 2013. This speech articulated the concept of risk governance and how it has risen to prominence following various global reviews into the governance failings in some major global financial institutions during the GFC. You can find the speech here: <http://www.apra.gov.au/Speeches/Documents/John%20Laker%20-%20Importance%20of%20good%20governance-ABCC%20Melbourne%2027%20%20Feb%202013-SC%20single%20spacing.pdf>
- Places a heavy emphasis on risk management for APRA regulated entities that is an understandable response to the GFC and other more recent global (but not Australian) banking scandals.
- Is an important governance development applicable to all corporations, especially in the listed sphere and also for large government owned corporations.
Risk governance: three lines of defence model

[Figure: three lines of defence model] Source: Draft Prudential Practice Guide CPG 220 Risk Management, APRA, January 2014, p19.
The benefits of organisational risk maturity
Prosperity is connected to risk maturity

[Chart: prosperity against risk management maturity; maturity levels Lacking, Basic, Defined, Operational, Advanced]

Current global research studies show a clear and direct statistical link between higher levels of risk maturity and an organisation's prosperity, particularly:
- increased share price returns
- reduced share price volatility
- higher return on equity performance
- higher revenue / EBITDA, and
- increased organisational resilience.

See for example:
- Aon Risk Maturity Index Insight Report, November 2013, Aon Risk Solutions (2013): <http://www.aon.com/risk-services/thought-leadership/reports-pubs_risk-maturity-insight-report.jsp>
- Turning risk into results: How leading companies use risk management to fuel better performance, EY (2013): <http://www.ey.com/Publication/vwLUAssets/Turning_risk_into_results/$FILE/Turning%20risk%20into%20results_AU1082_1%20Feb%202012.pdf>
Some characteristics of risk maturity

- Board sets the risk management strategy & commits to it being critical in decision making
- A senior executive drives & facilitates implementation of risk management
- Transparency of risk communication
- Risk culture encourages full engagement & accountability at all levels
- Risk identification uses internal & external information
- Operational & financial risk information is included in decision making processes
- Risk & risk management options are leveraged to extract value

Adapted from: Aon Risk Maturity Index Insight Report, November 2013, Aon Risk Solutions (2013): <http://www.aon.com/risk-services/thought-leadership/reports-pubs_risk-maturity-insight-report.jsp>
Risk management & in-house counsel
Evolution of in-house counsel's role

An Australian in-house counsel survey (% response)

What does your executive team expect from you?
- Contributions to risk management: 75%
- Help in making commercial decisions: 51%

What recent development has most impacted your role?
- Technological developments: 66%
- Increased regulations: 53%

What is the greatest challenge for in-house counsel?
- Maintaining a work/life balance / Keeping pace with legislative changes: 32%

Source: Institute of Knowledge Development, The role of legal counsel survey (2005)
In-house counsel's contribution to risk management

HELP your Executive/Board answer these questions:
- Do we have a handle on critical organisation risks and our ability to respond?
- Is the top-down strategic view of critical organisation risks right?
- Is the effort being put into risk processes aligned with the risk priorities?
- Are our systems and people capable of responding to these risks?
- Is risk management "built into" the way we do business or is it "added-on"?

USE an enterprise risk management approach that is:
- Consistent with ISO AS/NZS 31000
- Tailored to your organisation
- Practical and value adding
Integrating risk management
Enterprise risk management framework
Identifying risks that matter

[Diagram: risks that don't matter; risks that matter; successfully achieved corporate objectives]
A risk to successful delivery of objective

[Diagram: Objective; Critical success factor 1; Critical success factor 2; Risk]
Using sources of risk to identify risk

External:
- Stakeholders
- Community
- Political / Government
- Clients
- Suppliers
- Competitors
- Reputation
- Regulatory / contractual

Internal:
- Strategic and business
- Budgetary
- Governance
- Legal
- IT
- Human resources and skills
- Knowledge management
- Change management
Critical success factors: an example risk

Objective: Reduce workers compensation premium by 10% by FY14/15 renewal

Critical success factors:
- Existing claims liability reserves are reduced
- Systemic claim causes are mitigated

Risk: poor incident data quality
Use a heat map to assess and report risk

Definitions:
- Risk: the effect of uncertainty/chance on successful achievement of corporate objectives
- Inherent risk: the level of risk without regard to the effect of planned risk mitigation strategies
- Residual risk: the level of risk with regard to the effect of planned risk mitigation strategies
- External risks: risks that emanate from external factors and/or involve external parties
- Internal risks: risks that emanate from within the organisation
- Risk tolerance: the level of risk that the organisation is not prepared to tolerate, beyond which risk must be reduced
- Preparedness: the extent to which the organisation is prepared for the consequences of the risk and/or to implement proposed risk mitigation strategies
- Likelihood: the probability or chance of the risk occurring
- Consequence: the impact on the organisation if the risk does eventuate
- Risk level: determined by combining risk likelihood with risk consequence
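The heat-map rating described above, worked through as an added example that is not part of the presentation: a small Python risk register rates inherent and residual risk by combining likelihood with consequence, then flags entries whose residual level still exceeds the board's tolerance. The five-point scales, the band boundaries, the tolerance setting and all register entries except "poor incident data quality" (from the earlier example slide) are assumptions made for this illustration.

```python
"""Heat-map rating of a small risk register (added example, not the presentation's own).

Assumptions: 5-point likelihood and consequence scales, risk level bands over
their product, a tolerance of "Medium", and the constructed register entries.
Only the risk "Poor incident data quality" is taken from the slides.
"""
from __future__ import annotations
from dataclasses import dataclass

# Assumed ordinal scales (1 = lowest, 5 = highest).
LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost certain": 5}
CONSEQUENCE = {"insignificant": 1, "minor": 2, "moderate": 3, "major": 4, "severe": 5}

# Risk levels in ascending order; used both for rating and for tolerance comparison.
LEVELS = ["Low", "Medium", "High", "Extreme"]


def risk_level(likelihood: str, consequence: str) -> str:
    """Combine likelihood with consequence (assumed product bands) into a heat-map level."""
    score = LIKELIHOOD[likelihood] * CONSEQUENCE[consequence]  # 1..25
    if score >= 15:
        return "Extreme"
    if score >= 8:
        return "High"
    if score >= 4:
        return "Medium"
    return "Low"


@dataclass
class Risk:
    name: str
    objective: str               # corporate objective the risk threatens
    source: str                  # "internal" or "external", per the definitions above
    inherent: tuple[str, str]    # (likelihood, consequence) ignoring planned mitigation
    residual: tuple[str, str]    # (likelihood, consequence) allowing for planned mitigation
    preparedness: str            # free-text note on readiness to respond / mitigate

    def inherent_level(self) -> str:
        return risk_level(*self.inherent)

    def residual_level(self) -> str:
        return risk_level(*self.residual)


def exceeds_tolerance(level: str, tolerance: str) -> bool:
    """True when a rated level is above the tolerance band, i.e. the risk must be reduced."""
    return LEVELS.index(level) > LEVELS.index(tolerance)


def report(register: list[Risk], tolerance: str = "Medium") -> list[dict]:
    """Heat-map report rows, highest residual level first, flagging items still over tolerance."""
    rows = []
    for r in register:
        residual = r.residual_level()
        rows.append({
            "risk": r.name,
            "source": r.source,
            "inherent": r.inherent_level(),
            "residual": residual,
            "over_tolerance": exceeds_tolerance(residual, tolerance),
        })
    rows.sort(key=lambda row: LEVELS.index(row["residual"]), reverse=True)
    return rows


# Constructed sample register; only the first entry comes from the slides.
REGISTER = [
    Risk("Poor incident data quality",
         "Reduce workers compensation premium by 10% by FY14/15 renewal",
         "internal", ("likely", "major"), ("possible", "moderate"),
         "incident data quality audit planned"),
    Risk("Key supplier insolvency", "Maintain production continuity",
         "external", ("possible", "major"), ("unlikely", "moderate"),
         "alternate suppliers qualified"),
    Risk("Change in workplace health and safety law", "Maintain licence to operate",
         "external", ("likely", "moderate"), ("possible", "minor"),
         "legislative monitoring in place"),
]

if __name__ == "__main__":
    for row in report(REGISTER):
        flag = "REDUCE" if row["over_tolerance"] else "accept"
        print(f'{row["risk"]:<45} {row["inherent"]:<8} -> {row["residual"]:<8} {flag}')
```

The sort puts the highest residual level at the top of the report, which is the ordering a board risk committee reads; the tolerance check is done on residual rather than inherent risk because, by the definitions above, residual is the level that remains once planned mitigation is taken into account.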
Using a compliance framework

A compliance framework defines what you:
- HAVE to do (legal and regulatory obligations)
- WANT to do (organisational requirements)
- VOLUNTARILY do (organisational commitments)

Legal and regulatory obligations might include:
- Corporations Act
- ASX Listing Rules
- Employment law
- Workplace health and safety law
- Mining and resources law (Commonwealth and State), and
- many many more!

Organisational requirements include:
- industry codes of practice, and
- voluntary industry body membership requirements (e.g. Chamber of Commerce requirements).

Organisational commitments are usually:
- found in organisational policies & procedures, and
- designed to meet a specific business need.

Note: Internal policy is not normally a legal MUST do, but it can be a MUST do if it is:
- included within terms of employment, and/or
- designed to meet a regulatory need.
An empowering compliance framework

Compliance = achieving business objectives safely

Compliance Standard - AS/NZS 3806:2006:
- Provides a compliance framework that is about designing controls (policy and procedure) to achieve compliance with obligations
- Recognises organisation size, structure and nature affects compliance program design and management
- Comprises 12 principles covering:
  - Commitment (principles 1 - 5)
  - Implementation (principles 6 - 9)
  - Monitoring and Measuring (principles 10 and 11)
  - Continuous Improvement (principle 12)
Prioritising legislative compliance obligations

Using a legislative compliance register helps prioritise key areas of legislative / regulatory compliance.

Prioritisation is risk based, having regard to the impact of non-compliance on:
- the organisation (including penalties), and
- the organisation's clients/customers (losses etc).

A legislative compliance register enables:
- compliance risk to be rated
- compliance requirements to be clearly identified
- compliance accountability to be clearly identified, and
- effective compliance monitoring.
Why use a risk based internal auditing approach

Risk based internal auditing (RBIA):
- is independent and objective
- evaluates and improves risk management effectiveness
- helps achieve corporate objectives
RBIA adds value

RBIA is linked to the risk assessment process.

RBIA focusses on:
- areas of high risk
- key control systems for high risk areas, testing:
  - control design - operational effectiveness
  - control operation - operational compliance
Use risk based internal audit ratings

Internal audits should be given overall risk ratings reflecting the level of inherent risk associated with the activity within the audit scope and the effectiveness of internal controls.

Other RBIA benefits

Assurance audits with extreme/high audit ratings become key inputs in the risk assessment process and inform future risk management plans.

Risk based assurance auditing of internal controls for high risk areas:
- reinforces a shared common view of key risks relative to others at senior levels
- challenges risk assessment and controls, and
- helps identify common themes.
Key takeaways

- Risk management is becoming more prominent in Australian corporate governance
- Risk mature organisations do better
- In-house counsel has a key role in contributing to effective organisational risk management
- Enterprise risk management adds value by:
  - prioritising risk mitigation effort
  - prioritising and helping to ensure compliance obligations are met
  - helping to ensure risk mitigation effectiveness
  - helping to achieve corporate objectives
Thank you