AUTHOR: JO CARROLL

Taking Control of Risk Management in 2023.

Focus on risk management has increased significantly over recent years as organisations have been forced to face back-to-back or even parallel crises. However, even with this increasing focus, many organisations are still finding themselves in predicaments that could have been avoided through effective risk management.

In this blog we will work through some recent high profile risk events, looking at them through three key risk themes and drawing out the practical lessons we can learn.

Accountability and Ownership

The collapse of Silicon Valley Bank (SVB) in March 2023 presents an excellent case study in the importance of not just assigning accountability and ownership but operationalising these concepts to hold leaders to account. This was the third largest banking failure in US history and the largest since the GFC in 2009. After months of regulators raising concerns, SVB failed after a bank run was caused when customers were spooked by their announcement on 8 March that it would hold an emergency sale of some treasury stock to raise $2.25b.

SVB was the 16^th largest bank in the US, focussed on serving companies in the technology and start up industry. Prior to its collapse the Federal Reserve had identified that SVB was using modelling of interest rate risk that was ‘not at all aligned with reality’. Their risk modelling didn’t anticipate the combination of interest rate rises and liquidity risk shocks. This was flagged with bank management but not addressed.

In the year leading up to its collapse the bank had gone 8 months without a head of risk (Chief Risk Officer or CRO) and there was a lack of risk expertise at board level, with only one of the seven board members on the risk committee having a risk management background. Regulators were raising concerns for months, but the bank did not act.

While our regulatory environment in Australia is different to the US, the broader ramifications in the Banking Sector are still to be seen. Could we be headed for a similar fate?

What does this mean for Risk Management?

1. A Chief Risk Officer with influence can hold other executives to account. However, too often the role is undervalued and classified at too low a level to exert the necessary level of influence.
2. Boards need members with deep and proven Risk Management experience.
3. Risk Management should be built into Job Descriptions and performance measurement and reward systems.
4. Create and use risk tolerance, models and settings that inform data driven decision making.
5. Assign responsibility to address concerns to regulators (this should go without saying).

Legal but not ethical

Rio Tinto’s May 2020 desecration of Juukan Gorge to make way for an expansion of its iron ore mine in the Western Pilbara highlights the importance of looking beyond legality to ensure decision making is ethical.

This site contained ancient rock shelters showing human occupancy dating back 46,000 years, making it the only inland site in Australia showing human occupation through the last Ice Age. Rio Tinto knew the archaeological value of the site before its destruction but was set to make $135m for the site and so the decision was made to go ahead. At the time this was legal but not ethical (aboriginal heritage laws have since been introduced in Western Australia) and caused great distress to the traditional owners, the Puutu Kunti Kurrama and Pinikura people.

Following considerable public backlash, 3 top executives and 2 board members chose to stand aside, including CEO and Chairman. Rio Tinto has now imposed a moratorium on all work within 10sq kms of Juukan Gorge and is making reparations to the traditional owners including full reconstruction of the caves. Damages are expected to be much more than the $135m they expected to make from the mine.

What does this mean for risk management?

1. Ethical and cultural decisions ͏need independent advice. Risk management practices need to keep pace as failure to meet community and social expectations presents an increasingly high reputational and financial risk.
2. ͏Diversity in decision making needs to be actively sought to ensure broad and varied perspectives are considered at the decision-making table.
3. Strong Environmental, Social and Governance practices need to be implemented to align organisations with social expectations to create and sustain long-term value.

Improper Influence

This case study is particularly relevant for public servants. On 17 June 2022, Former Deputy Premier of NSW Mr John Barilaro was announced as the Senior Trade and Investment Commissioner to the Americas. A Parliamentary Inquiry Interim Report found that this decision had “all the trademarks of ‘jobs for the boys’”, finding a preferred candidate had been selected and offered the position only to have that process set aside for a change of government policy. Quoting the Inquiry:

‘The process of appointment was flawed and not at arm’s length, there was a lack of transparency and integrity in the public sector recruitment process’… ‘there was a pattern of Ministerial interference and lack of transparency conducted by the Government’

This was not only embarrassing to the Government but the Minister and CEO both lost their jobs as a result.

What does this mean for risk management:

1. Good probity processes need to be defined and tailored to the decision being made and linked to the risk of the decision.
2. We need to say ‘No’ when the risk is too great. There must be the ability to give frank and fearless advice.
3. Set the tone from the top and lead by example.
4. ͏Decision-making processes should be transparent. Individual decision makers should always ask themselves whether they would be comfortable defending their decision publicly (for example in a Parliamentary Inquiry!).

Each of these cases provide important lessons for all organisations. To avoid becoming another cautionary tale, take these lessons on board and prioritise risk management!