AUTHOR: MARK HARRISON
In a recent Insights publication, the Australian Government Auditor-General reported that since 1 July 2021, only 31% of audit findings relating to risk management were positive.
This forced us at Sententia Consulting to think about whether risk management in the Australian Government really is that bad.
We have concluded that the answer is yes… and no.
The fact is that the Australian Government (and government generally) is responsible for some of the most complex and risky ventures and activities in the country. Defence of the nation, operating healthcare systems that must cater for every citizen, delivering environmental outcomes in the face of massive environmental headwinds, all are ventures that can just as easily be unsuccessful as be successful … as well as being just plain difficult. Yet there are plenty of (often unheralded) successes by Government in all of its responsibilities.
It’s easy to look at some of the more challenging episodes in the Australian Public Service and attribute those to poor risk management – Robodebt, the “pink batts” scheme, any number of Defence materiel design and construction projects, and the 2013 lost ballot papers in the Federal Election, amongst others. Further, most agencies and public servants have experienced their own challenged procurements, failed programs, poor grant decisions, and policy implementations which in hindsight could have gone better.
While there is almost inevitably some truth to the comment that all of these are a result of poor risk management, that is simplistic and only part of the circumstances. (Note here, we are not seeking to misinterpret the Auditor-General’s comments, which were not that simplistic.)
Risk management represents just one part of good governance, or good project management, or good procurement management, or good program management, or good contract management, or frankly any model or framework for effective execution of aspects of public administration. Each of these has a framework with multiple components that all need to work together to create good outcomes. Typically, those frameworks involve having good people doing the right jobs, good planning, effective process design, strong stakeholder engagement, tight legislative compliance, and clear accountability mechanisms.
While risk management definitely is important in contributing to all of these components of effective management, it is not the only discipline that needs to be in place and operating to support good outcomes. Put another way, good risk management does not guarantee a good outcome, but poor risk management does expose agencies to poor outcomes, and reduces defensibility when those poor outcomes occur.
In my 20-something years of working with the Australian Government, I have seen plenty of examples of really good risk management, and I have seen just as many examples of poor (or non-existent) risk management.
That 20 years of experience has taught us that the key ingredients to good risk management are:
- Deep experience and relevant expertise in what you are doing. Too often the Australian Government embarks on projects or processes without the right skills and experience to truly understand how to execute them effectively. Further, without that experience and expertise, it is impossible to really know what the risks are that need to be managed and how best to manage them.
- Strong situational awareness and good information. Risks emerge through projects and processes from a range of sources and vectors. If managers do not have effective monitoring of their operating environment and good data on the metrics that matter, they will likely not see risks emerging or unfavourable operating circumstances approaching. These are sure conditions for unmanaged risks to have a negative impact on your project or function.
- Discipline in following through on risk mitigations and controls. In our view, this is the key to effective risk management, and the most common gap. Risks typically require active management – the taking of steps or the creating of conditions that reduce risk. While managers may think about this while planning, it is not uncommon for the execution of those controls or mitigations to waver over time or as pressure increases. Risks that are not effectively controlled almost inevitably result in poor outcomes.
- Honesty in assessing risk and interpreting what it means. We have seen countless examples of agencies assessing risk at a level that is “perceived” as acceptable, or that reduces the effort required to develop risk management plans. While this may reduce effort at the early stages of a project or process, it increases the likelihood that risks become issues – and that’s where the effort really begins.
- A team that is on the same page about how risk should be considered and managed, including what risks should be taken and what risks should not. In the public service, we operate in teams and the secret to effective teamwork is having a team aligned behind a purpose who are well-informed, well-coordinated, well-directed and well-aligned. This should equally apply to the approach and attitude to risk, as any other aspect of teamwork.
Note here that I have not mentioned risk registers once. I have not referenced the Commonwealth Risk Management Framework once.
Each of these are important tools – tools that support good process and each of the ingredients I have referred to above. For all projects I lead or contribute to, I ensure I do follow the Framework, and I do maintain a focussed risk register.
But where agencies miss the point with risk management is that they focus all of their risk management energy on the register, on having a register that is “complete”, and on a process that follows all of the steps in the manual or the policy or the Framework, and put insufficient energy into some of the ingredients outlined above – and therefore into actually preventing or responding to risk.
To close this article I am reminded of two quotes that are influential in my approach to risk management:
- The first is a quote from an enormously successful leader of a “top 10” Australian company, who said to me “we have been successful in our field, not because of risk registers and risk management reports, but because we have good people who know what we are trying to achieve and make good decisions to support that achievement”. What resonates for me from this quote is the importance of having the people with the right skills, experience, authority and information to support the management of risks and opportunities in any project, organisation, function or business.
- The second is a slightly modified famous quote as follows: “culture eats strategy [and process] for breakfast”. This classic quote from Peter Drucker (and I apologise for my adlibbed addition) reflects something that I believe is the difference in good risk management – everyone on the team understands the desired outcomes and what can impede them, is empowered to work together to achieve them, and they naturally respond to risk accordingly. This does not suggest that either risk strategy or risk management processes are unimportant to good risk management. But rather, that a powerful, informed and empowering culture around risk is more influential to effective risk management.
AUTHOR: JO CARROLL
Taking Control of Risk Management in 2023.
Focus on risk management has increased significantly over recent years as organisations have been forced to face back-to-back or even parallel crises. However, even with this increasing focus, many organisations are still finding themselves in predicaments that could have been avoided through effective risk management.
In this blog we will work through some recent high profile risk events, looking at them through three key risk themes and drawing out the practical lessons we can learn.
Accountability and Ownership
The collapse of Silicon Valley Bank (SVB) in March 2023 presents an excellent case study in the importance of not just assigning accountability and ownership but operationalising these concepts to hold leaders to account. This was the third largest banking failure in US history and the largest since the GFC in 2009. After months of regulators raising concerns, SVB failed after a bank run, caused when customers were spooked by its announcement on 8 March that it would hold an emergency sale of some treasury stock to raise $2.25b.
SVB was the 16th largest bank in the US, focussed on serving companies in the technology and start-up industry. Prior to its collapse the Federal Reserve had identified that SVB was using modelling of interest rate risk that was ‘not at all aligned with reality’. Its risk modelling didn’t anticipate the combination of interest rate rises and liquidity risk shocks. This was flagged with bank management but not addressed.
In the year leading up to its collapse the bank had gone 8 months without a head of risk (Chief Risk Officer or CRO) and there was a lack of risk expertise at board level, with only one of the seven board members on the risk committee having a risk management background. Regulators were raising concerns for months, but the bank did not act.
While our regulatory environment in Australia is different to the US, the broader ramifications in the Banking Sector are still to be seen. Could we be headed for a similar fate?
What does this mean for Risk Management?
- A Chief Risk Officer with influence can hold other executives to account. However, too often the role is undervalued and classified at too low a level to exert the necessary level of influence.
- Boards need members with deep and proven Risk Management experience.
- Risk Management should be built into Job Descriptions and performance measurement and reward systems.
- Create and use risk tolerance, models and settings that inform data driven decision making.
- Assign responsibility for addressing concerns raised by regulators (this should go without saying).
Legal but not ethical
Rio Tinto’s May 2020 desecration of Juukan Gorge to make way for an expansion of its iron ore mine in the Western Pilbara highlights the importance of looking beyond legality to ensure decision making is ethical.
This site contained ancient rock shelters showing human occupancy dating back 46,000 years, making it the only inland site in Australia showing human occupation through the last Ice Age. Rio Tinto knew the archaeological value of the site before its destruction but was set to make $135m from the site and so the decision was made to go ahead. At the time this was legal but not ethical (Aboriginal heritage laws have since been introduced in Western Australia) and caused great distress to the traditional owners, the Puutu Kunti Kurrama and Pinikura people.
Following considerable public backlash, 3 top executives and 2 board members chose to stand aside, including the CEO and Chairman. Rio Tinto has now imposed a moratorium on all work within 10 sq km of Juukan Gorge and is making reparations to the traditional owners including full reconstruction of the caves. Damages are expected to be much more than the $135m they expected to make from the mine.
What does this mean for risk management?
- Ethical and cultural decisions need independent advice. Risk management practices need to keep pace as failure to meet community and social expectations presents an increasingly high reputational and financial risk.
- Diversity in decision making needs to be actively sought to ensure broad and varied perspectives are considered at the decision-making table.
- Strong Environmental, Social and Governance practices need to be implemented to align organisations with social expectations to create and sustain long-term value.
This case study is particularly relevant for public servants. On 17 June 2022, former Deputy Premier of NSW Mr John Barilaro was announced as the Senior Trade and Investment Commissioner to the Americas. A Parliamentary Inquiry Interim Report found that this decision had “all the trademarks of ‘jobs for the boys’”, finding a preferred candidate had been selected and offered the position only to have that process set aside for a change of government policy. Quoting the Inquiry:
‘The process of appointment was flawed and not at arm’s length, there was a lack of transparency and integrity in the public sector recruitment process’… ‘there was a pattern of Ministerial interference and lack of transparency conducted by the Government’
This was not only embarrassing to the Government but the Minister and CEO both lost their jobs as a result.
What does this mean for risk management?
- Good probity processes need to be defined and tailored to the decision being made and linked to the risk of the decision.
- We need to say ‘No’ when the risk is too great. There must be the ability to give frank and fearless advice.
- Set the tone from the top and lead by example.
- Decision-making processes should be transparent. Individual decision makers should always ask themselves whether they would be comfortable defending their decision publicly (for example in a Parliamentary Inquiry!).
Each of these cases provides important lessons for all organisations. To avoid becoming another cautionary tale, take these lessons on board and prioritise risk management!
Author: Kirsty Martin
The world is constantly changing, and risk management needs to keep up. Here are some key lessons to take control of risk management.
The impossible is possible – so take your chance!
The unlikely and unexpected can and does happen. In recent years we have seen organisations across all sectors rapidly transform in response to unexpected events (pandemic, anyone?), with changes that would usually have taken months or years to rollout being accelerated into weeks or even days.
Although mostly implemented reactively, many of these transformations have had a positive impact on employee and customer experience and accessibility. Think…
- Remote working
- Increased flexibility
- Improved digital platforms
- Self-service options etc.
Which raises the question… Why had they not already been widely embraced?
The key lesson here is that transformation can occur quickly, and innovative organisations shouldn’t wait for a catalyst, such as a pandemic, to force their hand before fully committing to transform where opportunities are identified. If the last few years have shown us anything it’s that rapid change is possible, and people can adapt faster and more effectively than we perhaps give them credit for.
What does this mean for risk management?
It’s time to walk-the-walk on a positive risk culture that uses risk management to identify opportunities and drive innovation. Decisions can be made quickly while still taking a risk managed approach, and changes can be rapidly implemented and scaled where they are prioritised and staff are empowered to do so.
We’re more interconnected than we think – so consult broadly
We often think of organisations or industries individually. We conduct various analyses of our internal and external environments, but still tend to focus on those elements that we can see may have a direct impact on our particular industry. Given our highly complex supply chains, changes in seemingly unrelated industries or communities can completely shock our operating environment through indirect impacts.
For example, a single ship getting stuck in the Suez Canal in March 2021 had vast and lasting global impacts on almost every industry from electronics to construction to food retail. Most organisations (outside of those directly involved in logistics) would never have considered that as a risk to their business.
Or the pandemic. We saw how the virus and related policy decisions had profoundly far-reaching impacts across society. Many of these impacts would not have been immediately obvious when looking at the risks through the purely epidemiological or economic lenses that tended to dominate the discussion. To understand the full picture, input is also required from public health policy experts, health care workers, sociologists, businesses, schools, unions and more.
The same is true for most decisions across any organisation. Without input from a broad group of stakeholders from the various teams, organisations, communities and more that combine to create our operating environment, we may not understand the full impact of our decisions and the flow-on effects that may influence our intended outcomes.
What does this mean for risk management?
Leaders need to deeply understand the supply chains that their organisations rely upon and consider both direct and indirect risks. This should include consideration of broader essential services such as childcare, schooling, healthcare, retail and logistics and the flow-on effects that disruptions or changes in these sectors could have on your organisation. We’ve seen many times in recent years the profound flow-on effects for broader labour market participation, spending behaviour, consumer confidence etc. that can come from issues in core services.
There will always be another crisis – so be ready to adapt
The word unprecedented has become a cliché. Organisations in 2022 are dealing with multiple and sometimes interconnected crises. Pandemic, war, climate change and more. These and other crises will continue to cause disruption and we need to be proactive to mitigate and adapt. Taking climate change and the associated increases in regularity and severity of weather events and natural disasters as just one example, organisations should be (at a minimum):
- Updating WHS policies (for extreme heat, air quality, flood safety etc.)
- Upgrading or relocating property holdings (to mitigate more regular flood risk, expanding fire risk areas, rising sea levels etc.)
- Contingency planning for severe weather-related supply chain interruptions.
- Reassessing business models, services, products, supply chains etc. to minimise carbon footprints and ensure sustainability
Organisations will continue to be faced with highly complex and sometimes abstract risks that will require both long term proactive strategic planning and the ability to react and adapt in the short term when faced with specific incidents.
What does this mean for risk management?
Organisations need to have an active and ongoing risk culture that is able to engage with long term risks and opportunities at regular intervals whilst also managing risk in the everyday operating environment. Risk management cannot just be an annual ‘tick box’ exercise and it cannot be ‘set and forget’. Organisations can’t get complacent that ‘after the crisis’ everything will go back to how it was. The world is forever changing, and as such risk management needs to be invested in and nurtured as an ongoing process and mindset.
Risk Management in 2022
So, what are risk forward organisations doing?
- Identifying opportunities and taking them! An effective risk culture will provide regular information that supports faster decision making and enables organisations to take risks and lead the way in doing things differently.
- Learning more about themselves and the complex supply chains and communities in which they operate.
- Investing in and nurturing an ongoing risk management mindset across their organisations.
As always, there is no one size fits all approach to risk management. Rather, each organisation must assess their current level of risk maturity and understand the way their organisation functions to identify the best approach. For some (most) organisations, a significant amount of education and support across all staff will be required to move towards a more risk forward approach that reaps the rewards of these lessons.
If you’re looking to mature risk management at your organisation, Sententia Consulting’s highly experienced risk consultants can help. Contact us today.