Effective risk management is paramount to shareholder value yet anecdotal evidence suggests that not all organisations have the necessary processes and tools in place to identify and mitigate potential commercial risks.

Against that background CSA was keen to explore the level of risk readiness within Australian organisations.

1. Do you believe that your organisation have the right risk management processes and procedures in place to effectively identify and mitigate potential risks to the organisation?

YES 91%
NO 9%

Comment

It is a process of constant refinement in terms of changes occurring both within and outside the organisation. However risk management is a clear objective within the organisation.
Risk Management is an endless thing. One will never be entirely happy with what they do.

2. Does your organisation have a well-documented risk strategy plan in place?

YES 74%
NO 26%

Comment

Risk management plan and procedures are in the process of formal documentation.
This has been driven to some extent by increasing focus on risk management in laws and regulations including Sarbanes-Oxley Act (US); CLERP 9 and ASX Corporate Governance Council recommendations.
Not documented well enough but it is currently getting greater attention.
The size of our business means that most if not all significant foreseeable business risks are usually reported in the monthly board papers for directors to discuss and make appropriate decisions. Formal compliance plans exist for the significant statutory compliance risks.

3. Has this been effectively communicated throughout the organisation; from the Board through to front office staff?

YES 68%
NO 32%

Comment

It gets as far as mid level management then tends to peter out.
Not communicated to front office staff although staff are involved in regular compliance training activities.
Well communicated to senior and mid levels of organisation, are improving communication (as required) to front line staff.

4. Which executive has overall responsibility for risk management within your organisation?

CEO 23%
Company Secretary 18%
CFO 23%
Internal Auditor 6%
Other (please describe) 59%

(Note: some respondents nominated more than one executive)

Head, Risk Management Division; Exec GM – Risk; Ex GM – Operations; Chief Risks Officer; Director, Finance & Risk; GM Risk Assessment & Compliance; CRO; GM Risk

5. Who does that executive report to?

CEO 37%
The Board 27%
Audit Committee 25%
Other (please describe) 11%

CFO; Risk Management C’ttee; Group Exec – Ops & Dev; Corporate Gov & Compliance C’ttee;

The CFO in recognition of risk being business enterprise wide risk. The Chief Risk Officer is also an ex officio attendee at the Board Audit and Risk Management Committee and the Board Environment Committee.

6. Does risk management have the ‘buy in’ and co-operation of senior management in your organisation?

YES 85%
NO 15%

Comment

Processes not well developed.
There is Buy in but it can always be greater.
Business unit managers are responsible for risk management in their unit.
A separate risk management unit provides professional advice and oversight.
Management committee comprised of all relevant divisions meets on a bi-monthly basis to review risk plans and strategies.

7. Does risk management have the ‘buy in’ of the Board?

YES 97%
NO 3%

Comment

In some ways the Board is more vocal about it than senior management.
The board is more conscious now than say 18 months ago.
There is a very active Board Risk Committee

8. Has your organisation had a bad risk management experience that helped focused everyone’s mind on the need for effective risk management practices, processes and tools within the organisation?

YES 49%
NO 51%

Comment

The bad experience of other companies does focus the mind, especially if directors are directors of other companies that have had bad experiences.
This is usually the result of involvement in litigation when the actions of the company and specific individuals come under close scrutiny and analysis — all with the benefit of hindsight.