CSA Rapid Response Survey No. 34 — April 2010

Risk Management

Has your organisation’s approach to risk management altered since the start of the global financial crisis?

Since the onset of the global financial crisis (GFC), much has been written about risk management and about the lack of robust risk management practices and processes that was evident in many organisations. With this in mind, Chartered Secretaries Australia (CSA) is keen to explore with you your organisation’s current risk management processes and procedures, and the extent to which these may have changed over the past 18 months.


 

1. In your view, does your organisation perceive risk management as a subset of good governance?

a)  Yes     96%
b)  No        4%

Comments:

  • Risk is regularly assessed at business level and aggregated by senior management for reporting to the board on a six-monthly basis.
  • Risk management is a major pillar of good governance.
  • Effective risk management is an integral part of good business management.
  • Risk management is integral to good governance.
  • It is part of rather than a 'subset' of corporate governance.
  • It is branded as good management, not risk management, as that is what it is.
  • Risk identification long ago seen as a key part of the governance arrangements.
  • It is seen as an inherent aspect of our governance.
  • To be aware of the potential risks and your tolerance in taking those risks or not is an essential part of your overall corporate governance.
  • Risk management is critical and definitely sits within our governance suite.
  • OH&S, Workers Comp and environmental risks are well documented at each workplace and periodically audited/ reviewed by a board committee.

 

2. Has your organisation undertaken a review of its risk management processes and procedures since the advent of the GFC?

a)  Yes     72%
b)  No      28%

Comments:

  • The process we have had in place for the last three years is robust and effective.
  • We were always cautious in our investment selection.
  • Review of risks is an ongoing process. The GFC offered new perspectives on a range of risks and may lead to a different risk appetite in some areas.
  • A benchmark exercise was undertaken.
  • Yes, but not because of the GFC. We review our risk management framework annually and adjust as appropriate.
  • Looking to ensure it is practical and pragmatic.
  • Part of annual review and a consequence of the sale of the business.
  • Risk policy adjusted in light of issues identified during the GFC.
  • Safety on sites has taken priority. Also cash invested is only with A1 or better institutions.
  • Reviewed to ensure risk appetite remains appropriate.
  • Yes, but not as a consequence of the GFC, simply as a form of good governance and to ensure compliance with our stated principles in our CG Statement in the annual report.
  • Various policies and processes relating to credit and liquidity risks in particular have been reviewed.
  • In the ordinary course.
  • Continuing review and report to Audit Committee.
  • Our organisation reviews its risk management framework and processes annually in any event.
  • A new risk manager was appointed in Q2 2009/10 and has rolled out an updated risk management process throughout the organisation.
  • Not GFC-induced as such; more continuous improvement.
  • Continuing review to be consistent with ASX good practice recommendations, not necessarily prompted by GFC.
  • Yes, but not as a result of GFC.
  • Yes, but not as a result of the GFC — it is an ongoing event.
  • A strategic board review was held in early 2010 to agree actions and response to GFC threats relevant to the business/each asset was carried out, but there is no overarching formal process and procedure in place to identify and manage these types of risks. This is managed day-to-day by the executive team.
  • Various aspects of risk management reviewed but not as a complete/full process.
  • Ongoing monitoring and review.
  • But the review was not prompted by the GFC. The industry faces completely unrelated risks.

 

3. If yes, did your organisation bring in external advisers to undertake the review to assure the board that all risks had been independently identified and are being adequately addressed and monitored?

a)  Yes     22%
b)  No      78%

'If yes' comments:

  • In some areas only.
  • An external benchmark exercise was undertaken, which resulted in minimal changes to our risk management processes, which gave added assurance to the board that the risk management processes were adequate.
  • We use external consultants.
  • Internal audit exercised by external independent advisers, including ongoing review of risk areas and process improvement.
  • Scheduled for June 2010.

'If no' comments:

  • Risk processes are always under review so no need to do anything special.
  • We are best placed to identify and monitor our risks.
  • As we are prudentially regulated, the effectiveness of the company's risk management framework is required to be independently reviewed annually.
  • Well-developed risk framework in place that involves external and internal audit.
  • Risk issues regularly reviewed by external auditors but not since GFC.
  • Not necessary.
  • It was a more high level review than a detailed review, so external advisers not required.
  • Not considered necessary as we believe our management team and staff are capable of identifying relevant risks.
  • No external advisers were consulted specifically. However, by virtue of business-as-usual activity, parties external to the business, such as regulators and credit rating agencies, do influence risk management thinking.
  • The board was happy that the audit/risk committee could cover the review.
  • Our risk management process proved robust in the GFC.
  • Our internal resources have the capability of independence from the business to allow our review of the risk management processes to be effective.
  • An external review to benchmark our company's risk management processes against other large listed companies was conducted just before the GFC.
  • Sufficient internal expertise.
  • Believe we have the expertise and have identified improvement opportunities in-house to deliver on this.
  • Our company is in good shape financially so no need to do anything differently than pre-GFC.
  • The GFC has not largely impacted on the company. We have a strong internal risk team and do not need advisers at this point in our history.
  • The external auditor also reviewed the risk profile.
  • Internal support mechanisms used.

 

4. If a review (either internal or external) was undertaken, have there been significant changes to how your organisation manages and reports on its risk management and assurance processes?

a)  Yes     37%
b)  No      63%

 

5. Who in your organisation has oversight of the risk management function?

  • CEO                     36%
  • CFO                     55%
  • COO                      9%
  • Chief risk officer      26%
  • Chief audit executive    4%
  • Company secretary       21%
  • Other                   13%

Comments:

  • Business unit CEOs are responsible for risk management at the business unit level.
  • The two most senior directors monitor this area.
  • The CEO is responsible for risk but other key officers are responsible within the framework for their particular areas.
  • We have a board Audit Committee which oversees financial risk matters and a board Risk and Compliance Committee that oversees non-financial risk management matters. Day-to-day operations of financial risk management reside with the CEO and CFO, and non-financial risk management resides with the Chief Risk Officer who reports to the CFO.
  • Head of Group Audit & Risk and the Audit, Risk Management & Compliance Committee.
  • It fits within the CFO arena (with the CRO and Company Secretary reporting there), although the CAE does also report direct to the Audit Committee about the topic.
  • We are implementing a performance review monthly and reporting on that to the full board.
  • Risk is addressed by the senior management team.
  • CRO is member of Executive Committee and reports to CEO.
  • Deputy Chair who chairs risk committee.
  • Risk management is not really done.
  • We are large enough to warrant a CRO.
  • CFO/Company Secretary is one person.
  • Risk management continues to have a high profile in the company and is a focus for senior executives and board.
  • Through the monthly board papers and formal sign-off to board on half-year and year financial statements.
  • The Finance & Audit Committee has direct responsibility for this.

 

6. Has your organisation had to employ additional staff to meet risk identification, risk management and assurance requirements since the onset of the GFC?

a)  Yes (If yes, how many?)   9%
b)  No                                 91%

Comments:

  • A dedicated group risk manager has been appointed.
  • No, but some front-line staff was diverted to other activities.
  • Three.

 

7. Do you believe your organisation now has in place adequate risk management and assurance processes?

a)  Yes     83%
b)  No      17%

Comments:

  • We are this year developing business continuity plans to sit alongside IT disaster recovery plans now in place at business units.
  • All areas of risk from service delivery to record keeping and including insurance coverage have been reviewed.
  • There are always opportunities for continuous improvement and this is a developing program.
  • Our risk management and assurance processes are adequate and have not changed significantly since the GFC.
  • It is still evolving.
  • Yes, but it needs constant review.
  • What is adequate today may not be adequate tomorrow. This is a completely dynamic discipline.
  • But regular review.
  • Process in place but insufficient control on follow-up and implementation of process change.
  • We have very solid risk management and assurance processes.
  • There is always room for improvement.
  • Identified improvements in data collection, risk register maintenance, and some other specific programs to manage key risk.
  • Being worked on constantly.
  • Most of the key business risks are identified and addressed in the monthly board papers.
  • The risk management and assurance processes are adequate but could still be improved.
  • Greater depth of the embedding of a risk-averse culture is still some time off.

 

8. If you are a listed company, do you feel confident that your board will be able to report to investors under Principle 7 of the ASX Corporate Governance Council’s guidelines that the company has an effective risk framework in place to manage material business risks?

a)  Yes     86%
b)  No      14%

Comments:

  • This is a developing program with a relatively robust framework with established processes but there is always room for improvement.
  • There are procedures already in place to adequately manage material business risk including identification, ownership and escalation. There is always room for improvement however.
  • A subsidiary of a listed company that has a well developed risk framework.
  • This is appropriate for the size of the organisation and management team.
  • Meets the current requirements for reporting.

 
