BoardPro Podcasts
A series of podcasts designed to demystify the world of business governance bringing practical advice and tips for organizations to improve their operational effectiveness.
BoardPro Podcasts
Webinar: Beyond Compliance: Turning Risk into Strategic Insight
Use Left/Right to seek, Home/End to jump to start or end. Hold shift to jump forward or backward.
Most organisations treat risk as a compliance exercise, something to monitor, report, and minimise.
But what if that mindset is holding back real strategic value?
In this webinar, we challenge the traditional view of risk and explore how Boards and executives can reframe it as a driver of innovation, opportunity, and competitive advantage. Drawing on leading-edge governance practices, you’ll discover how to shift risk from a passive reporting function into an active strategic conversation, one that uncovers hidden opportunities, informs better decision-making, and even creates new revenue pathways.
If you’re ready to move beyond box-ticking and start using risk as a tool to shape the future, this session will show you how.
So, hi everybody. Welcome to our webinar today titled Beyond Compliance, Turning Risk into Strategic, Strategic, sorry, insight. On our panel today is Stephen Bowman, Roger Chow, and Margot Foster. Welcome to you, team. My name is Sean McDonald, and I shall be your moderator in the background for the next 40 odd minutes. Firstly, thank you so much for attending today. We always appreciate you the effort you make to be here for our live webinar events. During the session, if you have any questions, please try and use the QA button on your toolbar. We'll be answering as many of these as we have time for throughout the webinar. And finally, if you stay through till the end, which of course we hope you will do, we have a really short one-minute survey at the end of the webinar for you to consider. Your feedback really helps us bring relevant content to you week after week, and it enables us to position the wealth of expert presenters for you. So please take a minute to complete the survey as you leave the webinar today. For those not too familiar with Board Pro, we are a board software provider, sometimes called a board portal, and we serve just over 35,000 users around the world, and we're represented in about 34 different countries. And we enable organizations to prepare for and run their board meetings more efficiently and effectively with less time and deliver more impact and value for the organization. And as much as we are a board software provider or board portal, part of our wider mission here at BoardPro is to make the fundamentals of governance free and easy to implement for all organizations, but especially those organizations with resource constraints. And one of the many ways we do this is by providing free access to hundreds of governance templates, guides, and resources, which you'll find, funnily enough, in the resources section of our website. And these webinars that we host every week are also a great way of accessing key governance knowledge without the time, commitment, and costs associated with in-person events. So that's enough from me. Let me have my team introduce themselves, starting with you, Stephen.
SPEAKER_03Hi everyone, and thanks for joining us today. Steve Bowman from Conscious Governance. I've been working with boards and CEOs and have been on boards and have been CEO of many organizations for many, many years, and have really collected some of the best tips and techniques that really high-performing boards have been using. They don't have to be big boards, they don't have to be very wealthy boards, but these are the boards that actually make a difference around the world. And so partially what we want to do today is to share with you some of the insights that we've gained from working with some of these boards, some of the chairs, some of the organizations, particularly around risk. Over to you, Roger.
SPEAKER_02Thank you for that, Steve. So I'm Roger Chow, an experienced board director and chair, having sat on and chaired a number of boards in the public sector, the private sector, and the not-for-profit space. Also do a lot of board consulting for a range of boards across a number of industries and sectors as well. Lovely to meet you today.
SPEAKER_03Margaret.
SPEAKER_01Thank you, Steve. So my my experience, and it's great to be here with both of you, and thanks for having us, Sean, and welcome everybody on the call today. So my experience is similar to Roger's and Steve's. I've been on lots of boards, I've chaired boards and committees, and I work with boards through my um company Boardroom Excellence Australia. Really focusing on the practical tips, insights that make boards hum. And I think we all agree there's nothing better than uh a good board meeting, and there are so many moving parts, and today we'll talk about just one of those, which is making risk a bit more strategic. So over to you, Steve.
SPEAKER_03Okay, so thanks. The purpose of today's webinar is not to delve into how to do risk management, it's really about changing our perspective around risk and therefore the some of the practical techniques and strategies that we can use to get more leverage and more impact from actually understanding and managing risk. So the first thing where this starts is a mindship change. Now, we've all heard these stories amongst boards and uh and uh and staff. You know, often a board when we do a lot of governance reviews when we ask the board about risk, and they they always frame it as something that's negative that's happening. Yeah, we've got to understand risk because these are big things that can make us go put in the night, sort of thing. It's the potential for the loss, there's something that can go wrong. So it's terribly exciting when you start to think of that. And then you ask the staff what their view is, and they get even more granular. Oh, it's complicated, it's difficult. We've got to monitor it. Oh, but we give them a risk register every board meeting, so that should keep them happy. So it's more of a compliance issue rather than um something that will add true value to the organization, and that's what we've got to shift, both at the board level but also at the staff level. Sean. So what we find is in any risk um ecosystem, there's certain things that exist there. Um the first one is a risk register. Everyone has a risk register, they're usually pretty, they've usually got a bit of red and a bit of orange and a bit of green in them. Um, and maybe they include risk appetite. But the problem with risk registers is that they focus on the um the reporting of what that risk is rather than what we can do with that risk and how we can actually leverage it. There's risk treatment plans about how we tend to go about it. The one thing that's mostly missing is the compliance breach registers. So, you know, this is a really important document. It's very easy to do, and we will give you a downloadable resource uh at the end of this uh session that you can use. But if we did have a risk that eventuated, how did we deal with it? And what have we learned from that? So that we can actually then, as a continual learning process, use that risk and how we dealt with it to you to uh our advantage later on. The key thing in all of these is that these documents tend to focus on the identification and maybe how we deal with the risk, but what they don't do is what the very definition of risk says that we should do, which is we should be looking at the opportunities that come from managing these risks, the leverage that we can extract for managing these risks, and maybe even the potential revenue that we can get from managing these risks. So these key documents often act in isolation. And Roger, you come across this often in your role as chair of finance audit risk committees and so on. What's your view on how key documents are created around risk and what's missing?
SPEAKER_02Yeah, like you were saying, I think all too often they're they come across as in their own silos and they're not really integrated. Um I think there's some great examples, like one of the boards that I was working with late last year, I actually reviewed their risk register, their treatment, their compliance register, and like you said, they were working really well, they were very strong, they were fantastic, had a lot of detail, but they weren't integrated. Um so when I started to actually review their compliance breach register, I thought saw that there was a pattern of breaches that were occurring over the past 12 months. And we then started to look at actually how does this relate back to our risk treatment plans? How does this relate back to our risk register? What do we actually need to start to change with regards to this to actually prevent some of these compliance breaches? And more so, what are some of those strategic opportunities? Um what we actually found with some of these was that one of the issues was about manual handling. Um and the issue wasn't so much putting more training, giving staff more training. It was actually around that the model was too dependent on manual handoffs from that perspective as well. Um what the board actually realized was they actually needed to change to actually make better workflow systems, clearer workflows, better system prompts, fire faster client response. And it meant that this was less a compliance response to the problem itself, but more actually an efficiency opportunity to actually improve the business from that perspective as well. So that's that's one way where integrating more actually looks at the strategic opportunities as opposed to just the negative risks.
SPEAKER_03Margot, what do you see from your role as both director but also chair of boards? What have you seen in these areas?
SPEAKER_01Well, I think part of the problem with um dealing with risk is that it is, as Roger said, siloed. And people tend to think of risk as, oh, it sits over here and we'll deal with it separately once or twice a year. Um it's got to be managed by somebody in the organization, but it doesn't come back to the board enough in forms that um the where the information can be proper properly assessed or dealt with on a meeting by meeting or at least quarterly basis. So I think that the uh going to your original point, Steve, it's something to be worried about and say, we'll park it over here and we'll only deal with it when we need to, is part of the problem. So integrating it as an opportunity and part of your business, because everything is really a risk, you know, whether it's financial or non-financial, um, into how the how the meeting runs, in board papers, etc., is really essential from my point of view.
SPEAKER_03And the single biggest thing that we can do, which is the whole purpose of this webinar, is start to look at risk from the viewpoint of opportunity, strategic leverage, and potentially revenue or adding more value, more impact to what you're doing because you understand some of the moving parts that are in there. Okay, sure, next slide. So risk management, please, please, please. Risk management is not about risk registers. Every time I see a board pack and I see hundreds of them during the year, and I say, give me all of your risk stuff, they give me a risk policy. Fine, okay, that's obviously cut and pasted from somewhere, never been reviewed. They'll give me the risk heat map and the uh the uh what we regard as the definitions of critical and high, and so that makes a very pretty document. And then there's a risk register, which is usually four or five pages long. The difficulty is as a director, it will take me probably 10 minutes to go through and figure out which are the big risks because they're hidden in amongst there. So the the high or the critical risks are actually done within the document somewhere, but they're not brought to our attention. So one of the key things that you can do with that is actually take your top two or three risks and put them at the top of the risk register. You know, the the really high or the critical risks, they're the ones that if we deal with them are going to have the biggest impact. And if we don't deal with them, are going to have the biggest impact. And therefore, we can extract the most strategic advantage from those high or critical risks if we think about them differently. So we need to help our board focus on these big risks by having them at the top of the risk register, and then when you're providing a risk report to the board, don't bore them with all of the medium or low risks. They can see that if they need to through the risk register. But do the report on these top three or four really key critical risks. You know, how are we dealing with them? What are the opportunities that arise? How can we minimize their potential to occur? How can we turn that to our advantage? If they do occur, how can we minimize their impact on us? What are we going to do to put that in place? Now, what are the implications of that in other parts of our business that might open up new businesses, new opportunities, new services? And therefore, what might the potential revenue implications be if we were to start looking at it from that perspective? So you'll see that as we as we go through this webinar, that there's some simple things we can do that can start to change that uh that viewpoint. So risk should be an ongoing conversation, not just a report against here are our top three or four risks. An ongoing conversation about what are the strategic implications behind this risk, about how we can leverage this risk, about what are the opportunities that opens up. If we actually understand this risk, we manage it really well, or even if we don't manage it, we look at how we can put in place the things to minimize potential and impact if it does, then how can we leverage that to create other contracts? How can we leverage that to create other parts of the business? How can we leverage that to create greater impact in our communities? Because it's there, it's available to us, we just don't think that way.
SPEAKER_02Roger, thoughts? Yeah, and I'm just picking up because Rob's Rob Plummer in the chat has actually asked a really important question that relates directly to this. Um and Rob's question was should each board memo be linked to risk or opportunity? Um fantastic point there, Rod. And what I always say when I'm working in a lot of organizations is there's some easy quick wins when you're setting up your board templates, when you're looking at your agendas and papers. Every single paper which is coming to the board needs to be linked to risk and strategy. And I always have a question there when I'm helping boards create their templates in terms of which strategic pillar does this connect to? What does this mean for risk attached to the organization? Because as a board member, when I'm receiving papers, I want to know so what? Why is this an issue for the board? Why is this an issue for me? Why should it concern me? What I should what should I be doing with this? So when I'm talking to the papers, the people that are writing papers for boards, I say, put yourself in the shoes of the person actually reading this paper. What does it mean for risk? What does it mean for strategy? What are the implications? Why is it even coming to me as a board director from that perspective as well? So great question there, Robert. Margo.
SPEAKER_01Oh, my answer is exactly the same as Roger's. Um and I agree. Board papers need to include a risk heading and maybe a risk mitigation heading as well, as well as linking to the strategy, because it's very difficult for paper writers to put themselves in the shoes of the reader, director. And so having a framework that helps them understand the issues that you need so that you can ask, answer that so what question is is really key. I think the other part of the other problem of dealing with risk is so often you get these A3 spreadsheets, you know, of risk, and they are impossible to read on a computer as well. You know, everyone turns up to a meeting with a laptop or you're sitting on screen, you cannot, you cannot get a sense of the risk framework, process, whatever it is on those documents and look at an A3 printer. Um and so I think it makes it even more important that you extract the risks on a regular basis so that they are top of mind for the board in all the papers that they're reading. And again, it's the the other side of the coin being the opportunity that can arise. And it does free up the paperwriter to think creatively rather than just do a look what I have done report, which uh serves nobody.
SPEAKER_03There's there's two insights that come from this. Um, and the the first one is the board reporting, as both Margot and Roger have said. There are two rules to any board report, and there's only two rules. The first one is we've already covered, which is so what? So what do you want me to do with this? What's the implications? Don't make me read 15 pages and I'm not left with a so uh so what? Give it to me right up front. The other part, which I think is just as important, is the where's Wally impact. Where's Wally in all of this? Now, for those of you who aren't in Australia or New Zealand, do a Google search on where's Wally, and then you'll smile and you'll see what I'm talking about. But show me where's Wally in this. Put a big red circle around it. Uh, whether you call it a risk, whether you call it an opportunity, but show me the where's Wally. Don't force me to try and figure it out for myself as a director. And so one of the simplest things that you can do tomorrow if you choose, is in any board report, but in particular your financial reports, your PL and your balance sheet, have a heading at the bottom of that report that says strategic implications for board discussion. And there'll either be one or two implications because you need to be providing the board with the first cut at an analysis of so what and where's Wally. And that simple heading, strategic implications for board discussion, reminds the board that we're here not just to interrogate the report, we're here to look at the bigger picture implications of that. And even if you have that heading and you put in the word nil, that's fine. But it reminds the directors that strategic implications is what we're looking for. And typically a director will come up and say, Well, you've got nil in there, but I think there might be one. Bingo, you've just got them where you need them. They're thinking at that strategic level. So one of the things that we want to do with risk is get directors to the stage where, in particular the newer directors, that in a nanosecond they can do an analysis of risk. Now, what what do we don't need three weeks to analyze a risk? Well, what we need to be able to do is to look at a risk and say, well, there's always three elements of the risk. What's the chance of it occurring, the possibility of it occurring? Is it high? Is it medium? Is it low? Is it imminent? Oh my God, there it is again, sort of thing. And then if it does occur, what's its impact going to be? And is it going to have a catastrophic impact? Is it going to have be a nuisance impact, or it's a you know, who cares sort of impact? Because then you can start to look at risk very, very quickly to get a feel of where it is in the ecosystem of risk. Uh, one of the most common things that we find uh, particularly new directors come up with and and and on some boards as well, is that they regard the risk of fraud as very, very high because it's, you know, that we'd hope it never happens. But when you lead the through the thinking, well, what's the possibility of that risk of fraud occurring? What's the potential for it to occur? Some directors will say, oh, it could occur anytime. Yeah, but when did it last occur? When did it last occur in your sector? Where where have you seen this occur? Well, it hasn't, but it could. Okay, so what do we put in place to reduce the possibility of occurring? What have you currently got? And then they'll list down, well, we've got a finance audit risk committee, we have an internal audit, we have this external audit, we've got uh you know strong uh engagement with our communities so that they'll tell us if something a bit funny is going on. Everyone has three weeks or more away a year on holidays. Yeah, 94% of all fraud is found when someone's away from their desk for three weeks or more. Just a little hint for you. And then the impact of it, so what would the impact be? Oh, it'd be catastrophic. Well, do you know what the average size of fraud is in this sector? Well, no idea. It's probably about $100,000. Well, that'd be embarrassing. Yeah, but it's not catastrophic. So you get them to think that way so they don't focus on what they personally believe is a high risk, they put some sort of analysis behind it. So the question that we've got then is when we look at reducing the possibility of it to occur of occurring, and if it did occur, reducing the impact of it, then the next question that should be in there is what innovative strategies can we put in place that will assist in reducing the possibility of that risk occurring? What haven't we thought of? What are some of the strategic things that we could do that could actually then open up the markets that we're in in this area if we understand and manage this risk in an appropriate way? And what's often missing from any risk report is any discussion about innovative strategies that we can do. Sean, next one. So the first insight that we've got here is that we can start, and it can be at the board level and certainly at the uh at the staff level, start to refocus the attention of our risk managers, our senior staff, and the board on strategic opportunities arising from the risks and possible revenue opportunities. So add it to the risk register. Put two extra columns on the right-hand side of your risk register. One that says strategic opportunities, and the next one that says possible revenue opportunities or possible impact opportunities. And that gets people to think about this. And you do that in particular for your top key risks. Roger, what have you what have you seen people do in this space?
SPEAKER_02I I love this one, and this is one I always harp on about, like you, as you know, I always say, what are the strategic opportunities? Um and I particularly find this of use in a lot of social purpose organizations as well. Um, and there was one that I recall that I was working with in a bit of a consulting gig for them, and they looked at that they had a very high rated risk-ground concentration around a particular customer segment. Um for their purposes, when they looked at their risk register, they said, look, we need to diversify their income, which is true. Um, but it was also very general. Um so I said to them, actually, let's flip this question. It's not about revenue diversification, it's actually asking, well, why are these customers so dependent on this? And what does that actually mean for an opportunity thing from an opportunity perspective itself? Um and what the management actually realized when they started to digest this question and actually reflected it, they realized, well, the organization had a very specialized capability for complex clients. And that's why these particular segments were coming to them. So as opposed to looking purely for revenue diversification, they actually thought, actually, what if we actually change these offerings and actually offer the same offering to clients with less complex means and a cheaper model itself with less with less less um conditions attached? And it actually meant that this was actually now a revenue opportunity as opposed to a diversification risk from that perspective as well. Um so what I actually say to them is look, yes, concentration in your sector can be about evidence of of there's a less a lack of diversification, but it's also an opportunity that you have this specialty that actually hasn't yet scaled. And it's asking those questions that Steve has just spoken about, which actually translate that risk itself from a negative perspective into a revenue generation opportunity. It's a great point, Mr.
SPEAKER_03Any any insights, Margo, that you've had that you've seen on the policy?
SPEAKER_01Well I'm not just thinking about um you know There's lots lots of not-for-profits that have few or no staff and how challenging it can be for them to think about risk. So just keeping it simple and talking about risk, identifying the main risks, and then the opportunities, even in a simple document, simple process, to start thinking up and out and about the organization rather than just being uh consumed by the operational stuff, which is uh tends to be the default position. So it's it doesn't need to be hard. It just needs to be on your agenda and on your mind and to be led sufficiently by the chair, um, who uh and if anyone else is on the board who has some of the skills to to build it in so that you are thinking, um, even in a less formal way that than has been described, uh, so that you are they these matters are on your agenda, whatever they may be, whether it's the sponsorship, whether it's government funding, whether it's uh you know, perhaps a sporting field risk, that sort of thing. So um doesn't matter what what what it is, there's plenty of opportunities, even in small organizations, and probably more essentially for small organizations or just as essentially, uh, to keep to keep those things in mind.
SPEAKER_03So one of the th one of the most common high or critical risks that we often see, particularly if you're a membership-based organization or you're reliant on government contracts, is that ever lasting chestnut of one of our key risks is change in government policy. Okay, so it all it it often comes up. So, what's the potential for that to occur? Well, what day is it? So it could happen anytime, all right? And it has happened in the past, and we sometimes don't get much notice of it. So the potential for that to occur is at the very least medium, potentially high, particularly if you're going into the the election cycle. So now, what can we put in place to minimize the potential for them to change policy? Oh, you're dreaming, they don't listen to anything. Well, yeah, but what can we put in place? So, what haven't we done? What have others done to put in place the uh the techniques to maybe minimize the potential for them to change policy? And then you start to get really creative. That then you can say, well, look, maybe we should be positioning ourselves as a critical friend rather than someone who constantly goes after them telling them how things are wrong. Maybe we could look at a different way of our relationship with the key ministers, the key people in there. Maybe we could look at liaising with other organizations that we hadn't considered. Let's do some research on how other organizations do this and do it really well that might give us some ideas. Now, all of a sudden, there's three or four new innovative ideas that that particular board probably hadn't thought of or that their policy team hadn't thought of, but it's being led from a strategic point. Now, if government does change policy, how can we minimize its impact? Okay, well, let's look at all the things that we can do to minimize the impact on our members or our sector. Let's get ready. What are some of these things that we should do anyway? Whether or not that policy changes. So all of a sudden you're being driven by innovation that is fed by the potential risk rather than sitting back and saying, I hope it doesn't happen because we won't know what to do. So it's just a different way of looking at things.
SPEAKER_01All right, now look, I agree with that, Steve. And I've had those conversations over the last couple of days actually with some organizations. And it's really swapping um inertia for innovation, I think. You know, because the inertia is doing the things the same old way and dealing with the risk by going to the minister and saying, oh, poor us. But uh the innovation is, as you say, thinking about how to do it differently, maybe using different resources, different other groups of people, um, and uh, you know, being being clever about it rather than um, as I say, the inertia of just, you know, the status quo.
SPEAKER_03One of the greatest questions that I found, Margo, that can be asked around there, and doesn't matter who asks it as long as it's asked, is so how can we turn this to our advantage? And you can go, yeah, how can we turn this to our advantage? You start to think about things from a different view rather than that's just the way it is. There's nothing we can do about it. So you start to switch it from the compliance perspective to the potential opportunity perspective that arises, whether or not it occurs uh is less relevant than thinking in that way. Okay, let's look at the role of the board in all of this. Sean, next one. So the first thing to do is have a look at your risk management policy. Does it overtly identify opportunity aspect in that policy? Or is it the standard boring risk that risk is the chance of anything going wrong? The actual definition of risk under the ISA standard is anything that impacts on our ability to deliver against our strategic goals. Nowhere in there, in it in that definition, is there nasty yucky icky stuff. It's all about the ability to deliver against our strategic goals. Anything that gets in the way of that, we'll call a risk. So have a look at your policy to see whether it overtly brings that out, because that's the first step. The second step is look at your risk appetite. Most organizations do this terribly. Your risk appetite statement, does it align with your strategic priorities? But more importantly, do the staff find it useful to give them guidance about what they should be bringing to the board? You know, if we've got zero appetite or low risk appetite for this, don't spend your time trying to do a paper that addresses something that we've got a zero or minimal appetite for. Don't waste my time as a board member. So understand how risk appetite is actually used. Now, Roger, you've seen a fair bit around risk appetite and how badly it can be done. What's some of your insights on this?
SPEAKER_02No, totally agree with that. And like I think, like you said, it needs to be operational. It needs to be usable by the staff. But often I've seen a lot of risk, like risk appetite statements being quite needy of saying this is what this is a type of risk we don't agree with that we don't want to undertake. This is a type of risk that we have no appetite for. But there's that flip side, which is what are the types of risks you're prepared to actually accept and take on to actually create value as well. And that actually then gives the staff guidance to go away and innovate. To undertake new pilots, new projects, because the appetite statement has given them the permission to actually do that as well. So I think that's a critical flip side to a lot of this. Margo?
SPEAKER_01Yeah, no, I agree, I agree.
SPEAKER_03So the so look go back to your risk register. It should have another column in there that says, are we in compliance with our risk appetite? So so that you don't lose it. This is uh Roger's point before, which these reports should be integrated. They should actually help each other. So let's look at some other board responsibilities. Does the risk committee now I'm gonna call on Margo on this one because we had a great conversation yesterday about this? But does the risk committee or the finance audit risk committee regularly review risk progress with the senior executives, or is it just there to report activity through to the board? Um, it raises the interesting issue of should we have a finance audit risk committee and run the risk of risk being the thing at the end of the agenda that we never quite get to, or should you pull out a separate risk committee and run the risk of having too many committees? Margot, you've got some great thoughts on this.
SPEAKER_01Well, I you know, I have sat on a number of boards, been on a few uh finance, risk and audit committees, and certainly my my most recent experience is that uh risk takes play second fiddle in the finance, risk and audit committee, invariably, because that there's usually a lot of risk people, uh finance people on it. And their task is to review the financial accounts before and for the next board meeting and to make recommendations for the board to approve those accounts, whatever the case may be. And um it's very hard to find the time uh for those for that committee to properly deal with risk and bring the risk matters to the board in the same way that uh recommendations should come for for financial matters. I am never in favour of adding more committees. I mean, the fewer committees the better. Um I think BHP has four. Um, you know, and a lot of golf clubs, I do work with golf clubs, some of them have rather more than four. But you know, yeah, I think it's really important to consider what works best for your organization. Do you have a separate finance committee or how do you how do you structure the work of the FRAC so that it's the board is getting the risk information that it needs and not just on that every six months basis and it might turn up in a in part of your board papers as well. So that that was sort of the conversation we touched on yesterday. But I think it's a live issue for a lot of boards.
SPEAKER_02And I think I think the other thing is that the workload for these committees actually needs to be forwards looking, not backwards looking. Um if we look at, I guess, traditional ordinary risk committees, they look at order, they look at budget variance, they look at compliance, assurance, financial controls, they're very much backwards looking. What's happened, what's failed, what's gone wrong, what needs correcting. The strategic way to look at risk in terms of moving forwards is what does this mean for the future? Like what has to remain true for our strategy to actually work? What are we more exposed to as an organization because of these choices we're making within that? So, what are the forward-looking things we as a risk committee or order and risk committee or finance order and risk committee need to be asking us to look towards the future as opposed to looking back towards the past as well? I think that's a critical way to flip a lot of that.
SPEAKER_01But I also think it's up to the board to decide what information it wants from this committee and therefore how it spends its time. And not just leave it to the committee within its terms of reference, its its charter or whatever to to make it up as it goes. Because otherwise, there is an information deficit quite often in relation to that forward-looking opportunity uh discussion that we've been uh touching on um this morning.
SPEAKER_03And unfortunately, what I see happen very often is that there's a large number of boards out there that have no clue what they want, so therefore they default to more information, more information, I want more information. And so your board packs become 300, 400 pages long without the distillation of so what and where's Wally and that. And that's why with finance reports, always you should have what are the strategic implications? You know, balance sheet. You get a balance sheet. Most people don't know how to read a balance sheet, or if they do, they don't know what to do with it. So, what I want to know is what are the key ratios from the balance sheet and so what? You know, if this ratio is going up, what does it mean for us in five years' time? You know, if this ratio is going down, what does that mean for us in two years' time? What are the implications? Is that challenging some of our assumptions? There's a great question in the in the chat there. Um I can't see who wrote it, but um, you know, what what do you do when uh the assumptions behind a risk change? Then the risk changes, absolutely. You're you're absolutely spot on with that. One of the things that we always recommend that boards do is to look at uh uh a three-year rolling program, look at any major business cases from three years ago that we made that we chose to go ahead with, and re-look at the assumptions behind that business case to see whether or not we got close to what actually did happen. Were our assumptions spot on or not? And if they weren't spot on, what have we learnt from that? And so those assumptions will be based partially on the risk side of things, but also on growth of market or whatever it might be. But a great technique to use is to go back to you know, once a year, go back to some decisions two or three years ago and test those assumptions out. What have we learned? What didn't we get quite right there? What have we learned from that? And that makes the assumption making so much more powerful, the decision making so much more powerful. Another another comment for another day. Okay, let's have a look at um the uh succinct reports on risk reports. We'll give you an example of a risk report right at the very end, a template again that you can download. So, but they they've got to be useful rather than um rather than comprehensive. You know, we don't want a risk report on all the 75 risks. I do want I do want them in the top three or four, and the emerging risks. One of the things often missing from reports, particularly the CEO's report, is I always like to see a heading that says emerging risks. It may not be right now, but it's certainly going to come up. You should have had two years ago emerging risk AI. If you've got it, if you didn't have it two years ago, it should be there now. Now, you're looking ahead. We're not saying that we have to actually do anything significant at the moment, but we've got to start positioning ourselves so we better understand it and we keep ourselves abreast of this emerging risk, because even though it may not have hit home right now, it is likely to in the future. What can we put in place now so that no matter what the future throws at us, we're going to be in good shape? And it would actually add value whether or not that risk eventuated or not. Okay, so board responsibility is the culture of the board risk mitigation, which is a very fancy word that says minimizing the potential for it to occur, or is it actually looking at strategic opportunity? So we've talked about that at length. Now, if you really want to get the attention of the CEO on this, and therefore the senior executive team as well, then establish one or two KPIs that are directly related to the innovative management of a key risk. And you can reflect this in um in the KPIs. For example, when I was uh the CEO of the Institute of Banking and Finance, my board through the chair came up with one KPI that I thought was brilliant, scared the hell out of me. And the KPI was that the six major COs of major financial institutions in Australia and New Zealand thought that I was doing a good job as the CEO of the Institute of Banking and Finance. And I thought, heck, how the heck are they going to manage that? So I said to the the chair who was the CEO of one of the major banks, I said to him, How are you gonna do that? He said, easy. Call him up and ask them, how well do you think he's going? And I want you at at least a four out of five on a on a five-point scale on it. And so what that meant is the key risk for us was that the CEOs are the ones that signed off, the fact that their organization would pay membership fees. And the key risk was that they wouldn't sign off because they couldn't see the value. And so that forced me to go and see them and talk to them about what they wanted, what they desired for the for the sector over the next 10 years or so, what we were doing to help them, how can we make their life a bit easier? So that there was no, you know, that I think the technical term is bullshit. There was no bullshit involved in it. It was all about creating the value that was needed. And it scared the heck out of me because I'd never done that before. Um, I got there in the end, but it totally changed the trajectory of the organization. Okay, now the other board responsibility is to monitor um these key risks. You know, when is a key risk no longer a key risk? Well, we need to keep monitoring it. You know, with this key risks that we've got, you know, the high or the critical risks that we've got, usually three or four of them. What's worked in this? What have we done? What hasn't worked? What have we tried and it didn't work? What have we learned from this? What have we missed? What should we add to this? What should we take out? Have we missed any emerging risks? And this should be an annual review, not of the whole risk register, but from the board's perspective, those high and critical risks. Roger, how do you find boards monitor risk?
SPEAKER_02Yeah, I think, like you said, always continually reflecting on it. It's not a set and forget. Um, and I think this brings up one of the key questions that I just saw in the chat earlier, which is from Adrian, which is does the board need to see all 99 odd risks? Um and the quick question is no. As you can expect for an organization, they will have hundreds of operational risks from trip and fall hazards to something being left on the floor. These aren't the ones that keep the board up at night. Um, I think the key thing is actually to steal those and actually ask the board, actually, which of these, if they were to change tomorrow, would be dramatic for the organization? Which ones keep you up at night as a director, not a cable left on the floor. It's about the strategic risks that Steve was talking about before, about changing government policy in funding decisions and other things as well. So, really distilling those to the key critical risks for a board is really critical because the board won't have the time to devote to 20 different risks coming to it every single meeting. It's the the top three or four that even keep them up at night.
SPEAKER_03Yep. I just saw an interesting comment in there that often uh risk committees, there's in the constitution it says that all committee members should be board members. Get rid of that. You've got to stop that. You should have on your committees a general comment, you should have you know one or two directors, but also one or two external people that aren't even members. And often I'm I'm asked, well, why would people want to? Because it's interesting, because they can, because you've asked them. It's as simple as that. So have one or two independent uh members on your committees who've got more skills than the actual directors do in that area. And it's not difficult to find, they're out there. But you've got to enable that by changing your constitution, and then you've got to get members' approval. The key thing is if you've got a constitution that says that committees can only be made up of directors, you're tripling the work of the directors. No wonder you find it difficult to find people to sit on your board. So just a a a thought around that.
unknownOkay.
SPEAKER_01I'd just like to learn on that too, Steve. Yes, please. It's a it's a risk mitigator. I mean, otherwise you've got Fox and Henhouse potential, um, you know, the same people who are running the running the finances, uh, to whom some directors default because they're not financial experts, giving them the advice, giving the opinions. So having independent people and certainly an independent chair is the way to go. And I know lots of not-for-profits and so many organizations say, yes, you must be director to be on these committees, but independence, different thoughts, um, it is they are all risk mitigators and avoid groupthink. And, you know, someone might come and say, well, let's let's present our financials our risk uh in a different way, uh, rather than the way we've always done it, which as I always say is the answer to nothing. So those different perspectives.
SPEAKER_03Great, Marga, thanks. Okay, Sean, next one. Okay, board process. So you can embed all this into your board charter, your board induction, your board agenda, your board committee, the annual report. So you embed this, but you've got to put in place, start to change the languaging around risk. Risk is about looking at emerging opportunities and emerging value ads that we can do through the lens of risk. It's a very different way of looking at it. And so what you probably want, the very best risk manager I came across at a staff level was when I asked him what his job was, he's he said, My job is to ask questions. I thought, I really like this person. Because he wanted to ask questions, not just to monitor and provide a report. He wanted to ask questions. Why is that a risk? What could we do about it? What are the different things we haven't thought about it? And um and their risk process, an ecosystem they put in place was all about generating value. Okay, so just to finish off, we've given you some templates that you may find of use. There's an example risk register just to give you an idea of how others have done it. Uh, and you'll see in there the last two columns. You don't need to read this online, but the last two columns are um opportunities, so potential opportunities and then potential revenue, just to make the point. Um, the compliance breach register, just to give you an idea of that one, and then the next one, Sean. And then an example of an actual risk report that can be quite useful for the board. So it gives you a way of looking at it. Make all these your own, you know, shamelessly use them, make them fit for purpose for your organization. And the true test of all of this is whether or not the board and the staff start changing their view about risk and get really excited about how they can look at risk that can actually unlock value for your organization and your communities. Sean, to you.
SPEAKER_00Thank you, sir. So please feel free to connect with our presenters, Margot, Roger, and Stephen on LinkedIn. Everybody, I'm sure they'll look forward to your connection. Uh, just draw your attention to a number of uh webinar topics coming up over the next few weeks. Uh, best place to check all those out is on our website on the webinar page. You'll receive an email from me. Uh, it'll be tomorrow now, which will include a recording of today's webinar, the transcript and the presentation slides, and also the resources that Stephen uh pointed to towards the end of the webinar today. If you'd like, um if if you would like a copy of those uh spreadsheets, uh just let us know on the survey at the end as you exit. Uh don't forget to complete our one-minute survey, everybody. It really helps us. And if you're considering board management software for your organization, we would love to hear from you. Better still, why not try our 30-day free trial? It's simple and straightforward, and no credit card is required to get started. So, thanks again, everybody, for your attendance today. I hope you enjoyed the session. Thanks again, Stephen, uh, Roger, and Margot for your great conversation. I look forward to seeing you all, everybody, at our next webinar. Have a great day.