Carolyn Crompton explains how the risk management message is spreading from Australia/New Zealand.

It is nearly four years since the Australia/New Zealand Risk Management Standard 4360 was first published; the latest version was released in April this year. In that time it has been adopted by major Australian entities, such as property and financial services group Lend Lease, the ANZ Bank, and Australia Post. It has been used by the Australian auditor-general to set best practice benchmarks and forms the basis of risk management systems at the Royal Perth Hospital, Western Australia.

Now, increasing international adoption of the principles of the risk management standard AS/NZS 4360 demonstrates that Australia is a leader in the development of risk management as a management discipline.

For example, an Australian Customs Service scheme is helping disseminate AS/NZS 4360 throughout the Asia-Pacific region, by employing it in training that the service provides for its counterparts in the region. The standard provides a methodology which enables customs services to sift through myriads of daily international transactions and movements, focussing their verification systems on those which present the most risk. This improves enforcement and means the vast majority of low-risk transactions can proceed with minimal customs involvement.

Training and dissemination of information on resources like AS/NZS 4360 are leading to increased harmonisation of customs practices throughout the region, reflecting the versatility of AS/NZS 4360 and the way it is becoming an international benchmark.

The British National Health Service uses 4360 as the basis of its “controls assurance” framework for managing clinical and organisational risks. The standard is a generic document, providing a framework and guidelines rather than a definitive “how to”. It details the steps in the risk management process — establishing context, identifying, analysing and evaluating risks, then implementing appropriate treatments. It emphasises the need for communication between all stakeholders, and constant monitoring and review of the effects of changing circumstances on priorities.

International acceptance of AS/NZS 4360 is not only an important stage in the development of risk management, but also in the evolution of the Association of Risk & Insurance Managers of Australasia (ARIMA), which was a major player in the standard's development.

In 1975, when the organisation was formed, it was conceived mainly as an information-sharing association for corporate insurance buyers. As the discipline of risk management outgrows this base, one of ARIMA's challenges is to ensure it continues to expand and that it is able to cater for all practitioners. This includes those who practise risk management as part of their managerial role, but whose primary responsibility lies elsewhere, such as accountants, auditors and lawyers.

ARIMA's current goals are to increase membership, make greater use of advertising and public relations to promote itself and risk management, increase risk management education and form strategic alliances with other related associations and industry bodies.

A milestone in risk management's Australian development was reached in 1992, when the Australian Stock Exchange's listings rules were changed to require public companies to report on their significant risks and the arrangements in place to manage them.

In the same year, the government of the State of Queensland decided risk management would be adopted by the Queensland public service. Over the next five years, other state governments followed suit and there was commitment to risk management from the federal government, particularly via the auditor-general, who has strongly encouraged government departments to adopt risk management as an auditing tool.

As a result, the public sector has been an important influence on the development of risk management in Australia. Sound public sector risk management practice has become increasingly important because of continuing trends to separate core business operations and out-sourced service delivery elements.

Australian public sector management has, over the last decade, been enthusiastic about adopting private sector business practice, accepting the political line that the private sector can do things better, and is more cost-conscious. In many cases, that is correct. However, in such a climate, one of risk management practitioners' core responsibilities is to challenge their organisations to look beyond the short-term and examine the real costs, and ARIMA has chosen outsourcing as the theme of its 23rd national conference which will be held in Hobart, Tasmania in November.

If out-sourcing is undertaken for sound economic reasons, it can be highly beneficial. However, too often, the motivation is ideological. The result is organisations with inadequate staffing and no corporate memory. Much public sector out-sourcing, for example, is done for political reasons; no true risk assessment is performed. Cost-benefit analysis often looks only at basic costs, not the hidden costs of out-sourcing. Rigorous risk management standards must be applied to out-sourcing because badly managed out-sourcing can deplete or even destroy an organisation, divesting it of core functions and the people who understand them. There can be no hard and fast rules about what activities can and cannot be out-sourced successfully. Only a risk analysis will identify them, because organisations' risk profiles vary dramatically.

Risk management itself is sometimes out-sourced, in my view, a classic example of short-term thinking. Risk management should be an integral part of business operations, and one of Australian risk management practitioners' major challenges is the further development of a “risk aware” culture among organisations, both public and private. While great strides have been made, there is still some way to go before top-level management and board commitment to sound risk management principles becomes general.

An April survey by the Australian Institute of Company Directors and KPMG showed only 51% of directors of listed companies felt they had full information necessary to assess risk, and only 47% of companies surveyed had formal risk management policies. That is, nonetheless, an improvement on the situation in 1996 when only 37% had a formal policy.

Even the 51% may be a good sign. It is actually down from the 1996 figure of 63% of listed-company directors, so if more directors feel they are not up to speed, it may indicate more of them are now taking risk seriously.

Australia has experienced some major incidents in the past 18 months which demonstrate that, even where risk management systems are established, the consequences of senior management being out of touch can result not only in serious business interruption but can expose companies to major damage to reputation.

A water contamination scare in Sydney in July-August last year resulted in the city's water corporation facing class actions for financial loss and personal injury (the personal injury action was subsequently dropped). It was also the catalyst for a New South Wales state government inquiry resulting in sweeping changes to the organisation.

The inquiry found that while risk management systems in different branches of Sydney Water Corporation were quite good, when the organisation-wide crisis hit, senior management, who had never been involved in incident-management planning, had to take over. Their initial response was inadequate and the organisation was almost overwhelmed by the magnitude of public reaction.

A fire at an Esso gas plant at Longford, Victoria, in September last year led to the company facing considerable public and business anger at loss of gas supply and a $1 billion class action. Esso compounded its image problems by seeking to blame the disaster on individual workers, a rationale rejected by a subsequent judicial inquiry. The inquiry found senior management was unaware of risks, despite plant operators' end-of-shift reports having warned of potential system failures, as there was no system for workers' reports to reach managers who had the ability to act on them.

Lack of contingency plans, not acting quickly enough, or attempting to shift blame are increasingly risky for organisations. The effort required to limit damage or defend actions after a disaster has occurred can leave little or no time for maintaining day-to-day management. Increasingly, companies which appear to be guilty of causing serious environmental damage are finding they sustain heavy corporate image damage, which can also have tangible consequences, such as a fall in share value or loss of market share. This may apply even if the company is actually trying to do the right thing, but fails to communicate it adequately.

Problems may be compounded in cases when the “right” course of action is ambiguous or unclear. For example, after years of environmental damage, now acknowledged by Australian mining giant BHP to be far more extensive than it previously maintained, the company faces the dilemma of whether to close its Ok Tedi copper mine and damage the local economy, which has become largely dependent on it, or continue the project and the environmental destruction. There is likely to be damage to the company's standing whichever way it goes; clearly, careful risk management is required. A logical growth area for risk managers is the field of corporate image, and alerting management to the need for strategies to safeguard that all-important asset.

For risk management practitioners it is tempting, and perhaps plausible, for us to believe that had risk management been a commonly accepted discipline when the seeds of such disasters were sown, the contemporary effects would not be as bad, neither for the companies and governments involved, nor the communities and habitats affected.

Regional awareness
This thought brings us full circle, to the importance of measures like the Australian Customs Service's training program for developing awareness of risk management throughout the Asia-Pacific region. ARIMA itself also pursues this goal through its membership of the Federation of Asia-Pacific & African Risk Management Organisations (FAPARMO) and its financial support for Australia's chairmanship of the international working group to standardise risk management terminology.

Risk management is evolving at different rates in different places; in many Asian countries it is still in its infancy. The thirst for knowledge in places like Malaysia, Indonesia and the Philippines is high, and independent bodies, such as ARIMA, therefore, have a major responsibility to share their knowledge. We are doing that through participation in international events and activities and our support for FAPARMO.

Carolyn Crompton is national president, Association of Risk & Insurance Managers of Australasia, and president, Federation of Asia Pacific & African Risk Management Organisations. E-mail:

The 23rd national conference of ARIMA takes place from 14-17 November at Hobart, Tasmania. See for more details.