GovernWith Blog

GovernWith blog for Boards, Directors and Executives who want to develop their governance capabilities so they achieve their strategic goals and mitigate risk

Negotiating with Cyber Criminals and Cyber Insurance

The Key Role of Cyber Insurance in Negotiating with Cyber Criminals

Key Points

  • Cybercrime Negotiations: Dealing with Cyber Criminals is complex and requires experts who understand their tactics and strategies.
  • Cyber Insurance: Cyber insurance provides financial and reputational protection against cyberattacks, offering access to professionals experienced in negotiation and data recovery. Michael Parrant is Aon Australia's leading cyber expert.
  • Real-World Examples: Organisations across Australia face unique cybersecurity challenges and can benefit from cyber insurance expertise.

Negotiating with Cyber Criminals Snippet

 

Understanding the complexities of negotiating with Cyber Criminals

As board directors, you are responsible for ensuring the security and stability of your organisation's digital infrastructure.

The threat of cybercrime, particularly ransomware attacks, looms large in today's technology-driven world. This article sheds light on the complexities of negotiating with cyber criminals and emphasises the indispensable role that cyber insurance plays in safeguarding your organisation. Drawing from real-world examples, we explore the significance of engaging professionals who possess the expertise to navigate the ever-evolving landscape of cybercrime.

Understanding the Criminal Enterprise:

It is crucial to recognise that cybercrime is not a small-scale operation. It has grown into an industry, ranking as one of the top revenue generators globally. The criminals operating in this space are professionals themselves, well-versed in conducting due diligence, identifying pressure points, and executing negotiation strategies. Consequently, it is imperative that organisations seek assistance from experts who understand the intricacies of dealing with these cyber criminals.

The Value of Cyber Insurance:

Fortunately, most insurance providers offer access to vendors who specialise in negotiating with cyber criminals. Engaging these professionals becomes even more critical in the face of a ransomware attack. Cyber insurance provides organisations with the means to mitigate the financial and reputational risks associated with such incidents. By partnering with cyber insurance providers, you gain access to experts who handle these situations regularly, providing guidance on the criminal enterprise at hand, their reliability in delivering decryption keys, and their tendency to publish data.

Learn more through our ‘Negotiating with Cyber Criminals and Cyber Insurance’ snippet

Sector Specific Scenarios:

Independent Schools:

Independent schools, like any organisation, are susceptible to ransomware attacks. The loss of student records, financial data, or intellectual property could have severe consequences for both the school and its reputation. Engaging cyber insurance vendors who possess extensive experience in negotiating with cyber criminals allows schools to navigate these challenges effectively, ensuring the safe recovery of data and minimising disruption to daily operations.

Aged Care Providers:

Aged care providers handle sensitive personal and medical information, making them prime targets for cybercriminals. A ransomware attack on an aged care facility could compromise patient privacy and disrupt critical healthcare services. By leveraging cyber insurance, providers can access specialised vendors who understand the unique challenges faced by the aged care sector. These experts guide organisations through negotiations, ensuring the restoration of services while protecting patient data.

Human Services Providers:

Organisations offering vital human services, such as disability support or crisis helplines, possess confidential data entrusted to their care. Cyber attacks targeting these organisations not only jeopardise the privacy and safety of vulnerable individuals but also hinder their ability to deliver essential services. Cyber insurance offers a lifeline, allowing human services providers to engage professionals experienced in negotiating with cyber criminals. This ensures minimal disruption to services and reinforces the organisation's commitment to its beneficiaries.

Hospitals and Healthcare:

Hospitals are particularly vulnerable to ransomware attacks due to their heavy reliance on interconnected systems and critical patient data. Such attacks can have life-threatening consequences, potentially disrupting medical services and compromising patient safety. Engaging cyber insurance vendors who specialise in working with healthcare institutions provides hospitals with the necessary expertise to navigate negotiations with cyber criminals. This expedites the recovery process and helps safeguard patient data, ensuring continuous care delivery.

Community Service Organisations:

Community service organisations play a vital role in supporting and empowering communities. Disruption to their services resulting from a cyber attack can have far-reaching consequences, impacting the lives of those they serve. Cyber insurance becomes an essential component of their risk management strategy, offering access to professionals well-versed in dealing with cybercriminals. These experts facilitate negotiations and assist in restoring services promptly, enabling community organisations to fulfill their mission.

Why understanding the threat is not enough

Negotiating with cyber criminals is a complex undertaking that requires expertise and a comprehensive understanding of the evolving cybercrime landscape. As board directors, it is crucial to recognise the magnitude of this threat and take proactive measures to protect your organisation. By engaging with cyber insurance providers and their associated vendors, you gain access to professionals who possess the knowledge and experience to navigate the intricate world of cybercrime negotiations.

Remember, cyber insurance is not just an added expense but a strategic investment in your organisation's resilience. It provides financial support, expert guidance, and peace of mind during times of crisis. The examples from the not-for-profit sector highlight the tangible benefits of cyber insurance in mitigating risks and ensuring the continuity of operations.

To learn more about Cyber Attacks and the Cyber Crime landscape, view our Webinar replay with Michael Parrant here


Understanding Cyber Security Definitions for Effective Governance

Cyber Security Key Points

  • Understanding cyber security definitions is crucial for not-for-profit organisations in the Australian sector.
  • Real-world examples highlight the importance of implementing robust security measures and frameworks.
  • View videos from Australia's leading cyber security experts

 

Safeguarding Digital Assets in the Not-for-Profit Sector

In today's increasingly digital landscape, the not-for-profit sector faces unique challenges when it comes to protecting valuable digital assets. 


From Recruitment to Retirement - Supporting the Director Lifecycle

44% of Directors are not confident their induction process effectively prepares new directors for their role on the Board. A further 54% of Directors are not confident that their Board adequately addresses succession planning. If the start and end of the Director lifecycle are like this – what is the middle like? 

GovernWith’s CEO & Founder Fi Mercer will be joined by special guest Megan Motto, CEO of Governance Institute of Australia to discuss each stage of the Director's lifecycle and their learnings. They will also provide tips on how to ensure Directors have the tools and resources they need to succeed at each stage. 


The Director Lifecycle - The unique support needed for each stage

A life cycle is a series of events bringing something new into existence, whether that’s a life, a product, or a director. The life cycle follows its growth and progression into maturity, eventual critical mass and finally, its decline. 

The stages of the Director’s lifecycle are recruitment, induction, development, mentorship, and retirement. These stages encompass the progression a director goes through over their tenure with a Board and whilst there are some common factors, the length of each stage is unique for every Board and Director. 

Let’s break down each stage: 

Recruitment 

The first step of any life cycle is important, because without the right foundation being built at the beginning, you’re setting yourself up for failure. Therefore, having the right people on your Board is key to being able to achieve your purpose. Choosing the right Directors is hard; it’s a balancing act between the people who apply and the skills, experience, qualifications, and behaviours you need to replace from the Directors departing. Knowing how these potential Directors are going to complement the existing ones (or perhaps not) is critical to ensuring that the right people are recruited.

Induction 

44% of Directors (from our governance data insights) are not confident their induction process effectively prepares new Directors for their role on the Board. This is not a comforting statistic for any new Directors who might be looking to join a Board. Having spoken to Directors old and new about what their induction programs looked like, and what works and what doesn’t, we’ve found that having an individually targeted approach is key. It’s not a good use of time and resources to be educating new Directors on something they are already experts in, nor is it wise to assume that a director already knows something, especially when it is sector related. Connecting a director’s induction program to their skills and capabilities is proving to help fast track a director’s confidence, engagement, and satisfaction.

Development 

We’ve spoken at length in previous blog posts, such as Board Skill Sets - New Requirements for a New World, about the new world we find ourselves in when it comes to the skills required on a Board. With this in mind, it’s more important than ever that we’re not only upskilling Directors in the areas that they need, but also in a way that ensures the Board is well rounded. A well-rounded Board has a combination of Sector Specific Skills, Professional skills, Contemporary skills and, of course, Behavioural Skills. Knowing where each Director’s opportunities for development lie is key to a sensible development plan rather than a scattered, generic approach. Targeted Education relevant to the identified capability gaps is proving to be far more important than the old “one size fits all” Governance Education that used to be rolled out regardless.

Mentorship 

Whilst this may not be a stage that every Director goes through or spends much time in, it is a vital step to ensure the continuation of their organisational knowledge. Where possible, it is essential that more tenured Directors take newer Directors under their wing. Even something as simple as offering to have a cup of tea before and after a Board Meeting to go over any items that they may want clarification on helps build their understanding and confidence, and ultimately helps meetings run smoother. Both also bring something to the other: the more tenured Directors offer Board experience and knowledge, and the newer Directors can remotivate those older directors who might be feeling stagnant or stuck in their Board roles. Having someone asking reignites the questions: Why are you on the Board? What is my “Why”?

Retirement 

And finally, after the Director has served their term and is ready for their next step, it’s time to consider their retirement. However, how is a director supposed to be assured that all their hard work will be continued when 54% of Directors (from our Governance Data Insights) are not confident that their Board adequately addresses succession planning? The fundamental piece to understand here is what skills are about to leave the Board, so that you can look for someone with similar skills to replace those gaps. Or it can be used as an opportunity to broaden the skills on the Board and diversify those around the table.

As we’ve outlined in the life cycle progression above, being a director is a varied position that has five unique stages, each of which has specific requirements.

Thankfully, Boardroom Plus can assist with each stage of this life cycle as well. The Individual Director Development program, which is now available, helps people who want to be Directors become more prepared, and the Whole Board Governance program includes features to help with induction, development, recruitment, mentorship, and retirement.

Book into a demonstration below 

Boardroom Plus


Planning for the future - A Boards Role

The Evolving Skillset for Directors

The skills needed to be a director are an ever-changing list, and in an environment of legislation changes, added media scrutiny and increased requirements to the scope of work required of a director, no matter the industry, it’s getting trickier for Boards to keep them.

Rising Employee Well-being Concerns

Added to this is the stressor of increasing exhaustion and burnout levels throughout every staffing level of the organisation and the struggle to replace staff who leave. A recent Deloitte survey of 2,100 employees and C-level executives across the USA, UK, Canada and Australia suggests that “nearly 70% of the C-suite are seriously considering quitting for a job that better supports their well-being.”

The Great Resignation

Looking beyond the C-suite, with the great resignation now at our shores, the Bureau of Statistics confirms that there has been an increase in the proportion of workers switching jobs – from a low of 7.5% in 2021 to 9.5% as at February 2022. Compounding this issue is a talent shortage, which is making it harder, slower and more expensive to replace the staff that leave.

The Impact on Boards and Communities

Anecdotally, we’re hearing about this a lot from Boards, CEOs and Executives who are having long-serving staff, executives and Board members leaving and taking their wealth of sector and organisation specific knowledge with them. And especially in the smaller communities, where they’ve always had a hard time recruiting Directors, it has become that much harder with the added external pressures.

A Call to Action

Fi Mercer, GovernWith’s CEO and Founder, has spoken a lot about this over the last 12 months in the Aged Care sector, from the 2021 and 2022 Govern with Care conference to the 2021 LASA Aged Services Innovation: Owning the Future Now. However, it’s an issue for all Directors and not just those in Aged Care. We believe that it is such an important element that Directors must be aware of it and act upon it before it’s too late.

Reimagining Succession Planning

Whilst this situation could be framed negatively, we think that it’s the perfect time to shake up succession planning and director appointments to give both a fresh perspective. With only 46% of Boards in 2021 feeling that they address all levels of succession planning there is room for improvement for all Boards. 

Innovative Approaches to Director Appointments

Apart from a focus on the future skills required for successful Boards there are other aspects to consider for thinking outside the box in terms of achieving director appointments. As companies are getting more creative and flexible in order to attract and retain staff members, Boards should think about doing the same for Board positions where they can. For example, there is an increase in the number of virtual director positions available where Directors who aren’t living in the community but have the skills needed by the Board are able to virtually be a part of the meetings and only travel to in person meetings on occasion. Another example is Boards who are recruiting younger professionals who are interested in becoming part of the Board but need to be upskilled in a particular area. These young professionals are then put onto sub-committees to learn and be nurtured by the more experienced Directors to gain the skills they need. This helps ensure future succession for the Board and gives opportunity to those who might not normally get it. 

Investing in Director Development

Along the same lines, more Boards are offering development opportunities for their directors as well. By organising for their directors to participate in a skills matrix to identify relevant and targeted training opportunities to upskill themselves, Boards are better able to attract professionals who are still growing their careers rather than at the end of them.

Building Collaborative Alliances in Governance

Another opportunity that boards should consider is growing their relationships with other boards in the community. These affiliations, especially in areas like health and aged care where there is a real focus on this notion of partnerships, can help to share the load of governance. 

A final question for you to think about heading into the second half of the year - Is your Board looking at the skills, qualifications, experience and behavioural attributes of everyone around the table to ensure that should something happen you’d know the real breadth of skills that were being lost? 

If you want to learn the skills, qualifications, experience and behavioural attributes of your board or for yourself as an individual, register to attend one of our demonstration sessions here 


Introducing our 2021 Governance Data Insights Whitepaper

GovernWith is about to publish our Governance Data Insights Whitepaper for 2021, covering the Top 5 Governance Risks identified in 2021 from our Governance Review and Development Programs. Each year, as part of our commitment to our governance community, we publish our findings to increase the awareness of issues in governance and help provide Boards and Councils with guidance on how they can improve and assurance that they are not alone in their governance struggles, whether they undertake their evaluations with us or not.

Our Governance Data Insights Whitepaper for 2021, covering the Top 5 Governance Risks identified from our Governance Review and Development Programs from 2018 to 2021, has been published. Each year, as part of our commitment to our governance community and to supporting a culture of continuous review and development for effective governance, we publish and share these valuable insights.

This year, our Governance Data Insights Report includes over 450 board contributions in more than 14 sectors, focusing on Corporate Governance & Director skill areas. 

The Top 5 Governance Risks for 2021 are: 

  1. Stakeholder Engagement 
  2. Strategic Direction 
  3. Continuous Review and Development 
  4. Risk Management and Compliance 
  5. Sector Specific Skills 

With 4 years of data from our growing community the data insights are even more compelling for supporting continuous review and development as key to building effective governance. 

In crafting the Whitepaper Report this year, we decided to look at our data in a new way. Usually, we group the organisations together according to the year that they have undertaken the evaluation (Annual Benchmark). This year we’ve added a twist and grouped organisations together based on the number of the evaluation they’re up to (Number of Evaluation Contributions). 

We found that, looking at the annual benchmark, the results remained relatively static year after year. However, when we sliced the data by number of evaluation contributions, we saw collective improvement that isn’t seen in the annual benchmark. It is evident that the pathway to governance improvement is continued annual evaluation, both for whole Boards and Individual Directors.


Contemporary Governance Risks: What we’ve learnt so far

It’s been a great few months being able to bring our community some insights into Climate Change, Social Inclusion and Gender Equity. This series started on the back of the large amount of legislation and requirements Boards, Directors and Executives are needing to deal with. Everyone we’ve been speaking to who is undertaking our Governance Review and Development programs is saying that they understand they need to address these topics at the Boardroom table but don’t know where to start or how they can best lead their organisations in these topics.   

Why are these topics so important?  

According to a report published by Inclusive Australia, The Inclusive Australia Social Inclusion Index: 2018 – 19 Report, “one in four Australians experience major discrimination based on their age, gender identity, sexual orientation, religion, ability or origin.”

In regards to climate change, as we all know and as the Bureau of Meteorology State of the Climate 2020 Report confirms, “There has been an increase in extreme fire weather, and in the length of the fire season, across large parts of the country since the 1950s, especially in southern Australia.” Climate change itself relates to any governing body organisation (be it small, medium, large, rural, regional or metro), because its reach and impact is far greater than just a change in the weather. The flow-on effect to the communities we serve relates to their health, safety, access to food, clean water, electricity, heating and other essential services. The ultimate impact is on the vulnerable members of our society, and whilst this is of the utmost importance to everyone, it is especially important at the Boardroom table.

And finally, gender equality, whilst improving, still has a long way to go in Australia. According to the Workplace Gender Equality Agency (WGEA), achieving gender equality will lead to “more jobs and increased GDP. These two important pieces of our economic strength, which could result in decreased poverty, higher life expectancy and better quality of life.”

Our Contemporary Governance Webinar Series  

To begin the series we spoke with Co-Founder & Non-Executive Director of Women on Boards Claire Braund about Gender Equity and Social Inclusion. 

Claire started her discussion by explaining the difference between equality and equity. To illustrate the difference, Claire used the image of people standing on the boxes below. Her image helped us to understand that equity is giving people access to what they need so that they have the same opportunity as everyone else, whereas equality is giving everyone the same access irrespective of their starting point. This point was crucial to her when she started Women on Boards: they identified that women needed a bigger leg up than men did due to the lack of women on Boards at the time.

In the third image we can see that the supports aren’t needed anymore because the fence (source of inequity) has been removed. This third scenario is one that is not often seen but ideal to strive towards. 

Claire summed up gender equity with the wonderful quote - “Gender Equity is about how we think about creating a framework to produce equal outcomes for people of different genders.” 

Claire then talked about inclusion and how it is broader than just social inclusion. There are in fact three types of inclusion: political, economic, and social. Political is about being able to have a say in decisions affecting your life, such as being able to vote. Economic is about being able to undertake paid or volunteer work. Claire points out that this is an area, as a country, in which we have work to do as the gender pay gap still sits at around 14-15%, fluctuating between different sectors. Social inclusion is about feeling valued and welcomed in interactions with other people.

An important learning that came out of Claire’s talk was that it was “important to address that diversity and inclusion are not the same thing, diversity is a state of being and not something that is governed while inclusion is a set of behaviours that can be governed and can be changed.” In other words, it is not enough to have a group of diverse people around the table; we also must behave well towards all members regardless of who they are.

In her summation Claire thinks that to address social inclusion we need to “look at our behaviours and we think about how we are behaving and what we're doing to make sure that we include all those people that are sitting on the edge of the circle.” 

In our second State of Governance webinar we spoke with Jo-Anne Moorfoot from Australian Centre of Healthcare Governance, Micaela Drieberg from Victorian Healthcare Association and Julia Cookson an expert convener for Governance Evaluator. The group spoke about Gender Equity, Social Inclusion and Climate Change and the insights they have on these topics across the health, community health, human services, and aged care sectors. 

This webinar went into great examples of how our panellists have enacted and seen others address these key areas. If you haven’t seen it yet, it’s a must watch regardless of what sector you’re in. Watch the recording here.

The main takeaway from this webinar was that real change starts from the top. Jo-Anne summed this theme up in such a thoughtful way – “it’s really important for boards to recognise the role they play in leading the organisation they are the apex they set the tone. We all know that the board sets the culture for the organisation so particularly with the issues that we've talked about today, social inclusiveness, climate change, and gender equality, if it's not important to the board how can we expect it to be important to the organisation. The board must take a leadership role and set the expectations around what they want to see happen in the organisation, what sort of actions they want to occur and then they have to follow it up with seeing the evidence. Seeing evidence means that there is actual proof that the organisation is living climate change responsibility, social inclusiveness and gender equity wholly, otherwise it won't happen.”

This also ties in perfectly with one of Claire’s comments around Boards leading culture and how “you cannot be what you cannot see.” This means that if a Board is homogeneous, non-inclusive and uncooperative, that is the behaviour and culture that is on show and the tone that has been set from the top.

What Next?  

Whilst this is the end of the discussion series, it doesn’t mean that this is the last we will or should discuss these topics – this is just the start of the conversations that need to be had around the Boardroom table and beyond. 

At Governance Evaluator we have decided to include new sub-modules into both our Board Evaluation and Director Development and Skills Matrix to ask Boards if they regularly see, discuss, and respond to evidence, both qualitative and quantitative, about the top risks relating to climate change, social inclusion, and gender equity. We will also be asking Boards if they reflect on their leadership in these areas as well. To ensure that we also gain the whole picture of the Board, and as recognition that they are important skills, we are also going to be asking Directors to rate their skills, knowledge and experience around climate change, social inclusion, and gender equity. These changes will start to be rolled out across our portal from next month.  


Having conversations about Cyber and IT in the Boardroom

The ever-changing landscape of technology brings a lot of new language to the table, which can make the conversation seem complicated and technically detailed. It doesn’t have to be.


The frequency with which we hear terms such as cyber and cyber-security reported in the news is growing – even as recently as last week with the NSW Education department being hit by a cyber-attack. The Australian Institute of Criminology has released a report putting the total economic cost of cyber-crime across Australia at $3.5 billion in 2019, including $1.9 billion lost by individual victims.

With the depth and breadth of technology needed to run and work within an organisation increasing and the ongoing maintenance of the technology that this entails, the risk the IT infrastructure poses to the organisation is also escalating. 

As a Board director, you’re empowered to question the risks of any aspect of an organisation and with that comes the need to educate yourself to understand those risks and your organisation's preparedness to respond to those risks. It’s also worth noting that the Federal Government is working on new cyber-security standards that include corporate governance, first floated in the 2020 Cyber Security Strategy, which may hold directors personally responsible for cyber-attacks.  Addressing cyber and IT infrastructure risk should be no different to addressing finance or stakeholder engagement risk for example. 

It’s important that Board directors identify these risks as organisational risks and not just an IT problem, as taking this approach will encourage your peers, stakeholders and employees to take the same approach. 

In our research into cyber-security, we found that Techradar recently reported that up to 99 per cent of cyber-attacks require human interaction to execute. This is why it is so important to bring all levels of the organisation along on the cyber and IT infrastructure conversation.

So, how do you have the conversation? 

The CEO is a lynchpin in the conversation, bringing information to the board and acting as a leader for the organisation's attitude to this topic. A great place to start is to have a strategic plan for cyber and IT Infrastructure for the organisation in place and that plan should be a regular part of the Board’s agenda and papers. 

What questions should be raised at a Board meeting?

The Australian Cyber Security Centre has published a prioritised list of mitigation strategies to assist organisations in protecting their systems, called the Essential Eight. A great question off the back of those strategies is “how do we stack up?” 

It doesn’t have to be that detailed though, as suggested in the book The Secure Board, some great questions are: 

  • Do we know who has access to our critical information assets and how is this monitored and managed? 
  • What happens in the event a key supplier is compromised? 
  • In our security team, how many people are focussed on the security of technology, and how many are focussed on the behaviours of our people? 
  • Are we doing everything we can for our customers to protect their data that we hold? 

The most important thing though, is that the cyber and IT infrastructure conversation at the Board room level starts straight away before an incident occurs. The acceptance of these risks as organisational risks needs to be guided from the top, to then filter down through the whole organisation. 

If you’d like to hear more from experts in the field, watch our recent webinar Cyber Security for Boards where Fi Mercer chats with Anna Leibel and Claire Pales about how it’s no longer a question of if you need to know about cyber-security but when you’re going to learn. 

This article takes inspiration from Anna and Claire’s book, The Secure Board, which is a fantastic starting point for assuring your board is addressing and understanding the cyber risk in your organisation.

Cyber Security and Boards

Last year cybercrime increased 600% globally. In 2021, cyber is expected to be a $6 trillion business which will make it more profitable than the illicit drug trade. 

Blog by Claire Pales and Anna Leibel, co-authors of The Secure Board and Directors of The Secure Board Advisory 

“In our book "The Secure Board", which was released in March 2021, and at the May Governance Evaluator webinar we explain cyber risk in non-technical terms so you will have confidence next time your IT or security leader attends your Board meeting.” 
- Claire Pales and Anna Leibel, authors of The Secure Board and Directors of The Secure Board Advisory 

Written for current and aspiring Board members, "The Secure Board" provides the insights you need to ask the right questions, to give you the confidence your organisation is cyber-safe. Designed to be read either in its entirety or as a reference for a specific cyber security topic on your upcoming board agenda, "The Secure Board" sets aside the jargon in a practical, informative guide for Directors. 

"The Secure Board" is the second book from Claire Pales and the first for her co-author Anna Leibel. Claire and Anna are the founders of the boutique advisory firm The Secure Board and leading experts in cyber security and technology. They are independent advisors who have worked with many boards and committees in both Australia and Asia. Anna is also a current director on the board of Ambulance Victoria. Based on their work with boards and executives, their local research and global trends in cyber, the book covers the 5 key elements of cyber knowledge that Directors expressed concerns about when it came to managing cyber risk.

“I recommend The Secure Board as essential reading for all leaders. It will equip you with the knowledge and foresight to protect your information and your people.” 
– David Thodey AO, Chair of CSIRO 

“[This book] will challenge you to stop, to reflect and then re-set some of your governance thinking. Anna and Claire, you have made a great contribution to the development of all Directors who choose to pick up this book” 
– Ken D. Lay AO APM FAICD, Lieutenant-Governor of Victoria 

 

Compliance Governance and the Need for a Fourth Line of Defence Model

Blog by Brendan Moore, General Manager Member Services, Leading Age Services Australia. 

Aged care governing bodies need independent audits to reassure them of operational compliance. 

All organisations engage independent, external auditors for their financial reports. However, there is a strong case for governing bodies to engage independent, external auditors for their operational performance. 

While internal audit plays a key role in the corporate governance structure to provide ongoing assurance on the effective management of risk within an organisation, there are many organisations that do not have a formalised, structurally independent role of internal audit within their business. 

For those organisations that do have such a role, there is a case to be made for a fourth line of defence in the form of an external auditor of operational compliance. 

According to the Chartered Institute of Internal Auditors (CIIA), ‘internal audit is a cornerstone of an organisation’s corporate governance’. 

Many aged care providers will be limited in their ability to resource such a function and governing bodies will be reliant on the first and second lines to provide reports via senior management. 

There have been notable instances in the Aged Care Royal Commission where such an approach has been found wanting for a variety of reasons (e.g. management withholding information, inadequate systems for documenting and interpreting risk information, processes not identifying key risks). 

For these reasons, boards need to be aware of potential conflicts of interest and ensure they take measures to safeguard the objectivity of internal audit. 

The CIIA lists four key issues for Directors to ask about and be reassured upon with regard to any internal audit function:

  1. It must be structurally independent and report directly to the governing body. (Noting that any internal audit also needs to have access to management information and have a good relationship with management.) 
  2. The function must be properly resourced and staffed by a person with appropriate knowledge, skills and experience. 
  3. It should focus on the greatest risks to the organisation and have a plan executed to respond to these. 
  4. The scope of activity is the whole business and it should be unrestricted in pursuing its role purpose. 

Leading Age Services Australia (LASA) is engaged by many operators to conduct ad hoc gap analysis/mock audit services. These engagements are invariably by management, who sometimes may be a contributing factor in operational compliance—for better or worse. 

As the diagram indicates, using LASA to substitute for internal audit in compliance risk/audit can be appropriate in circumstances where it is not possible to resource such a role internally.

While ad hoc, it is fair to say ‘at least it is happening’. For organisations that do not engage a substitute, or employ their own internal audit function, or an external audit service reporting to the governing body, only the first, second and fifth lines are active. With the fifth line being the regulator, this represents a risk retention setting that has left some aged care providers exposed to adverse compliance findings. Often-stated responses such as ‘we didn’t know’ or ‘this result has completely surprised us’ do not inspire confidence in the regulator about the organisation’s audit and governance processes.

Research conducted in 2019 with attendees at LASA’s Governance in Aged Care workshops indicated that governing bodies could increase their focus and time on ensuring statutory and regulatory compliance, particularly with the heightened focus on organisational governance in Standard 8 of the Aged Care Quality Standards. 

Reliance on management by governing bodies may expose them to liabilities and risks that independent audit of varying areas of operational performance may identify, mitigate and possibly eliminate. 

If you are a Director of an age services provider, the following questions are worth reflecting on: 

  1. Do you have a compliance plan that considers the regulatory framework and a stand-alone compliance/clinical governance committee supplemented by independent auditing? 
  2. Are you confident you are fully informed of the areas you are ultimately accountable for under Standard 8 of the Aged Care Quality Standards? 
  3. Is there sufficient focus on quality, safety and clinical governance within your governing body’s activities?  

Data Driven Governance Insights - Continuity is the Key to Remaining Resilient

As we touched on in last month’s webinar (which you can watch here), resilience and governance go hand in hand. Kerri Rivett, CEO of Royal Freemasons and Board member of LASA, spoke about the need for directors and boards to have dual skills: monitoring risk on a daily basis while also taking time for blue sky thinking and strategic planning. She went on to describe this as the ability to pivot, adapt and thrive, something that she and her executives and board believe in. In Kerri’s view this is a key element of resilient governance.

Building on this, resilience and director development also go hand in hand. They are both integral to good governance and an overall positive experience on the board. Resilience isn’t built in a day. It takes time and commitment, and it’s about fostering skills so that you have the capacity to learn, cope, adapt, and transform in the face of everyday events as well as shocks and stresses.

Through our governance data insights this month we’re showing how important director development is for resilience. We have identified crucial elements that need to be taken into account. These are both the director’s professional and sector-relevant skills. We have also identified the importance of directors understanding their culture and contribution requirements. Our infographic highlights the average results from the Director Development and Skills Matrix evaluations. This data is the result of over 700 director contributions over the last three years.

What we are seeing is that directors’ sector-specific skills and experience are 11% lower than their professional, culture and contribution skills and experience. This highlights the importance of ongoing review, training and development in relation to the sector that the director is in.

Through Governance Evaluator's convening role with many boards, we have discovered that organisations that engage in ongoing individual director review and development, in particular for areas relating to their sector knowledge and experience, describe an improvement by year two. They find improvement in their ability to be more discerning, more strategic and more aware of their top organisational risks. This is therefore a crucial piece for the evolution of a resilient board.

Below is an example of how, in the health and aged care sectors over the last three years, results improved when directors targeted sector skills as their area of training.

Our findings in relation to this also align with a recent article by the Governance Institute of Australia, in which they state - “By 2025, governance professionals will need to be keeping pace with rapid changes and a broader set of issues affecting their organisations. That means they will have to continually maintain and improve their knowledge base and skill set.” They conclude the article with the summation that - “Overall, participants believed that a combination of experience and ongoing education was needed to build the level of awareness needed for the governance professional role.” You can read the full article here.  

If you are interested in getting involved in engaging with a program of continuous development and review, click here to find out more or contact our governance expert below to see how we can help you. 

Data Driven Governance Insights - Governance Resilience

As we started to touch on in last month’s blog post, year three is a magic number in the evaluation journey. The third year is when we see surface level issues, such as risk management, board meetings and agendas, and governance systems and processes, resolving or resolved and the real work beginning for deeper level improvements. This resulted in ongoing increases in the average board evaluation results in years four and five. Boards often describe themselves at this time as being more discerning, strategic, able to have the tough conversations and knowing what they don’t know at this point in their journey. 

Our last webinar touched on this as well. Our panel of chairs and CEOs spoke about how they are using governance data to inform their decisions and what their journeys have been like over the last three years. The big takeaway was that it isn’t about turning every answer of the evaluation into a green; it was about becoming more discerning in their answers and self-evaluations and finding the areas that still needed to be worked on and improved. They didn’t see it as a bad thing to have areas to work on, rather a positive that they were mature enough to identify these areas. By taking this approach, the boards are building their own resilience.

Developing governance capabilities and governance resilience seem to go hand in hand. However, you’ve got to be in it for the long haul to see this occur. It’s not just about evaluating once – you’ve got to work on the actions from your results, you’ve got to keep coming back and most of all, you’ve got to surround yourself with the best people to help you grow and succeed.

In this month’s data driven governance insights we wanted to showcase examples of resilience that we’ve seen in our Governance Evaluator Crowd data. For each of the eight key corporate governance modules in our governance evaluation we’ve mapped out the average board answers over five evaluation years and separated these by sector. 

Our eight key corporate governance modules are Strategic Direction, Risk Management and Compliance, Finance, Governance Relations, Board Composition, Board Processes, Stakeholder Engagement and Continuous Review and Development. We have data from 10 of our sectors, with 5 years of data for Health and Community, 4 years for Water Boards, 3 years for Aged Care, and 2 years for Local Government and Waste and Resource Recovery Groups. For interest, we have also included the following sectors that currently have one year of data, to show their starting point: Education, Associations, Finance and Sport. This totals over 480 evaluations, with over 5,000 directors’ results contributing to our Governance Evaluator Crowd.

As we can see from the above graph, for all except the last two modules, the 10 sectors all follow a similar path in their results, starting low but increasing over the 5 years. Sometimes this increase is drastic, as in Risk Management and Compliance, where we see an average 23% increase in the answers given. In terms of our evaluation scale this would increase the average answers from a yellow to a solid green. Sometimes the increase isn’t as drastic, as in Finance, where we only see an average increase of 12%, but it is an increase nonetheless.

For the first 6 modules, the results show that the answers are low in the first year, with a small increase in the second and subsequent increases in the fourth and fifth year. Overall, the answers are clustered closely together.

The interesting part of these results is the great variance in year three. All of the sectors see increases in some modules and decreases in others, which would account for why, in last month’s data insights, we saw a plateau in the overall results for the third year. This is where we see growth in resilience: the boards are becoming more discerning in their answers, and they’re having those difficult discussions that our webinar panellists spoke about. The great thing that we see, though, is that after every dip in the average answers across those first six modules, there is a subsequent increase. What this shows us is that boards are taking the results from the last evaluation and acting on them. They are working to create an action plan to address the areas that need attention and then, over the course of the year, completing the areas that they set out for themselves.

The last two modules are completely different. Stakeholder Engagement and Continuous Review and Development do not look similar to any of the other graphs: the sectors are not clustered together, and there is a definite spread in the way that these sectors are answering these questions. No two sectors were similar in their journey with these modules.

Stakeholder Engagement and Continuous Review and Development were both identified as part of our analysis of 2019’s Benchmark data as two of the top five areas of risk. If you want to see where you’re sitting compared to our 2019 Benchmark data, take our 2-minute survey on Risk Management and Stakeholder Engagement for an instant comparison below. 
