GovernWith Blog

GovernWith blog for Boards, Directors and Executives who want to develop their governance capabilities so they achieve their strategic goals and mitigate risk


Director Transition Cycles - Planning Transition

Mastering Director Transitions for Enhanced Board Effectiveness

In today's complex board management landscape, growing operational complexity has raised stakeholder expectations. There's a growing belief that director competencies should mirror those in the corporate world. Boards, irrespective of their sector, are now expected to play a pivotal role in risk management, offer strategic guidance to senior management, and lead succession planning initiatives.


Navigating Director Transitions: Elevating Governance Through Collaboration

The query arises – who monitors the board? Though largely a self-regulated exercise, fostering a strong relationship between the board and senior management can yield superior governance outcomes. This collaboration transforms the board from being a risk to an invaluable asset. When structured and managed adeptly, a board can evolve into a competitive advantage, a desirable feature across various sectors.

In this context, a crucial question surfaces – how should boards navigate director transitions? A holistic response is vital, transcending industry boundaries. Veteran experts Rebecca and Fi guide us through the intricate director transition cycle, encompassing stages such as recruitment, induction, development, and retirement.

Proactive Measures for Director Vacancies:

The heart of the director transition cycle lies in its capacity to revolutionise how boards approach vacancies. Rather than reactive actions, foresighted planning is key. It involves projecting beyond immediate needs, aligning incoming directors with the organisation's ethos, culture, and long-term objectives.

Rebecca Murphy advocates for strategic planning as an antidote to director vacancies. Beyond addressing immediate gaps, a proactive stance demands a comprehensive strategy that unites incoming directors with the organisational values and overarching goals.

Embracing Diversity and Skills for a Robust Board:

Fi Mercer stresses the significance of cultivating diversity in board composition. Going beyond skill-centricity, contemporary recruitment demands a broader approach. Directors must possess a profound sectoral understanding, blend professional acumen with modern proficiencies, and encompass environmental, social, and governance skills – crucial for manoeuvring modern governance complexities.

Interestingly, diversity extends beyond skills and sector insights, encompassing leadership styles, behaviours, and representation of minority groups. This holistic view enriches board dialogues, nurturing an all-encompassing perspective in sync with the organisation's intricate dimensions.

A Comprehensive Approach to Director Transition Planning:

Embracing the core tenets of the director transition cycle, boards – irrespective of their sector – should anchor their approach in foresight and strategic depth. A proactive strategy anticipates vacancies, aligns incoming directors with organisational objectives, and champions diversity in skills and viewpoints. The cycle's components of recruitment, induction, development, and retirement transcend sectors, fostering effective governance that propels organisations toward sustainable triumph.

In essence, the director transition cycle offers more than just reactive governance tactics. It heralds a paradigm shift that harmonises directors' roles across diverse sectors, elevating them to strategic architects. As organisations navigate the labyrinthine landscape of governance, the director transition cycle emerges as a guiding light, directing them toward a future where boards not only govern but also flourish, shaping their realms with unmatched precision.

Ransomware Attacks

Safeguarding Your Organisation Against Ransomware Attacks:

A Comprehensive Guide for Governance and Boards

In the ever-evolving digital landscape, the spectre of ransomware attacks looms large over organisations of all sizes. These malicious cyber threats can have catastrophic consequences, compromising sensitive data, disrupting operations, and causing financial and reputational harm. As ransomware attacks become more sophisticated, it is crucial for governance bodies and boards to take proactive measures to protect their organisations. This article delves into the significance of ransomware attacks, their implications for governance, and strategies to fortify cybersecurity defences.


Understanding Ransomware Attacks:

Ransomware attacks involve the unauthorised encryption of an organisation's data, rendering it inaccessible until a ransom is paid to the attackers. These attacks often exploit vulnerabilities in systems, networks, and human behaviours. The cost of these attacks extends beyond the ransom itself, encompassing downtime, data recovery, legal and regulatory penalties, and damage to reputation.

The Role of Governance and Boards:

Governance bodies and boards play a pivotal role in safeguarding organisations against ransomware attacks. Their responsibilities encompass setting cybersecurity policies, allocating resources for cybersecurity measures, and overseeing risk management strategies. Recognising that ransomware attacks can have far-reaching implications, boards must actively engage in cybersecurity discussions and decision-making.

Implications for Governance and Boards:

Strategic Integration: Ransomware attacks have far-reaching consequences that extend beyond IT departments. Boards need to integrate cybersecurity considerations into their strategic planning processes. A cyber incident can disrupt operations, erode stakeholder trust, and undermine long-term objectives. Boards must ensure that cybersecurity is part of the overall risk management strategy.

Risk Mitigation: Ransomware attacks represent a significant risk to organisations. Boards need to collaborate with cybersecurity experts to identify vulnerabilities and implement robust risk mitigation strategies. This includes regular security assessments, employee training, and maintaining up-to-date security protocols.

Financial and Reputational Impact: Beyond the financial cost of ransom payments and recovery efforts, boards must consider the reputational damage that a successful ransomware attack can inflict. A breach can erode customer trust, damage brand reputation, and lead to customer attrition. Boards should oversee crisis communication plans and ensure transparency in case of an attack.

Regulatory Compliance: Many industries are subject to strict data protection regulations. Ransomware attacks can lead to violations of these regulations, resulting in legal penalties. Boards need to ensure that their organisations adhere to relevant compliance standards and that cybersecurity measures align with regulatory requirements.

Strategies for Fortifying Cybersecurity Defences:

Multi-Layered Defence: Implement a multi-layered cybersecurity approach that includes firewalls, intrusion detection systems, encryption, and endpoint security. Boards should ensure that cybersecurity budgets allocate resources to these critical components.

Employee Training: Human error remains a common entry point for ransomware attacks. Boards should emphasise the importance of ongoing cybersecurity training for employees. Phishing prevention and proper handling of suspicious emails are crucial aspects of employee education.

Incident Response Plan: Develop a comprehensive incident response plan that outlines actions to take in the event of a ransomware attack. Boards should review and approve this plan, ensuring that it covers communication strategies, data recovery processes, and coordination with law enforcement.

Vendor Risk Management: Third-party vendors can be a source of vulnerability. Boards should assess the cybersecurity practices of vendors and demand compliance with security standards as part of their contracts.

Conclusion:

Ransomware attacks are an ever-present threat that demands the attention of governance bodies and boards. By understanding the implications of these attacks, boards can actively contribute to the development of robust cybersecurity strategies. The collaboration between boards, management, and cybersecurity experts is essential in fortifying an organisation's defences against ransomware threats. Through strategic integration, risk mitigation, and proactive measures, governance bodies can safeguard their organisations and ensure their continued success in the digital age.

Risk Appetite and Tolerance Statements in Governance

Risk Tolerance and Risk Appetite Statement in Governance

A risk tolerance statement is like a compass that helps organisations navigate the uncertain waters of risk management. It is an important tool that allows organisations to assess their ability to handle risks. Consider it as a test to determine your risk appetite.

Crafting a well-defined risk tolerance statement sets the stage for effective risk management. It establishes the boundaries within which an organisation can comfortably operate, ensuring that risks are neither ignored nor exaggerated. With this foundation in place, businesses can make informed decisions and take calculated risks that align with their objectives.

So, let's dive into the world of risk tolerances and explore how they empower businesses to navigate uncertainty with confidence. Get ready to unlock the secrets behind these powerful statements and unleash your potential for success in achieving your business objectives.

But first, what exactly are risk tolerance statements? And why do they matter? Let's find out in the following paragraphs.

 

Importance of Risk Management and Governance:

Effective risk management and governance are crucial for the success of any organisation. They play a vital role in identifying, assessing, and mitigating potential risks that could hinder the achievement of strategic goals and objectives. By implementing proper risk management practices, organisations can make informed decisions, capitalise on opportunities, and protect their stakeholders' interests.

Identifying Risks:

One of the primary purposes of risk management is to identify potential risks that an organisation may face in its projects. This involves conducting a comprehensive risk assessment to evaluate both internal and external factors that could impact the business and its front-line staff. By proactively identifying risks, organisations can develop strategies to address them before they escalate into significant issues.

Assessing Risks:

Once risks have been identified, it is essential to assess their potential impact on the organisation. This involves evaluating the likelihood of occurrence and the magnitude of each risk. By quantifying risks through various models and techniques, such as probability analysis or scenario planning, organisations can prioritise their response efforts accordingly.

Mitigating Risks:

Risk management aims to minimise or eliminate potential threats through effective mitigation strategies. These strategies involve implementing controls and safeguards to reduce the likelihood or impact of identified risks. For instance, organisations may establish internal policies and procedures to ensure compliance with regulations or enhance customer service standards.

Compliance with Regulations:

Compliance with regulations is a critical aspect of risk management and governance. Organisations must adhere to applicable laws and industry standards to avoid legal penalties or reputational damage. By incorporating risk management practices into their operations, companies can ensure they meet regulatory requirements while safeguarding their reputation.

Protection of Stakeholders' Interests:

Risk management also serves as a means to protect stakeholders' interests. Whether it's shareholders, employees, customers, or government agencies, all parties involved have vested interests in an organisation's success. Through robust risk governance frameworks that include oversight from committees or boards responsible for managing risks at different levels, organisations can demonstrate their commitment to protecting stakeholders' interests.

Informed Decision Making:

Risk management provides decision-makers with valuable insights and information. By considering potential risks and their potential impact on strategic objectives, organisations can make more informed decisions. This allows them to seize opportunities while minimising the likelihood of negative outcomes.

Capitalising on Opportunities:

Risk management is not solely about avoiding or mitigating risks; it also enables organisations to capitalise on opportunities. By identifying and assessing potential opportunities, organisations can allocate resources effectively and pursue initiatives that align with their business objectives. Risk management helps ensure that these opportunities are evaluated within a controlled framework, balancing potential rewards with associated risks.

Understanding the Concept of Risk Tolerance:

Risk tolerance is a vital aspect of any organisation's decision-making process. It refers to the level of risk an organisation is willing to accept in pursuit of its objectives. By evaluating potential risks and their impact on business goals, companies can prioritise resources and make informed decisions.

What is Risk Tolerance?

Risk tolerance can be defined as an organisation's willingness to accept certain levels of risk. It serves as a measure of how much uncertainty a company is comfortable with when pursuing its objectives. Different organisations may have varying degrees of risk tolerance based on their industry, size, financial position, and overall business strategy.

Evaluating Potential Impact

Understanding risk tolerance involves assessing the potential impact that risks can have on an organisation's objectives. This evaluation helps identify which risks are acceptable and which ones need mitigation strategies. By considering the potential consequences of different risks, companies can determine whether they align with their risk appetite or if additional measures are required to manage them effectively.

Prioritising Resources

One practical application of risk tolerance is resource allocation. When organisations understand their risk tolerances, they can allocate resources more effectively by focusing on areas that pose higher risks or have greater potential impacts. This ensures that resources are utilised efficiently and that efforts are directed towards managing risks that could significantly hinder the achievement of business goals.

Making Informed Decisions

Another benefit of understanding risk tolerance is the ability to make informed decisions. With a clear understanding of their willingness to accept risk, organisations can evaluate various options and choose those that align best with their desired level of exposure. By considering risk tolerances during decision-making processes, companies reduce the likelihood of taking unnecessary gambles or overlooking critical factors.

Differentiating Between Risk Appetite and Risk Tolerance:

Understanding the Difference

It's essential to have a clear understanding of the terms "risk appetite" and "risk tolerance." While these two concepts are related, they focus on different aspects of risk management. Risk appetite pertains to an organisation's desired levels of risk-taking, while risk tolerance deals with acceptable levels of risk exposure.

Risk Appetite: Strategic Goals

Risk appetite reflects an organisation's strategic goals. It defines how much risk an organisation is willing to take in pursuit of its objectives. This concept helps establish boundaries for decision-making by outlining the level of uncertainty that an organisation is comfortable with. For example:

  • A tech start-up aiming for rapid growth might have a high risk appetite, as it seeks to disrupt existing markets and capture market share.
  • On the other hand, a conservative financial institution may have a low risk appetite due to its focus on stability and security.

By defining risk appetite, organisations can align their actions with their strategic objectives while avoiding excessive or unnecessary risks.

Risk Tolerance: Operational Capabilities

While risk appetite sets the overall direction, risk tolerance considers an organisation's operational capabilities. It determines the amount of risk exposure that an organisation can handle without compromising its ability to function effectively. Factors such as financial resources, expertise, infrastructure, and regulatory requirements influence an organisation's risk tolerance.

For instance:

  • A small business with limited resources may have a lower risk tolerance compared to a large corporation.
  • An organisation in a heavily regulated industry may have stricter risk tolerance limits due to its legal obligations.

By assessing their operational capabilities and identifying acceptable levels of risk exposure, organisations can ensure they operate within manageable boundaries while pursuing their objectives.

The Synergy between Risk Appetite and Risk Tolerance

Risk appetite and risk tolerance work together as complementary components in effective risk management. While one sets the overarching strategic direction, the other ensures that actions remain within acceptable operational limits. This synergy allows organisations to strike a balance between taking risks and maintaining stability.

By understanding their risk appetite and risk tolerance, organisations can make informed decisions when faced with uncertainties. Here are some benefits of integrating these concepts:

  1. Enhanced Decision-Making: Having clarity on risk appetite and tolerance empowers decision-makers to evaluate potential risks against defined boundaries.
  2. Improved Resource Allocation: Organisations can allocate resources more efficiently by aligning them with acceptable levels of risk exposure.
  3. Strengthened Risk Management Culture: Integrating risk appetite and tolerance into an organisation's culture helps foster a proactive approach towards managing risks.
  4. Effective Communication: Clear articulation of risk appetite and tolerance enables effective communication across all levels of an organisation, ensuring everyone understands the boundaries.

The Significance of a Risk Tolerance Statement:

Setting the Boundaries

A risk tolerance statement is more than just a piece of paper; it sets the boundaries for acceptable levels of risk across an organisation. It provides clear guidelines that help decision-makers navigate the complex landscape of uncertainties and make informed choices. By defining what risks are deemed acceptable, organisations can avoid unnecessary exposure to potential threats and ensure they stay within their comfort zone.

Aligning Objectives and Values

Organisations must align their decision-making processes with their objectives and values. A well-crafted risk tolerance statement serves as a compass, guiding leaders towards choices that are in line with their strategic goals. It helps them prioritise risks based on their impact on organisational performance, reputation, or compliance requirements. By incorporating these considerations into the decision-making process, organisations can ensure that they remain true to their mission while effectively managing potential pitfalls.

Effective Communication

In any organisation, effective communication is key to success. A risk tolerance statement plays a crucial role in facilitating this communication by providing a common language for discussing risks among stakeholders. When everyone understands the organisation's stance on risk-taking, it becomes easier to have meaningful conversations about potential threats and opportunities. This shared understanding fosters collaboration and allows for better-informed decisions at all levels.

To illustrate the significance of a risk tolerance statement further, let's delve into each talking point in more detail:

A clear risk tolerance statement provides guidance on acceptable levels of risk across the organisation.

Imagine navigating through uncharted waters without a map or compass – you would be lost! Similarly, without a clear risk tolerance statement, organisations may find themselves adrift. This statement acts as a guidebook that outlines what level of risk is considered acceptable within different areas of operation. It helps employees understand where they should exercise caution and where they can push boundaries within predefined limits.

It aligns decision-making processes with organisational objectives and values.

Every organisation has its own set of objectives and values that guide its actions, and day-to-day decisions should take them into account. A risk tolerance statement serves as a bridge between the strategic goals of an organisation and the decisions made on a day-to-day basis. By explicitly stating the boundaries within which risks are acceptable, organisations ensure that their actions are consistent with their overarching mission.

The statement enables effective communication about risks among stakeholders.

Communication is the lifeblood of any successful organisation. Without clear lines of communication, misunderstandings can arise, leading to misaligned expectations and potentially disastrous consequences. A risk tolerance statement acts as a common language for discussing risks among stakeholders, whether they are executives, managers, or frontline employees. It helps facilitate meaningful conversations by providing a shared understanding of what risks are deemed acceptable and what level of risk-taking is appropriate in different situations.

Defining Risk Appetite, Risk Tolerance, and Residual Risk:

Risk appetite, risk tolerance, and residual risk are crucial concepts in understanding and managing risks within an organisation. Each term represents a different aspect of how organisations approach uncertainty and make decisions to protect their objectives. Let's delve into the definitions of these terms to gain a better understanding.

Risk Appetite:

Risk appetite refers to the level of uncertainty or risk an organisation is willing to accept while pursuing its goals. It sets the boundaries for how much risk an organisation is comfortable taking on in order to achieve its desired outcomes. Determining risk appetite involves considering factors such as financial capacity, strategic objectives, regulatory requirements, and stakeholder expectations.

Organisations with a high risk appetite are more inclined to embrace uncertainty in pursuit of higher rewards. They may be open to exploring innovative strategies or investing in emerging markets with potentially greater returns. Conversely, organisations with a low risk appetite prioritise stability and prefer conservative approaches that minimise potential losses even if it means sacrificing potential gains.

Risk Tolerance:

Risk tolerance defines the threshold at which specific risks become unacceptable or intolerable for an organisation. It helps determine when risks should be mitigated or avoided altogether. While risk appetite sets the overall tone for accepting uncertainty, risk tolerance provides a more granular assessment of acceptable levels of specific risks.

An organisation's risk tolerance can vary across different types of risks based on their impact on key objectives. For example, a company might have a higher tolerance for market volatility but lower tolerance for cybersecurity breaches due to potential reputational damage or legal consequences.

To assess risk tolerance effectively, organisations often establish criteria that consider factors such as financial impact, operational disruption, legal compliance, reputation damage, and stakeholder perception. By defining these thresholds clearly, organisations can make informed decisions about which risks require mitigation measures.

Residual Risk:

Residual risk refers to the level of uncertainty that remains after implementing risk mitigation measures. It represents the risk that persists despite an organisation's best efforts to reduce or eliminate it. Residual risk is an essential consideration as it helps organisations evaluate whether their risk management strategies and controls are effective in reducing the overall level of uncertainty.

When assessing residual risk, organisations need to evaluate the effectiveness of their existing controls and determine if additional measures are necessary. This evaluation may involve monitoring key risk indicators, conducting periodic assessments, and reassessing risks as the business landscape evolves.

It's important to note that residual risk can never be completely eliminated since some level of uncertainty will always exist. However, by understanding and managing residual risks effectively, organisations can minimise potential negative impacts on their objectives.

Defining Metrics for Risk Tolerance:

When assessing risk tolerance, having defined metrics is crucial. These metrics serve as quantifiable benchmarks that help evaluate an individual's or organisation's ability to handle risks.

Financial Metrics:

Financial indicators play a significant role in determining risk tolerance levels. Here are some key financial metrics commonly used:

  1. Return on Investment (ROI): ROI measures the profitability of an investment relative to its cost. It helps assess how much return can be expected from taking on a particular level of risk.
  2. Loss Thresholds: Establishing loss thresholds is essential for managing risk effectively. This metric sets limits on the amount of loss an individual or organisation is willing to tolerate before taking action.
  3. Volatility Index (VIX): The VIX measures market volatility and investor sentiment. A higher VIX indicates higher perceived risks, while a lower VIX suggests lower perceived risks.

Non-Financial Metrics:

While financial metrics provide valuable insights into risk tolerance, non-financial metrics are equally important in assessing overall resilience and adaptability. Here are some non-financial metrics that can be considered:

  1. Customer Satisfaction Ratings: Monitoring customer satisfaction levels helps gauge how well an organisation can withstand potential risks related to customer dissatisfaction or churn.
  2. Employee Turnover Rates: High employee turnover rates may indicate underlying issues within an organisation that could impact its ability to handle risks effectively.
  3. Regulatory Compliance: Adhering to regulatory requirements is crucial for mitigating legal and reputational risks associated with non-compliance.
  4. Innovation Index: Assessing an organisation's innovation index provides insights into its ability to adapt and stay ahead in dynamic market conditions, which in turn informs its overall risk appetite and risk assessment.

By utilising both financial and non-financial metrics, individuals and organisations can gain a comprehensive understanding of their risk tolerance levels and make informed decisions accordingly.

Exploring the Differences between Risk Appetite and Risk Tolerance

Understanding the Basics

Risk appetite and risk tolerance are two crucial concepts in managing risks effectively. Although interconnected, they serve different purposes in guiding decision-making and shaping operational capabilities. Let's delve into the differences between these two terms to gain a clearer understanding.

Risk Appetite: Strategic Objectives

Risk appetite primarily focuses on strategic objectives. It refers to an organisation's willingness to take on risks in pursuit of its goals and objectives. Think of it as the speed limit on a highway; it sets the range within which an organisation is comfortable operating. This concept helps define how much risk an organisation is willing to accept in order to achieve its desired outcomes.

To illustrate this further, consider a company that wants to expand its market share by entering new territories. The risk appetite would determine how aggressively they pursue this expansion, considering factors such as potential losses, competition, and market conditions. A high risk appetite might lead them to enter multiple markets simultaneously, while a low risk appetite may result in cautious expansion strategies.

Risk Tolerance: Operational Capabilities

On the other hand, risk tolerance deals with operational capabilities. It represents an organisation's ability to withstand or absorb risks at various levels without compromising its day-to-day operations. In our analogy, think of risk tolerance as your own driving skills and comfort level behind the wheel—how much uncertainty can you handle while still maintaining control?

A risk tolerance statement outlines specific limits or boundaries within which an organisation can operate comfortably given its resources, expertise, and capacity for absorbing potential losses. It helps determine how much risk an organisation can bear without jeopardising its core functions or long-term sustainability.

For instance, let's say a manufacturing company has identified machine breakdowns as a potential risk that could impact their production schedule. Their risk tolerance statement might specify acceptable downtime limits and establish contingency plans for minimising disruptions caused by equipment failures.

Interconnected Yet Distinct

While risk appetite and risk tolerance are interconnected, it's essential to understand that they serve different purposes. Risk appetite guides decision-making at a high level, helping organisations set their goals and determine the amount of risk they are willing to take on. On the other hand, risk tolerance influences day-to-day operations, ensuring that risks are managed within acceptable limits.

By having a clear understanding of both concepts and incorporating them into their risk management strategies, organisations can strike a balance between ambition and prudence. This allows them to pursue growth opportunities while mitigating potential losses effectively.

Practical Guidance on Writing a Risk Appetite Statement:

Identify key risks relevant to the organisation's industry and objectives.

When crafting a risk appetite statement, it is essential to identify the key risks that are most relevant to your organisation's industry and objectives. This step allows you to gain a comprehensive understanding of the potential challenges your organisation may face and enables you to develop strategies to mitigate those risks effectively.

To identify these key risks, start by conducting a thorough analysis of your industry. Look into any specific trends or developments that could impact your organisation's operations. Consider the unique characteristics of your business and its objectives. By understanding these factors, you can pinpoint the areas where risks are most likely to arise.

Once you have identified the key risks, categorise them based on their potential impact on your organisation. This categorisation will help you prioritise which risks require immediate attention and which ones can be managed over time.

Clearly define desired levels of risk-taking aligned with strategic goals.

A well-written risk appetite statement should clearly define the desired levels of risk-taking that align with your organisation's strategic goals. It serves as a guiding principle for decision-making processes across all levels of your business.

To define these desired levels, first assess how much risk your organisation is willing to undertake in pursuit of its objectives. Consider both short-term and long-term goals when determining this threshold. For instance, if one of your objectives is rapid growth, you may need to tolerate higher levels of risk than an organisation focusing on stability or longevity.

Next, establish specific parameters for each category of risk identified earlier. These parameters should outline acceptable ranges within which decisions can be made without exceeding the defined risk appetite. Be sure to include quantitative metrics whenever possible so that stakeholders can easily understand and measure adherence to the stated limits.

Ensure the statement is concise, measurable, and easily understood by stakeholders.

When drafting a risk appetite statement, it is crucial to ensure that it is concise, measurable, and easily understood by stakeholders. This clarity will facilitate effective communication and decision-making throughout the organisation.

To achieve conciseness in enterprise risk management, it is important to use clear and straightforward language. Avoid unnecessary jargon or complex terminology that may confuse readers during the risk assessment process. Keep the statement focused on the essential points without sacrificing necessary details. This approach helps in identifying appropriate risk levels and determining if a particular risk is low or high.

Measurability is another critical aspect of a risk appetite statement. It allows stakeholders to assess whether their actions are within the defined boundaries. Incorporate specific metrics or indicators that can be used to evaluate risk levels and monitor compliance over time.

Lastly, make sure the statement is easily understood by all relevant stakeholders. Consider their varying levels of familiarity with risk management concepts and tailor your language accordingly. Use examples or analogies to illustrate key points and ensure everyone can grasp the intended meaning.

By following these practical guidelines, you can develop a robust risk appetite statement that aligns with your organisation's objectives, provides clear direction for decision-making processes, and enhances overall risk management practices.

Understanding the Relationship between Risk Appetite and Risk Tolerance

Setting Boundaries: Risk Appetite and Acceptable Risks

Risk appetite and risk tolerance are two crucial concepts that organisations must understand to effectively manage risks. While risk appetite sets the boundaries for acceptable risks, risk tolerance determines specific thresholds within those boundaries.

Risk appetite refers to an organisation's willingness to take on risks in pursuit of its objectives. It serves as a guiding principle that helps define the level of risk an organisation is prepared to accept. Think of it as a spectrum ranging from conservative to aggressive approaches. A conservative risk appetite implies a preference for low-risk strategies, while an aggressive one indicates a higher tolerance for taking on greater risks.

Within this overall risk appetite, organisations establish their acceptable level of risk – the maximum amount of risk they are willing to bear. This level varies depending on factors such as industry norms, regulatory requirements, and organisational goals. Defining an appropriate risk appetite ensures that organisations operate within acceptable limits and avoid unnecessary exposure.

Aligning Strategies with Operational Capabilities

The relationship between risk appetite and risk tolerance is critical for aligning organisational strategies with operational capabilities. By understanding their risk tolerance levels, organisations can develop strategies that reflect their ability to handle potential risks effectively.

For example, consider a technology company with a high-risk appetite due to its innovative nature. However, if the company's operational capabilities do not align with this high-risk approach, it may struggle to implement its strategies successfully. By assessing their internal strengths and limitations, companies can strike a balance between ambition and feasibility when setting their overall risk appetite.

Enhancing Decision-Making Processes

Another benefit of effective coordination between risk appetite and risk tolerance is enhanced decision-making processes throughout the organisation. When individuals at all levels understand the organisation's overall approach towards risks and their specific thresholds within those boundaries, they can make informed decisions aligned with these principles.

This alignment ensures that decisions are not made in isolation but rather take into account the organisation's risk appetite and tolerance. It promotes a consistent risk culture and helps avoid situations where risks are either overlooked or exaggerated.

Downloadable Examples of Risk Appetite and Tolerance Statements:

Risk appetite statements play a crucial role in defining an organisation's approach to risk management. They outline the level of risk that an organisation is willing to accept in pursuit of its objectives. Similarly, risk tolerance statements provide further clarity by specifying the acceptable limits within which risks can be managed. To help you create effective risk appetite and tolerance statements, we have compiled some downloadable examples for your reference.

Example 1: Conservative Approach

  • Risk Appetite Statement:
    • We prioritize capital preservation and place a strong emphasis on minimizing potential losses in line with our overall risk appetite and enterprise risk management. Our risk tolerances are set to ensure that we maintain a low risk approach.
    • Our primary objective is to maintain stability and avoid excessive exposure to market volatility, in line with our overall risk appetite and risk tolerances as part of our enterprise risk management approach.
    • We are willing to sacrifice potential returns in favour of maintaining a conservative risk profile.
  • Risk Tolerance Statement:
    • We set strict limits on individual investment positions to accommodate different risk tolerances, ensuring diversification across asset classes.
    • The maximum allowable drawdown, which is determined based on risk tolerances, is set at X% as a precautionary measure against significant market downturns.
    • Our risk tolerance reflects our commitment to protecting principal investments even during challenging economic conditions.

Example 2: Balanced Approach

  • Risk Appetite Statement:
    • We seek a balanced approach between growth and stability, aiming for moderate returns while managing risks effectively.
    • Our objective is to achieve consistent performance over the long term without exposing ourselves to unnecessary risks. 

  • Risk Tolerance Statement:
    • We understand that short-term volatility is inherent in financial markets, so we allow for moderate fluctuations in portfolio value to align with our clients' risk tolerances.
    • Our risk tolerances are reflected in our maximum allowable drawdown, which is set at Y% to accommodate normal market fluctuations without jeopardizing our long-term goals.
    • While we are open to taking calculated risks, we remain cautious about exceeding our predetermined risk thresholds.

Example 3: Aggressive Approach

  • Risk Appetite Statement:
    • We adopt an aggressive investment strategy with a focus on maximizing returns through higher-risk opportunities.
    • Our primary goal is to achieve substantial growth while considering our risk tolerances, even if it means accepting higher levels of volatility and potential losses.
  • Risk Tolerance Statement:
    • We have a high tolerance for risk and are willing to accept significant fluctuations in portfolio value.
    • Maximum allowable drawdown is set at Z% to accommodate the increased risk exposure associated with our aggressive approach.
    • Our risk tolerance reflects our confidence in our ability to navigate market uncertainties while pursuing substantial returns.

These downloadable examples can serve as valuable references when creating your own risk appetite and tolerance statements. Remember, tailoring these statements to align with your organisation's specific objectives, risk profile, and industry dynamics is essential. By clearly defining your risk appetite and tolerance, you can establish a robust framework for effective risk management that supports sustainable growth while safeguarding against excessive exposure.

Conclusion: The Significance of a Risk Tolerance Statement:

A risk tolerance statement holds immense importance in effective risk management and governance. By understanding the concept of risk tolerance and differentiating it from risk appetite, organisations can make informed decisions regarding their exposure to risks.

The significance of a risk tolerance statement lies in its ability to define an organisation's acceptable level of risk, helping them align their strategies accordingly. It acts as a compass, guiding decision-makers towards making choices that are in line with the organisation's risk appetite.

Defining metrics for risk tolerance is crucial as it provides measurable criteria to evaluate risks and determine if they fall within acceptable limits. This enables organisations to proactively manage potential threats while ensuring they stay within their predetermined boundaries.

Understanding the relationship between risk appetite and risk tolerance is vital. While risk appetite refers to an organisation's willingness to take on risks for potential rewards, risk tolerance focuses on the specific level of risks that an organisation can tolerate without compromising its objectives.

To gain practical guidance on writing a comprehensive risk appetite statement, organisations should consider seeking expert advice or referring to industry best practices. Examples of well-crafted statements can also be downloaded online for reference and inspiration.

In conclusion, having a clear and well-defined risk tolerance statement is essential for any organisation aiming to effectively manage risks. It provides a framework for decision-making, helps set boundaries, and ensures alignment with strategic objectives. By following established guidelines and seeking professional assistance if needed, organisations can create robust statements that contribute positively to their overall risk management efforts.

Frequently Asked Questions (FAQs):

Q1: How does a risk tolerance statement benefit an organization?

A1: A risk tolerance statement helps organisations define their acceptable level of risks, enabling them to make informed decisions aligned with their strategic objectives.

Q2: What is the difference between risk appetite and risk tolerance?

A2: Risk appetite refers to an organisation's willingness to take on risks for potential rewards, while risk tolerance focuses on the specific level of risks an organisation can tolerate without compromising its objectives.

Q3: Why is it important to define metrics for risk tolerance?

A3: Defining metrics for risk tolerance provides measurable criteria to evaluate risks and determine if they fall within acceptable limits, allowing organisations to proactively manage potential threats.

Q4: How can I write a comprehensive risk appetite statement?

A4: Practical guidance on writing a risk appetite statement can be obtained by seeking expert advice or referring to industry best practices. Examples of well-crafted statements are also available for download online.

Q5: What is the relationship between risk appetite and risk tolerance?

A5: Risk appetite defines an organisation's willingness to take on risks, while risk tolerance sets the specific level of risks that an organisation can tolerate without compromising its objectives. Understanding this relationship is crucial for effective risk management.

Q6: Where can I find examples of risk appetite and tolerance statements?

A6: Downloadable examples of risk appetite and tolerance statements can be found online, providing useful references and inspiration for crafting your own statement.

Q7: How does a risk tolerance statement contribute to governance?

A7: A well-defined risk tolerance statement helps establish boundaries and guidelines for decision-making, ensuring that risks are managed in line with organisational objectives and regulatory requirements.

Please let me know if you have any further questions about risk tolerances!

From Recruitment to Retirement - Supporting the Director Lifecycle

44% of Directors are not confident their induction process effectively prepares new directors for their role on the Board. A further 54% of Directors are not confident that their Board adequately addresses succession planning. If the start and end of the Director lifecycle are like this – what is the middle like? 

GovernWith’s CEO & Founder Fi Mercer will be joined by special guest Megan Motto, CEO of Governance Institute of Australia to discuss each stage of the Director's lifecycle and their learnings. They will also provide tips on how to ensure Directors have the tools and resources they need to succeed at each stage. 

The Director Lifecycle - The unique support needed for each stage

A life cycle is a series of events bringing something new into existence, whether that’s a life, a product, or a director. The life cycle follows its growth and progression into maturity, eventual critical mass and finally, its decline. 

The stages of the Director’s lifecycle are recruitment, induction, development, mentorship, and retirement. These stages encompass the progression a director goes through over their tenure with a Board and whilst there are some common factors, the length of each stage is unique for every Board and Director. 

Let’s break down each stage: 

Recruitment 

The first step of any life cycle is important, because without the right foundation being built at the beginning, you're setting yourself up for failure. Therefore, having the right people on your Board is key to being able to achieve your purpose. Choosing the right Directors is hard: it's a balancing act between the people who apply and the skills, experience, qualifications and behaviours you need to replace from the Directors departing. Knowing how these potential Directors are going to complement the existing ones (or perhaps not) is critical to ensuring that the right people are recruited.

Induction 

44% of Directors (from our governance data insights) are not confident their induction process effectively prepares new Directors for their role on the Board. This is not a comforting statistic for any new Directors who might be looking to join a Board. Having spoken to Directors old and new about what their induction programs looked like, and what works and what doesn't, we've found that having an individually targeted approach is key. It's not a good use of time and resources to be educating new Directors on something they are already experts in, nor is it wise to assume that a director already knows something, especially when it is sector related. Connecting a director's induction program to their skills and capabilities is proving to help fast track a director's confidence, engagement and satisfaction.

Development 

We've spoken at length in previous blog posts, such as Board Skill Sets - New Requirements for a New World, about the new world we find ourselves in when it comes to the skills required on a Board. With this in mind, it's more important than ever that we're not only upskilling Directors in the areas that they need, but also in a way that ensures the Board is well rounded. A well-rounded Board has a combination of Sector Specific Skills, Professional Skills, Contemporary Skills and, of course, Behavioural Skills. Knowing where each Director's opportunities for development lie is key to a sensible development plan rather than a scattered, generic approach. Targeted education relevant to the identified capability gaps is proving to be far more important than the old "one size fits all" governance education that used to be rolled out regardless.

Mentorship 

Whilst this may not be a stage that every Director goes through or spends much time in, it is a vital step to ensure the continuation of their organisational knowledge. Where possible, it is essential that more tenured Directors take newer Directors under their wing. Even something as simple as offering to have a cup of tea before and after a Board meeting to go over any items they may want clarification on helps build their understanding and confidence, and ultimately helps meetings run more smoothly. What can then also be gained is that each brings something to the other: the more tenured Directors offer Board experience and knowledge, and the newer Directors can remotivate and remind those older Directors who might be feeling stagnant or stuck in their Board roles. It reignites the question, "Why are you on the Board? What is my 'Why'?", because they have someone asking.

Retirement 

And finally, after the Director has served their term and is ready for their next step, it's time to consider their retirement. However, how is a Director supposed to be assured that all their hard work will be continued when 54% of Directors (from our Governance Data Insights) are not confident that their Board adequately addresses succession planning? The fundamental piece to understand here is which skills are about to leave the Board, so that you can look for someone with similar skills to fill those gaps. Alternatively, it can be used as an opportunity to broaden the skills on the Board and diversify those around the table.

As we've outlined in the life cycle progression above, being a Director is a varied position with five unique stages, each of which has specific requirements.

Thankfully, Boardroom Plus is also available to assist with each stage of this life cycle: the Individual Director Development program, now available, helps people who want to be Directors become more prepared, and the Whole Board Governance program includes features to help with induction, development, recruitment, mentorship and retirement.


Planning for the future - A Board's Role

The Evolving Skillset for Directors

The list of skills needed to be a Director is ever-changing, and in an environment of legislative change, added media scrutiny and an increasing scope of work required of a Director, no matter the industry, it's getting trickier for Boards to keep up.

Rising Employee Well-being Concerns

Added to this is the stressor of increasing exhaustion and burnout levels throughout every staffing level of the organisation and the struggle to replace staff who leave. A recent Deloitte survey suggests that in their survey of 2,100 employees and C-level executives across the USA, UK, Canada and Australia “nearly 70% of the C-suite are seriously considering quitting for a job that better supports their well-being.”

The Great Resignation

Looking beyond the C-suite, with the Great Resignation now at our shores, the Bureau of Statistics confirms that there has been an increase in the proportion of workers switching jobs, from a low of 7.5% in 2021 to 9.5% as at February 2022. Compounding this issue is a talent shortage, which is making it harder, slower and more expensive to replace the staff who leave.

The Impact on Boards and Communities

Anecdotally, we're hearing about this a lot from Boards, CEOs and Executives who are seeing long-serving staff, executives and Board members leave and take their wealth of sector- and organisation-specific knowledge with them. In the smaller communities that have always had a hard time recruiting Directors, it has become that much harder with the added external pressures.

A Call to Action

Fi Mercer, GovernWith's CEO and Founder, has spoken a lot about this over the last 12 months in the Aged Care sector, from the 2021 and 2022 Govern with Care conferences to the 2021 LASA Aged Services Innovation: Owning the Future Now. However, it's an issue for all Directors and not just those in Aged Care. We believe it is such an important element that Directors must be aware of and act upon it before it's too late.

Reimagining Succession Planning

Whilst this situation could be framed negatively, we think that it’s the perfect time to shake up succession planning and director appointments to give both a fresh perspective. With only 46% of Boards in 2021 feeling that they address all levels of succession planning there is room for improvement for all Boards. 

Innovative Approaches to Director Appointments

Apart from a focus on the future skills required for successful Boards there are other aspects to consider for thinking outside the box in terms of achieving director appointments. As companies are getting more creative and flexible in order to attract and retain staff members, Boards should think about doing the same for Board positions where they can. For example, there is an increase in the number of virtual director positions available where Directors who aren’t living in the community but have the skills needed by the Board are able to virtually be a part of the meetings and only travel to in person meetings on occasion. Another example is Boards who are recruiting younger professionals who are interested in becoming part of the Board but need to be upskilled in a particular area. These young professionals are then put onto sub-committees to learn and be nurtured by the more experienced Directors to gain the skills they need. This helps ensure future succession for the Board and gives opportunity to those who might not normally get it. 

Investing in Director Development

Along the same lines, more Boards are offering development opportunities for their Directors as well. By arranging for their Directors to participate in a skills matrix that identifies relevant and targeted training opportunities to upskill themselves, Boards are better able to attract professionals who are still growing their careers rather than at the end of them.

Building Collaborative Alliances in Governance

Another opportunity that boards should consider is growing their relationships with other boards in the community. These affiliations, especially in areas like health and aged care where there is a real focus on this notion of partnerships, can help to share the load of governance. 

A final question for you to think about heading into the second half of the year - Is your Board looking at the skills, qualifications, experience and behavioural attributes of everyone around the table to ensure that should something happen you’d know the real breadth of skills that were being lost? 

If you want to learn the skills, qualifications, experience and behavioural attributes of your board or for yourself as an individual, register to attend one of our demonstration sessions here 

Introducing our 2021 Governance Data Insights Whitepaper

GovernWith is about to publish our Governance Data Insights Whitepaper for 2021, covering the Top 5 Governance Risks identified in 2021 from our Governance Review and Development Programs. Each year, as part of our commitment to our governance community, we publish our findings to increase the awareness of issues in governance and help provide Board and Councils with guidance on how they can improve and assurance that they are not alone in their governance struggles, whether they undertake their evaluations with us or not. 

Our Governance Data Insights Whitepaper for 2021, covering the Top 5 Governance Risks identified from our Governance Review and Development Programs from 2018 to 2021 has been published. Each year, as part of our commitment to our governance community, for supporting a culture of continuous review and development for effective governance we publish and share these valuable insights.  

This year, our Governance Data Insights Report includes over 450 board contributions in more than 14 sectors, focusing on Corporate Governance & Director skill areas. 

The Top 5 Governance Risks for 2021 are: 

  1. Stakeholder Engagement 
  2. Strategic Direction 
  3. Continuous Review and Development 
  4. Risk Management and Compliance 
  5. Sector Specific Skills 

With 4 years of data from our growing community the data insights are even more compelling for supporting continuous review and development as key to building effective governance. 

In crafting the Whitepaper Report this year, we decided to look at our data in a new way. Usually, we group the organisations together according to the year that they have undertaken the evaluation (Annual Benchmark). This year we’ve added a twist and grouped organisations together based on the number of the evaluation they’re up to (Number of Evaluation Contributions). 

We found that, looking at the annual benchmark, the results remained relatively static year after year. However, when we sliced the data by number of evaluation contributions, we saw collective improvement that isn't visible in the annual benchmark. It is evident that the pathway to governance improvement is continued annual evaluation, both for whole Boards and for individual Directors.

Contemporary Governance Risks: What we've learnt so far

It’s been a great few months being able to bring our community some insights into Climate Change, Social Inclusion and Gender Equity. This series started on the back of the large amount of legislation and requirements Boards, Directors and Executives are needing to deal with. Everyone we’ve been speaking to who is undertaking our Governance Review and Development programs is saying that they understand they need to address these topics at the Boardroom table but don’t know where to start or how they can best lead their organisations in these topics.   

Why are these topics so important?  

According to a report published by Inclusive Australia The Inclusive Australia Social Inclusion Index: 2018 – 19 Report “one in four Australians experience major discrimination based on their age, gender identity, sexual orientation, religion, ability or origin.” 

In regard to climate change, as we all know and as the Bureau of Meteorology State of the Climate 2020 Report confirms, "There has been an increase in extreme fire weather, and in the length of the fire season, across large parts of the country since the 1950s, especially in southern Australia." Climate change relates to any governing body or organisation (be it small, medium, large, rural, regional or metro), because its reach and impact are far greater than just a change in the weather. The flow-on effect to the communities we serve relates to their health, safety, access to food, clean water, electricity, heating and other essential services. The ultimate impact is on the vulnerable members of our society, and whilst this is of the utmost importance to everyone, it is especially important at the Boardroom table.

And finally, gender equality, whilst improving, still has a long way to go in Australia. According to the Workplace Gender Equality Agency (WGEA), achieving gender equality will lead to "more jobs and increased GDP. These two important pieces of our economic strength, which could result in decreased poverty, higher life expectancy and better quality of life."

Our Contemporary Governance Webinar Series  

To begin the series we spoke with Co-Founder & Non-Executive Director of Women on Boards Claire Braund about Gender Equity and Social Inclusion. 

Claire started her discussion by explaining the difference between equality and equity. To illustrate the difference, Claire used the image of people standing on the boxes below. Her image helped us to understand that equity is giving people access to what they need so that they have the same opportunity as everyone else, rather than giving everyone the same access irrespective of their starting point, which is equality. This point was crucial to her when she started Women on Boards: they identified that women needed a bigger leg up than men did due to the lack of women on Boards at the time.

In the third image we can see that the supports aren’t needed anymore because the fence (source of inequity) has been removed. This third scenario is one that is not often seen but ideal to strive towards. 

Claire summed up gender equity with the wonderful quote - “Gender Equity is about how we think about creating a framework to produce equal outcomes for people of different genders.” 

Claire then talked about inclusion and how it is broader than just social inclusion. There are in fact three types of inclusion: political, economic and social. Political inclusion is about being able to have a say in decisions affecting your life, such as being able to vote. Economic inclusion is about being able to undertake paid or volunteer work. Claire points out that this is an area in which we, as a country, have work to do, as the gender pay gap still sits at around 14-15%, fluctuating between different sectors. Social inclusion is about feeling valued and welcomed in interactions with other people.

An important learning that came out of Claire’s talk was that it was “important to address that diversity and inclusion are not the same thing, diversity is a state of being and not something that is governed while inclusion is a set of behaviours that can be governed and can be changed.” This is saying that it is not only enough that we have a group of diverse people around the table but that we also must behave well towards all members regardless of who they are. 

In her summation Claire thinks that to address social inclusion we need to “look at our behaviours and we think about how we are behaving and what we're doing to make sure that we include all those people that are sitting on the edge of the circle.” 

In our second State of Governance webinar we spoke with Jo-Anne Moorfoot from Australian Centre of Healthcare Governance, Micaela Drieberg from Victorian Healthcare Association and Julia Cookson an expert convener for Governance Evaluator. The group spoke about Gender Equity, Social Inclusion and Climate Change and the insights they have on these topics across the health, community health, human services, and aged care sectors. 

This webinar went into great examples of how our panellists have enacted, and seen others address, these key areas. If you haven't seen it yet it's a must watch regardless of what sector you're in. Watch the recording here.

The main takeaway from this webinar was that real change starts from the top. Jo-Anne summed this theme up in such a thoughtful way: "it's really important for boards to recognise the role they play in leading the organisation they are the apex they set the tone. We all know that the board sets the culture for the organisation so particularly with the issues that we've talked about today, social inclusiveness, climate change, and gender equality, if it's not important to the board how can we expect it to be important to the organisation. The board must take a leadership role and set the expectations around what they want to see happen in the organisation, what sort of actions they want to occur and then they have to follow it up with seeing the evidence. Seeing evidence means that there is actual proof that the organisation is living climate change responsibility, social inclusiveness and gender equity wholly, otherwise it won't happen."

This also ties in perfectly with one of Claire’s comments around Boards leading culture and how “you cannot be what you cannot see.” If a Board is homogeneous, non-inclusive and uncooperative, that is the behaviour and culture on show, and the tone that has been set from the top.

What Next?  

Whilst this is the end of the discussion series, it doesn’t mean that this is the last we will, or should, discuss these topics. This is just the start of the conversations that need to be had around the Boardroom table and beyond.

At Governance Evaluator we have decided to include new sub-modules in both our Board Evaluation and our Director Development and Skills Matrix to ask Boards whether they regularly see, discuss and respond to evidence, both qualitative and quantitative, about the top risks relating to climate change, social inclusion and gender equity. We will also be asking Boards whether they reflect on their own leadership in these areas. To gain the whole picture of the Board, and in recognition that these are important skills, we will also be asking Directors to rate their skills, knowledge and experience around climate change, social inclusion and gender equity. These changes will start to be rolled out across our portal from next month.

Cyber Security and Boards

Last year cybercrime increased 600% globally. In 2021, cyber is expected to be a $6 trillion business which will make it more profitable than the illicit drug trade. 

Blog by Claire Pales and Anna Leibel, co-authors of The Secure Board and Directors of The Secure Board Advisory 

“In our book "The Secure Board", which was released in March 2021, and at the May Governance Evaluator webinar we explain cyber risk in non-technical terms so you will have confidence next time your IT or security leader attends your Board meeting.” 
- Claire Pales and Anna Leibel, authors of The Secure Board and Directors of The Secure Board Advisory 

Written for current and aspiring Board members, "The Secure Board" provides the insights you need to ask the right questions, to give you the confidence your organisation is cyber-safe. Designed to be read either in its entirety or as a reference for a specific cyber security topic on your upcoming board agenda, "The Secure Board" sets aside the jargon in a practical, informative guide for Directors. 

"The Secure Board" is the second book from Claire Pales and the first for her co-author Anna Leibel. Claire and Anna are the founders of the boutique advisory firm The Secure Board and leading experts in cyber security and technology. They are independent advisors who have worked with many boards and committees in both Australia and Asia. Anna is also a current director on the board of Ambulance Victoria. Based on their work with boards and executives, their local research and global trends in cyber, the book covers the 5 key elements of cyber knowledge that Directors expressed concerns about when it came to managing cyber risk.

“I recommend The Secure Board as essential reading for all leaders. It will equip you with the knowledge and foresight to protect your information and your people.” 
– David Thodey AO, Chair of CSIRO 

“[This book] will challenge you to stop, to reflect and then re-set some of your governance thinking. Anna and Claire, you have made a great contribution to the development of all Directors who choose to pick up this book” 
– Ken D. Lay AO APM FAICD, Lieutenant-Governor of Victoria 

Compliance Governance and the Need for a Fourth Line of Defence Model

Blog by Brendan Moore, General Manager Member Services, Leading Age Services Australia. 

Aged care governing bodies need independent audits to reassure them of operational compliance. 

All organisations engage independent, external auditors for their financial reports. However, there is a strong case for governing bodies to engage independent, external auditors for their operational performance. 

While internal audit plays a key role in the corporate governance structure to provide ongoing assurance on the effective management of risk within an organisation, there are many organisations that do not have a formalised, structurally independent role of internal audit within their business. 

For those organisations that do have such a role, there is a case to be made for a fourth line of defence in the form of an external auditor of operational compliance. 

According to the Chartered Institute of Internal Auditors (CIIA), ‘internal audit is a cornerstone of an organisation’s corporate governance’. 

Many aged care providers will be limited in their ability to resource such a function and governing bodies will be reliant on the first and second lines to provide reports via senior management. 

There have been notable instances in the Aged Care Royal Commission where such an approach has been found wanting for a variety of reasons (e.g. management withholding information, inadequate systems for documenting and interpreting risk information, processes not identifying key risks). 

For these reasons, boards need to be aware of potential conflicts of interest and ensure they take measures to safeguard the objectivity of internal audit. 

The CIIA lists four key issues for Directors to ask about and be reassured upon in regards to any internal audit function: 

  1. It must be structurally independent and report directly to the governing body. (Noting that any internal audit also needs to have access to management information and have a good relationship with management.) 
  2. The function must be properly resourced and staffed by a person with appropriate knowledge, skills and experience. 
  3. It should focus on the greatest risks to the organisation and have a plan executed to respond to these. 
  4. The scope of activity is the whole business and it should be unrestricted in pursuing its role purpose. 

Leading Age Services Australia (LASA) is engaged by many operators to conduct ad hoc gap analysis and mock audit services. These engagements are invariably commissioned by management, who may themselves be a contributing factor in operational compliance, for better or worse.

As the diagram indicates, using LASA to substitute for internal audit in compliance risk/audit can be appropriate to circumstances where resourcing capability to fill such a role internally is not possible. 

While ad hoc, it is fair to say ‘at least it is happening’. For organisations that do not engage a substitute, employ their own internal audit function, or use an external audit service reporting to the governing body, only the first, second and fifth lines are active. With the fifth line being the regulator, this represents a risk retention setting that has left some aged care providers exposed to adverse compliance findings. Frequently stated responses such as ‘we didn’t know’ or ‘this result has completely surprised us’ do not inspire confidence in the regulator about the organisation’s audit and governance processes.

Research conducted in 2019 with attendees at LASA’s Governance in Aged Care workshops indicated that governing bodies could increase their focus and time on ensuring statutory and regulatory compliance, particularly with the heightened focus on organisational governance in Standard 8 of the Aged Care Quality Standards. 

Reliance on management by governing bodies may expose them to liabilities and risks that independent audit of varying areas of operational performance may identify, mitigate and possibly eliminate. 

If you are a Director of an age services provider, the following questions are worth reflecting on: 

  1. Do you have a compliance plan that considers the regulatory framework and a stand-alone compliance/clinical governance committee supplemented by independent auditing? 
  2. Are you confident you are fully informed of the areas you are ultimately accountable for under Standard 8 of the Aged Care Quality Standards? 
  3. Is there sufficient focus on quality, safety and clinical governance within your governing body’s activities?  

Data Driven Governance Insights - Governance Resilience

As we started to touch on in last month’s blog post, year three is a magic number in the evaluation journey. The third year is when we see surface level issues, such as risk management, board meetings and agendas, and governance systems and processes, resolving or resolved, and the real work beginning on deeper level improvements. This results in ongoing increases in the average board evaluation results in years four and five. At this point in their journey, boards often describe themselves as being more discerning, strategic, able to have the tough conversations and knowing what they don’t know.

Our last webinar touched on this as well: our panel of chairs and CEOs spoke about how they are using governance data to inform their decisions and what their journeys have been like over the last three years. The big takeaway was that it isn’t about turning every answer in the evaluation into a green; it is about becoming more discerning in their answers and self-evaluations and finding the areas that still need to be worked on and improved. They didn’t see it as a bad thing to have areas to work on, but rather as a positive that they were mature enough to identify these areas. By taking this approach, the boards are building their own resilience.

Developing governance capabilities and governance resilience seem to go hand in hand; however, you’ve got to be in it for the long haul to see this occur. It’s not just about evaluating once. You’ve got to work on the actions from your results, you’ve got to keep coming back and, most of all, you’ve got to surround yourself with the best people to help you grow and succeed.

In this month’s data driven governance insights we wanted to showcase examples of resilience that we’ve seen in our Governance Evaluator Crowd data. For each of the eight key corporate governance modules in our governance evaluation we’ve mapped out the average board answers over five evaluation years and separated these by sector. 

Our eight key corporate governance modules are Strategic Direction, Risk Management and Compliance, Finance, Governance Relations, Board Composition, Board Processes, Stakeholder Engagement, and Continuous Review and Development. We have data from 10 of our sectors: 5 years of data for Health and Community, 4 years for Water Boards, 3 years for Aged Care, and 2 years for Local Government and for Waste and Resource Recovery Groups. For interest, we have also included Education, Associations, Finance and Sport, which currently have one year of data each, to show their starting point. In total, over 480 evaluations and over 5,000 director results contribute to our Governance Evaluator Crowd.

As we can see from the above graph, for all except the last two modules the 10 sectors follow a similar path in their results, starting low but increasing over the 5 years. Sometimes this increase is dramatic, as in Risk Management and Compliance, where we see an average 23% increase in the answers given. In terms of our evaluation scale, this would lift the average answers from a yellow to a solid green. Sometimes the increase is less dramatic, as in Finance, where we see an average increase of only 12%, but it is an increase nonetheless.

For the first 6 modules, the results show that the answers are low in the first year, increase slightly in the second, and increase again in the fourth and fifth years; overall, the answers are clustered closely together.

The interesting part of these results is the great variance in year three: all of the sectors see increases in some modules and decreases in others, which would account for the plateau in the overall third-year results that we saw in last month’s data insights. This is where we see growth in resilience. The boards are becoming more discerning in their answers, and they’re having those difficult discussions that our webinar panellists spoke about. The great thing we see, though, is that after every dip in the average answers across those first six modules there is a subsequent increase. This shows us that boards are taking the results from the last evaluation and acting on them: they are creating an action plan to address the areas that need attention and then, over the course of the year, completing the work they set out for themselves.

The last two modules are completely different. Stakeholder Engagement and Continuous Review and Development do not look like any of the other graphs: the sectors are not clustered together, there is a definite spread in the way the sectors answer these questions, and no two sectors were similar in their journey with these modules.

Stakeholder Engagement and Continuous Review and Development were both identified as part of our analysis of 2019’s Benchmark data as two of the top five areas of risk. If you want to see where you’re sitting compared to our 2019 Benchmark data, take our 2-minute survey on Risk Management and Stakeholder Engagement for an instant comparison below. 

The importance of data led governance – The 3-year effect

Join Fi Mercer, Alex Aeschlimann (Chair, Gippsland Southern Health Service), Maryanne Puli Vogels (Chair, Timboon and District Healthcare Service) and Ben Maw (CEO, Cohuna District Hospital) as they discuss how they have been leading a culture of continuous governance review and development. Listen as they discuss their experience of using governance evaluation data to decide what to focus on, which has helped improve their identified risks. Our panellists can speak to the magic that starts to occur after doing so for three years.
