@ the IERP® Global Conference, August 2024
The views and opinions expressed in this article are solely those of the featured speakers and do not necessarily reflect the official view or stance of the IERP®. The content is provided for informational purposes only.
Noting that many people unfamiliar with how a board works may not understand that, with oversight, the role of the board is to challenge the management as well as brainstorm and guide it in terms of how the business is planned and how strategies are executed, moderator Tony Chin, a Board Member of Kanzun Ventures, started the session by contextualising risk as anything that threatens the company’s ability to achieve its financial goals.
To Chin’s query about why she decided to become a panellist on this topic, speaker Ahila Ganesan, Independent Non-Executive Director with Velesto Energy Bhd, said this was usually not a topic at the forefront of business. “I thought it would be a good way to give my viewpoints and understanding of risk, and share that not everyone thinks it should be on the back burner,” she said. “A lot of us think that it is an important factor for us when charting the business.”
Speaker Tunku Alina Alias, on the other hand, said she accepted the invitation because she wanted to know more about the topic. “I think I know a lot about risk but I am also sure that there’s a lot I don’t know,” said the Independent Non-Executive Director of multiple PLCs. Asked who was responsible for developing, instituting and fostering company culture, Tunku Alina responded that it was the joint responsibility of the board and management. “It’s basically a partnership. One cannot do without the other,” she said.
“It’s a joint responsibility to institute and foster the risk culture within the organisation.” Chin said that another perspective saw the CEO driving the culture of the organisation, with the board providing oversight, and ‘the tone from the top’ ensuring that the culture was aligned with company objectives and strategies. Ahila disagreed, saying, “That was traditionally the way things were done. Everything was top-down. It has to be in both directions, top to bottom and bottom to top.”
Citing the talent crunch currently experienced by the industry, she said there were not enough people staying for the long term. This was a risk; the people who are trained don’t stay. Many leave because they feel they are not being heard. “One of the key ways is to involve them in decision-making,” she said. “While it is important, the tone of the top has to be an inclusive tone, meaning, ‘I hear you; I want to hear your thoughts.’ You need to be agile as an organisation and discuss what works for both sides.”
Even with the democratisation of organisational culture today, risk culture is still tied to the type of company, and its level of maturity, Tunku Alina said, pointing out that in companies which are founder-led or family-controlled, this tends to reside in the CEO, who directs it. “In professionally-led companies, it is a more democratic type of management,” she said. “They rely more on the risk team, audit team and C-Suites to come up with the strategy and culture for the company, which will be sent to the board for feedback.”
Remarking that there was no ‘one size fits all,’ Chin queried the panellists about the steps involved in developing and implementing this culture in an organisation. The first, Ahila said, was to assess what the organisation already had, and what was lacking. “You need to know what your baseline is,” she advised. “Then you have to look at your strategic road map for the next five years. Once you know where you are and where you want to be, you can set intervention and implementation in motion.” Organisations may know where they want to be in five years, but that is not a static point.
Instead, she said a five-year strategy needs to be fluid enough so that checkpoints can indicate where it needs to be adjusted. “When you do your risk management, remember the world is fluid, your surroundings are fluid, so don’t get fixated with a point or strategy,” she advised. “You have to be agile. It’s an iterative process, not a linear process.” Tunku Alina added that board directors needed help in one area: the company’s approach to its risk management and its risk appetite. “Please articulate the appetite of the organisation,” she said.
Board directors, she said, generally need help with four types of risk – operational, financial or sustainability risk, emerging risk, and external threats. Knowing the organisation’s risk appetite could also give some indication of how it needed to be governed. Ahila urged risk professionals to change the way they think because of the existence of different leadership and management styles. While it was important to know when to take risks and when to be risk-averse, she said, “As board members, we also want to see some level of trying to break frontiers or at least thinking about it.”
In the wake of the pandemic, scenario planning has gained importance as ‘black swan’ events are no longer a rarity. “A lot of these threat events are going to happen so it will be very helpful if scenario planners take this into consideration,” Ahila said. “Of course, it’s difficult because you don’t know what you don’t know, but there needs to be research and thinking, to determine what that is.” How does the board ensure that risk awareness and accountability permeate all levels of the organisation?
“Whenever I have people coming (to board meetings) to make presentations, I ask questions,” Tunku Alina responded. “When you ask how to foster a risk culture, you ask questions surrounding risk. Creation of rapport is very important, as are site visits.” Ahila suggested embedding risk management in corporate KPIs as one way, and having a risk committee as another. While this will depend on company size, she suggested setting aside time within wider board discussions to discuss risk.
Chin suggested conducting employee surveys to ascertain the pulse of the organisation, and whether employees understood the risk culture being assessed by the board. He asked the panellists how organisations should keep pace with emerging risks and black swan events. “Do we employ more risk professionals, invest in tools and technology?” he queried. “Do the board and C-Suite need a change of mindset? Do we do more scenario planning?” Ahila advised building a base and foundation first, then looking at the current state of affairs.
“It all depends on the needs of the organisation,” she said. “As risk practitioners, try to build on that foundation; you also need help from the board to push it. Put in a paper for the board to consider, and force the board to talk about it. The next frontier is really the current frontier. Fix it now and you will be ready for the next frontier – the black swans etc.” Agreeing with Ahila on the need for strong foundations, Tunku Alina cited four points: people, technology, macroeconomics & geopolitics, and climate change.
“When we are talking about the frontiers of risk and the role of the board, this is what we are looking at now,” she said. “Also horizon scanning – what are the new things happening?” Questions should be asked about people and the future of work, how talent can be retained, how teams will work, if organisations are equipped for different ways of working, and what upskilling and reskilling will be required. Technology like AI and blockchain, and their impacts, need to be taken into account.
Laws in other jurisdictions must be considered, bearing in mind that directors may be personally liable under some laws. New regulations also require increasingly greater disclosures around sustainability. With growing awareness of climate change, organisations will also need to understand how it impacts them, how to take up climate change responsibilities, and how to identify and manage opportunities arising from it.