Enterprise Compliance Today

Governance: How Company Directors should manage THEIR Risk Exposure

Posted by Greg Carroll on Sun, Mar 23, 2014 @ 09:30 AM

Board members need to consider their own risk exposure when weighing the corporate governance needs of their organisation. This week's contribution is by Dr Lee Finniear. Lee is a Fellow of the Australian Institute of Company Directors.



Dr Lee Finniear is a Fellow of the Australian Institute of Company Directors and the Chief Operating Officer of Fast Track (Aust) Pty Limited.

Fast Track has been assisting companies with GRC challenges from the Board Room to the Boiler Room for the last 30 years.

I have served as a non-executive Director, Managing Director and CEO for international public and private companies and not-for-profit Boards for over 15 years. The Boards on which I served were highly professional. We took Corporate Governance seriously and forced through change; we had strong Audit & Risk Committees; and our Auditors were both friendly and extremely well paid!

But the common thread in the A&R Committee meetings was that Financial Risk & Controls, Sarbanes-Oxley and related requirements always came first on the agenda. Operational Risk got the time at the end. Too often there was no time left.

If the Deepwater Horizon disaster taught us anything, it's that a small operational risk, if realised, can destroy a company – financially and reputationally. It can also land the Directors in Court.

So how can we be sure that, as Directors, we have the complete picture?

Historically, the problem with Operational Risk is that it has been really hard to monitor. So, to attempt to control it, companies put processes in place and occasionally audit compliance to check whether those processes are being followed. Staff are appropriately trained, and Boards hope that, when the CEO reports at a Board Meeting, they know what is going on and report fully and accurately on the risks the company is currently managing.

And that’s the problem – almost inevitably they don’t!

Board Papers are prepared through a process of successive summarising – from Section Head to Department Manager to Divisional Director to CEO – and the tree of knowledge is pruned heavily at each stage to create a manageable set of papers for the Board. Major current issues dominate the end result. The CEO may not even be aware of a looming risk – and most good CEOs can, with misplaced sincerity, convince their Boards that they have everything under control.

Now, as a Director, you could, and should, believe you can trust your CEO (if you don't, then fire them on the spot!). But your risk exposure isn't the CEO; it's the system that feeds them their intelligence.

If that system fails, it's not the system that ends up behind bars or bankrupt – it's YOU! So at your next Board meeting it's time to take a good, long, hard look at where your intelligence is coming from. The Board should ask:

  • If something bad happens, is the issue automatically and intelligently escalated to CEO & Board level when it puts any Strategic KPI at risk?
  • If something bad happens deep within the day-to-day operations of the business, how long is it before the CEO & Board know whether it is material and requires intervention – is it seconds, or is it months?
  • If the RISK of something bad happening materially increases, how long before the CEO & Board know about it – seconds, weeks, months – or never, because the "bad thing" hasn't actually happened yet?

Directors are paid, and legally obligated, to take all actions a reasonable person would consider necessary to manage the business and its risks.

Governance, Risk and Compliance (GRC) software is now sufficiently mature that a reasonable person would consider GRC necessary to manage most businesses. Based on my experience, I believe that Boards should demand a capability that includes:

  • Real-time situational awareness across the operations of the entire business.
  • Instant, intelligent alerts if any KPI, standard or legal obligation is at material risk of being breached.
  • A way of drilling down immediately to find out what happened and who is responsible, so the Board and CEO can take decisive action.
  • Forward-looking, intelligent insight into the future state of company risks, and proactive mechanisms to implement change programs that deliver risk savings as well as cost savings.

In the end, as a Director it boils down to how much YOU are prepared to take on faith and hope. If you don't have a pro-active GRC system in your business, it's time to ask why not. After all, it's your personal livelihood, your wealth and your freedom that are on the line... That is your ultimate risk!


Tags: corporate governance, due diligence, risk identification