RETHINKING RISK FOR THE FUTURE About ACCA ACCA (the Association of Chartered Certified Accountants) is the global professional body for professional accountants. We’re a thriving global community of 233,000 members and 536,000 future members based in 178 countries and regions, who work across a wide range of sectors and industries. We uphold the highest professional and ethical values. We offer everyone everywhere the opportunity to experience a rewarding career in accountancy, finance and management. Our qualifications and learning opportunities develop strategic business leaders, forward-thinking professionals with the financial, business and digital expertise essential for the creation of sustainable organisations and flourishing societies. Since 1904, being a force for public good has been embedded in our purpose. We believe that accountancy is a cornerstone profession of society and is vital helping economies, organisations and individuals to grow and prosper. It does this by creating robust trusted financial and business management, combating corruption, ensuring organisations are managed ethically, driving sustainability, and providing rewarding career opportunities. And through our cutting-edge research, we lead the profession by answering today’s questions and preparing for the future. We’re a not-for-profit organisation. Find out more at www.accaglobal.com © 2021 Association of Chartered Certified Accountants July 2021 RETHINKING RISK FOR THE FUTURE Our research for Rethinking Risk reveals views from a range of ACCA members working as risk professionals across the globe: whether it is the governance, risk and compliance (GRC) perspective or those of finance teams and internal audit. Some are chief financial officers (CFOs), chief executive Officers (CEOs), non-executive directors (NEDS) and board chairs, while others are among the increasingly more who are chief risk officers (CROs) and heads of risk or enterprise risk management (ERM). Through these members’ voices we get a fresh understanding of how risk management is evolving with the practice and principles of accountancy and what ways an accountancy background can shift the mindsets and behaviours needed to address the existential risks our organisations are facing today. Effective risk management is about creating a risk-conscious culture. Accountancy professionals need to reflect on the different roles they can play in fostering that and supporting their organisations in preparing for uncertainty and in achieving their objectives. Foreword Helen Brand, OBE ACCA's chief executive The global pandemic has catapulted risk management to centre stage. Many of us have learned new and vital lessons about effective risk management over the last year, so that disruption preparedness is now top of organisations' priorities. This report is, therefore, very timely. It looks at the reality, from our members’ points of view, about how COVID-19 has literally made them re-address risk and manage increasing uncertainty and faster shifting in this new digital era. Accounting Standards Board and the International Integrated Reporting Council. Businesses and investors have long called for more clarity and simplicity in the corporate reporting landscape, and this merger is a direct response to this call. We’re incredibly thankful for our members’ perspectives and their willingness to share views about what has changed, what will change in the future, and how the profession can make a difference by helping organisations with change management. They reveal their own experiences, and where accountancy fits into the new risk paradigm, especially as enterprise-wide risk management (ERM) and environmental, social and governance (ESG) converge more rapidly. Pleasingly, Rethinking Risk includes testimonies about how ACCA’s qualifications have helped members advance their career path in risk – whether that’s from the governance, risk and compliance (GRC) perspective; internal audit; consultancies; finance teams; chief financial officers (CFOs), chief executive officers (CEOs), boards and board committee chairs, nonexecutive directors (NEDs) or the increasingly more evident amount of chief risk officers (CROs) and heads of risk or enterprise risk management (ERM). The accountancy profession can help organisations large and small prepare for future disruption by building a more robust risk culture. This presents a unique opportunity for accountants to reflect on where they could add more value in this new normal, helping others to become more risk conscious. This is something each and every one of us needs to embrace. Risk management is a panorganisation mindset, and that’s the approach we take here at ACCA. This concept of value creation has recently come to the fore with the creation of the Value Reporting Foundation – established though the merger of the Sustainability Corporate reporting is going through its own transformation. It is more dynamic and integral to society than ever before, and has become a vital means to communicate how an organisation identifies and manages risks. There is an aligned good governance perspective here that also needs to be considered. Those responsible for oversight must be able to see things clearly so they can exercise their duty of care to companies fully and properly. The current complexity in global corporate reporting is a major block to this stewardship. For that reason, the formation of the Value Reporting Foundation is an important step in addressing this alphabet soup problem – and we hope leads to even further simplification. This is all transformational and transitional work, a field of expertise where professional members can and do lead. But there is more to come. That’s because while COVID-19 is the biggest crisis in a generation, we all face huge risks from rapid climate change. The opening section of this report discusses how failing to address sustainability is the biggest risk of all, and what needs to be done to better measure and manage the associated existential risks. The accountancy profession has a long history of being attuned to risks. It is often seen as a risk-averse profession. Now is the time for the profession to show in real ways how it helps organisations change behaviour, rethink risk, and how accountants can help set the tone from the very top. After all, as explained throughout this report, risk and sustainability are hand in hand, and they must be at the beating heart of every organisation’s strategy if they are to thrive in this turbulent and fast-changing world. Contents Executive summary 6 1. A new dawn for accountancy 9 1.1 The importance of quality data and data interpretation 9 1.2 Expanding the horizons to identify new risk landscape 10 1.3 Sustainability is about value creation and shifting the mindset 14 1.4 Reporting the risks 15 1.5 Building trust in the digital society 19 1.6 Third-party risks 22 2. ERM’s evolving doors 26 2.1 Crisis response 26 2.2 Optimising key indicators is central to effective risk management 28 2.3 Risk culture and integrated thinking in ERM 28 2.4 The value of whistleblowing 31 2.5 ESG: the new frontier of ERM 32 2.6 ACCA’s circle of CROs 33 3. Governance in the risk galaxy 36 3.1 What is your appetite for risk? 36 3.2 Risk governance structures 37 3.3 Board composition and diversity of thought 39 3.4 Board evaluations 39 3.5 Risk and audit committees: to be or not to be separate 40 4. Operational resilience and the unthinkable 46 4.1 New universe of risks 48 4.2 Risk and the new ways of doing business 48 4.3 Dealing with regulatory changes 49 4.4 The importance of re-assessments 51 5. Industry-centric risks and opportunities: no one size fits all 55 5.1 Pharma’s panacea 55 5.2 Comparing responses across borders 57 5.3 Eyes on public sector responses 57 5.4 How can SMEs and SMPs rethink risk? 58 Conclusion 64 Acknowledgements 65 References 68 RETHINKING RISK FOR THE FUTURE FOR THE FUTURE | EXECUTIVE SUMMARY Executive summary COVID-19 has triggered the biggest crisis in a generation having caused not only a global pandemic, but also unprecedented disruption to businesses and economies worldwide. While we have seen how the awareness of risk management and its scope evolve with previous crises, the COVID-19 pandemic is unique. It has extended longer than any of us ever imagined and was not sparked by a financial crash or political event. It has hit everyone between the eyes and accelerated many existential risks that were already emerging but had nevertheless been neglected by even the most mature risk frameworks around the world. Most best-practice risk frameworks saw either a high transmissible virus or the next economic crisis on the horizon but not the disruption of the two combined. No one could have predicted the extent of the lockdowns and other associated geopolitical risks. The question now is how can we rethink risk in this new fast-changing, complex world. A new dawn for accountancy Risk management as we knew it has been catapulted by the ongoing pandemic, and accountants have been presented with an unmissable opportunity to reassess how they can add more value in this transformation. Accountancy is playing an increasingly larger role in navigating organisations through the urgent problems and interconnected risks they now face by helping them find the missing links and better address stakeholders’ changing needs. For example, through their responsibility for reporting, accountants can provide deeper scenario analysis and optimise predictive analytics that generate more forward-looking insights for decision makers. This builds on previous discussions of these factors in both ACCA/PwC Finance Functions: Seizing the Opportunity (ACCA-PwC 2021) and ACCA/CA ANZ Analytics in Finance and Accountancy (Evett et al 2020). ‘In a world where trust has become vulnerable, the role of the accountant has become more necessary than ever. From the IFAC [International Federation of Accountants] perspective, the accountant of the future is the one who thinks about the planet, people, purpose, and then profits,’ says Sanjay Rughani, CEO of Standard Chartered Bank Tanzania and chair of the International Federation of Accountants’ PAIB Advisory Group. ERM’s evolving doors The role of accountancy in helping organisations understand and effectively manage risk goes beyond reporting about the past. It involves using the information that we gather to plan for the future. Accountancy is becoming more engaged in risk advisory in the sense that we help organisations change corporate mindsets to a new long-term thinking needed to survive and thrive in the new normal. Best-practice risk management requires staying ahead of risk, constantly refreshing our approaches to it and looking for new information to enable this. We have also learned that it is not enough to think about our risk frameworks and business continuity plans on an annual or even daily basis. Risk monitoring needs to be a continuous enterprise-wide activity. We discuss accountants’ understanding of business and data models further in ACCA’s The Digital Accountant (Webb 2020). Governance in the risk galaxy As guardians of information, accountants understand business models and how best to organise the frameworks needed to help companies achieve their objectives, while also meeting various stakeholder expectations and building the necessary trust. The world was already going through enormous geopolitical, social and digital transformations before COVID-19 struck, but the level of uncertainty these changes pose along with the exigencies of climate change have been exacerbated by the global pandemic. Accountants can help companies understand what these rapidly changing risks mean and make sure they do not miss the associated opportunities. In particular, they can help companies attain more sustainable outcomes for long-term success by integrating environmental, social and governance (ESG) matters into their decision making and assessing ESG impacts on the financial, industrial, agricultural, and ecological systems on which they depend. 6 RETHINKING RISK FOR THE FUTURE | EXECUTIVE SUMMARY Operational resiliency and emerging risks The accountancy profession can help unlock value for their organisations by looking further than the financial, operational and systemic risks that have dominated since the global financial crisis (GFC) to learn about the sheer uncertainty of the external environment and its effect on the business. Accountancy professionals must truly understand the strategic and business risks that their organisations face today if they are to help them maintain operational resilience in today’s fast-changing, interconnected environment. One size does not fit all Every organisation has its own risk journey, but companies large or small cannot ignore global risks, such as the pandemic, climate change and digital disruption. Accountants need to measure these not-so-easy-to-quantify risks and provide boards and senior management with the narratives needed to plan and prepare. Each industry has its own inherent risks, but we have learned how ferocious the chain effects can become. The lack of visibility in supply chains, for example, has proved that risk cannot be departmentalised. It needs to be aligned and put into context for everyone in the organisation to understand and embrace. ACCOUNTANTS NEED TO MEASURE THESE NOT-SO-EASY-TO-QUANTIFY RISKS AND PROVIDE BOARDS AND SENIOR MANAGEMENT WITH THE NARRATIVES NEEDED TO PLAN AND PREPARE. 7 RETHINKING RISK FOR THE FUTURE | EXECUTIVE SUMMARY What’s in a crisis? It seemed pertinent to initiate ACCA’s Rethinking Risk’s overarching call to arms by inviting Michele Wucker, author of The Gray Rhino: How to Recognize and Act on the Obvious Dangers We Ignore (Wucker 2016), to speak at the virtual meeting of ACCA’s Global Forum for Governance, Risk and Performance in October 2020. She enlightened us with how she came up with the metaphor for ‘a highly probable, high-impact yet neglected threat’ and how accountancy can pay fresh attention to the faster changing world we now find ourselves in. Wucker explained how the gray rhino compares with Nassim Nicholas Taleb’s ‘black swan’, which was introduced in his book The Black Swan: The Impact of the Highly Improbable and published on the eve of the GFC, focuses on ‘rare, unpredictable events (Taleb 2007)1’. She says the ‘unforeseeable’ black swan metaphor did a good job at getting everyone to understand that they cannot predict everything, but that it is often misused because it refers to risks that no one can see coming and, therefore, provides policymakers and business leaders with an excuse for failing to act on climate risk and economic insecurity. ‘The whole point of the gray rhino is that you have a choice because it is something that has been made clear, but you fail to do anything about it. You're more likely to ignore it than you want to admit, and the pandemic has proved that people who can admit this vulnerability actually have more power than everybody else,’ she told ACCA members. She discusses the role accountants can play in helping business and public policy leaders make better decisions in preparing for future gray rhinos in episode 1 of our Rethinking Risk podcast series. ‘THE WHOLE POINT OF THE GRAY RHINO IS THAT YOU'VE GOT A CHOICE BECAUSE IT IS SOMETHING THAT HAS BEEN MADE CLEAR, BUT YOU FAIL TO DO ANYTHING ABOUT IT.' 1 Nassim Nicholas Taleb says the pandemic was predicted and therefore not a black swan (Avishal 2020). 8 RETHINKING RISK FOR THE FUTURE | 1. A NEW DAWN FOR ACCOUNTANCY 1. A new dawn for accountancy The pandemic has increased climate change urgencies, social inequalities and negative impacts of a shareholder-first mentality and forced the world to look at risk in new ways. It has also transformed corporate reporting and turned it into a more dynamic language for doing business in the new norm. We are all risk managers who need to make betterinformed decisions about how we conduct ourselves and work together in creating a more resilient and sustainable world. Accountancy is fundamental to this transformation. The COVID-19 crisis has given the profession an opportunity to reflect on our competencies and how they can help to drive value. It is our duty as a profession to protect the public from these existential threats by preparing and providing accurate information that supports better decision making about these collective challenges the world faces today. Effective risk management depends on good decision making and accountants play a critical role in helping organisations navigate through this complex period not only by detecting and measuring risks, but also by advising boards and senior management on how to address them. As guardians of information, accountants are in a unique position to provide the insights and predictive analyses needed to shape sustainable business strategies for the future. 1.1 The importance of quality data and data interpretation Establishing what data is required in your organisation is essential to best-practice risk management. Accountants need to synthesise both internal and external data to drive the appropriate strategy and mindset required for unlocking value and managing risk effectively. The pandemic has made businesses appreciate the importance of data-driven risk monitoring and how essential it is in helping decision makers understand their purpose and progress – or lack of these. Accountants must constantly consider how to improve the matrices that help shape relevant key performance indicators (KPIs) if they are to unravel the challenges of pricing intangibles, such as carbon emissions and digital and data-related risks, and the impacts these have on their business and society at large. Accountants’ data interpretation skills and how they use those to help organisations appreciate their true risk profiles were put to the test in 2020. ‘Knowing how to communicate data-driven risk insights so that we are able to make the best-informed decisions and aid in the formulation of the organisation’s strategy for the future has certainly made a big difference for my organisation throughout this crisis,’ says Merina Abu Tahir, chief financial officer at Lembaga Tabung Haji in Kuala Lumpur. Data-based predictive analysis has proved particularly crucial in helping manage operational resiliency as well as in identifying emerging and non-financial risks, such as third-party risks whether they be rogue freelancers or bankrupt and non-transparent suppliers. It is essential that accountants provide more narratives to explain the data and learn about how to use new information technologies, so they can help organisations detect the risks before they materialise. Soft skills, such as communicating, collaborating and developing more long-term thinking, are also very important in helping companies extract more meaning from the data. See ACCA’s Analytics in Finance and Accountancy (Evett et al. September 2020) for a deeper discussion on data analytics. ‘Interpretation of the data is more important than trying to make it precise. Understanding the trends and direction of them is what counts.’ Oleg Lebedev, risk consultant and regional co-director of the Professional Risk Managers’ International Association (PRMIA) 9 RETHINKING RISK FOR THE FUTURE | 1. A NEW DAWN FOR ACCOUNTANCY 1.2 Expanding the horizons to identify new risk landscape Accountancy has become a multi-disciplinary profession that can add more value in the new norm by incorporating deeper scenario analysis and ‘what ifs?’ to help identify emerging and external risks before they materialise. Given the information that they gather, accountants should be organisations’ natural storytellers, the ones who understand where the company is and how it can adapt, diversify and progress. Accountancy professionals could be expanding their scenario analyses further by using more information from inside and outside the organisation and finding correlations to explore what could go wrong, how that might unfold over time, and what effects this can have on the company’s various stakeholders. Scenario analysis needs to consider all possible uncertainties, including very unlikely eventualities. Accountants should be leading these evaluations, detecting how one risk affects another, so that finance and treasury teams can feed all potential risks into their stress tests and learn more about what the various outcomes would mean. Getting to grips with the risks and rewards of environmental and social phenomena and appreciating their interconnectedness requires significant lateral thinking, especially as today’s world is changing at such a high speed. Expanding the narratives about these issues helps companies optimise their decision making. While speaking at ACCA’s virtual Accounting for the Future (AFF) conference in December 2020, James Lam, president of James Lam & Associates and an earlier pioneer of ERM said that one of the jobs of accountancy professionals is to identify the core risks that move the dial when it comes to creating value in this new normal and measuring performance of the future. ‘For example, how do we create the right ESG metrics for our organisation, and how do we incorporate them into our risk strategy and align that with our business objectives?’ James Lam, president of James Lam & Associates The necessity of horizon scanning in alerting us to emerging and eternal risks is evidenced by recent research conducted by Lam’s firm which found that when companies in the US lose significant value, 60% of the time it results from strategic risk, compared with 30% of the time from operational risk and 10% from financial risk. Lam, who is widely recognised as the world’s first chief risk officer when he worked at the US-based fund management company Fidelity in the early 1990s, refers to strategic risk as the risk that failed business decisions might pose to a company. Referring to Lam’s Animal Kingdom of Disruptive Risks paper, Tahir adds that in her mind rethinking risk starts with finding out where the organisation’s vulnerabilities are and then articulating what can be done to control them (Lam 2019). ‘As accountants, we are constantly looking for the next black swan, gray rhino or white elephant, but we also have learned that there always will be new types of risks and opportunities hiding out there. I am calling these the green crocodiles.’ Merina Abu Tahir, chief financial officer at Lembaga Tabung Haji in Kuala Lumpur ‘The pandemic proved how important accountancy’s role is in translating the language of risk. How we interpret the data that we gather and articulate it to business stakeholders and top management including CROs and CFOs is something critical.’ Adlin Haryati Arshad, principal in group risk management, a government-linked oil and gas company in Kuala Lumpur ‘The things that stakeholders say are material today, even if they are not yet treated as such, are exactly the things that may become financially significant tomorrow. Listening to stakeholders carefully means you can identify financially material risks early.’ Donato Calace, vice-president of innovation and accounts at Datamaran 10 RETHINKING RISK FOR THE FUTURE | 1. A NEW DAWN FOR ACCOUNTANCY New dynamic of corporate reporting Professor Mervyn King, creator of South Africa’s King IV Code of Corporate Governance and co-chairman with Michael Bloomberg of the Value Reporting Foundation, concludes that corporate reporting is not what it used to be and that accountants have the skills required to lead this transformation to save the planet. He sent this message to ACCA members in April 2021: ‘There has been an exciting rebirth in accountancy because information is the lifeblood of boards in making judgement calls and being accountable. The more informed and transparent companies are, the more accountable they will be.’ Professor King, an honorary member of ACCA’s Global Forum for Governance, Risk and Performance, believes accountancy professionals are the true ‘gamechangers’ in the C-suite given their professional training, which makes them well suited to be the ‘chief value officers’, persuading companies to act on environmental and social urgencies. ‘IT IS A NEW DAWN FOR THE ACCOUNTANCY AND AUDITING PROFESSIONS BECAUSE THEY CAN LEAD ORGANISATIONS IN CHANGING THE MINDSET FROM PROFIT AT ANY COST TO VALUE CREATION, ADDING VALUE TO SOCIETY AND [ACTING IN THE] PUBLIC’S BEST INTEREST.’ 11 FIGURE 1.1: Skill considerations for the risk professional Taxation Ethics and Professionalism Advisory and Consultancy Strategy and Innovation Audit and Assurance Stakeholder Relationship Management Competencies Corporate and Business Reporting Management Accounting Data, Digital and Technology Leadership and Management Governance, Risk and Control Financial Management Ethics and Professionalism Applying knowledge, sensitivity and judgement to act in accordance with fundamental principles of professional and personal ethical behaviour; ensuring the implementation of appropriate ethical frameworks, laws and regulation relating to business and promoting value in the public interest. Advisory and Consultancy Developing insight into both internal and external clients’ business issues, providing expert advice, and adding value to the business or organisational function. Supporting clients’ objectives and plans to improve, innovate and grow; identify efficiencies and respond to changing business conditions. Audit and Assurance Providing high quality audits by evaluating information systems and internal controls, gathering evidence and performing procedures to meet the objectives of advisory, audit and assurance engagements. Corporate and Business Reporting Preparing and communicating high-quality business reports to support stakeholder understanding and decision-making. Data, Digital and Technology Identifying opportunities and strategic options, using digital and data technology, to add value. Using appropriate technologies and tools to support business objectives and plans to improve, innovate and gain advantage; ensuring professional scepticism and ethics are applied when sourcing and using data and digital technologies. Financial Management Implementing effective investment and financing decisions within the business environment in areas such as investment appraisal, business re-organisations, tax and risk management, treasury and working capital management, to ensure value creation. Governance, Risk and Control Ensuring effective and appropriate governance, allowing evaluation, monitoring and implementation of appropriate risk identification procedures; by designing and implementing effective internal audit and control systems. Leadership and Management Managing resources and leading organisations effectively and ethically, understanding stakeholder needs and priorities. Management Accounting Assessing, evaluating and implementing management accounting and performance management systems for planning, measuring, controlling and monitoring business performance to ensure sustainable value creation. Stakeholder Relationship Management Managing stakeholder expectations and needs by aligning the organisation's objectives, engaging stakeholders effectively and communicating relevant information using all appropriate technologies. Strategy and Innovation Assessing and evaluating strategic options and identifying imaginative opportunities to improve performance and position; implementing innovative and cost effective solutions leading to effective change management and business process improvement. Taxation Complying with tax regulation and systems, communicating with relevant stakeholders to establish and ethically manage tax liabilities for individuals and companies, using appropriate tax computation and planning techniques. 12 FIGURE 1.2: Climate risk reporting Conceptual Framework for Financial Reporting Sets out the purpose of general purpose financial statements to provide financial information that is useful for investors, lenders and other creditors in making decisions relating to providing resources to the entity 3.3 Information in other statements and notes about: i. recognised assets, liabilities, equity, income and expenses including information about their nature and about the risks arising from those recognised assets and liabilities; ii. assets and liabilities that have not been recognised, including information about their nature and about the risks arising from them Questionnaires and scoring to help companies, investors, cities, states and regions measure and manage their environmental impacts C2 management processes for assessing risks and opportunities W7 water-related outcomes of climate-related scenario analyses to inform its business strategy F2 Processes and procedures for forest-related risks W3 Processes and procedures for water-related risks Practice Statement 1 Management Commentary Broad, non-binding framework for the presentation of management commentary that relates to financial statements that have been prepared in accordance with IFRS Standards 24 information essential to an understanding of the entity’s most significant resources, risks and relationships 29 clear description of most important resources, risks and relationships that can affect entity’s value and how those resources, risks and relationships are managed IASB IASB CDP CDSB CDSB Framework Scope on climate, environmental and natural capital and financial implications for climate risks. Useful for investors, lenders and other creditors or capital providers, but may also satisfy other stakeholders’ needs REQ-02 disclosures on management’s environmental policies, strategy and targets, including the indicators, plans and timelines used to assess performance REQ-03 Disclosures explain material current and anticipated environmental risks and opportunities affecting the organization SASB Standards Industry-specific standards aiming to facilitate the disclosure of sustainability information that is financially material, decision-useful, and cost effective SASB’s Standards Application Guidance, Section 5.0, suggests that for disclosure topics in the in Standards, companies disclose the entity’s process to identify, assess, and manage topicrelated risks, and how these risks are integrated into the entity’s overall risk SASB TCFD TCFD Recommendations Industry-driven recommendations for climate-related financial disclosures, aiming to ensure that the effects of climate change become routinely considered in business and investment decisions Risk management Disclose how the organization identifies, assesses, and manages climate-related risks Describe the organization’s processes for identifying and assessing climate related risks Describe the organization’s processes for managing climate-related risks Describe how processes for identifying, assessing, and managing climate-related risks are integrated into the organization’s overall risk management GRI GRI Standards Public sustainability reporting on an organization’s economic, environmental and/or social impacts and contributions, positive or negative, towards the goal of sustainable development 102-30 Effectiveness of risk management processes RBC-1 Statement on sustainable development strategy International Framework Integrated reporting promotes a more cohesive and efficient approach to enable a more productive allocation of capital 4.23 Specific risks and opportunities that affect organization’s ability to create value over the short-, medium- and long-term, and how the organization is dealing with them 4.24 Identify key risks and opportunities specific to the organization, including those that relate to the organization’s effects on, and the continued availability, quality and affordability of, relevant capitals in the short-, medium- and long-term *The IASB is undertaking a project to revise the Practice Statement on Management Commentary. The summary provided here relates to the Practice Statement that is applicable at the time of writing, which was issued in December 2020. 13 RETHINKING RISK FOR THE FUTURE | 1. A NEW DAWN FOR ACCOUNTANCY 1.3 Sustainability is about value creation and shifting the mindset In the new dawn of accountancy, and with the acceleration of existential risks, accountancy professionals should consider how they can add more value in helping organisations address the biggest risk of all – failing to address sustainability. There are many ways accountants can help boards and senior management foster a sustainable company culture and it starts by looking at the bigger picture keeping longterm values and stakeholders’ needs in mind. Stakeholder mapping is an effective exercise that involves identifying, analysing and prioritising the groups that have a stake in your organisation’s activities. Stakeholder mapping can help decision makers understand stakeholder expectations better and ensure that they consider the most impactful issues. Our research has found that while an increasing collective action driven by institutional investors and prudential regulators across the globe has produced a keener awareness of environmental and social matters, organisations are not taking as much action, for example, on net zero pledges as shareholders and stakeholders would now expect. This is often because the necessary mindset from the top, the board and senior management, is not evident. This adds on from an earlier ACCA report, Social and Environmental Value Creation (ACCA and CFA Institute, September 2019). Once stakeholders’ needs are considered, companies can identify both the risks that can damage the business as well as the external, systemic risks that the company’s activities can exacerbate for society at large, for example, with their GHG emissions or potential gender pay gaps. The role of accountants in creating applicable matrices to measure these risks is crucial for understanding the impacts and opportunities pertinent to their companies and in providing the transparent information that shareholders and other stakeholders are demanding. These measurements are the basis for setting the right objectives and deciding on which reporting frameworks can help to achieve them. If firms can measure the risk, then they can improve business decisions affected by it. Accountants also cannot overestimate the importance of how they communicate these risks and opportunities because materiality is becoming an ever more powerful driver of strategy and risk management. Accountants can help the board and senior management understand materiality, as materiality itself also evolves, while driving the development of the key KPIs needed to work out how the company is doing and key risk indicators (KRIs) to uncover what might hinder its performance in the future. By evaluating the ESG concerns most relevant to the company and assessing the resources required to manage them, accountants can provide decision makers with the insights needed to prioritise risks and opportunities. Managing risk and sustainability requires a set of values that must be embraced in both top-down and bottom-up fashion if ESG issues are to be addressed successfully. Accountants can position themselves as the ones cultivating this cultural mindset by making sure boards and senior management are well-informed and that the appropriate systems are in place to ensure that the organisation and its stakeholders are adhering to the same values. ‘When we talk to senior management at our investee companies, most of them admit that their business has fared better for using ESG as a warning mechanism for dealing with potential risks. Being more transparent and attractive to new investors simplifies their corporate structure and allows them to be more resilient and cost effective.’ Nguyen Nhu Yen Minh, senior investment manager, at Dynam capital, which manages VietNam Holdings (VNH), an ESG fund, in Ho Chi Minh City ‘Sustainability is about creating value and I believe this is where risk management is headed. Missing the opportunities that these strategic risks present is itself a massive risk to the business.’ Israel Opio, CRO, Ecobank Uganda, member of ACCA’s Global Forum for Governance, Risk and Performance ACCOUNTANTS CANNOT OVERESTIMATE THE IMPORTANCE OF HOW THEY COMMUNICATE THESE RISKS AND OPPORTUNITIES BECAUSE MATERIALITY IS BECOMING AN EVER MORE POWERFUL DRIVER OF STRATEGY AND RISK MANAGEMENT. 14 FIGURE 1.3: The biggest risk of all is failing to address sustainability Source: “Collapsing biodiversity is another looming wave of destruction” by Graeme McKay, Artizans Entertainment Inc. 1.4 Reporting the risks In the polling results from our ‘Addressing Sustainability Risks’ roundtables, members around the world said they believe that reporting changes behaviour with many arguing that it is a mechanism for accountability. Nonetheless, the roundtable discussions also reminded us that sustainable reporting is far more than a marketing exercise. As a member in the US, who is head of internal audit of a household brand in the travel and leisure industry, said: ‘It is difficult to find the evidence to back our sustainability statement.’ ‘Companies are at risk if they have policies to be net zero by 2050 but at the same time do not identify climate change as a significant risk. There's something that they're not understanding, or they might be introducing net zero-related policies for the wrong reasons,’ added another member. One of the pain points for companies engaging in the sustainability reporting journey is deciding what to focus on and which issues to address. Materiality helps to answer this question. It is important to focus on the issues that matter to your business, but also on the issues on which your company may have an impact. There are several reporting frameworks and using them is largely voluntary. Then there is also the question of where you publish the information. Do you include it in a sustainability report and/or in your regulatory disclosures? Members are increasingly migrating to a combination of both. This is discussed further in another recent ACCA report, Invisible threads: communicating integrated thinking (Chen and Hawksley, 2021) 15 RETHINKING RISK FOR THE FUTURE | 1. A NEW DAWN FOR ACCOUNTANCY The art of climate reporting A wide range of factors, such as the nature of production processes and value chains, the location of the business sites and relationships, and interdependencies with customers and suppliers, all play a part in how companies are affected by climate risks. Francis Kamulegeya, senior partner at PwC in Kampala and panellist for the Uganda ‘Addressing Sustainability Risks’ roundtable event in March 2021, said support for clients in eastern Africa tends to be more sector-centric, but that in terms of the frameworks no single one fits all. ‘We help them understand the interconnectedness of financial and non-financial risks, but I always explain that it is becoming trickier to distinguish between the two because at the end of the day all these risks have a financial impact and that's why reporting on them is becoming mainstream.’ A UK member attending another ‘Addressing Sustainability Risks’ roundtable added that accountants need to be looking at certain costs as ‘value adders’. ‘Accountants should be attaching a value to those necessary costs that have benefits to the company, its stakeholders, and the planet. That way, you can also decipher which costs are not adding value and how to avoid that.’ We have found that when it comes to sustainability, the quality of reporting is often for personal preference. Standards that allow people to be held accountable are not being used, especially in sectors such as, mining and healthcare where it's vitally important. Organisations often do the minimum required and this is a bigger problem in that the costs are borne by society not by the company. ‘Right now, companies can defer those costs to the government or to the community involved and therefore keep the benefit, but not the costs. The need to associate costs is a big argument from an economical point of view,’ he concludes. ORGANISATIONS OFTEN DO THE MINIMUM REQUIRED AND THIS IS A BIGGER PROBLEM IN THAT THE COSTS ARE BORNE BY SOCIETY NOT BY THE COMPANY. 16 FIGURE 1.4: The reporting audience Media & Researchers Investors & Shareholders Managers & Directors General Public Employees NGOs & Charities Partners Competitors Consumers Suppliers & Distributors Governments & Regulators ‘ACCOUNTANTS SHOULD BE ATTACHING A VALUE TO THOSE NECESSARY COSTS THAT HAVE BENEFITS TO THE COMPANY, ITS STAKEHOLDERS, AND THE PLANET. THAT WAY, YOU CAN ALSO DECIPHER WHICH COSTS ARE NOT ADDING VALUE AND HOW TO AVOID THAT.’ UK ROUNDTABLE PARTICIPANT 17 FIGURE 1.5: Addressing sustainability risk roundtables, by country Canada and US No Yes 71% 29% No 53% Yes 47% Has your organisation pledged to be net-zero by 2040? Does your organisation have an ESG policy, sustainability statement or strategy for aligning business with UN SDGs? * Polls with 284 responding attendees, March 2021 From an ESG perspective, what do you believe presents the biggest risk to your organisation over the next two years? Biodiversity loss 7% Diversity and Inclusion 31% Mental Health 30% Extreme weather 12% Low-carbon economy 21% Ireland No 62% Yes 38% Yes > a year 9% Yes < a year 9% Don’t know 40% No, plan to within a year 22% No 20% Biodiversity loss 6% Diversity and Inclusion 13% Mental Health 52% Extreme weather 6% Low-carbon economy 23% Has your organisation pledged to be net-zero by 2040? Are you incorporating Data Analytics in your ESG reporting or to advance your sustainability goals? * Polls with 157 responding attendees, April 2021 From an ESG perspective, what do you believe presents the biggest risk to your organisation over the next two years? Western Europe Some 61% None 9% Significant 30% Not yet 42% Yes 32% Working on it 26% What impact did the emergence of the pandemic have on your perception of ESG risks? Does your organisation have a sustainability statement or defined sustainability strategy? * Polls with 77 responding attendees, December 2020 UNGC 1% IFRS 96% GRI 3% Which accounting standards do you use or are aware or in favour of using? 18 RETHINKING RISK FOR THE FUTURE | 1. A NEW DAWN FOR ACCOUNTANCY 1.5 Building trust in the digital society The acceleration of digitalisation and technology adoption was necessary to keep businesses going during the COVID-19 disruption, but the new bag of risks and opportunities that this produces has also intensified the need to build a safer digital society. This is another key area of risk management where accountants can be adding more value in the new normal. As digital capabilities become increasingly vital to most business models, best-in-class practices for cybersecurity and data stewardship are essential. This requires a new level of risk awareness and mitigation where accountants could be helping their organisations better distinguish better between risks and their consequential loss events and outcomes; for example, productivity loss, reputational damage and response costs. Nicola (Nick) Sanna, president of the FAIR Institute and CEO of RiskLens in Washington DC, explains that the world is grappling with a new type of digital risk as we put all our assets online. As a panellist at ACCA’s ‘Addressing Digitalisation Risks’ roundtable in October 2020, he said this is becoming more of an intersection between cybersecurity and operational risk. ‘For example, a trucking company now using driverless trucks is worried about hackers hijacking them and what the repercussions on production and reputational risks are. Same for the financial sector, as firms move applications and data into the cloud. Does that increase or diminish risk? The landscape is changing.’ Nicola (Nick) Sanna, president, FAIR Institute and CEO, RiskLens in Washington DC Accountants understand budgets and profit and loss, so they can use this knowledge to help allocate risk resources. They can do this not only by taking the opportunity to invest in the right resources, but also by understanding the potential losses if management makes a conscious decision not to address certain risks, such as cybersecurity. A previous ACCA report, Cyber and the CFO (James 2019), delves further into this issue. Accountants are also trained to spot suspicious behaviour or inexplicable numbers and to make sure processes are in place to control such hazards. We are living in fast-moving, uncertain times, so accountancy professionals need to optimise their skills in detecting signals and looking for red flags given the reported increase in fraud, money laundering and data breaches. Criminals will take advantage of the lack of effective internal controls at many companies whether by hacking systems or faking documents. Knowing what to look out for means accountants can advise and make sure the necessary controls are in place to mitigate these threats. Accountants can enable the board and senior management to address these risks more proactively and instil a culture that is more risk-conscious and of good behaviour. For more details, please refer to another recent ACCA report, KYC: Is It Time to Digitalise the First Line of Defence (ACCA 2021a) Money laundering enforcement actions and penalties are increasing rapidly in the US, Europe, China and other parts of Asia. According to Global Regulatory Fines Report by Fenergo, a digital client lifecycle and regulatory compliance technology firm, penalties across the globe increased to US$10.4bn in 2020 from US$8.14bn in 2019. In 2020, European anti-money laundering penalties totalled US$5.1bn, exceeding the US$4.4bn in the US. UK regulators gave out penalties totalling US$231.3m, while the largest fine in the world was US$3.9bn and originated from Malaysia (Fenergo 2020). Making sure the proper risk controls are in place can save both the company’s reputation and bottom line. Having found that corporate fines are not always particularly effective, regulators are stepping up their enforcement action and also focusing more closely on holding liable the individuals, such as compliance officers, company lawyers and accountants, who fail to report suspicious activity. WE ARE LIVING IN FAST-MOVING, UNCERTAIN TIMES, SO ACCOUNTANCY PROFESSIONALS NEED TO OPTIMISE THEIR SKILLS IN DETECTING SIGNALS AND LOOKING FOR RED FLAGS GIVEN THE REPORTED INCREASE IN FRAUD, MONEY LAUNDERING AND DATA BREACHES. 19 FIGURE 1.6: Western Europe market roundtable on Rapid Digitalisation What is your knowledge of current digital technologies impacting your company or industry? Very aware, 22% Somewhat aware, 71% Not quite there, 7% Do you understand your company’s appetite for risk? My company has not yet created its risk appetite statement, 39% My company has created its risk appetite statement but I do not know the extent of it, 33% I am well-aware of my company’s appetite for risk, 28% Does your company have an enterprise-wide approach to risk management? Yes, 51% No, 27% We are planning / implementing now, 22% * Polls with 127 responding attendees, October 2020 20 FIGURE 1.7: Western Europe market roundtable on Anti-Money Laundering What industry do you currently work in? (select one or multiple) Banking / Currency Exchange (MSB) / Money Transfer / Payment, 15% Insurance, 5% Retail and Wholesale trade, 4% Casinos & Gaming, 1% Investment, 5% Real Estate, 1% Professional services, 35% Technology, 8% Other industry, 28% Not applicable, 4% Does your Company have an AML program? (select one) Yes, 62% No, 24% Don’t know / Not applicable, 14% What are the biggest AML compliance challenges that you are currently seeing? (select multiple) Increased regulatory expectations and enforcement, 61% Understanding national regulations, 26% Compliance with multiple jurisdictions, 42% Lack of a central EU AML watchdog, 13% Raising awareness among employees and customers, 34% Having sufficient trained staff, 30% Too many false positive results, 11% Budget / Cost of Compliance, 33% Sanctions compliance, 20% Other, 8% * Polls with 191 responding attendees, June 2021 21 RETHINKING RISK FOR THE FUTURE | 1. A NEW DAWN FOR ACCOUNTANCY 1.6 Third-party risks Third-party risks have become more material throughout given the COVID-19 crisis’ accelerating effect on digitalisation transformation. Vigilant companies are realising the importance of thorough monitoring considering that they often lacked oversight of third-party relationships and the complex layers around them. We see these companies investing in more horizon scanning, gap analysis and scenario analysis to address this. With the continuing rise in fraud cases, as members have attested, it is crucial to allocate more resources to due diligence, including in those stakeholders working from home and the new information technologies that have been adopted due to the fast workplace shifts. Organisations have learned that the approaches used before for onboarding and screening third-parties do not address the risks we now face, particularly as these processes are mainly done digitally now. It is important that organisations do not forget the upside in putting necessary resources into managing risk, and view this as an opportunity to make their controls more effective at mitigating losses and taking advantage of opportunities to modernise. ‘We can’t do business as usual anymore. We need to look at extended amounts of time in order to get the full picture and it is going to require a very increased level of integrated thinking. We can’t look at 2020 in isolation and we can’t look at third-parties in isolation,’ says one forensic accountant member in the UK. ‘Just because there is an auditor's report does not mean a company is safe. Likewise, some credit reference agencies are not risk-free because they tend to look at only a single set of accounts for one year and then turn around and give a company reassurance that they can grant an organisation £200k worth of credit. Accountants know that if they examined accounts from previous years, they might find serious issues to flag that would be critical to their decision making,’ the forensic accountant in the UK warns. With processes everywhere becoming digital, the risk of chain reactions are greater than ever before. As most organisations are either already digitally enabled or moving that way more quickly than planned, susceptibility to data breaches, power outages and broadband failures becomes unavoidable. Companies need to be prepared and check that their suppliers and other third-party vendors have the necessary business continuity plans in place. The consequences of something going wrong with a vendor’s digital capability could be even more damaging to your own operations. Third-party problems can lead to a string of other business risks, such as dissatisfied customers. Reputational risk can erupt out of nowhere in the digital world in the event of security breaches, inappropriate interactions, poor recommendations, legal violations or any disruption that prevents a company from delivering its goods and services reliably. Accountants play a vital role in helping their organisations detect these blind spots and understand how they affect and trigger other knock-on effects. ‘Tech is kind of the way we do things, isn't it? And so, in terms of emerging tech risks, you're only ever as safe as your weakest link in the whole system. So, if you're suddenly using a different supplier or platform, that might be a much wider risk than you may think.’ Jane Walde, independent risk consultant, the Holistic Risk Practice, London ‘There are so many evolving risks across the landscape that we didn’t have to face before, and they are bubbling up at the same time and all interlinked. Those companies that operate their risk management in silos are heading into some rough seas in the next few years.’ Tony Manahan, head of Europe office, group internal audit at Takeda Pharmaceuticals in Zurich ‘For many businesses, whether digitally enabled or digitally led, their biggest value is intangible, and that requires governance protection and discussions that are central to accounting.’ Steve Bailey, tech entrepreneur, NED, and member of ACCA’s Global Forum for Governance, Risk and Performance 22 RETHINKING RISK FOR THE FUTURE | 1. A NEW DAWN FOR ACCOUNTANCY The CRO of the future is about turning risk into opportunity Akindele Phillips, co-founder and chief risk officer, at Farmcrowdy, a global agricultural technology (agtech) company based in Nigeria. Phillips is a serial entrepreneurial accountant who started his career at KPMG before first setting up Porter’s World Consult, an outsourcing accountancy service provider that continues to support SMEs around Africa in creating business strategies, putting financial information together and ensuring tax compliance and risk awareness. ‘By outsourcing to more seasoned accountants, they get more value for time and money while at the same time building important relationships as they scale up.’ The visionary of Farmcrowdy is co-founder and CEO Onyeka Akumah, who was a previous client of Phillips as the founder of Anozim Ltd, a digital media company. After selling Anozim, he approached Phillips with another disruptive idea. This time it was about supporting farmers in Africa who often work with tools and practices handed down from generations before and struggle to obtain loans or insurance from traditional financial institutions, which find them too risky. Now as a co-founder and CRO at Farmcrowdy, Phillips is focused on connecting and supporting over 420,000 food value chain stakeholders in maximising output and increasing profits. ‘Data and technology are our bedrock,’ he says. In 2016, the start-up created its unique digital marketplace, Farmgate, which connects all types of food participants and supports them in financing, accessing affordable insurance and obtaining new tools to reduce production costs, grow their businesses and make food access more convenient. During the first lockdown, the company launched Farmcrowdy Foods for people in Lagos. ‘Our technology team is in-house, so we quickly developed this delivery app and took it straight to the market. Consumers could purchase highly affordable food from farmers or supermarkets and have it delivered to their doors during the lockdown. It has grown phenomenally since,’ he says. Identifying the funding risks involved in the food production cycles has been integral to the business as it has scaled up. From learning why poultry needs to be transported before sunrise to convincing insurance underwriters to reap the benefits of an agricultural a co-production system, Phillips says that Farmcrowdy’s innovation has always been driven by solving the risk issues associated with the financial needs of farmers and food producers. ‘By analysing the funding gaps and solving the problems, we are able to generate better returns and still stick to why we exist. We exist to solve the food problems associated with the United Nations Sustainable Development Goal on achieving food security and improved nutrition and promoting sustainable agriculture. Our work started within Nigeria and quickly expanded to other nations in the food value chain,’ Phillips adds. One of the disruptive innovations that he feels proudest of is the development of micro insurance. ‘We worked on getting this into the food value chain to hedge the risk related to our activities in protecting production and to give the stakeholders access to public healthcare, for example. We saw a huge gap in insurance to ensure that when a farmer dies the family can carry on producing and managing the property. We had a lot of convincing to do, but I spoke to an underwriter earlier this year about the returns they are getting from this market now, and they are beyond pleased. We’re talking about a US$10 premium for a year’s coverage, and the beneficiaries can access as much as US$1,000. We’re solving real risk issues and making an impact,’ he says. 23 RETHINKING RISK FOR THE FUTURE | 1. A NEW DAWN FOR ACCOUNTANCY It’s time accountants think ‘outside the box’ Josam Watson, chief risk officer at TYME, a digital banking group headquartered in Singapore, agrees we need to view risk more as a human phenomenon since we are all risk managers in everyday life. Watson, who worked at financial institutions in Africa, Europe and Australia before joining TYME, explained: ‘The first thing you start to see in this transition from big banks to fintechs is how much the financial profession has tried to standardise the way of doing things and cater to the variability of how people in an organisation perceive risks.’ In his opinion, financial professionals in general at big financial institutions have ‘industrialised’ the way we look at risk by creating layers of processes and policies on top of the mountains of data and reports. The result is a huge ‘industrial complex’ that leads to job creation to some extent, but completely misses the point of managing risk. ‘You end up getting stuck in processes and compliancetype activities, which do not work towards meeting the objectives of the organisation.’ TYME is involved in several projects across Africa and South-East Asia, currently planning to launch a new digital bank in the Philippines. ‘One thing I have realised in these critical conversations with potential partners is that I am the only person in the room with a risk governance focus. I ask myself why CFOs and CROs are often excluded in these early conversations when we are starting up a new entity and essentially starting to set the tone. It’s because we generally have been associated with failing to add value by putting fixed ideas into people's minds about risk,’ he explains. He says the financial profession has tainted risk management as we know it by putting it in a ‘box’ where there is a fixed perception of ‘what do I need to tick’ when a difficult conversation arises. ‘It’s as if risk professionals feel they need to demonstrate that they have done their part without creating noise or causing a problem even if there might be one that needs addressing.’ Watson, a member of ACCA’s Global Forum for Governance, Risk and Performance, calls for accountants to reverse this notion by educating stakeholders and convincing them to address risk in a new way that is more helpful for their organisations. He sees nothing wrong with the current content, whether it is ISO 3100 or the Committee of Sponsoring Organizations of the Treadway Commission (COSO) ERM framework, but is instead concerned with how we interpret and apply them to everyday life. ‘We have created processes for the sake of processes, and we have lost the true meaning of why we do things. I think the true risk lesson from the pandemic is to ask ourselves why we do something in the first place, rather than trying to reinvent the actual content itself.’ 24 RETHINKING RISK FOR THE FUTURE | 1. A NEW DAWN FOR ACCOUNTANCY AS GUARDIANS OF INFORMATION, ACCOUNTANTS ARE IN A UNIQUE POSITION TO PROVIDE THE INSIGHTS AND PREDICTIVE ANALYSES NEEDED TO SHAPE SUSTAINABLE BUSINESS STRATEGIES FOR THE FUTURE. 25 RETHINKING RISK FOR THE FUTURE | 2. ERM’S EVOLVING DOORS 2. ERM’s evolving doors As organisations rethink their risk management practices, the opportunities presented to the accountancy profession are profound. Yet above anything else, the pandemic has shown the business benefits of addressing risk from an enterprise-wide perspective. We have found that organisations with established ERM frameworks were able to respond to the pandemic with more speed and suppleness. We have also seen how ERM has enabled these companies to leverage on the opportunities that the crisis presents. 2.1 Crisis response An established ERM framework encompasses all risks, including business resilience, so even if a global pandemic was not identified as a specific risk, the possibility that the company could be interrupted would be considered and the structure for responding to the crisis defined. This is crucial because if additional finance is needed the framework serves as a neutral basis to help senior management decide which risks should take priority over scarcer resources. Sharley Koo, head of enterprise risk management at Zurich Insurance Malaysia in Kuala Lumpur, says the beauty of effective ERM is that it allows you to deal with these uncertainties more strategically. ‘Non-financial risks can be quite subjective with a lot of assumptions, ratings and varied tolerance levels, but I feel that the art of risk management is in addressing operational risks.’ She says the company conducted more frequent reviews throughout the pandemic to assess whether there needed to be more provisions on certain issues and that senior management had to make a lot of quick decisions that could not have happened without its ERM framework. ‘The risk register, for example, does not fully proof you, but it does capture potential risks and our ERM processes give us the opportunity us to act on them immediately.’ A model ERM Dorina Cosbuc, chief risk officer at NN Romania, part of an international financial services group focusing on life insurance, asset management and banking in Europe and Japan, says the wider ERM lens also provides assurance. ‘We have rigorous processes for testing the effectiveness and timeliness of our business continuity and disaster recovery plans, so the fact that this is part of our ERM framework helped us adapt quickly in meeting all the stakeholders changing needs.’ ‘Risk is involved in all aspects of our strategy, including our product development needs in terms of adapting to what is happening in the external environment, for example, adapting to consumer expectations and extending grace periods and expanding coverages,’ she explains. AN ESTABLISHED ERM FRAMEWORK ENCOMPASSES ALL RISKS, INCLUDING BUSINESS RESILIENCE, SO EVEN IF A GLOBAL PANDEMIC WAS NOT IDENTIFIED AS A SPECIFIC RISK, THE POSSIBILITY THAT THE COMPANY COULD BE INTERRUPTED WOULD BE CONSIDERED AND THE STRUCTURE FOR RESPONDING TO THE CRISIS DEFINED. 26 FIGURE 2.1: What is Enterprise Risk Management (ERM)? What else can go wrong and how are risks interconnected? What are we doing about the risks? Response Stress Testing Coverage What are all the risks to our business strategy and operations? How well do we manage the risks? Control Evaluation Culture Risk Appetite How much risk are we willing to take? Measurement & Evaluation How do we determine the size and scope of the risks? Risk Data & Infrastructure Governance & Policies How good are we at overseeing risk taking? How do we ensure we have the right information to manage risk? MISSION, VISION & CORE VALUES STRATEGY DEVELOPMENT BUSINESS OBJECTIVE FORMULATION IMPLEMENTATION & PERFORMACE ENCHANCED VALUE Governance & Culture 1. Exercises Board Risk Oversight 2. Establishes Operating Structures 3. Defines Desired Culture 4. Demonstrates Commitment to Core Values 5. Attracts, Develops, and Retains Capable Individuals Strategy & Objectivesetting 6. Analyses Business Context 7. Defines Risk Appetite 8. Evaluates Alternative Strategies 9. Formulates Business Objectives Performance 10. Identifies Risk 11. Assesses Severity of Risk 12. Prioritises Risks 13. Implements Risk Responses 14. Develops Portfolio View Review & Revision 15. Assesses Substantial Change 16. Reviews Risk and Performance 17. Pursues Improvement in Enterprise Risk Management Source: Adapted from COSO, Committee of Sponsoring Organizations of the Treadway Commission Information, Communication & Reporting 18. Leverages Information Technology 19. Communicates Risk Information 20. Reports on Risk, Culture and Performance 27 RETHINKING RISK FOR THE FUTURE | 2. ERM’S EVOLVING DOORS 2.2 Optimising key indicators is central to effective risk management A successful ERM framework allows an organisation to detect future risks and opportunities. By using the right KPIs and KRIs, organisations not only optimise the decisions they make about risk appetite and future strategy, but also measure the effectiveness of ERM itself. Every company is different, so accountants are best advised to use their own scoring and assessment strategy as a guide for determining the most relevant indicators. Finding the most important KRIs can be especially challenging today given that so many of the risks are intangible and hard to measure. KRIs should be based on any signal that suggests the company could be harmed or headed in the wrong direction and lose value as a result. Areas to consider in developing KRIs include: compliance; business objectives; performance metrics; previous losses or incidents; stakeholder commitments; and various risk assessments, such as audits, self-assessments and stress tests. Once all the KPIs and KRIs are gathered, the next step is to whittle down the broader picture into a core set of measurements that warrant continuous monitoring. Accountants play a key role in both reporting on the KPIs and KRIs and providing more analysis on them. It is important that accountants articulate how these measurements should shape the organisation’s strategy. The board and senior management are not only interested in what risks the finance team sees, they also want to know the team’s views about the consequences should these risks materialise. BY USING THE RIGHT KPIs AND KRIs, ORGANISATIONS NOT ONLY OPTIMISE THE DECISIONS THEY MAKE ABOUT RISK APPETITE AND FUTURE STRATEGY, BUT ALSO MEASURE THE EFFECTIVENESS OF ERM ITSELF. 2.3 Risk culture and integrated thinking in ERM ERM requires integrated thinking, hence understanding risk from all parts of the business and providing a unified platform for oversight and accountability. ERM guides companies to manage risk holistically and as they arise, so that when unanticipated risks such as COVID-19, strike each person knows what their role is and works collaboratively to manage the impacts. The pandemic has given companies, large, medium or small, a strong wake-up call for thinking more about risk culture and how it contributes to long-term success. A business is more able to adapt to change and react to disruption when risk is in the conversations with stakeholders at all levels: when everyone is accountable to some degree and understands why certain processes exist to control the risks. ‘ERM includes everyone in the organisation, so from employees in the lowest grade of the hierarchy structure up to the board. With ERM, everyone in the organisation holds some accountability for the risks that the organisation takes,‘ affirms Israel Opio, chief risk officer of Ecobank in Uganda and Chairman of the Uganda Bankers’ Association Risk Committee. He says that effective risk management cannot be left to one unit. ‘Risks should be taken seriously by every individual in the organisation to be sure the company survives such turbulent times as COVID-19.’ An organisation’s culture always determines the effectiveness of its risk management. ‘To me it is the elephant in the room because a healthy risk culture means risks are reported and raised, not stuck somewhere inbetween,’ adds Jane Walde, independent risk consultant at The Holistic Risk Practice in London. ‘We have a strong mitigating controls framework but needed to train and increase awareness of the staff given the unprecedented situation.’ Sharley Koo, head of enterprise risk management at Zurich Insurance Malaysia ‘You see how much value is added when you get the organisation to align its operations and take a horizontal view of risk. I think this is one of the most crucial lessons learned about achieving operational resiliency given the accelerating digitalisation we are seeing across all sectors today.’ Atif Shaikh, operational risk lead at Facebook 28 FIGURE 2.2: What do you believe presents the biggest risk to your organisation over the next two years? China Hong Kong, Malaysia and Singapore 4% 26% 15% 19% 26% 1% 6% 3% 16% 30% 13% 10% 27% 3% 1% Nigeria Pakistan 12% 14% 14% 28% 29% 2% 12% 20% 22% 20% 24% 2% Uganda Western Europe 18% 18% 15% 44% 5%* 13% 19% 9% 22% 29% 2% 6% * Combined figures for Extreme weather and Transition to low-carbon economy ** Online polling questions to members, March 2021 Cyber threat (including fraud, data theft/misuse) International trade (eg geopolitics, tariffs, supply chain) Workforce disruption (eg mental health, reskilling) Regulatory changes Industry disruption (eg consolidation, defaults, bankruptcies) Extreme weather Transition to a low-carbon economy Other 29 FIGURE 2.3: What risk activity is your organisation most likely to upgrade in 2021? 37% 4% 20% 7% Nigeria and 4% Uganda 29% 14% 8% China 5% 19% 30% 1% 38% 23% 7% Hong Kong, 5% Malaysia and 8% Singapore 32% 4% 33% 4% 13% 12% Western 2% Europe 27% 18% * Online polling questions to members, March 2021 Risk register and scenario development Operational resilience 10% 51% 2% Pakistan 20% 12% Risk culture for new working conditions Board engagement with risk 30 Insurance and risk transfer More defined objectives Other RETHINKING RISK FOR THE FUTURE | 2. ERM’S EVOLVING DOORS 2.4 The value of whistleblowing While the pandemic proved how important ERM is in addressing risk during turbulent times, more could be done when it comes to ensure that there is a neutral platform where people across the firm to speak up and share information. This is especially true for whistleblowing, when someone suspects wrongdoing, such as, a financial misconduct or harassment. With rapid digitalisation, remote working and rising mental health issues, the world is ripe for increased fraud and unethical behaviour. As noted in Part 1, anti-money laundering enforcement is increasing globally (Fenergo 2020). The person doing the whistleblowing can be anyone associated with the organisation, whether internally or externally, so for example, it might be a supplier or even a customer. It is important that stakeholders understand how important whistleblowing is to an organisation and the wider society, and how it can protect an organisation from suffering steep fines and reputational damage, particularly if matters are resolved internally before becoming public in the press or leaked on online platforms. Accountants themselves have a duty to assess any risk of material misstating, fraud or error, and indeed could be liable if they do not report this through proper channels. The profession is well placed to help create effective whistleblowing systems that enable confidential reporting of irregularities and help mitigate losses stemming from wrongdoings. Making sure the entire company and its stakeholders know about their whistleblowing system and feel comfortable using it is key. Fear of recrimination is probably one of the biggest reasons for not reporting suspicious behaviour beyond not realising it is something they should speak up about. More also needs to be done to ensure that the escalation process works, so that when investigations are launched, they are not closed without good reason, for example. Boards and senior management could be doing more to ensure that staff and other stakeholders are educated to recognise the warning signs of wrongdoings are and how valuable and much appreciated whistleblowing is. The whistleblowing channels need to be clear and accessible to encourage people to report wrongdoings and be risk conscious. Accountants could advise the boards and senior management on how to assess whether stakeholders understand the system and their obligation to use it. There must also be a known level of tolerance, especially when you consider more qualitative risks, such as health and safety and other important social issues. ‘It can become horribly political when you try to articulate these risks to the board because they will come back and say they have no appetite for failing on these things, but then you ask why are they operating in such a way. It’s a very tough conversation,’ Walde adds. Transforming risk management as a value creator in this respect requires new levels of education, engagement and collaboration with stakeholders. This becomes easier said than done at a time when trust in public leaders is at an all-time low.2 ‘Risk workshops are always helpful exercises, but it can take time to convince people lower down the organisation that they won’t be called out for speaking up about risk or wrongdoings. The challenge is getting employees to trust management, but once they do you will find that some things potentially very detrimental to the organisation can start to surface. Often some of the best input comes from people lower down the food chain because they're the ones who really see what’s going on.’ John Reidy, ex CRO Amersham Plc and risk consultant in Toronto AREAS OF ERM THAT THE PANDEMIC PROVED COULD BE IMPROVED ✓ Better alignment between ESG disclosures and sustainability statements ✓ Greater due diligence and visibility in supply chains ✓ Mitigating third-party risk in the digital world ✓ More effective whistleblowing policies ✓ Overhauling cybersecurity and data protection policies ✓ Enhancing engagement between senior management and board/ audit and risk committees 2 The 2021 Edelman Trust Barometer reveals that people do not know where or whom to turn to for reliable information (Edelman 2021). 31 RETHINKING RISK FOR THE FUTURE | 2. ERM’S EVOLVING DOORS 2.5 ESG: the new frontier of ERM As ESG issues intensify and increasingly interconnect, the need for proper integration is essential to an organisation’s long-term success. An enterprise-wide view is necessary to attain the mindset needed to integrate ESG-related risks effectively. Hence, the convergence of ERM and ESG continues to be an important focus for accountants as regulators and other stakeholders increasingly require companies to report their ESG impacts. Integrating treatment of ESG risks makes sense to do from an enterprise-wide perspective because it allows the company to deal with them in a structured and more strategic way as part of its aggregate risk management. Organisations with an enterprise-wide view of their aggregate risk can monitor and report on KPIs and KRIs more efficiently and accurately, and leverage existing metrics by repurposing them towards ESG goals. ERM allows the organisation to reduce the downsides more effectively while also capturing opportunities and enhancing long-term performance. Dorina Cosbuc, CRO at NN Group in Bucharest, who also sits on NN Romania’s board and board risk committee, says accountancy professionals are in a unique position to identify the issues that are relevant to the organisation in shaping strategies for the future with the pertinent ESG matters in mind. ‘We use six different sets of accounting standards, so there are a lot of computations to process and connect. Our analysis of this information is what helps steer the business by supporting our decision making and helping to define our risk appetite and consequence impacts on our stakeholders, society and the environment,’ she says. Nevertheless, we see companies struggling to cope with the potential hurdles involved in integrating ESG risks into ERM frameworks. The first challenge is getting commitment from the board and persuading it and senior AS ESG ISSUES INTENSIFY AND INCREASINGLY INTERCONNECT, THE NEED FOR PROPER INTEGRATION IS ESSENTIAL TO AN ORGANISATION’S LONG-TERM SUCCESS. management to set the right tone. Everyone across the company will have their own interpretations of what ‘risk’ and ‘sustainability’ mean, so objectives need to be well publicised and understood. For example, climate change risks while urgent can be exceptionally broad and lead to a multitude of questions and different scenarios. Various teams across the company will also have their own idea about which of the UN Sustainable Development Goals to consider and what to report on in this regard. In addition, the roundtables show that finance teams and internal audit teams often find it difficult to align ESG disclosures with sustainability statements, which in practice means that some organisations could be exposed to risks that are not always being accounted for as intended. ‘When we talk about ESG, we have steering committees, leadership teams and support from our top executives. We know what our objectives and targets are and how they match up to the 17 SDGs. I also feel like we have the right numbers, but it goes beyond this because when it comes to Integrated Reporting, how are both internal and audit going to provide assurance on what's been collected versus what we're putting out there and saying this is what we've achieved,’ one member in the US confides. See also ACCA’s recent report, Invisible Threads: Communicating Integrated Thinking (Chen and Hawksley 2021), which discusses how integrated thinking of the organisation supports decision making. This is also addressed with examples of each capital in ACCA’s Financial Insights – Reimagined (Furness et al. 2020). ‘What’s special about environmental and social factors is that these risks are very much interconnected, and they potentially threaten the whole stability of the financial and industrial systems as we know them. This is why it becomes vital that the risk management of a company has a set of reliable information on which to take decisions, and also discloses the information to external stakeholder investors in particular that are sort of calling for this type of information.’ Giovanna Michelon, head of the accounting group at University of Bristol School of Accounting and Finance, and chair of ACCA’s Global Forum for Governance, Risk and Performance ‘Over the past 18 months we have moved in the right direction and the objectives are all well-intended, but there are some functions that don't seem to be connecting together and that’s when it becomes more difficult to integrate.’ ACCA member who preferred not to be named 32 RETHINKING RISK FOR THE FUTURE | 2. ERM’S EVOLVING DOORS 2.6 ACCA’s circle of CROs The governance structures of ERM in the financial sector are mainly regulatory driven with a chief risk officer often having a reporting line to the risk committee chair and the Chief Risk Officer. Chief risk officers are present across non-financial corporates with established ERM frameworks. We reached out to nearly 150 CRO members around the world to hear their views on how the role of accountancy is evolving with risk management and where it adds value in today’s fast-changing risk landscape. Patrick Schueepp, CRO at Bank Avera in Switzerland, says the shock of the lockdown required a ‘technical understanding of accounting on all sides’ to come up with anything telling about what the sequence of events might be. ‘Q2 2020 was a helpful experience in terms of what we had learned about the risk transmission mechanism and how we combined that with the CFO’s understanding of what was happening P&L [profit and loss] and balance sheet-wise. We still faced an unprecedented challenge of putting any meaningful values behind the numbers because we were talking about a V-shaped recovery one minute and a “U” or “W” the next.’ Patrick Schueepp, CRO at Bank Avera in Switzerland Schueepp says working through the pandemic in real-time ‘has been an exhilarating learning experience since the various outcomes have been so difficult to grasp compared with previous crises.’ He notes how financial professionals in the banking sector tend to look at expected value but suggests that in hindsight, given the experiences of 2020, we should be focusing more on fat tail risk variances. ‘If you wrap these pictures together, you’ll get more narrative around the numbers.’ See also ACCA’s report The CFO of the Future (Webb and Lawson 2020). H. Hakan Ekinci, head of global operations at S.P. Hinduja Banque Privée in Geneva, says the pandemic reminded us why those in senior management should interact more like business partners. He says a key goal for CROs is finding the right balance between controlling the risks and allowing the business to pursue its objectives. ‘The best CROs don’t stunt the business, they think strategically about the future, and earn trust along the way. The CRO needs to be in the loop on everything to understand the company’s objectives,’ explains Ekinci, who has worked as both CFO and CRO in the private banking sector. Akofa Dakwa, CRO at Bank of Africa in Ghana, says ERM in Ghana’s financial services sector was already evolving fast following the country’s banking crisis in 2018, which led its central bank to impose new risk governance directives to ensure boards understand their risk profiles better and operate more in line with international best practices standards, for example, by at least forming an independent risk committee. While this has consequently forced larger non-financial corporate borrowers and suppliers to become more risk aware over recent years, most of them still address risks in silos and do not have business continuity plans in place. ‘The need for managing strategic risk has really come to the fore in Ghana. Companies in all sectors are looking at how they can diversify their business to survive the transformations that the pandemic has accelerated by considering the future needs of customers and how to employ more digital methods of doing business with them. Our economy is also facing increasing sovereign and fiscal deficit risks due [owing to] the pandemic, so companies need to gain a better understanding about how these macro risks impact all parts of the business moving forward.’ Akofa Dakwa, CRO at Bank of Africa in Ghana Even though Africa had experienced Ebola and other epidemics, COVID-19 has forced the bank to think more than ever before about the interdependencies of risks. ‘We cannot afford to ignore how something that happens across the world might affect us, and that includes the various recoveries from country to country.’ ‘We’re in the business of taking on risk, so it’s important to have varied perspectives of accountancy and risk blended together to help decision makers consider what legal, people-related and other strategic risks are worth taking.’ H. Hakan Ekinci, head of global operations at S.P. Hinduja Banque Privée in Geneva She says the pandemic has forced the bank to rethink its attitude and approach to ESG risks, particularly within its portfolio. ‘We now look at the risks of climate change on every company that we finance and how each individual business monitors environmental impacts.’ 33 RETHINKING RISK FOR THE FUTURE | 2. ERM’S EVOLVING DOORS How does an accountancy background suit the CRO? Rizwan Ikram, chief risk officer at Mobilink Microfinance Bank in Islamabad, recalls how an accountancy background has helped him work through the past three crises, particularly in conducting different sorts of analyses and creating crucial matrices for risks that are not easily quantified. ‘In my first risk role, Pakistan was feeling the impact of 9/11 and given the sanctions the economic situation was not great. Then we got struck by an earthquake, which made things even more challenging.’ After the GFC, risk management gained more recognition in Pakistan’s microfinancing sector as being relevant to something more than credit- and market-related issues and Ikram immersed himself in getting the right risk mitigation and transfer strategies in place. One of the microfinance CEOs recently thanked him for making the case for these improvements back in 2008. ‘He told me that all these things make even more sense to him now.’ Ikram says the COVID-19 crisis put a new spotlight on people-related risks and why it pays to align risk management with all business units. For example, he points out that it is now very important in today’s world to consider how operational weakness and credit risks are interlinked. ‘If a loan has gone delinquent, it may not be due to the borrower’s inability to pay. Delving into underwriting processes and HR’s involvement in this provides you with more insights about the exposures.’ He has been analysing data correlations between delinquencies and income losses for years to identify such vulnerabilities and build matrices to help quantify them. This helps decision makers at the top implement necessary new controls and product changes. ‘It’s the tone at the top that is pivotal in setting risk culture,’ he concludes. Mobilink, a telco allied bank, is the largest bank in Pakistan with 30 million-plus depositors3. 3 By the time of publication, Ikram will be working in a new role as CRO at Telenor Microfinance Bank in Pakistan. 34 RETHINKING RISK FOR THE FUTURE | 2. ERM’S EVOLVING DOORS ERM REQUIRES INTEGRATED THINKING, HENCE UNDERSTANDING RISK FROM ALL PARTS OF THE BUSINESS AND PROVIDING A UNIFIED PLATFORM FOR OVERSIGHT AND ACCOUNTABILITY. 35 RETHINKING RISK FOR THE FUTURE | 3. GOVERNANCE IN THE RISK GALAXY 3. Governance in the risk galaxy One of the primary roles of accountants is protecting the interests of stakeholders by ensuring that the relevant risk controls and frameworks are in place and that the board receives accurate and reliable information for planning and strategising for the future. The pandemic has reinforced the importance of accountancy in also providing crucial advice about the risks and opportunities to consider in the post-pandemic environment. 3.1 What is your appetite for risk? There is a recurring realisation, particularly among CRO and NED ACCA members, that risk managers need to focus more closely on how we take on risk rather than only on how we mitigate it. This requires a consideration of both quantitative and qualitative elements, and the risk appetite statement can serve as a customised compass for decision makers. A risk appetite statement effectively sets the tone for risk management at an organisation and should be determined and owned by the board. It is a subjective exercise and can be one of the most confusing and controversial topics for stakeholders, especially in turbulent times because actual risk appetites can change but the risk appetite statement itself is commonly updated only on an annual basis.4 Even so, employing a risk appetite statement has proved to be useful for many organisations during the pandemic to the extent that it enables decision makers to accept in a conscious way the risks that correspond with their organisation’s purpose and strategy and with the available resources required to manage them. The organisation is also more likely to meet its strategic goals when its appetite for risk is linked to operational, compliance and reporting objectives. In episode 2 of the Rethinking Risk podcast series, David R. Koenig, CEO of the Directors and Chief Risk Officers (DCRO) Institute and author of The Board Member’s Guide to Risk (Koenig 2020), explains that boards must in future move away from the ingrained notion of risk as a loss, and focus on opportunities that help organisations achieve their goals more efficiently. He emphasises how fundamental an organisation’s risk culture is to gaining ‘The risk appetite statement is not perfect, but it keeps us focused on the right risks because we constantly have to measure what we are doing against this benchmark, since as we know uncertainties and their values can change quickly. We’re always getting better at how we address credit and market risks, but operational risks are trickier to quantify, and this is another way to help us manage them.’ Curtis Wong, chief risk officer at GE Capital China and the Asia-Pacific in Shanghai the trust of its shareholders and stakeholders, and how purposeful businesses create value not just for themselves but for the society at large.5 ‘If we want to continue serving those who rely on us in better ways, we need our organisations to be the best they can be at taking risk.’ He says accountants play an influential role in driving more qualitative discussions about the organisation’s risk appetite, especially when thinking about emerging risks, such as climate change and digital divides. This also is another area where more stakeholder mapping could help by gauging perceptions of risk appetite and the required resource allocations for managing specific risks. Risk appetite is referred to as ‘risk attitude’ in some cultures because of the different translations. Although non-financial corporates have struggled to apply it over the years mainly because of difficulties in reaching a consensus on an agreed level of tolerance, the pandemic has forced companies to understand their appetite for risk more and realise the value of staying within it when making decisions. Accountants could be helping companies adopt the risk appetite concept more practically to improve their ability to choose the right risks. 4 The Committee of Sponsoring Organizations of the Treadway Commission (COSO) published new guidance on risk appetite in May 2020 (Martens and Rittenburg 2020). 5 The DCRO website is at . 36 RETHINKING RISK FOR THE FUTURE | 3. GOVERNANCE IN THE RISK GALAXY Alfred Brian Agaba, managing director and founder of the consulting firm ACLAIM Africa, has been involved in training 100 SMEs in sub-Sahara Africa as part of a programme funded by the German government, and says understanding risk appetite is fundamental to all decision making. ‘If you are in construction and your capacity has enabled you to construct 20 houses a month, but you find an opportunity to construct 50 units by sharing that risk with a partner firm that you approve of and feel comfortable sharing that risk with, what would you do? On the other side of the coin, let’s say you have been constructing three-bedroom apartments, and an opportunity to construct a multi-store shopping mall comes up. It’s a great proposition, but also out of your depth even if you have experienced alliances. Let’s then look at it from a risk reduction point of view. If you have an opportunity to construct 50 units, and you negotiate your way around to 30 even though your capacity is 20, that still stretches you, but what would you do?,’ he explains. 3.2 Risk governance structures The pandemic continues to draw renewed attention to the importance of good risk governance and how structures should be applied more practically in a way that suites an organisation’s objectives and the risks inherent in its activities. Structures, such as the risk appetite statement, are designed to be guides, not handbooks, and boards have learned that they need to be more proactive to ensure that these help address the tougher challenges of managing stakeholders’ changing needs. We have seen that management at companies with even the largest market capitalisation can become disconnected from their long-term objectives. Boards could be asking more questions about the business risks to ensure, for example, that supply chain management is aligned with operational risk objectives. Accountancy professionals can add more value by ensuring a better flow of information between the two lines and by a) providing additional insights on the risk reporting requirements themselves and b) encouraging more alignment across business units. ACCOUNTANTS COULD BE HELPING COMPANIES ADOPT THE RISK APPETITE CONCEPT MORE PRACTICALLY TO IMPROVE THEIR ABILITY TO CHOOSE THE RIGHT RISKS. In 2020, the Institute of Internal Auditors (IIA) revised the Three Lines of Defence Model it first published in 2013 (IIA 2013; BDO UK 2020) to help define the roles, responsibilities, and relationships between internal audit and operational management, risk management and compliance function.6 The updated version, which the IIA now refers to as The Three Lines Model, can provide, when applied practically, integrated assurance that the organisation is under control and on track to achieve its Pragmatic best-practice in the public sector Emma Costello, chief financial officer at the Reserve Bank of Australia, says risk governance must be applied in a pragmatic way if it is to be effective, especially in today’s complex world. ‘Risk appetite can start with aspirational statements, but you quickly need to get into the nitty gritty of metrics and tolerances as this is how the organisation understands what the rules are.’ for staff and other stakeholders. She also says that drawing the link between risk appetite and gaps within a control environment is key to making more beneficial, risk-based decisions. Costello, who is new to the public sector after working for more than 25 years in financial services both in Ireland and Australia, most recently leading the Controls Office and Business Performance agenda for Risk Management at Commonwealth Bank in Sydney, emphasises that if the foundation for risk management is set from the top, meaning the board and senior management, the organisation’s risk appetite becomes much more tangible ‘Maybe it's my accountant mindset, but in my view if you cascade risk tolerances as metrics it becomes pretty obvious where the limits are. Understanding how risk is assessed and measured clarifies when we are out of tolerance. Clear reporting to governance committees seeking to accept a risk – on the understanding that there is remediation under way to bring us back within our risk tolerance – drives a positive pro-active risk culture.’ 6 In July 2020, the IIA announced an update to the Three Lines of Defence Model, . 37 RETHINKING RISK FOR THE FUTURE | 3. GOVERNANCE IN THE RISK GALAXY goals. The Risk Coalition, another partner association, advocated this in its Raising the Bar paper (Risk Coalition 2019), and in more recent commentaries has added that the revised version can encourage even greater collaboration across all three lines to provide integrated assurance to the board on the achievement of strategic objectives.7 The Three Lines of Defence Model is also discussed in further detail in both ACCA’s Risk and Performance: Embedding Risk Management (Ashby et al. 2019) and Risk and the Strategic Role of Leadership (Ashby et al. 2018) In the 2109 ACCA report, the authors reformulate the original Three Lines of Defence Model by explaining why it is not black-and-white and by considering modes of accountability rather than lines of defence. See Figures 3.1 and 3.2 “Within the three modes of accountability, the risk management function is accountable for designing the organisation’s formal risk management mechanisms (registers, risk matrices, etc.) and overseeing the risk-taking and control decisions that are made by other business units and functions. In turn, these business units and functions are accountable for using the mechanisms provided by the risk management function to help make risktaking and control decisions that are consistent with the organisation's risk management and strategic objectives. The internal audit function is accountable for providing assurance that all risk-taking and control decisions and the risk management mechanisms used to support these decisions are appropriate. An important difference between these three modes of accountability and the three lines of defence is that the former overlap in how accountability is distributed, though the degree of overlap can vary. This overlap is important, because it facilitates trust and cooperation across the three accountabilities. Trust and cooperation that can help to mitigate the adverse consequences of risks or exploit the opportunities that can come from risk exposures. The arrows which turn from red to blue in the shaded area where the three modes overlap illustrate potential threats which have been turned into opportunities,” as stated in the report. Dinisha Sasietharan, risk and audit partner at Spark, New Zealand’s largest telecommunications company, agrees it is important to tailor the governance structure in a way that most helps your organisation best meet its objectives. ‘From a risk and audit perspective, we don't have separate three lines of defence since my team is responsible for both risk management, line two, and internal audit, line three. We made this change to combine them five years ago because we felt we could advise our stakeholders better by working more closely with the business units in understanding the potential risks and providing the appropriate assurance for mitigating them.’ Dinisha Sasietharan, risk and audit partner at Spark, New Zealand FIGURE 3.1: The Three Lines Model EXTERNAL ASSUARNCE PROVIDERS GOVERNING BODY Accountability to stakeholders for organisational oversight Governing body roles: integrity, leadership and transparency MANAGEMENT Actions (including management risk) to achieve organisational objectives First line roles: Provision of products/ services to clients; managing risk Second line roles: Expertise, support, monitoring and challenge on risk-related matters INTERNAL AUDIT Independent assurance Third line roles: Independent and objective assurance and advice on all matters related to the achievement of objectives KEY: Accountabilty, reporting Delegation, direction, resources, oversight Alignment, communication coordination, collaboration 7 . 38 FIGURE 3.2: The Three Modes of Accountability Model BUSINESS ENVIRONMENT RISK RISK MECHANISM: IMPLEMENTATION MECHANISM: DESIGN MECHANISM: ASSURANCE CONSEQUENCES OF RISK TO FIRM 3.3 Board composition and diversity of thought Diverse composition of boards and board committees is an important ingredient for managing risks effectively and not missing the opportunities they present. The pandemic forced many to reconsider their policies for board succession planning and processes for appointing new directors to ensure they have the right people for the job and represent the range of stakeholders and their priorities. The crisis has also proved how critical diversity is for better decision making and that it doesn’t stop at gender and race. Social and professional diversity, where board members have varied backgrounds, is proving very important in making sure risks relevant to the organisation are being addressed properly. Diversity of thought helps boards detect the gaps in their planning and the emerging risks that are connected to climate change, digital disruptions and protectionism, for example. It is important to appoint directors relevant to the company’s line of business and customer-base, but it also is important to have members with different backgrounds asking hard questions. Kathryn Kerle, chair of the audit risk and evaluation committee at the Microbiology Society says: ‘I think I was put on the committee in part as a nod to diversity as I'm the only non-microbiologist. Although microbiologists might have expected a pandemic at some point, we all need to rethink what tools we need to deal with uncertainty. The crisis has highlighted non-balance sheet risks, such as health and safety issues and cybercrime as more work moves online.’ She attests that having diverse points of view helps the board committee to create more in-depth narratives about the problem of risk versus uncertainty by trying to ascertain what the consequences would be if a given risk materialised, including estimating what the financial impact would be. ‘If we're managing risk, and we know the range of potential outcomes, our job is to figure out which one of those is most likely. But if we are dealing with uncertainty, and we don't know the range of potential outcomes, probability analysis and statistics have nothing to tell us about it. We are living in an uncertain world, and that's why we need to start thinking about what could happen and creating those narratives.’ 3.4 Board evaluations Assembling a team of intelligent, well-meaning directors doesn’t always guarantee the board will work effectively in exercising their governance and risk oversight responsibilities. Regular board and board committee evaluations can help boards set and achieve the objectives best suited for the organisation, given the market it operates in. Whether such evaluations are conducted externally or as self-assessments, we find that those who commit to conducting them regularly benefit from: stronger leadership; increased clarity of roles and responsibilities; improved teamwork and communications; greater accountability; better decision making; and more efficient board operations. Board evaluations are included as part of corporate governance codes in many jurisdictions and by most stock exchanges around the world. We have found that more 39 RETHINKING RISK FOR THE FUTURE | 3. GOVERNANCE IN THE RISK GALAXY shareholders are asking for independent board evaluations for the year 2020 to measure their board’s ability to govern effectively during a crisis and address emerging issues, such as diversity and inclusion, disruption preparedness, geopolitics, cybersecurity, innovation and ESG initiatives. Boards are also increasingly being asked to do more individual director self-assessments. Boards can use these to improve accountability and communications, and ensure that the organisation is progressing in the right direction and meeting its objectives efficiently. Self-assessments of boards or individuals should not be a ‘tick the box’ exercise and while there is no perfect template, self-assessment is an opportunity for continually improving governance. managing risk today, whether this is done depends on the organisation and its appetite for risk. He notes that the board is accountable for risk whether there is a separate board committee or not, and that companies must decide what their risk oversight objectives are. In his view, ‘banking has had the independent capital adequacy assessment process for some years now, and if you include the risks of the pandemic that we're seeing now in the operational risk space, they have been in the ‘too-difficult to measure” pile for some time. So, in terms of the effectiveness of the committee, it's always going to be difficult to manage a crisis through a board committee only.’ Since there is no prescriptive methodology, boards can design the process to meet their own relevant objectives and tailor evaluation methodologies to their current circumstances. It is important that accountants help spot the gaps between what the board is striving for and how it currently operates. 3.5 Risk and audit committees: to be or not to be separate Before the pandemic, boards of non-financial corporates rarely set up a separate risk committee if it was not required to by regulators, but we have found that this is changing as risk has risen to top of board agendas and concerns about ESG, digital transformations, and other non-financial risks have become more pressing. Some companies with carbon-neutral targets have decided to put in place combined risk and sustainability board committees. Sharley Koo, head of enterprise risk management at Zurich Insurance Malaysia, says ESG is gaining momentum in her country and refers to initiatives by the central bank, Bank Negara, and the Securities Commission Malaysia in getting financial institutions to address climate risks. She says her firm is addressing ESG at the board-level now and considering green bonds and other green finance investments for its insurance portfolio. ‘It has to start from the top because it is a mindset and we successfully convinced the board in Malaysia, in April 2020, to change the name of our “Serious Management Board Committee” to the “Risk Management and Sustainability Board Committee”, and I think if it weren’t for the pandemic we’d be farther along in this process.’ Pragmatism and flexibility within the organisation are what is needed to manage the existential threats that we're seeing today and the board should be driving that. There is also no one-size-fits-all approach because there are many factors, such as the size and complexity of the organisation and its business interests. The other aspect is organisational because ‘you've got to cut your cloth to meet your means’ so you can argue that it makes sense for some organisations to combine risk and audit into one committee even if they are technically two separate lines of defence. In ACCA’s ‘Audit & Risk Committees’ virtual roundtable, held in January 2021 and co-hosted with the Professional Risk Managers’ International Association (PRMIA), members debated the different cases for creating separate risk committees and moreover how to do it (ACCA2021b). One non-executive board member and audit and risk committee chair in the UK said that, in his view, more organisations believe that risk oversight is much more effective with the combined audit and risk committee than with separate committees. ‘If you go back to the role of the audit committees, it is to ensure that business objectives are achieved. This is underpinned by the internal control framework, which includes compliance and makes sure that we are delivering those strategic objectives. It also includes internal and external verification, so if you look at it from that perspective, it is difficult to disaggregate that as the two naturally come together to provide board assurance.’ Financial sector companies in most jurisdictions around the world are required to have standalone board risk committees, often requiring the chief risk officer to sit on the committee and reports to the chair. One member in the UK who works in banking says that while there are more than enough reasons to put a standalone risk committee in place, given the complexities of What can be learned from the pandemic, from a risk governance perspective, is that the board is accountable for assuring that the organisation is operating within its risk appetite and that emerging risks are being identified. Boards need to make sure these existential and catastrophic risks are being monitored and that plans to address them are in action. 40 RETHINKING RISK FOR THE FUTURE | 3. GOVERNANCE IN THE RISK GALAXY A separate risk committee or combined risk and audit committee should be looking at those risks that have escalated and those that have been reduced, with particular emphasis on what the consequences could be if any of these risk materialise. It is important that members of these committees ask themselves why these risks are reducing or increasing, and understand what impacts these trends may have on the organisation in future. The pandemic has also proved the mutual dependence between audit and risk management and that it makes sense to see how the two committees can work together more closely to help organisations meet their objectives. Accountants are crucial in this case because risk and audit committees rely on accurate information and analysis to effectively manage risk. ‘I think the pandemic and increased focus on climate change financial disclosures, particularly TCFD [the Task Force on Climate-related Financial Disclosures] which links risk with financial disclosures, have brought audit and risk together more whether there are two separate committees working together or one combined,’ another UK member added. FIGURE 3.3: PRMIA-ACCA UK roundtable on Audit and/or Risk Committees How does your organisation's board oversee audit and risk? Separate Risk and Audit Committees, 31% One Audit & Risk Committee, 57% Other, 12% Which sector is your organisation in? Financial Services (including insurers, challenger banks, fintech unicorns), 20% Asset Management, 3.5% Public Sector (including public sector investment management), 19% Industrials, 2% Retail and e-commerce, 4% Audit Firms, Consulting Services, 10% Utilities and Oil & Gas, 3% * Polls with 172 attendee respondents, January 2021 41 Telecommunications, 1% Transportation, 1% Leisure and Hospitality, 0.6% SMEs, SMPs, start-ups (including fintechs), 3.5% Technology, 3% Food, Beverage, Tobacco, 0.6% Pharmaceuticals, 0.6% Government, Public Policy, 6% Real Estate and Construction, 3.5% Other, 19% RETHINKING RISK FOR THE FUTURE | 3. GOVERNANCE IN THE RISK GALAXY ‘Students didn’t have a voice at the Board level before, but now that we have one as a director we can strategise about our qualifications better. Same goes for SMEs, the majority of our membership work with SMEs, so we can’t be truly effective without having their viewpoints represented at the table. That difference in thinking when you truly think about diversity is so important to why Boards exist. Boards must think about its purpose, who they’re meant to be serving and making sure that those insights come into the discussions.’ Shakil Butt, chair of the audit committee at CIPD, the professional body for human resources and people development, in London ‘Storytelling is something that all human societies engage in and it may well have evolved in order to help us deal with uncertainty.’ Kathryn Kerle, chair of the audit, risk and evaluation committee at the Microbiology Society ‘If I reflect back from March of 2020, everything sped up: the flow of information, the communication of risk, and the velocity of certain risks. These weren't necessarily new risks, but different sorts of angles around those risks. So, there was a real sense of a heightened alertness and my role was very much about supporting the organisation, articulating what some of those risks are and ensuring that the audit and risk committee was accelerating with that with more frequency and quick decision making. The role was almost more of a facilitator in deciphering out the relevant risk information and ensuring a clear sense of direction and line of sight.’8 Simon Rose, group head of internal audit and risk at Wates Group, audit committee chair and non-executive director at Two Saints in the UK PRAGMATISM AND FLEXIBILITY WITHIN THE ORGANISATION ARE WHAT IS NEEDED TO MANAGE THE EXISTENTIAL THREATS THAT WE'RE SEEING TODAY AND THE BOARD SHOULD BE DRIVING THAT. 8 By the time of publication, Rose left Wates Group to join Crest Nicholson in the same role. 42 RETHINKING RISK FOR THE FUTURE | 3. GOVERNANCE IN THE RISK GALAXY Attitudes about risk vary across cultures Hidy Chan, board director and audit committee chair of China Brilliant Gold Ltd (CBG), chair Hong Kong Belt & Road, founding partner of Lincoln Edward, a CPA, points to the different perceptions of risk across cultures and why she believes Hong Kong and China’s economies will recover faster than those in the Western hemisphere. ‘We had SARS [severe acute respiratory syndrome] 17 years ago, so we have experience in track and tracing and social distancing in offices. Hong Kong and China are not afraid of COVID-19 the way Western societies are. We look at threats and think what opportunities there are to grab,’ she says. CBG’s group of companies includes a gold and jewellery retail store which faced a double whammy during the first lockdown in Hong Kong because that coincided with the Chinese New Year when Chinese people buy more gold than at any other time of year. ‘We shifted our business model quickly to online corporate sales, so even though our shops were closed during our peak season, our corporate sales increased in the end and we earned a golden star from the Hong Kong Stock Exchange.’ During the pandemic, CBG also transformed its lending business into a digital bank and is now working to elevate it as the world’s first digital supply chain finance bank. ‘Our lending business was disrupted by not being able to see customers face-to-face, so we applied for a banking licence in early 2020 and hired a lot of top talent who were being made redundant. We worked on user acceptance tests, choosing a banking system, and a lot of other preparation work and got the banking license within one year, so now we can accept customer deposits and provide credit services,’ Chan explains. She says CBG had essentially captured a whole new business line in a high-growth area in Hong Kong and the Greater Bay Area. MSCI recognised CBG’s business development and diversification during the pandemic by making the company a new constituent of the MSCI Hong Kong Micro Cap Index from November 2020. Chan also says that strategic risk taking is core to CBG’s business model and explains how the audit committee members’ varied backgrounds contribute to more thoughtful decision-making. ‘I am an accountant, but we have members from a mix of industries, not only in gold. Boards and board committees should have experts in the industries that the company is involved in and exposed to, but I also feel that audit committees should have at least one non-accountant to ask those questions the rest of us might not think of.’ While SMEs in Hong Kong were generally not as prepared as listed companies, many small firms there knew they had to act quickly in organising work operations and staff health and safety. She explains: ‘I remember our small SMP [small and medium-sized practitioner] company during the SARS outbreak. We had a business continuity plan and acted on it immediately. We divided our staff into two teams to go in at different times and it worked in protecting us from spreading or contracting the virus.’ Chan, a member of the corporate governance committee of the Hong Kong Independent Non-Executive Director Association (HKiNED), says 95% of companies in Hong Kong are SMEs, defined there as firms with fewer than 15 employees. ‘In trade, Hong Kong is like a middleman between businesses, so a lot of SMEs are flexible in their nature and we see more smaller retailers shifting their business to new platforms because they need to if they want to stay alive.’ During the pandemic, Chan became ACCA’s SME chairman in Hong Kong and has helped coordinate online seminars to support local SMEs in managing stock and cashflows better. ‘In Hong Kong, many of the SMEs have had to refinance their mortgages to get the resources they need to keep operating. We have been teaching them how to control these risks better because they could lose their homes and not have a place to live.’ 43 RETHINKING RISK FOR THE FUTURE | 3. GOVERNANCE IN THE RISK GALAXY The power of purpose-led risk management COVID-19 has forced boards to think about purpose and sustainability and how the two come hand in hand. The reality for many, however, is that the gap between where they are right now and where they should be remains significant. Shahid Qureshi, chair of the board of directors of Calgary Parking Authority, and member of ACCA's Global Forum for Governance, Risk and Performance, says becoming a sustainable, purpose-led business is a journey that requires vision and integrated thinking. ‘You cannot go from step 1 to step 10 overnight. You have to think it through, and that starts with finding the right balance for all of your stakeholders – customers, employees, suppliers, the local community and your shareholders.’ In December 2020, the Calgary Parking Authority was featured on CNN for its ‘placemaking’ approach in creating innovative spaces as demand for parking continues to shift. It publicised the construction of a stateof-the-art multi-purpose building in Calgary being built to support local tech start-ups and their parking needs.9 Qureshi says the idea for housing a tech ecosystem for Alberta had been part of the board’s strategy sessions held with senior management to explore the future of the parking business and decide how the organisation should position itself in it. ‘We are aiming to help diversify Alberta’s economy which is predominantly based on the oil and gas industry. We put a lot of thought and resources into strategy and came up with a building design that is future-proof and able to be converted into other commercial and residential uses as demand evolves.’ Investing in relevant technologies has resulted in dynamic pricing, smart infrastructure, Internet-of-Things (IoT) applications, sensor-equipped physical assets and payment systems based on license-plate recognition. Technology has also enabled the organisation to provide drivers with real-time information on parking spaces and to broaden its customer base and flexibility to provide services in any part of the world. By leveraging and investing in a ‘software as a service’ (SaaS) strategy, it has been able to transform its business model to be more agile and has optimised its growth strategy. Qureshi points out that customer needs and technological developments were already changing in this market before the pandemic and it was realised that traditional parking businesses would be less viable given the emergence of shared mobility, bike sharing, e-scooters and, ultimately, shared autonomous vehicles. ‘When we look at our purpose in the parking business, some people think that it’s about generating revenue by an individual standing and waiting to give you a parking ticket. Parking has a much broader context and focusses on a mobility system that provides faster, cheaper, cleaner, safer, and more efficient transportation. As our city is growing, the parking is part of a bigger picture of making Calgary an attractive choice to accommodate an additional 1.2 million people and to improve their quality of life. Balanced growth, achieving GHG [greenhouse gas] targets, less energy consumption, improved mental health, more transportation choices, and reduced obesity, are all part of the vision. This community-centric approach is also supported by a strong business case of expected savings of CAN$16bn infrastructure costs and an annual CAN$390m savings in operating costs over time.’ The board’s vision from an ESG perspective is expressed through investment in communities, mental health initiatives, diversity and inclusion, being a better civic partner, and improved financial and operational governance. The Calgary Parking Authority has also been recognised for repurposing parking spaces it owns into outdoor art gallery parks and play areas for children. ‘PARK PARK’ is another award-winning multi-use recreational space and parking lot. In 2020, the Canadian Parking Association named the Calgary Parking Authority and ‘PARK PARK’ the winner of its 2020 Innovation in Parking Award. ‘High Park’ is another example of where Calgary Parking Authority has repurposed underused parking space into a public park, engagement hub and event rental space. As CNN notes, it has exemplified how organisations can monetise and make a positive impact on the community at the same time. 9 Placemaking is a multi-faceted approach to the planning, design and management of public spaces. Placemaking capitalises on a local community's assets, inspiration, and potential, with the intention of creating public spaces that promote people's health, happiness, and well-being. 44 RETHINKING RISK FOR THE FUTURE | 3. GOVERNANCE IN THE RISK GALAXY BOARDS MUST MOVE AWAY FROM THE INGRAINED NOTION OF RISK AS A LOSS AND TREAT UNCERTAINTY AS AN OPPORTUNITY TO EXCEL. 45 RETHINKING RISK FOR THE FUTURE | 4. OPERATIONAL RESILIENCE AND THE UNTHINKABLE 4. Operational resilience and the unthinkable The operational challenges brought on by the COVID-19 crisis have forced companies to rethink what it means to be resilient. It is imperative that organisations address emerging risks that can hinder the business from fulfilling its commitments to customers and other stakeholders. Accountants are trained to understand how business models work, so they should make sure the necessary measures are in place and the right questions asked. Operational risks depend on the organisation’s activities but require constant assessment, analysis and adaptation if the organisation is to be able to address the unique challenges of every type of disruption. Operational resiliency is another risk journey that must be defined from the top, by the board, and include the engagement of all business units and people working within them. The lesson learned is that operational resilience demands long-term investment of resources and time. By focusing on critical activities and testing their processes, controls and documentation, organisations can start laying valuable foundations for a more resilient future. Accountants can help their organisations with this by creating specific metrics for the tolerable levels of operational disruption. These should be measures that identify potential harm to: consumers or market participants; business integrity; policyholder protection; safety and soundness; threat to financial stability (PwC 2020). Metrics are crucial because without them you cannot assess the impact tolerances of your organisation and therefore know what needs improving. In an interview, one ACCA member in Europe said that accountants who can successfully marry industry expertise with technology will be the biggest value adders. ‘The critical success factor will be the deployment of digital technology in identifying emerging risks. In the past, everybody in accountancy, especially, was more in an after-it-happened mode, and in a mindset of finding out why something that happened. Auditors would focus on identifying historical root causes, for example. Now business leaders are saying this is not good enough because we need you to tell us about any risks signals before the risks materialise. They need to have an indication of where the weaknesses in the chain are, so they can make decisions to remediate the risks ahead of the impact. This is where digitally empowered risk monitoring comes in with vast quantities of data that can now be mined. For risk management, finance and audit functions, the key will be to having teams of openminded flexible thinkers who can adapt to all kinds of new situations and are comfortable utilising technology.’ ACCA members around the world have also been calling for more scenario analysis. While this would never have predicted the pandemic, organisations that go further into the ‘what ifs?’ mode learn more about emerging risks and therefore would have been better prepared. As with all risk journeys, the challenge is in getting the necessary board and senior management commitment. Accountants can help by making sure there is a ‘value-adding’ mentality across business units rather than just keeping the head of risk management and audit and risk board committees happy. Otherwise, senior management will not pay attention and will not be proactive. An ACCA member from a small company in Eastern Africa said brainstorming has proved to be the best risk methodology: ‘We are a team of only 15 people, but we want everyone to share their thoughts on what risks we should be concerned about. There are new risks popping up all over the place so we all need to own it.’ Operational resilience has become the subject of day-to-day discussion. Tobias Cook, head of risk at Aztec Group, which provides fund and corporate services to the alternative asset industry, says that although his industry has been relatively resilient to the pandemic, after what has happened in 2020 it is imperative to look at risks through a different lens and consider different parameters. ‘Our operational resilience planning has become more dynamic and we are looking hard at our risk taxonomy to ensure that operational resilience risks are appropriately captured. Risk professionals need to be conscious that nothing can be in silos anymore.' He continues: 'Whilst we’ve always considered business continuity risks, COVID-19 has changed the way we look at these risks and the management of operational resilience is at the forefront of our discussions with our executive team. The inconceivable has now become conceivable and the impact of the pandemic has enabled us to look at business continuity risk in a way that traditional risk models would not always allow.’ Tobias Cook, head of risk at Aztec Group, UK 46 Moretraremvseotlr/vitcertameddeent Weeamkcoeannjooinmrgies FIGURE 4.1: 2020s Universe of Risks taedcohApnbtrioluoopntgy ptrcrooil/satoiersdndaaFiguapenictildatnutirogeonofinvessturpLemaspecopnkrott/onfscerisis Less LIKELIHOOD More breITakdown dDeienccaglriblnoeoebfnfaoislrattsion anHstiei-bgnuhtiesmirneensts 100% Worsened long-term military conflicts Prolonged global recession cboannsoklrMiudpoarttceioiens/ reIcfnoadviluetrsotries unemplHoyigmhent 68.6% 49.35%5.596.%8% 80% 2.3% 3.42.%66%.9% 60% 40% 1132.8.71%.%8% 20% 14.7% 11617.74.10.%67%.%9% 444825.7..18%%% 38.0% 242.243%.08.%387%.8% Healthcare becomes too expensive /ineffective Wesaokceinaled security 119.81.684.2%%% 20.2% 222311.3..93%%% Naotifoinnadliussattriioens reLte/ipsresesmnaseviinontngs foLorewiingevnredsitrm(eFcDetnI)t striantectlogimiiFenasavitleeusrte gddoiisvstesPrreuomnslittetiancnat dl fhotcourreiWmrsieegoadsnrnus(iadecteianuddreeiadn Sharp increase in global inflation Winode/riqssvoeuicsnaiielaoildtnys Womrsheeennatealtdlh Greeotmvatien.pr/igeonrecwgoinvesciirlyoslniboefrty sPurdpoilpsorlnyugpchetidaoinn Emerging market collapse Remote cybweroratktiancgks ocfriCseixOspVlGIoeDi-ot1apt9ioluoitnincealmarpuletloIoayntcemmradeetiantsoen-d oudtiAbsnreoeatashkeer ECONOMIC SOCIETAL GEOPOLITICAL TECH ENVIRONMENTAL Source: Adapted from World Economic Forum COVID-19 Risks Outlook 47 RETHINKING RISK FOR THE FUTURE | 4. OPERATIONAL RESILIENCE AND THE UNTHINKABLE 4.1 New universe of risks The pandemic has showed us that existing risks were not being accepted or addressed and that we need to rethink how we detect them if we are to be prepared for the next disruption. Every year, the World Economic Forum (WEF) releases its annual Global Risks Report and for the past few years we have seen how the risk landscape has been shifting from traditional financial risks to more environmental and social threats, such as migration conflicts, social inequality and climate change. The pandemic has not only exacerbated these, but also showed us how simultaneous and interconnected they are (WEF 2021).10 In hindsight, it can be seen that these changes were happening over a number of years, but they were not being addressed. Those in charge at organisations often become more concerned about the threats that they read in the news, such as cyber risk, data breaches and regulatory fines, and looked at them in isolation more than on ensuring that the appropriate measures are in place to address the various consequences. There are also massive organisational changes happening due to rapid digitalisation, and we know the pandemic has intensified risks arising from the interdependencies of them, such as risks of fraud and outsourcing to third-parties. The systemic impacts of these, for example, reputational risk, also must be considered. How can we make sense of the potential chain reaction of these risks? n Decide which risks have the most impact on your organisation. Fraud, for example, is appearing on everyone’s risk register, but organisations need to analyse the different loss events that have happened to them and to others in their sector. Furthermore, it is important to know how harmful the consequences would be if the risk materialised and consider whether the losses would be major compared with other risks. This helps the board prioritise the risks in order of importance across the organisation. n Learn the organisation’s level of exposure to each identified risk, so that you can decide what allocation of resources is required to address each one. You must also ensure that the right culture is developed and that your concerns have led to clear action in addressing each risk. What have we done about it, and should we be doing more? 4.2 Risk and new ways of doing business New ways of working mean new ways of viewing risk. The best risk practices are focused on humanising risk and making it seem a natural part of our everyday life rather than treating it as a back-office function. Dev Ramnarine, partner at a boutique audit and risk consultancy based in Miami and member of both ACCA's Global Forum for Governance, Risk and Performance and ACCA’s Global Technology Forum, says we need to humanise risk if we are to address emerging risks. How companies welcome employees back into the workplace is a prime example. ‘I ask clients how they are interacting with the people-related risks associated with returning to the office, and they start talking about temperature checks and cleaning systems. When I ask about the mental health and well-being challenges and whether they have planned for the potential mixed emotions, for example, after losing a loved one to COVID-19, they don’t know what to say. Many company leaders still think about risk in the traditional sense and don’t get that the world has become more complicated.’ Dev Ramnarine, partner at a boutique audit and risk consultancy based in Miami Alignment is also key to operational resilience, especially as most financial transactions today are digitally processed. Atif Shaikh, a member from San Francisco, moved to Facebook during the pandemic to become its operational risk lead after working at Wells Fargo in the previous five years helping to start up a new operational risk group established following an internal audit review of risk and controls. ‘They were taking on a risk and control (RCSA)-based approach for the first time, so I learned a lot about data quality and security. It’s not just about the many IT risks; with everyone moving their business offerings online and to mobile phones, there’s also a new range of regulatory requirements, fraud and third-party risk issues that surround online transactions. It is building up a second line that is fit for purpose in today's faster changing world.’ Shaikh suggests non-financial corporations could learn from the increasing business continuity and operational risk management requirements that are mandatory in the banking sector if they are to remain resilient in the new digital-driven world.11 This notion is delved into further in episode 3 of ACCA’s Rethinking Risk podcast series with 10 W EF 2021 analyses the risks from societal fractures – manifested through persistent and emerging risks to human health, rising unemployment, widening digital divides, youth disillusionment, and geopolitical fragmentation. Businesses risk a disorderly shakeout which can exclude large cohorts of workers and companies from the markets of the future. Environmental degradation – still an existential threat to humanity – risks intersecting with societal fractures to bring about severe consequences. Yet, with the world more attuned to risk, lessons can be drawn to strengthen response and resilience. In 2020, the risk of a pandemic became reality. As governments, businesses, and societies grapple with COVID-19, societal cohesion is more important than ever. 11 The Basel Committee on Banking Supervision revised its Principles for the Sound Management of Operational Risk in March 2021. (BIS 2021a) and with an additional paper on resilience (BIS 2021b). 48 RETHINKING RISK FOR THE FUTURE | 4. OPERATIONAL RESILIENCE AND THE UNTHINKABLE Dr Ariane Chapelle, specialist consultant and author of The Origins of Operational Risk Management – Best Practices in the Financial Services Industry, which won Risk magazine’s book of the year award for 2020. James Kennedy, an ACCA member in Germany and risk manager at BayWa r.e. Energy Trading, agrees that non-financial corporates could better align to financial institutions’ deployment of risk tools and governance structures that are designed to meet regulatory and shareholder expectations in the financial services sector. He notes that risk accounting could help quantify the current and future effects of the COVID-19 disruption, for example, on future rental contracts and other types of receivables. Value-at-Risk, a metric used by banks to measure the level of potential risk over a specific time frame. ‘This methodology could be applied by more non-financial corporates to generate wider value-added analysis and greater risk awareness. It is a waste to view accountancy only from a reporting perspective. Accountants in general could be thinking more proactively, giving decision makers deeper analysis about future projections and profit and loss drivers that are based on different risk assumptions and scenarios.’ Some members also referred to the importance of legal agreements and thinking about contracts they have with various stakeholders and third-parties in building resiliency and business continuity. Arpit Vashishtha, an ACCA member from Bengaluru, India and management analyst at ED&F Man, a global agricultural commodities merchant trading in sugar, coffee, molasses, animal feed and pulses, says companies in India have also been considering their options for ensuring business continuity. 4.3 Dealing with regulatory changes New and updated regulatory requirements for reporting on operational business continuity plans have made companies take additional steps in ensuring that they can deal with emerging global risks and adapt to the fastchanging environment. Edmond Tambara, senior vice-president, financial risk management at Ameris Bank in Atlanta, says that the pandemic proved why communication is a key ingredient of operational resilience. He also started this new role during lockdown after Ameris Bank acquired Fidelity, suddenly expanding its assets to over US$20bn and therefore subject to further regulations owing to its increased size. ‘We are currently building different risk processes and documentation, which ultimately forces everyone to think and interact in a new way,’ he says. Tambara, who held similar roles in New Zealand, attests how his ACCA qualifications provide a strong foundation for presenting to Boards, for example, in articulating where the blind spots are and getting directors committed to proactively addressing them. He says that making sure teams across the organisation understand the vision is essential. ‘Before implementing this new framework, there were no considerations about the downstream and upstream impacts. It really is about upskilling the whole mindset of the bank.’ Edmond Tambara, senior vicepresident, financial risk management, Ameris Bank, Atlanta ‘A supermarket, for example, is not active during the lockdown, but they still have to pay the rent. An Act of God legal provision could be contended to avoid paying those rental amounts since the property wasn’t actually being used due to circumstances out of the hands of either party. Although most of these contentions would not stand in a court of law, legal risk, or the importance of having a tightly knotted contract, is something companies are waking up to and considering more comprehensively now than before.’12 Arpit Vashishtha, ACCA member from Bengaluru, India and management analyst at ED&F Man We find that regulatory change management is becoming an integral layer in best-practice risk frameworks. Businesses of all sizes are also having to think about macro risks, and how governments are going to pay for the pandemic bills and in what ways that may affect them, for example. Simon Young, a fintech and tech risk strategist member in Hong Kong, who had been working at Tencent, emphasises how the whole world’s risk profile is changing and says that standard setters and regulators will also be thinking about their impacts on society. ‘Fintech was unregulated for years amid all the innovation, but now Chinese and Hong Kong authorities are recognising the data privacy issues and we can see that they are concerned about how AI [artificial intelligence] and other technologies could be biased. We should expect more regulatory change management for these converging sectors.’ Simon Young, fintech and tech risk strategist member, Hong Kong He adds that in this new norm successful applications for virtual banking licences will become increasingly challenging. 12 Vashishtha explained: ‘Generally, under Indian laws, an ‘Act of God’ is understood to include only natural unforeseen circumstances, whereas force majeure is wider in its ambit and includes both naturally occurring events and events that occur due to human intervention.’ 49 Figures 4.2 and 4.3: Understanding regulatory risk Regulations for public health risks 100 80 60 40 20 0 2010 2011 2012 2013 2014 2015 2016 2017 2018 2019 2020 Source: Datamaran and DLA Piper, . Utilities Technology Equipment and Services Oil and Gas Industrials Financial Services Health Care and Pharmaceuticals Consumer Goods and Services Basic Materials Regulations for climate change risks and management 200 150 100 50 Utilities Technology Equipment and Services Oil and Gas Industrials Financial Services Health Care and Pharmaceuticals Consumer Goods and Services Basic Materials 0 2011 2012 2013 2014 2015 2016 2017 2018 2019 2020 2021 Source: Datamaran and DLA Piper, . 50 RETHINKING RISK FOR THE FUTURE | 4. OPERATIONAL RESILIENCE AND THE UNTHINKABLE 4.4 The importance of re-assessments The way the pandemic has accelerated existing trends means organisations have had to rethink their KPIs and KRIs because the risks they face have changed so fast. Po Yee Loh, a member in Malaysia who heads up internal audit globally for Tupperware Brands, explains how the pandemic has forced business models to change so quickly, owing to the disruption and new market forces. ‘We have so many moving parts because while we are trying to keep up with the fast changes happening in the world, we also are confronted with rising risks, including cyber risks, data security and climate change matters, all of which impact our business severely,’ she explains. She says the company had to ‘chase automation like a bull’ to keep the business going and adapt to changing market demands by stepping up its sustainability plans. ‘I wouldn't say we’re the only ones in the world aware of the importance of data analytics, but it is absolutely essential in making informed decisions in this new risk landscape.’ She says they are hiring more new data analysis roles, and the candidates are not always accountants. This echoes ACCA’s report Analytics in Finance and Accountancy (Evett et al. 2020) THE WAY THE PANDEMIC HAS ACCELERATED EXISTING TRENDS MEANS ORGANISATIONS HAVE HAD TO RETHINK ALL OF THEIR KPIS AND KRIS BECAUSE THE RISKS THEY FACE HAVE CHANGED SO MUCH AND SO FAST. Coming from the internal control perspective, Loh says the company is also conducting re-assessments on how new technologies can help them manage risk better. ‘We have been re-thinking the whole risk profile of the company since we have accelerated our digital transformation, from selling on eBay and other online platforms.’ Yonghao Guo, deputy general manager of Beijing Tourism Group (BTG), says that innovation has become top of the agenda since BTG’s annual income dropped by 90% in 2020. ‘We quickly had to establish a financial shared service centre for diverse business units, which reduces redundancies, improves standardisation, and helps the top management with decision-making backed by financial data. The centre not only deals with routine accounting tasks, but also shares taxation and capital information. Besides, it is equipped with sharing analytics for diverse business units. For instance, if data shows an increase of room booking, the system will automatically tell the staff there not to increase the price because a boom season is coming. In this way, staff can make further investigations with the help of algorithm-enabled data pattern and predictions for the purpose of improving business revenues and decision-making.’ BTG has also been engaging in data cleansing and analysis, a process that is a bit like holographic profiling, to monitor business operations and assess financial risk alerts from six dimensions, including assets management and solvency. ‘When the results are improved, the management will find out the causes and identify potential risks. We are trying to learn some best practices from peers in order to identify and manage risks during the process better,’ he adds. ‘There’s a serious need to constantly reassess the strategic risks around this ongoing shift of operational environments. With new technologies rapidly changing everything, demands from consumers, investors, employees, as well as regulators and legislators are evolving faster than ever.’ Hong-Jie Chong, risk and change management professional, Aon, Singapore 51 RETHINKING RISK FOR THE FUTURE | 4. OPERATIONAL RESILIENCE AND THE UNTHINKABLE Spotting the weakest links Companies with some of the most mature risk frameworks were stunned by how easily and suddenly their supply chains were disrupted during the pandemic. The Suez Canal blockage and cyberattack on Colonial Pipeline in the first half of 2021 also proved that risk management requires more inquisitiveness about the consequences of risks – what could potentially go wrong and how to understand the context either side of the situation – rather than just the likelihood that a potential event could occur. The lack of visibility in supply chain management has forced companies to remap how they procure, supply and deliver materials relevant to their business. Making sure supply chain management includes more thorough due diligence and deeper scenario analysis is key but the other important lesson is the need to ensure this is aligned with the across all the organisation’s operations. Asad Nadeem, audit, compliance and fraud lead at Toyota Motors Saudi Arabia, says that despite having a tested and regularly assessed comprehensive continuity plan in place, the reality is that when COVID-19 struck, the ports closed, and his firm was nearly out of supplies for 12 months. ‘There was a total point of breakdown, so we went back to the drawing board, appointed a consultant and rebuilt our supply chain plan from scratch based on much deeper scenario analysis.’ The company has since found alternative supply routes for getting the auto parts needed and changed its strategies for procurement and delivery to customers. Nadeem points out that there needs to be constant learning about new technologies and anticipation of new regulatory requirements. ‘We have a robust three line of defence model in ‘the Swiss cheese cake kind of framework’ so in our mind there was no possibility of a loophole existing or being exploited. Our supply chains were affected in ways we never anticipated, so we need to provide assurance on everything that is possible,’ he says. Manufacturers have been forced to put more risk resources into their supply chains to deal with the changing environment. Aleksandr Troshin, head of internal audit at Russia’s largest pharma company, JSC Pharmstandard in Moscow, agrees that supply chain risk took on a new meaning and must be aligned with the ERM framework because it can easily compromise a company’s purpose at any stage of its existence. ‘In Russia’s pharma industry we mainly produce medicines and drugs, we do not specialize in the substances that go into them. We import these substances from China and India, mainly. So, during the lockdown in the early months of 2020, cross-border traffic was shut down and supply chains were damaged. There were some problems with arranging the new supply of the raw materials to produce drugs.’ Five principles for rethinking risk in your supply chains are discussed further in (Johnson 2020). Troshin says the pandemic has made his company think more about the long-term prospects in supply chains and the quality of doing business with Russian pharma companies. ‘The long-term strategy of Russian pharmaceutical companies is to go forward with our partners, including AstraZeneca, GlaxoSmithKline, and Johnson & Johnson, so they can produce their products in our factories and in doing so share their formulas, their medicines, and their drugs so we can increase their product sales here in Russia. One of the perspectives is to shift their production to the factories in Russia and these factories are quite attractive to them because they are actually high-quality production facilities, all Good Manufacturing Certified (GMP) of course.’ Asad Nadeem, audit, compliance and fraud lead at Toyota Motors, Saudi Arabia 52 Aleksandr Troshin, head of internal audit, JSC Pharmstandard, Moscow RETHINKING RISK FOR THE FUTURE | 4. OPERATIONAL RESILIENCE AND THE UNTHINKABLE Budding accountancy professionals with eyes on risk Our research also unveiled a growing number of new members pursuing risk careers straight after finishing their qualifications. Aanchal Makwani became a risk management associate at Abans Group, a financial and non-financial end-to-end consultancy in Mumbai, after passing her ACCA exams just before lockdown in March 2020. ‘Risk fascinated me throughout my studies because you're always soaking up something new whether you're designing a product or building on a strategy.’ She is currently working on project risk management for the creation of a commodities trading application with multiple built-in automated features to improve client engagement and user experience. The application can also make business run more efficiently by reducing human errors and long-term costs. ‘In India, there’s a lack of faith and familiarisation with online processes in some areas, but the digital shift is happening whether we like it or not and there will always be a case for adding value during changing times.’ Shern Koe, a management trainee focusing on operational risk and business continuity at Hang Seng Bank in Hong Kong, is another one of ACCA’s budding risk professionals applying his accountancy skills in ways he had not imagined before the pandemic. ‘I found that I have more of a passion for streamlining operations, trying to find out the reasons things don't work out. I like to resolve issues.’ He believes third-party risks are among the most material emerging risks accentuated by the pandemic. ‘We foresee what situations might happen in the future and ensure the risk management processes are aligned with the bank’s risk appetite. We assess what the impacts could be and what could be material. We also assess the materiality of the impacts that have happened and work out how to prevent them from happening again. This involves a lot of critical thinking.’ Accountants’ knowledge of business models also gives them better understanding of the risks that have been exacerbated by the pandemic. Owais Ali, an ACCA member in Karachi, who is in the early stages of his career in risk management, says that the lockdowns have prompted banks in Pakistan to take a stricter look at cybersecurity and people-related risks. He joined Al Baraka Bank Pakistan Ltd in July 2020 as an operational and liquidity risk analyst in the ERM department, working across all aspects of risk assessment, after having been at Habib Bank in its anti-money laundering department. ‘If you want to understand the risk profile of an organisation, you need to understand how that business works: its domain, the environment it is working in, the people who come to it and what threats could impact it. For banking you need to learn everything you can about credit and counterparty risks, and what lies beneath non-performing assets.’ Aanchal Makwani, risk management associate, Abans Group, Mumbai 53 Owais Ali, operational and liquidity risk analyst at Al Baraka Bank Pakistan Ltd., Karachi RETHINKING RISK FOR THE FUTURE | 4. OPERATIONAL RESILIENCE AND THE UNTHINKABLE BY FOCUSING ON CRITICAL ACTIVITIES AND TESTING THEIR PROCESSES, CONTROLS AND DOCUMENTATION, ORGANISATIONS CAN START LAYING VALUABLE FOUNDATIONS FOR A MORE RESILIENT FUTURE. 54 RETHINKING RISK FOR THE FUTURE | 5. INDUSTRY-CENTRIC RISKS AND OPPORTUNITIES: NO ONE SIZE FITS ALL 5. Industry-centric risks and opportunities: no one size fits all Every organisation faces risks that are influenced by the type of industry or jurisdiction in which it operates. Taxes, for example, can have systemic risks but a lot of the consequential business risks will always vary firm to firm and can change over time, depending on the organisation’s operations and approach to risk. Yonghao Guo, deputy general manager of Beijing Tourism Group, explained how changing consumer behaviour has made the Group rethink its whole business strategy as noted above. ‘The changing consumption patterns caused by the failure of the existing offerings to meet the 1990s born generation is an important strategic risk that affects the future of our business.’ 5.1 Pharma’s panacea The pharmaceutical industry has several inherent risks. Although demand has soared owing to the pandemic, the risks and opportunities that have coincided in the new norm distinct from those affecting other industries and vary from firm to firm. From managing increased fraud and alleged hacking to rolling out vaccinations that save lives around the world, the range of ‘what-ifs?’ in this sector can be spellbinding. The coronavirus has been a major macro risk for the pharmaceutical industry, according to Shanhua Yang, China National Pharmaceutical Group Corporation (known as Sinopharm), who also points out that the not-to-bemissed opportunities. ‘On the one hand, many hospitals suspended business due to the pandemic and consequently suffered a big financial loss, but on the other side it has encouraged further research, production and sales of anti-coronavirus drugs like Remdesivir and the Chinese medicine Lianhua Qingwen. These drugs may not be as efficacious as expected, but they lend themselves to brand marketing and sales.’ Shanhua Yang, China National Pharmaceutical Group Corporation (known as Sinopharm) Tony Manahan, head of Europe office, Group Internal Audit at Takeda Pharmaceuticals in Zurich, echoes the concern with heightened cyber risks in the life sciences industry not only from a fraud risk point of view, but also from a regulatory one, given tightened data privacy requirements, especially in Europe. ‘For example, we consider not only the risk of fraud when auditing payroll file encryption but also the risk of a potential data privacy breach, which can result in fines of up to 4% of revenue in certain cases.’ Rising raw materials prices were also an issue that forced more collaborative decision making. ‘Internal auditors try to develop an internal consulting function to consolidate our work in terms of risks, strategy, internal controls and to implement best practices. With the pandemic we decided that the internal auditor must look to provide more value in a practical way to help the whole organization move crisis management to issue management,’ JSC Pharmstandard’s Troshin says. In interviews and roundtable discussions, ACCA members talked about legal patents and how some governments disregard others, especially if they release a vaccine first, which has made headlines. During the pandemic, international media reports suggested that Russianbacked hackers groups were stealing documents from Pfizer and German partner BioN-Tech. There have been reports suggesting that Russian companies have been sabotaged by suppliers selling them false ingredients. As a result, one pharma company having to recall medicines that were being used to treat COVID-19 patients. The industry must also deal with media reports about sideeffects from the vaccines and the apparently short trials. Regulatory management issues require constant monitoring in pharma companies. This includes food and drugs audits, where traditional financial auditors are not allowed, to ensure that the drug development and manufacturing are safe, for example, audits and checks required by the Food and Drug Administration in the US. 55 Figures 5.1 and 5.2: Key changes in risk rank Financial Services: change in risk rank September 2019 – April 2021 1 5 FAIR AND INCLUSIVE WORKPLACE 10 15 GEOPOLITICAL EVENTS HUMAN RIGHTS SOLVENCY AND ECONOMIC VALUE 20 25 Pharma: change in risk rank September 2019 – April 2021 1 5 10 15 20 25 DIVERSITY AND INCLUSION GOVERNANCE HUMAN RIGHTS EMPLOYEE RECRUITMENT, ENGAGEMENT AND RETENTION WATER WORKPLACE HEALTH AND SAFETY Source: Datamaran 56 RETHINKING RISK FOR THE FUTURE | 5. INDUSTRY-CENTRIC RISKS AND OPPORTUNITIES: NO ONE SIZE FITS ALL As for many other industries, forecasts of the future of products and services in pharma are changing fast. Shanhua Yang from Sinopharm in China says that the company’s rapid digital transformation has made some progress with the deployment of financial robots, financial centre, logistics robots, e-medicine, e-pharmacy, and e-health – a sure sign how rapid the industry is changing from tablets and a curing-focus to diagnosing apps and what is called outcomes-based products. ‘Digital is the future mode of the economy. In this sector, innovation has become a social responsibility for our country. Besides, digital is not the whole story of transformation, it includes change management, for example. In this sense, what we need to do first and foremost is to change our mindset and transform the traditional decision-making mechanism. Driven by transformation, we see a lot of digital operations and digital assets that are posing a great challenge for our financial management, accounting, or even financing methodology. I think this is a big issue worth our further investigation,’ he explains. Pharma companies must also consider societal expectations. ‘Sinopharm is just doing what it should do – developing vaccines to protect public health in honour of its social commitment. From the financial perspective, Sinopharm’s social commitment is reflected in its donations of face masks, medicine and protective gears in the first half of the year. From the management perspective, Sinopharm has set up a special pandemic fund worth 1 billion yuan and streamlined donation procedures,’ Yang adds. 5.2 Comparing responses across borders The need to compare risk appetites and responses across different geographic cultures was a recurring theme in our discussions with members. Curtis Wong, CRO of GE Capital for China and the Asia-Pacific, says the Chinese government learned by trial and error early on, as the virus emerged in Wuhan. He comments: ‘Our government is efficient at implementing and changing policies partly because they don’t have to go through public consultations or worry about reactions from the public. In this kind of crisis, everyone needs to respond in a speedy manner and it might take drastic measures to address the impacts effectively.’ unfolded, her team set up a specific COVID-19 business continuity plan taskforce made up of team leaders, dubbed the Leadership Squad, who meet daily to discuss risk impacts and needed actions. Jiahong Li, chief financial officer at Varian Medical Systems, says his finance team has been using the ‘Political, Economic, Sociological, Technical, Legal and Environmental’ (PESTLE) model to help navigate the uncertainties. He argues that the general trend is for the centre stage of the global economy to shift from the West to the East and that the Chinese market, therefore, is becoming more and more important. ‘Sino-US relations will bring more political uncertainties, our economic cycles will be shortened, and rising labour costs will push businesses to overseas markets.’ 5.3 Eyes on public sector responses Throughout our research, members from the public sector talked about the pressure of knowing that, in responding to the crisis, they serve as a role model. Many also argued that it presented them with a unique opportunity to emphasise their purpose and why their role exists. Apollo Ekelot, senior project control officer for the UNHCR, the United Nations Refugee Agency in Nairobi, who has worked in the public sector his entire career says having an existing risk management infrastructure in place enabled his team to enact business continuity arrangements quickly that have so far allowed them to minimise significant disruptions due to the pandemic. ‘We have encouraged the UNHCR leadership in the country operations we work with to anticipate emerging risks and opportunities so to be agile in detecting, acknowledging, and responding to changes in the operating environment, and especially to work with external stakeholders to ensure that risk management is inclusive and transparent.’ Apollo Ekelot, senior project control officer, UNHCR, the United Nations Refugee Agency in Nairobi Dinisha Sasietharan, risk and audit partner at Spark, New Zealand’s largest telecommunications company, adds that all industries irrespective of how they have been hit by the pandemic face more urgencies than ever before given the ‘VUCA’ (volatile, uncertain, complex and ambiguous) world we now live in. She says the first and foremost priority for Spark was protecting the health and safety of its stakeholders. ‘In New Zealand, our borders were closed off immediately, and we were in lockdown when the first case was reported. This kind of disruption is rare, so we had to think fast about what it meant for our business.’ As news from Wuhan Emerging risks, he added, include challenges in deploying emergency response teams due to COVID-19 travel restrictions as well as supply chain or market disruptions in sourcing, procuring, or transporting health and relief items. Price increases are another risk they needed to address. He says that clear communications with partners – NGOs and governments counterparts, and employees – helped ensure stability in delivery of services to the people they serve. ‘We needed to know how our partners were coping and to what extent their capacity was being constrained. We also kept them up to date on what we were doing and 57 RETHINKING RISK FOR THE FUTURE | 5. INDUSTRY-CENTRIC RISKS AND OPPORTUNITIES: NO ONE SIZE FITS ALL allowed a higher level of flexibility for them to manage in these [previously] unimagined situations. My main mantra was that it is important not to use COVID-19 as an excuse but rather an opportunity to do things better.’ Emma Costello, CFO at the Reserve Bank of Australia, attests that there is a role model side to working in the public sector. ‘In this organisation, I have seen early on that one of our values is probity. We have several guidance and tools, for example, Commonwealth procurement rules where we go to tender and treat all participants fairly. What’s important is that we don't just talk about it, we do it and I've been struck by how that value is held at the very core of what we do. If we lose trust with our public and key stakeholders, then our purpose is immediately nullified,’ she explained. It was not difficult to find several ACCA members working in the public sector space in Australia and New Zealand (ANZ) who were happy to share their insights into how the two countries have contained the outbreak of COVID-19 so effectively relative to the rest of the world. Ahmed Mohamed, who has held many risk and internal audit roles across sectors and countries, has most recently been working in two of New Zealand’s councils as head of risk and internal audit, having moved from Christchurch City Council to South Taranaki District Council in 2019. He says the key to handling the coronavirus crisis was acting quickly, and that New Zealanders treated it as a matter of national security from the start. ‘New Zealand’s population rate is small at about 4.8 million, so if the infections spread across communities the whole population could be affected within a very few days. The government’s early action and strong focus on communications and collaborations helped the country get through it.’ Ahmed Mohamed, head of risk and internal audit at South Taranaki District Council in New Zealand Mohamed says the accountancy profession could help organisations manage risk better by putting a greater focus on the practicalities, by considering the possible outcomes of a wide range of scenarios but also by forming a plan of action for addressing such analyses. ‘What I have learned from the public sector here is that they actually do risk management but with no documentation.’ It is something that he has seen in other sectors during his years at KPMG and private sector companies. ‘Some of the businesses that I have worked with think about risk management as a reporting channel, so they find an issue and record it in the risk register, but then what? Awareness is one thing, but you have to have a strategy and act on it.’ 5.4 How can SMEs and SMPs rethink risk? We also found finance roles in small to medium-sized enterprises (SMEs), especially, have traditionally been pigeon -holed as people who keep the books rather than as colleagues who can add value and help shape the strategy of the organisation. Accountants at SMEs and the SMPs that serve them are sitting on a significant amount of valuable information that could be used to analyse future projections or predict when and where something could go wrong, such as revenue leakage. Dev Ramnarine, partner at a boutique audit and risk consultancy based in Miami, argued that any approach to risk needs to be holistic. ‘What I see with finance and accounting personnel, at SMEs in particular, is that they view themselves as a necessary evil instead of seeing themselves as people adding value to the business through education and training, ultimately making other colleagues’ jobs easier,’ he added. Accountancy as a profession should be working on destigmatising risk, and Ramnarine suggested that we do that better through advising and educating. ‘When I think about rethinking risk, I put aside all the processes and classifications we have created and ask what our workplace would look like and what would our interactions with employees, customers, and various stakeholders be like if we were thinking about risk as a human phenomenon rather than a finance or back-office function,’ he explained. In this respect, SMPs could be thinking harder about the work they have done for their SME clients and how that can help them optimise business plans and future strategies for these companies. This is a question of unlocking business value, not creating more of the same repetitious models as before. More on what SMPs can be doing to help SMEs can be found in ACCA’s The Passionate Practitioner: Developing the Digitalised Small and Medium Practice (James 2019b). Alfred Brian Agaba, managing director and founder of ACLAIM Africa, adds that SMPs could also provide more advice to SMEs on concentration risk and diversification. He says one of the most serious concentration risks for SMEs is their founders, for instance. ‘Founding partners can be both the biggest asset and the most damaging risk to the company since decisions and vision are concentrated in one place. Accountants should ask themselves how they cascade that to staff, and if the leaders are out of the picture, how can they ensure continuity.’ Alfred Brian Agaba, managing director and founder of ACLAIM Africa 58 RETHINKING RISK FOR THE FUTURE | 5. INDUSTRY-CENTRIC RISKS AND OPPORTUNITIES: NO ONE SIZE FITS ALL SMPs are presented with a great opportunity to take a more active role in helping SMEs understand their environmental and social impacts and take these into account in their future business plans. By their nature, SMEs will have an accountant who is well positioned to help them to think about how their business can progress and prepare for the future. Carol Lynch, an ACCA member from Dublin, who has worked in credit, operational and regulatory risk management in Financial Services and now freelances, argues: ‘SMPs have a unique opportunity to be a leading light in this space as they shift their own focus from that traditional profitability approach for measuring business success to business resilience, sustainability and long-term goals.’ Carol Lynch, ACCA member, Dublin SMPs can guide SMEs on deciding where and what to do in terms of reducing their carbon footprints. Lynch says SMEs in Ireland could be more proactive at tapping resources, such as Enterprise Ireland that provides grants and other types of support. This is covered more specifically in ACCA’s report, Responsible SMP Pacesetters (Zaronina-Kirillova 2020). We also see larger companies realising the benefits of supporting their SME suppliers and other smaller thirdparties more in this respect. Tesco recently became the first UK retailer to offer online tools and preferential sustainability-linked supply chain finance services to suppliers, including SMEs and farmers, who can prove they are making positive changes to their business in reducing GHG emissions. Alexander Ashby, head of treasury markets at Tesco Plc, says that the new programme can help unlock renewable energy procurement for SMEs which do not have access to the same finance that larger companies with bigger turnovers have. ‘The supply chain finance part is a great stepping stone. It is voluntary, but has already been helpful for SMEs in our supply chain.’ Capital markets will continue to encourage SMEs to think about their impacts as larger companies become more concerned about the damage that smaller firms in the supply chains can cause. ‘One of the suppliers on whom you most depend could be using child labour and when that becomes disclosed, you're going to lose 40% of your market cap tomorrow. I'm advising companies to augment their supply chain reporting on how their major suppliers and service providers conduct themselves and whether they practise quality governance,’ insists Professor King. WE SEE LARGER COMPANIES REALISING THE BENEFITS OF SUPPORTING THEIR SME SUPPLIERS AND OTHER SMALLER THIRD-PARTIES MORE STRATEGICALLY. 59 RETHINKING RISK FOR THE FUTURE | 5. INDUSTRY-CENTRIC RISKS AND OPPORTUNITIES: NO ONE SIZE FITS ALL Sustainable risk management: Lush’s story Lush, the eco beauty and cosmetics company, was started up in Dorset, England 25 years ago by a team of environmental and social-minded founders, who had been protesting for animal, human and planetary rights for many years. Simon Brewer, who works in Lush’s finance team managing its environmental impacts, says the company’s ambitious culture is infectious. ‘We feel that the state of the planet has eroded so much that sustainability is not enough anymore. We need to go beyond that and regenerate the environment as well.’ For many companies, the risk of climate change and environmental degradation may not have been traditionally viewed as a financial risk until more recently, but Brewer says that risk accounting is a key part of the firm’s sustainability journey, using the planetary boundaries framework, a concept defining nine Earth system processes with environmental boundaries, and the World Economic Forum’s annual Global Risks Report (WEF 2021), as guides for prioritising risks and objectives.13 ‘To maintain a habitable planet, we look beyond carbon footprints to measure the environmental impact of everything that we do, so I work with internal teams to analyse the risks and strategies around that.’ Brewer says the WEF’s annual Global Risks Report also influences Lush’s approach by illustrating the likelihood that risks will materialise and the severity of the consequences if they do. In his view, the pandemic has served as a dress rehearsal of what is yet to come, so the world needs to be prepared Source: Stockholm Resilience Centre_J. Lokrantz/Azote based on Steffen et al. 2015.jpg 13 The planetary boundaries framework defines the nine boundaries for a safe operating space for humanity on Earth and gives governments, companies and civil society a precondition for sustainable development. 60 RETHINKING RISK FOR THE FUTURE | 5. INDUSTRY-CENTRIC RISKS AND OPPORTUNITIES: NO ONE SIZE FITS ALL Sustainable risk management: Lush’s story and not walk into the next disruption blindly. ‘We know how COVID-19 has disrupted our business, but if you look at the WEF’s report, you see that climate change, biodiversity loss and natural disasters are going to have an even more severe impact and are very likely to happen, so we are using that knowledge to drive our objectives.’ Moving towards a regenerative business presents many challenges, the biggest being how to quantify these risks. ‘Our initial thinking, we started off with the Five Capitals Model, a framework for sustainability developed by Forum for the Future, which says if you want to look after financial capital, you need to look after social and environmental capital, so that triggered something in me and I have been researching how we can best measure our environmental risks and impacts for the past five years. We have an internal team doing similar work for the social elements too.’ (See Forum for the Future n.d.) Lush’s approach to quantifying environmental impacts is very much data-led, building on both external risk data and data developed internally, such as lifecycle assessments, a method that quantifies the environmental impacts of a commercial product, process or service over its entire lifespan. ‘We ask ourselves how significant these impacts are and what low hanging fruits and big material things we should be focusing on.’ Lush uses external expert data on a number of ESG issues ranging from human rights to biodiversity to deforestation and the physical risks of climate change. As buyers, Lush has been thorough about building transparency in its supply chain over the past 10 to 20 years, so they are able to map that against country level risks and monitor how it changes over time. ‘That internal data is key because it gives us a basis to start new conversations with suppliers. If we identify a high risk, we ask them about it and that opens up a conversation about how we can work together to solve any potential issues or capitalise on opportunities for improvement.’ As Lush is a major buyer of natural ingredients, its supply chain is very agricultural based and therefore exposed to risks from threats to pollination and the use of agrochemicals, such as highly hazardous pesticides. Vanilla is one example of a key ingredient substantially affected by pollination risks from widespread losses of insect species needed to pollinate the crops. Brewer says the challenge with biodiversity loss is that the specific issues become more contextual and regional. ‘The point being that you need transparency of what is happening in the place you are buying from. It is important to address all these cultural, ecological and economic elements, preferably not in isolation, because we need to be aware of the trade-offs between solving one issue and perhaps starting another.’ The pandemic disrupted Lush’s supply chains significantly and forced more collaboration with suppliers who needed financial support. ‘We are working closely with quite a few suppliers and in some cases have provided funding to aid them through this difficult time. This has opened up some discussions about long-term resilience and how can we work together to help mitigate the most pressing issues around climate change and biodiversity loss that have a direct impact on community groups across the supply chain.’ Lush’s business strategy is based on its strong ethical values, as well as data and scientific evidence, which add to the level of transparency and have been integral to building trust with stakeholders and limiting greenwashing. ‘We are a storytelling business and that has led to a very high level of engagement with our customer base and staff. So, coming from an accountancy background, my role has been 1) developing and using data to guide people in their decisions, which has really been about taking them out of their day to day to focus on the bigger picture and 2) prioritising – because we don’t have all the time and money to do absolutely everything. As a business, we need to keep moving forwards as swiftly as possible.’ 61 RETHINKING RISK FOR THE FUTURE | 5. INDUSTRY-CENTRIC RISKS AND OPPORTUNITIES: NO ONE SIZE FITS ALL When telco risks call The pandemic’s ripple effects across industries continue and for telecoms there have been significant challenges and opportunities. On one hand, the increased demand due to working from home and rising online consumerism have been positive for the telecoms sector globally. Nevertheless, it also faces a myriad of new risks as the industry grows with rapid digital transformation. This is particularly true in developing countries. Wasiu Yusuf, an audit and risk professional in the telco sector in Ghana, and former head of Ethics and Compliance in AirtelTigo, says that the industry is exposed to a multitude of risks ranging from fraud to power outages. There is also the fact that its services and activities are so ubiquitous. ‘Even people with no portable water still have access to telecom services,’ he points out. At the end of January 2020, the total number of mobile voice subscriptions in Ghana was 41,380,751 whereas the total population was estimated as 30,250,461. To put that into context, he says, mobile phone penetration was almost 137% of the entire population, compared with the recorded 57.7% of population above the age of 15 years old who have a bank account. As in other countries around the world, mobile banking has surged in recent years and telecom service providers are taking advantage of this gap, and reaching out to the unbanked population. Regulatory and geopolitical risks are complex issues for telecom sectors in Ghana and other African countries. To start, Ghana’s government is a key stakeholder with high bargaining power. ‘The government continues to piggyback on the telecommunication service providers to achieve its objectives. Despite the high uptake of mobile services in Ghana, the sector has its own issues and risks that continue to dilute the gains it makes,’ he explains. Regulators should make policies that promote a level playing field, but trust is an issue in developing countries, such as Ghana, and this is an opportunity for the accountancy to work with the companies and the authorities as stewards in encouraging a more positive societal influence. ‘The government through the regulator has implemented a number of measures to monitor and confirm the revenues reported by the telecom operators, but many industry experts and civil society organisations feel there is inefficient use of funds.’ Airtel and Tigo initially merged to sustain their operations, but that did not yield the intended dividend for shareholders. Over reliance on Huawei also posed a risk when the US ban on the Chinese company was enforced in May 2019. ‘Any further escalation of that ban may result in some telecom companies having to completely stop using the services of Huawei, which all the telecom companies are overly reliant on for the provision of services.’ Cyber risk is a growing concern across all ACCA markets, and members told us they expect criminals will continue to look for areas of convergence considering the new environment of IoT. Telecom and financial sectors are fertile grounds for criminals, and one strike could have a widespread impact given that almost every other sector depends on these two industries. Money laundering is an inherent risk in the financial sector and therefore as more telecom service operators move into banking it immediately becomes another vulnerability for them. ‘The issue is compounded since the level of rigorous due diligence conducted when opening a bank account is not happening when acquiring a SIM card and mobile money wallet.’ Accountants could be helping telecoms enhance their due diligence and partner with public policymakers to help make the validation of national IDs more reliable and transparent, as well as help develop a secure national ID database. The lack of such system has created a lot of disingenuous ways of acquiring fake ID cards and fraudulent SIM registration, which is not good for business or Ghanaian society at large. 62 RETHINKING RISK FOR THE FUTURE | 5. INDUSTRY-CENTRIC RISKS AND OPPORTUNITIES: NO ONE SIZE FITS ALL Public sector and the pandemic’s light on purpose While a non-profit organisation manages money differently than the corporate world, the pandemic has proved how important accountancy is for helping public sector organisations prove their purpose. Hamzah Chorghay, director of risk and compliance at Turkish Red Crescent in Ankara, an ACCA member who worked in business risk advisory at Grant Thornton as well as in risk-based internal audit at Toyota in Saudi Arabia before entering the public sector, says that when COVID-19 struck, the Turkish Red Crescent set up a special commission to make sure there was continuous monitoring of the practical effects and what that meant for the stakeholders it serves in Turkey and across the globe. ‘I think this crisis has given accountants a mandate for providing a new level of insights for boards and senior management, and in getting risk involved in every conversation across the organisation.’ The crisis presented an opportunity to show how the Turkish Red Crescent makes a positive impact on society during catastrophes. ‘We want our organisation to be ready to withstand what's coming at us, but at the same time make sure we are agile enough to capitalise on the opportunities that a crisis presents. This is what I advise to my Board and this is what we try to emphasise to stakeholders. Our job is to be by your side during the bad days whether in getting food to people or providing hospitals with much-needed equipment.’ Keeping the KPIs updated and relevant is crucial during a fast-changing situation. ‘When you think of how much aid was delivered, the many lives that were impacted, as well as the money we raise and spend, there are a lot of risks and KPIs that we are constantly monitoring.’ Regarding the inherent risks, geopolitical risk is a key concern for them when it comes to aid and humanitarian organisations. ‘Even local individual donors who used to donate for international causes now are tending to become more supportive of causes closer to home because of the pandemic and this requires everyone in the industry to change their fundraising and aid deployment strategies.’ Chorghay says that timely risk data proved vital to decision making and helped Turkish Red Crescent respond quickly during the pandemic. ‘As we have learned, whether they are financial or non-financial, the risks are increasingly interconnected.’ The Turkish Red Crescent also owns relevant businesses, for example, a tent manufacturer and a water company, as well as a medical supplies manufacturer. Some of the natural disasters that have happened recently have increased demand for these, but ‘external risks that are not apparent one day can also hit from behind the next, so our matrices are always changing’. While non-financial risks are considered in a ‘subtler’ way, he says the pandemic is giving everyone an opportunity to consider how to get other non-key metrics-related risks recognised. ‘In terms of projections and profitability, one needs to talk about the underlying operational risks that are hiding under those numbers. I think accountants everywhere need to take on that ownership a little bit more if they are to add value in the new norm.’ 63 RETHINKING RISK FOR THE FUTURE | CONCLUSION Conclusion Risk can no longer be managed in isolation and accountants, given their skills and professional duties, are in a privileged position to build more effective and ethical enterprise-wide risk management in this faster-moving world we live in today. As guardians of information, accountants can help organisations not only detect and better understand the emerging risks and opportunities facing them, but also foster the mindsets needed to think more long-term. Accountancy professionals can optimise their storytelling skills in new ways by creating more dynamic metrics and reporting methodologies. Accountants should be taking on a more advisory role in explaining the facts and possibilities behind the numbers, breaking them down and putting them into context for their organisations. There is an unmissable opportunity for accountancy to encourage more collaboration and collective action on environmental, social and governance matters by working with public policymakers and partnering with leaders to help grasp how digitalisation and new technologies can help avoid harm to people and the planet. Accountancy will also be important in building trust in today’s digital society by ensuring information is accurate and transparent. Accountants should work to reverse the ingrained notion of risk as purely a negative and instead recognise it as an opportunity to create value and resilience. Reflecting on our competencies, we as a profession must reassess our role in the world as stewards of reporting, which can and must be used to promote changes in behaviour and encourage the attitudes needed to build a greener, fairer and more sustainable future. ACCOUNTANTS SHOULD WORK TO REVERSE THE INGRAINED NOTION OF RISK AS PURELY A NEGATIVE AND INSTEAD RECOGNISE IT AS AN OPPORTUNITY TO CREATE VALUE AND RESILIENCE. 64 RETHINKING RISK FOR THE FUTURE | ACKNOWLEDGEMENTS Acknowledgements The contributions of the following individuals in the development of this research are noted with thanks. Aanchal Makwani, ACCA, Risk Management Associate at Abans Group, Mumbai Adlin Haryati Arshad, FCCA, Principal, Group Risk Management at PETRONOS, Kuala Lumpur Ahmed Mohamed, FCCA, Risk and Audit Manager, South Taranaki District Council, New Zealand Ahsan Jamil, Chief Risk Officer at Pakistan Institute of Corporate Governance Akindele Phillips, FCCA, Chief Risk Officer, co-Founder, Farmcrowdy, Nigeria Akofa Dakwa, FCCA, Chief Risk Officer, Bank of Africa, Ghana Aleksandr Troshin, FCCA, Head of Internal Audit at JSC Pharmstandard in Moscow Alexander Ashby, FCCA, Head of Treasury Markets at Tesco Plc Alfred Brian Agaba, FCCA, Managing Director at ACLAIM Africa Limited, Uganda Andrew Garth, FCCA, Head of Risk, Renault-NissanMitsubishi, UK Antonis Bargilly, FCCA, Partner, Governance, Risk and Compliance at KPMG, Cyprus Apollo Ekelot, FCCA, Senior Project Control Officer, UNHCR, the United Nations Refugee Agency, Nairobi Arpit Vashishtha, ACCA, Risk Management Analyst at ED&F Man, Bengaluru, India Asad Nadeem, FCCA, General Manager, Audit, Compliance and Fraud Risk Management, Abdul Latif Jameel Motors/Toyota Motors, Saudi Arabia Atif Shaikh, FCCA, Operational Risk Management Lead at Facebook, San Francisco, CA Bryan Foss, ACCA, co-Founder and Director at the Risk Coalition, Non-Executive member of the FRC Council Carol Lynch, FCCA, Risk Management Professional, Regulation and Culture, Ireland Charalampos Tsekouras, FCCA, Senior Risk Officer, Credit, at Eurobank in Athens Claire Jenkins, FCCA, Forensic Accountant, Companies House, UK Curtis Wong, FCCA, Chief Risk Officer, GE Capital China and the Asia-Pacific, Shanghai David Hilton, FCCA, Managing Director at KPMG, Washington DC David R. Koenig, President and Chief Executive Officer, The DCRO Institute, author of The Board Member’s Guide to Risk Dev Ramnarine, FCCA, partner at boutique audit and risk consultancy, Miami, ACCA Global Forum for Technology, ACCA Global Forum for Governance, Risk and Performance Dinisha Sasietharan, FCCA, Head of Risk and Audit at Spark, New Zealand Donato Calace, Vice-President of Innovation and Accounts at Datamaran, Member EFRAG Task Force on reporting of non-financial risks and opportunities Dorina Cosbuc, ACCA, Chief Risk Officer, NN Group, Bucharest, Romania Dr. Ariane Chapelle, Managing Partner at Chapelle Risk Management Advisory and author of Operational Risk Management – Best Practices in the Financial Services Industry Edmond Tambara, FCCA, Senior Vice-President at Ameris Bank, Atlanta Edward Jones-Stanley, FCCA, Internal Audit Leader, Risk and Controls, Accor, Ontario, Canada Elisabeth Seep, Executive Director ESG Products at MSCI, New York Emma Costello, FCCA, Chief Financial Officer, Reserve Bank of Australia, Sydney Felipe Silva, ACCA, Risk Management Analyst at Zurich Santander Seguros, Brazil Francis Kamulegeya, Country Senior Partner PricewaterhouseCoopers Uganda Gerald Paul, FCCA, Chief Investment Officer at National Social Security Fund, Uganda 65 RETHINKING RISK FOR THE FUTURE | ACKNOWLEDGEMENTS Giovanna Michelon, Head of the Accounting Group, University of Bristol, Chair of ACCA’s Global Forum for Governance, Risk and Performance H. Hakan Ekinci, FCCA, Head of Global Operations, SP Hinduja Banque Privée, Geneva Hamzah Chorghay, FCCA, Director of Corporate Risk and Compliance at Turkish Red Crescent Hidy Chan, FCCA, Board Director and Audit Committee Chair, CBG, Hong Kong Hong-Jie Chong, FCCA, Regional Business Analyst and Project Management at Aon, Singapore, ACCA Global Forum for Governance, Risk and Performance Ian Carrier, ACCA, Finance Business Partner, at Lush, UK Imelda Buckley, FCCA, Head of Project Delivery, Credit Risk, Group Risk at Bank of Ireland Ingrid Huang, FCCA, Senior Manager of Wholesale Credit Policy at HSBC, British Columbia, Canada Israel Opio, FCCA, Chief Risk Officer at Ecobank, Chairman Uganda Bankers Association’s Risk Committee, ACCA’s Global Forum for Governance, Risk and Performance James Kennedy, FCCA, Risk Manager, BayWa r.e. Energy Trading GmbH, Germany James Lam, Founder and President at James Lam & Associates, Board Director, Enterprise Risk Management author and guest lecturer Jane Walde, FCCA, Risk Management Consultant at the Holistic Risk Practice, former Head of Group Risk at Informa plc, UK Jayrani Bungsy, FCCA, Senior Internal Auditor, Enterprise Risk and Audit Services, Region of Peel, Canada Jiahong Li, Chief Financial Officer at Varian Medical Systems, China Johan Opperman, Chief Risk Officer at Ristco, South Africa, ACCA’s Global Forum for Governance, Risk and Performance John Hoeppner, Head of US Stewardship and Sustainable Investments at Legal & General Investment Management America, Chicago John Lelliott, OBE, FCCA, Chair of the Audit and Risk Committee at The Environment Agency, Chair of the Audit and Risk Committee at Covent Garden Market Authority, Chair of the Natural Capital Coalition, Chair of ACCA’s Global Forum for Sustainability John Reidy, FCCA, Chief Financial Officer and Chief Operating Officer at SOR Consulting, former Chief Risk Officer at Amersham plc Josam Watson, FCCA, Chief Risk Officer, co-Founder, TYME, Singapore, Australian Institute of Corporate Directors, ACCA’s Global Forum for Governance, Risk and Performance Julia Graham, Chief Executive at Airmic, ACCA Global Forum for Governance, Risk and Performance Justin McCarthy, Chairman of the Board of Directors at the PRMIA Institute, Head of Compliance and Risk at BlackBee Kate Lazarus, Senior Asia ESG Advisory Lead at International Finance Corporation Kathryn Kerle, Chair of the Audit, Risk and Evaluation Committee at Microbiology Society, Independent NonExecutive Director at Al Rayan Bank Lisa Mashonganyika, FCCA, Director of Finance at Walgreens Boots Alliance, New York Lise Mejholm, Product Manager at Nasdaq OMX, Copenhagen Maeva Charles, Vice-President of Partnerships and Client Solutions at Datamaran, UK Manoj K Raut, Chief Executive Officer and Director at the Institute of Directors, India Marie-Josée Privyk, Head of ESG Innovation and Customer Success at Novisto, Montreal, Canada Merina Abu Tahir, FCCA, Chief Financial Officer at Lembaga Haji, Kuala Lumpur, ACCA Global Forum for Governance, Risk and Performance Michele Wucker, risk adviser, speaker and author of The Gray Rhino and You Are What You Risk Mihnea Sebastian Rotariu, FCCA, Associate Director at Forensic Risk Alliance, Washington DC Milena Olszewska-Miszuris, FCCA, Chief Executive Officer WM Advisory, Corporate Governance Committee at Warsaw Stock Exchange Minh Nguyen, ACCA, former Senior Associate, Assurance and Due Diligence, PwC, Hanoi, Vietnam Nguyen Nhu Yen Minh, FCCA, Senior Investment Manager at Dynam Capital/VietNam Holdings in Ho Chi Minh City, Vietnam Nick Nicolaou, FCCA, Director at NVN Consultancy on Audit, Risk and Compliance monitoring, Non-Executive Director Nicola (Nick) Sanna, Chief Executive Officer at RiskLens, President of the Fair Institute, Cyber Risk and Corporate Governance Working Group at World Economic Forum Nii Ardey Tagoe, FCCA, Senior Credit Risk Officer at Ghana Export-Import Bank 66 RETHINKING RISK FOR THE FUTURE | ACKNOWLEDGEMENTS Oleg Lebedev, Managing Director at Ten Diffusions, Chair of London Steering Committee at Professional Risk Managers’ International Association (PRMIA) Owais Ali, ACCA, Risk Analyst, Market Risk and Operational Risk, Al Baraka Bank, Karachi, Pakistan Paige Marrow, Human Rights Lawyer, Geneva Patrick Schueepp, ACCA, Chief Risk Officer at Bank Avera, Zurich Po Yee Loh, FCCA, Global Internal Auditor at Tupperware Brands, Selangor, Malaysia Professor Mervyn King, Senior Counsel and former Judge of the Supreme Court of South Africa, creator of South Africa’s King IV Code of Corporate Governance and co-Chairman, of the Value Reporting Foundation Ricky Cheng, ACCA, Director and Head of Risk Advisory, BDO, Hong Kong, ACCA Global Forum for Governance, Risk and Performance Rizwan Ikram, FCCA, Chief Risk Officer, Telenor Microfinance Bank Ltd, Pakistan Sanjay Rughani, Chief Executive Officer of Standard Chartered Bank Tanzania and Chair of the International Federation of Accountants’ PAIB Advisory Group Sarah Whale, FCCA, Founder at Profit Impact, Financial Sustainability Consultant, UK Shahid Qureshi, FCCA, Chair, Board of Directors, Calgary Parking Authority, ACCA Global Forum for Governance, Risk and Performance Shailen Bhat, FCCA, Chief Control Officer, HSBC Global Communications, London Shakil Butt, FCCA, HR Consultant, Honorary Treasurer, Chair of the Audit Committee at CIPD, the professional body for HR and people development, London Shanhua Yang, China National Pharmaceutical Group Co. Sinopharm, China Sharley Koo, FCCA, Head of Enterprise Risk Management, Zurich Insurance Company, Malaysia Shastri Creed-Harry, ACCA, Valuations Executive at EY, London Shern Koe, ACCA, Operational Risk Associate, Hang Seng Bank, Hong Kong Simon Brewer, CGMA, Finance Team, Environmental Impacts, at Lush, UK Simon Rose, FCCA, Group Head of Internal and Risk at Crest Nicholson, Audit Committee Chair and nonexecutive director at Two Saints, UK Simon Young, FCCA, Compliance, RegTech, FinTech Consultant, Blockchain firm co-founder, PING AN, Tencent, Octopus, Hong Kong, ACCA Global Forum for Governance, Risk and Performance Stephen Dowling, CEO of ETM, Australia, ACCA Global Forum for Technology Steve Bailey, FCCA, Founder of Aim Proactive, Chief Financial Officer at Neotas, ACCA Global Forum for Governance, Risk and Performance Suman Murthy, FCCA, Business Risk Advisor at Grant Thornton, Bangalore, India Tobias Cook, FCCA, Head of Risk at Aztec Group, UK Tony Manahan, FCCA, Head of Europe Office, Group Internal Audit at Takeda Pharmaceuticals Valentina Paduano, Chief Risk Officer Sogefi Group, Board Member and Chair of the FERMA Sustainability Committee Vikram Patel, FCCA, Group Finance Control Manager, SC Johnson Lifestyle Brands, Ecover + Method, UK Vincent Leung, FCCA, Managing Director, Protiviti, Hong Kong Wai Ting Loke, Chief Financial Officer at DHL Supply Chain, Kuala Lumpur Walter Viguiliouk, FCCA, Principal, Responsible Investing at Ontario Teachers’ Pension Plan, Toronto, ACCA Global Forum for Sustainability Wasiu Yusuf, FCCA, an audit and risk professional in the teclo sector in Ghana, and former head of Ethics and Compliance in AirtelTigo Yonghao Guo, Deputy General Manager of Beijing Tourism Group, China 67 RETHINKING RISK FOR THE FUTURE | REFERENCES References ACCA (2021a), KYC: Is it Time to Digitalise the First Line of Defence? Downloadable from , accessed 2 June 2021. ACCA (2021b), ‘PRMIA-ACCA UK Virtual Roundtable on Audit and Risk Committees: To Be or not to Be’ [website announcement] , accessed 10 June 2021. ACCA and CFA Institute (2019), Social and Environmental Value Creation. Downloadable from , accessed 9 June 2021. ACCA/PwC (2021), Finance Functions: Seizing the Opportunity, . Ashby, S., Bryce, C. and Ring, P. (2018), Risk and the Strategic Role of Leadership. Downloadable from , accessed 10 June 2021. Avishal, B, (2020), ‘The Pandemic isn’t a Black Swan but a Portent of a more Fragile Global System’ [online article], The New Yorker, 21 April , accessed 9 June 2021. BDO UK (2020), ‘Article: The Three Lines of Defence Model (3LOD) Has Been Updated – What Does this Mean for Internal Audit?’ [website article], October 2020 , accessed 3 June 2021. BIS (Bank for International Settlements) (2021a), Principles for the Sound Management of Operational Risk, , accessed 10 June 2021. BIS (2021b), Principles for Operational Resilience, , accessed 10 June 2021. Chen, Y-P. and Hawksley, F. (2021), Invisible Threads: Communicating Integrated Thinking, , accessed 3 June 2021. Edelman (2021), Edelman Trust Barometer 2021, , accessed 10 June 2021. Evett, C., Webb, C., Lyon, J. and Sood, S. (2020), Analytics in Finance and Accountancy, , accessed 7 June 2021. Fenergo (2020), Up Close and Personal: The Year of Personal Accountability. Downloadable from , accessed 7 June 2021. Forum for the Future (n.d.). ‘The Five Capitals – a Framework for Sustainability’ [website report] , accessed 7 June 2021. Furness, B., Webb C., Hildreth, G. and Lyon, J. (2020), Finance Insights – Reimagined. Downloadable from , accessed 10 June 2021. IIA (2020), “IIA Issues Important Update to Three Lines Model', [website press release] . IIA (Institute of Internal Auditors) (2013), IIA Position paper: The Three Lines of Defense in Effective Risk Management and Control, , accessed 3 June 2021. James, M. (2019a), Cyber and the CFO. Downloadable from , accessed 9 June 2021. James, M. (2019b), The Passionate Practitioner. Downloadable from , accessed 7 June 2021. Johnson, R. (2020), ‘Will your Supply Chains Snap?’ [online article], AB Accounting and Business, October , accessed 10 June 2021. Koenig, D.R. (2020), The Board Member’s Guide to Risk, (Independently published, ISBN-13: 979-8629628125). Lam, J.C. (2019), “An Animal Kingdom of Disruptive Risks’ [online article], NACD Directorship, January/February, , accessed 9 June 2021. Martens, F. and Rittenberg, L. (2020), Risk Appetite – Critical to Success: Using Risk Appetite to Thrive in a Changing World, , accessed 10 June 2021. PwC (2020), Operational Resilience: How to Set and Test Impact Tolerances, , accessed 10 June 2021. Risk Coalition (The Risk Coalition Research Company) (2019), Raising the Bar. Downloadable from , accessed 4 June 2021. 68 RETHINKING RISK FOR THE FUTURE | REFERENCES Stockholm Resilience Centre (n.d.), ‘The Nine Planetary Boundaries’ [website article] , accessed 10 June 2021. Taleb, N.N. (2007), The Black Swan: The Impact of the Highly Improbable, ... Webb, C. (2020), The Digital Accountant: Digital Skills in a Transformed World, Downloadable from , accessed 9 June 2021. Webb, C. and Lawson, R. (2020), The CFO of the Future. Downloadable from , accessed 10 June 2021. WEF (World Economic Forum) (2021), The Global Risks Report 2021, 16 edn , accessed 7 June 2021. Wucker, M, (2016), The Gray Rhino: How to Recognize and Act on the Obvious Dangers We Ignore (New York: St Martin’s Press). Zaronina-Kirillova, A. (2020), Responsible SMP Pacesetters. Downloadable from , accessed 7 June 2021. 69 PI-RETHINKING-RISK-FUTURE ACCA The Adelphi 1/11 John Adam Street London WC2N 6AU United Kingdom / +44 (0)20 7059 5000 / www.accaglobal.com