Welcome to Directors Australia’s blog

Directors Australia works with the boards, directors and executive managers of organisations to achieve the highest standards of corporate governance. Our aim is to improve board and organisational performance, and on this blog we’ll be posting regular articles on issues of relevance to directors, boards and senior management. We welcome thoughtful comments on the topics raised, as well as suggestions by email on any topics you would like covered.

Disclaimer: This blog site has been prepared by Directors Australia for the purposes of providing general information only. Nothing on this blog site should be used or relied on for legal or other advice by any party. Each party's individual circumstances may change the effect and relevance of any matters discussed.

By Greg Fraser
Senior Consultant

In our last blog we considered risk oversight from the board’s perspective and offered some questions for boards to ask around risk management as well as outlined some red flags to look for.

At an organisational level, risk management must be a continual process. Based on my extensive experience working with a range of organisations in developing and continually reviewing and improving risk management systems, I have developed the following practical tips for managing risk effectively in organisations:

  1. Treat risk management as a thinking exercise and develop a thorough understanding of the internal and external operating environment and its impact, through generating risk, on achieving the organisation’s objectives
  2. Consult widely with stakeholders and staff in understanding the risk environment
  3. Build risk management into the early stages of an initiative or project so it can be used to improve outputs and outcomes – it is too late when problems or disasters occur
  4. Look for opportunities as well as potential threats when identifying possible risks
  5. Risk treatments need to be cost-effective, practicable and aim to reduce likelihood and/or impacts and improve controls – generally, do not spend $1 million to mitigate a $50,000 risk
  6. Document your assessment of risks to facilitate accountability, communication and monitoring and review – but it is not necessary to create War and Peace
  7. Identify responsibilities, accountabilities and timeframes for implementing risk treatments – this facilitates monitoring and review of risks
  8. Formally monitor and review implementation of risk treatments regularly through normal management processes and adjust risk management strategies for any changes or emerging risks
  9. Seek professional advice and assistance where accountability is high or you do not have the skills and experience
  10. Involve colleagues in key steps of the process, e.g., assessing the level of each risk
  11. Inform management about the risks and how they are being managed – escalate to the right level of management for sign-off and acceptance of risks
  12. Create a culture of openness and confidence around the management of risk – it is alright to have high risks provided they are being managed effectively


By Kerryn Newton
Managing Director

Over the last few months there has been considerable media coverage of the potential and increasingly emerging risks caused by cyber terrorism, data theft and corporate espionage, and of a concern that businesses aren’t adequately safeguarded against these risks. A question arises as to whether boards have the collective skill set to oversee such risks.

The administrator’s report in the Hastie collapse also highlights the importance of culture in risk management with the administrators reporting to ASIC a “general culture of ignoring bad news” and an ineffective audit and risk committee.

In our work with boards, the questions we ask around board oversight of risk management include:

  • Has the board got the right collective skill set to identify, understand and oversee risk management?
  • Has the board set a clear risk appetite for the organisation?
  • Are the board and organisational cultures conducive to appropriately managing risks and reporting them to the board?
  • Has the board put appropriate mechanisms in place to oversee risk (e.g. a board risk policy and a board committee with risk responsibilities)?
  • Does the board regularly receive a risk report?
  • Has the board defined what it requires to be reported in that risk report (e.g. strategic/corporate risks v operational risks, ‘by exception’ reporting, potential and actual risks)?

The board’s performance regarding risk should be an issue which is addressed in regular board performance evaluations.

At board level, there are a number of flags which should be considered when it comes to risk oversight. Globally respected Professor Richard Leblanc of York University, Canada considers that risk management oversight failure by boards comes down to three things, all within the board’s control:

  • tone at the top
  • internal controls, and
  • incentives.

According to Professor Leblanc, when it comes to risk management oversight boards should be looking for red flags including:

  • weak or defective internal audit
  • lack of internal controls over acute risks (cyber-crime, derivatives, anti-money laundering, terrorist financing)
  • defective board/committee risk reporting and assurance
  • lack of stress testing
  • overloaded audit/risk committees and a lack of focus on non-financial risks
  • lack of written risk appetite framework and limits
  • static not dynamic risk registers without emerging, interdependent risks and accountabilities
  • defective whistle-blowing procedures dominated by management
  • tone at the top and not firing wrong-doers
  • lack of risk-adjusted compensation
  • audit committee and board not understanding how fraud is committed in their company
  • acceptance of facilitating payments and not understanding bribery and corruption red flags
  • over-tenured and pedigree auditors and directors
  • management dominance and over-ride of controls
  • lack of independent, coordinated assurance over controls
  • board not recognising basic risk, fraud and control flags
  • complex structures and related party transactions, and
  • use of, and reliance on, experts.

By Tim Murray
Managing Director of Culture Strategy Partners

The GFC has given us a new business landscape, and what was important to your customers, staff and shareholders in 2007, may simply have lost relevance today.

If your organisation is running with the same purpose & vision now as you were in 2007, it might be timely to rethink them in light of what’s happened to your stakeholder base over the past 5 years. Your purpose & vision is the driver behind your organisation’s culture. Culture drives performance. Performance drives strategy. Strategy determines sustainability.

How the GFC has affected your customers, staff and shareholders
After five years of the GFC, we live in a new business landscape, and it’s highly likely your customers – in fact all your stakeholders, staff and shareholders included – have very different drivers now than they did in 2007.

The question is, if your organisation is running with the same purpose & vision now as you were in 2007, is it appropriate for 2013 and beyond?

Are you focusing on what your existing customers are now looking for?

Will you attract new customers the GFC may have created for you?

Are your employees still passionate about what you’re doing, and loyal to your organisation?

Are your shareholders still happy to leave their capital where it is?

Developments in the world economy over the past five years have driven a social and global transformation of capitalism. For example:
  • People are saving more, spending less, and debt has become a dirty word
  • Consumerism has shifted away from material accumulation and more towards “experiences” and “meaning”
  • “Customer service” has become a more potent brand differentiator than “product”, necessitating more and better communication within our workforces
  • The explosion of social media has shifted the balance of information power to the masses, democratising information flow, increasing consumer awareness, accelerating the spread of trends, and forcing companies to operate with greater transparency
  • Economic power shifting from West to East has had enormous impacts on consumers and businesses globally, including giving consumers more choice and making it easier to “flip”
  • The institution of business has probably never been held in such low esteem, driven by corporate scandals, executive greed, and morally impoverished corporate cultures where profit matters above all else.
So what was important to your customers, staff and shareholders in 2007, may simply have lost relevance.

Why are purpose & vision so important?
A compelling, inspiring purpose & vision are key to creating and maintaining a high-performing workplace, deserving just as much attention as strategy, execution and innovation.

With the right purpose as your ‘North Star’, employee engagement is higher, competition is less threatening, customers are more loyal, and innovation flows.

If you’d like to re-think your purpose & vision in light of what’s happened to your stakeholders over the past five years, contact me by email. If you decide to make any adjustments, we can support you with whatever you need to bring your refined purpose & vision to life in your marketplace: collaboration technology, management consulting, learning & development programs. You can read more about what CSP does at www.culturestrategy.com.au.

When a crisis happens, it's too late to wish you had a Risk Management Communications Plan in place

By Kathryn Britt

Good governance has many aspects. When risk management is being discussed, organisations first look to meeting their statutory obligations but often put other risk management components in the "too hard" basket.

Most businesses have prepared emergency operations plans and business continuity plans to deal with a crisis. But their brand and reputation is not properly protected unless there is also a crisis communications plan in place.

For some industries, such as financial services, it has been a statutory requirement to have in place a Risk Management Communications Plan.

For other industries it is not required by law – but it is certainly best practice.

If an issue or full blown crisis occurs, it's too late to start thinking about what communications strategies you need.

To ensure your organisation doesn’t enter the “what not to do” list of PR disasters that includes the likes of BP (for their reaction to the Deepwater Horizon oil spill) and Gasp retail (for their harsh treatment of a client that received saturation TV, radio and social media coverage), you need to commit time and resources to a decent plan.

A worthwhile plan is not built from a “cookie cutter” template; it is tailored specifically for an individual business and will recognise the industry that business is operating in.

It will look at likely at-risk scenarios for your business, taking into account your organisation’s history and risk profile.

It’s also important that the plan provides systems and tools to deal with those totally unexpected scenarios that can cripple a business, especially in today's fast-paced world of social media engagement.

A properly formulated communications plan will ensure that your people are prepared, and know what their roles would be in a crisis situation.

It will identify your key stakeholders and provide background and assessment on specific risks and best methods of communications to these diverse groups.

You'll need to give consideration to essentials such as:

  • Who to have on your crisis team and how best to train them (because your plan is only as good as the team tasked with implementing it)
  • Positioning and key messages
  • Spokespeople (and it’s not always the CEO who is best)
  • Media policies and procedures
  • Best communication methods for different audiences and situations
  • Stakeholder analysis
  • Template materials
  • Interview tips and media training

A Risk Management Communications Procedures Manual can help your organisation stay calm and communicate clearly when dealing with an issue or crisis.

It should be a living document, regularly updated – not a 200 page manual that is written, paid for and never looked at again.

Ideally it will contain easy-to-read checklists, because in a crisis you don't want to be flicking through an enormous manual reading pages and pages of text to find what you are looking for.

Lastly, the plan should include performance indicators (quantitative and qualitative), so you can document evidence of whether you achieved the desired outcome when managing an issue.

Kathryn Britt is managing director of public relations consultancy Cicero Communications. Connect with her on LinkedIn at au.linkedin.com/pub/kathryn-britt/2/311/747, or phone 0414 661 616 for a confidential discussion about your business' risk management and general PR/communications needs.


By John Williamson

Boards meet intermittently. In most cases they require professional corporate governance support to ‘make things happen’ in between, as well as for, board meetings. The Company Secretary will generally be the chief administrative officer of the board, and will often in medium to large organisations be supported by a professional secretariat.

Management also require professional corporate governance skills to ensure appropriate governance frameworks, policies and processes exist and that any external or internal compliance requirements are met. The Company Secretary will also in most cases be the chief governance officer and ‘keeper of the corporate conscience’.

For Corporations Act companies, the Company Secretary appointment is a statutory one and attracts statutory duties.

The Company Secretary and the CEO are often the only ‘direct’ employees of a board. While the Company Secretary will be responsible to the board on board-related issues, from an organisational perspective he or she will most likely also directly report to the CEO or another senior executive – particularly if other organisational duties form part of a role description. The Company Secretary role can be difficult at times with various inherent tensions – especially where multiple role responsibilities are involved. (The High Court decision in James Hardie also made it clear that where a Company Secretary’s role is combined with another role – in that case, General Counsel – the degree to which a person participates in decision-making will determine their duties as opposed to their title.)

So in this complex context, what makes a good Company Secretary? Based on my long experience both as a Company Secretary and in mentoring current and ‘budding’ Company Secretaries, the following key attributes are the ‘essential basics’:
  • Governance expertise. Company Secretaries should be the corporate governance professional in their organisation – they should be the ‘go to’ person for governance issues. To be this they should have undertaken at least some initial formal training in governance and company secretarial practice. They then need to ensure a current knowledge of both current developments affecting governance and also best practice in corporate governance – continuing professional development is key.
  • Organisational knowledge. The Company Secretary must understand the business and the context of their organisation. They must be able to translate governance theory into appropriate frameworks, policies and processes for their organisation. They must be able to develop and implement these in a way that their organisation can readily understand and comply with.
  • Planning skills. A good company secretary is usually a very organised person. This is essential given that board and committee meeting cycles are schedule-driven and that external and internal compliance obligations must be met on time.
  • An eye for detail. A ‘command of the detail’ is required. A Company Secretary must ensure that the work of the board in particular as well as the larger organisation is well planned and executed and that compliance with relevant requirements, policies and procedures is facilitated. On the other hand he/she must also understand the strategic goals and plans of the organisation.
  • Effective communication. Company Secretaries work with senior people – board members or directors, CEOs, senior executives and often many senior external stakeholders (including regulators, investors and funders). They must possess discretion, diplomacy, tact, emotional intelligence and good negotiation skills. They must be able to listen well and communicate effectively both orally and in written form.
  • Integrity and independence. As the ‘keeper of the organisation’s conscience’, a Company Secretary must possess outstanding integrity, and be able to provide impartial, frank and fearless guidance and advice. He/she must possess the courage to raise issues and concerns and be accountable and transparent for his/her actions and decisions.
  • Solid judgment. The ability to assess and make sound judgements, often in circumstances involving conflicting issues and ends, is a key requirement for a Company Secretary. This is especially so given the senior people a Company Secretary has to deal with.
  • Commitment. A commitment to doing ‘a good job’ is essential. This could be said to apply to many organisational roles. However it particularly applies to a Company Secretary given the continuing ‘spotlight’ he/she is under from both internal and external stakeholders.

The above is not an unrealistic set of requirements. Many good Company Secretaries I have encountered possess all of the above (and more!). The mix of a seemingly never-ending round of board meetings, senior stakeholder requirements and interactions, and time-driven compliance requirements can be challenging! The attributes outlined above are all needed to discharge a Company Secretary role well.