“Three lines of defence are central to the corporate governance framework. However, with COVID-19, there is an indication that these lines have not worked as well,” he said.

“A board is like a general sitting on top of the mountain ... and making sure three lines of defence are talking to each other.”

Mr van Jaarsveldt said, ultimately, the board is responsible for the risk management framework and needs to ensure everyone understands the framework and appetite. 

VIEW ALL

“The board also needs to monitor emerging risks. It’s encouraging that boards are talking more about risk,” he said.

“If the three lines model isn’t working, it may be the board’s fault, and it is important that everyone in the organisation needs to understand how the three lines model works.”

Holding Redlich general counsel Lyn Nicholson said that maintaining ongoing alignment of stated objectives and actions in organisations will continue to be the biggest challenge.

“Be clear and transparent in communicating what it is the organisation is doing, and then ensuring that your processes are in fact doing what you say they are, throughout all levels of organisational complexity,” she said.

“Look at examples of recent failed attempts to maintain this, such as ‘fees for no services’ supported by employee ‘sales incentives’. There are many other examples. The challenge for governance is to operate effectively at a broad overview level, while also making sure that down in the weeds of the organisation things are not going astray.” 

Lucienne Layton, chief risk officer, Crestone Wealth Managements, said the key objective is to ensure organisational ownership of risk management and separation of duties. 

“Risk people love it ... but business people hate it. So how to embed it? Get the culture right. It’s important to make sure people within an organisation understand the intent of risk management.... Three lines risk management must be cognisant of culture and change,” she said.

Director of research at Protecht, David Tattam, believes the three lines of defence “is also about attack”.

“Risk teams in audit and legal can defend against risk coming in, but also need to capitalise on the opportunities,” he said.

“A risk manager should be able to say you guys are taking too little risk and not capitalising on opportunities. Every single person is a risk manager, and increasingly training now is for line one people.”

With the pandemic delivering a sharp lesson on risk in 2020, leaders and decision-makers must also develop new approaches to risk, with the conference highlighting the importance to work with risk leaders to build a multi-stakeholder risk management plan.

The risk function will create a future-ready board that adds value by augmenting opportunity identification and maintaining its duties to investors and stakeholders, the conference heard. Leadership teams are expected to lead well and reflect respectful, strong stakeholder values. 

The conference also highlighted that the greatest compliance challenges boards expect to face in 2020 are balancing budgets in the face of increasing compliance costs, the volume of regulatory change, driving demonstrable cultural change, increasing personal accountability, and the implementation and embedding of regulatory change.

Jason Brown, national security director at Thales, said boards must own the risk, and accept accountability, and approve appropriate resources to achieve objectives.

“And the best boards think about the world in five years, not just next year. Successful risk management happens when the board is asking questions. Risk people need to think about enabling things to happen, not just prevent things from happening,” Mr Brown said.

“Risk managers must understand the purpose of the company, and principles-based behaviour is very important. But they also need to think very broadly and bring in other ideas. And they need to bring imagination into risk.”

Minali Gamage, manager risk and assurance, Fortescue, said risk management can be very process driven and siloed, or it can be a response to strategy and what is driving a business.

“There’s no right or wrong — risk management has to be fit for purpose and help you make better decisions to achieve your objectives. In the future, it will become more important for risk managers to maintain a childlike sense of curiosity,” she said.

“They need to ask better questions, without judgement or bias. And listen ... they need to listen when people respond and be humble and willing to learn from others.”

With cyber security and digital transformation a key part of governance and risk concerns moving to the future, there are also increasing questions around the use of data and artificial intelligence, and how boards should respond.

Rachael Falk, chief executive of the Cyber Security Cooperative Research Centre, said that with change happening so quickly, the question boards should be asking is “not just whether it’s legal, but whether it’s right”.

“The law will take time to catch up, so don’t wait for the law. The question is whether it’s right for the business and right for customers. And while automation is growing, that doesn’t give boards any excuse to devolve responsibility,” she said.

“Part of a board’s obligation is good governance around data ... and that is when higher-order thinking skills come in — what do we want to automate? Who is doing the checking? The board has to remain at the centre of this and be comfortable with the level of risk being taken.”