Australian businesses and organisations are currently facing an unprecedented confluence of five major risk factors — including surging regulation and skilled labour shortages — that could threaten future performance and even viability.
The impact of business risk hit home in July 2013 when the Rudd Government suddenly abolished Fringe Benefit Tax (FBT) for employer-provided cars. The decision damaged a number of car- leasing companies and shares in salary packaging outfit McMillan Shakespeare crashed more than 50 per cent.
We believe that the following five key risks have the potential to affect Australian businesses in the short to medium term and should be included in any board or governing body discussions on risk management. The background information on each risk area is provided to assist individual organisations in assessing the level of risk to their specific context.
The background information was created by using the Bow Tie analysis technique whereby causes and impacts of a risk event are analysed to determine key causes and consequences, so that controls along with key risk indicators (KRIs) and key performance indicators (KPIs) can be developed and assigned.
The ‘big five’ risks we have identified are: changing government regulations; security risk management; impact of new technology; reduced access to skilled labour; and supply chain disruptions.
It is our opinion that organisations should be seriously considering appropriate preventative, detective and remedial controls to mitigate these risks. But nimble organisations should also be looking to exploit these risks for their benefit.
Interventionist governments (regulator risk)
The plight of the likes of McMillan highlights the first major risk: governments, at all levels, and of all political persuasions, have embraced interventionist action. The number of acts passed by the Australian Federal Parliament has surged from just 17 in 1901 to 206 in 2012. But the government is often acting without consideration of the broader economic and social consequences of its actions.
To mitigate this risk, businesses need to look at lobbying government, as well as changing business processes, strategies and target markets; but they also need key risk indicators to detect changes in government regulations.
KRIs that can be employed to detect changing government regulations that may affect business outcomes include tracking:
- politicians’ statements in parliament and to the media, giving an indication as to their thinking regarding new regulations
- the progress of legislation through the various legislative processes, giving the organisation the ability to prepare for the change ahead of time
- changes to obligations which are linked to risks and controls to ensure that controls are amended (if required) in time. This is especially significant in regard to changes in workplace health and safety regulations and rules which are changed often.
Security risk management
Organisations need to take a forward-looking view and work towards creating an integrated security risk management strategy to deal with evolving external and internal security threats. Security threats can be to people, physical assets and information assets and can take the form of cyber-attacks, data and privacy breaches, and blackmail and ransom demands against staff or the organisation as a whole. Many organisations currently focus on reacting to security threats rather than being proactive in avoiding or minimising the threat.
The challenge presented to organisations functioning in a reactive environment is that it may prove to be more costly in both financial and reputational terms in the long run and provides no scope for future growth or adaption of a security framework. To be proactive and detect advanced threats before they can do damage, organisations need to reconsider their approach to security risk management and intelligence, with a view to achieve a balance between security and opportunity.
Creating an integrated, centrally managed security framework for a unified defense against threats and data loss will enable organisations to understand their future security posture, identify threats and respond to incidents.
Impact of new technology
New technology is causing a fundamental shift in the entire business landscape; the internet, for example, has changed communications and commerce globally. But there are also smaller technological innovations that are affecting — both positively and negatively — businesses and market sectors.
Street map publishers, for example, have had to dramatically change their business model due to the rise in the use of GPS devices; in turn smart phones are affecting GPS device manufacturers.
Resilient organisations identify opportunities from the advent of new technologies and quickly adapt their business models. It is not always the inventor of the technology who can best exploit it or fully understand the long-term implications. Carl Benz, the inventor of the first automobile, believed that there would be probably no more than 1,000,000 automobiles in the world as that was the total number of chauffers at that time!
Skilled labour shortages
Automation of business practices has increased, but human capital is still an essential resource for organisations of all sizes. Skilled labour is becoming a ‘Catch 22’ for many organisations. Training unskilled or lower skilled staff requires time and cash - cash that, as seen in the liquidity risk section, may not be available. But without training, and the experience to shift labour from unskilled to skilled, firms face a diminishing pool of skilled labour. Also the associated costs of hiring and retaining these skills increases.
This risk can be either negative or positive. It will be negative for those organisations which struggle to hire and retain skilled labour, or positive for those which take advantage of the skills shortage to increase their own productivity and/or take the opportunity to sell their services to others.
Supply chain disruption
No organisation exists in isolation to its suppliers and customers, which creates supply chain risk. The risk was highlighted recently when Fonterra was forced to recall eight tonnes of whey product due to potential botulism contamination, possibly caused by a contracted cleaner not doing its job properly.
Supply chain disruptions are varied and often outside the immediate organisation’s controls, so detective and remediation controls are likely to be more beneficial.
Other organisations see supply chain risk as so great that they expand their operations to incorporate both downstream and upstream elements of the chain — an approach taken by many of the large global conglomerates. For Australian companies which are often increasingly dependent on Asian suppliers, the potential risk of supply chain disruption needs to be taken into account.
The key is for organisations to not only mitigate risks, but also seek opportunity. Regulatory changes can be either positive or negative; new technology throws up major growth opportunities; and skilled shortages provides opportunities for organisations to use technology to boost skills, or to sell services to others.
But at the very least, the board and senior management of all organisations need to be discussing how they respond to the ‘big five’ risks identified here.
Alf Esteban can be contacted by phone on (02) 8005 0024 or by email at firstname.lastname@example.org.