All the incidents were realised risks that the boards assumed were being managed effectively within the organisation. To that end, it may be time for boards to reconsider the questions they ask of the business in relation to the risks they face.
Boards, whether they are overseeing an ASX listed company, a privately owned company, a not-for-profit entity or a community group, are reliant on the information provided to them regarding the organisation’s risks and the level of those risks. But what these many incidents have demonstrated is that the information provided may not be entirely reflective of the status of those risks, given the significant control gaps that emerged in the subsequent investigations.
Board accountability
Of course, it is not the role of a board to insert itself into the risk management activities of the organisation, but herein lies the challenge: They are accountable for the incidents if they occur.
So, how can boards get the information to satisfy themselves that risks are being effectively managed without overstepping the boundaries of their remit?
The answer is relatively simple and, ironically, is already a requirement in many audit committee charters and terms of reference that I have reviewed. In the majority of these terms of reference, ensuring the robustness of the internal control environment is one of the key purposes of the committee. The issue I have encountered in organisation after organisation is that they either don’t do this at all or address it in a very cursory manner.
There are several reasons for this, but the main ones in my observation are:
- The risks that are being presented to the board are not risks, they are causes or consequences
- There is a lack of understanding of the organisation’s critical controls
- The assessment of likelihood is based on time, frequency, and/or probability instead of control effectiveness, and
- The measurement of the effectiveness of a control is almost entirely based on the fact that the incident hasn’t occurred yet, so it must be effective
To illustrate my point, I am going to use some high-profile incidents to demonstrate how boards might have changed the course of events by not only asking a series of questions but also insisting on evidence being provided.
Integrity Care SA
In April 2020, Ms Ann Marie Smith of Adelaide, who had cerebral palsy, died aged 54, a day after she was rushed to hospital semi-conscious. It emerged that her carer, Ms Rosemary Maione, had left her in the same chair for more than 12 months, stolen cash and jewellery, and misused her vehicle, racking up over A$2,000 ($1,365) in fines.
The risks that materialised in this case were:
- Mistreatment of in-home client by a member of staff or volunteer
- Theft of in-home client property (including manipulation of a will) by a member of staff or volunteer
Both these risks, if they materialised, would have severe consequences to the organisation.
Two of the most critical controls in the prevention of these risks (and others) are:
- Ensuring all staff and volunteers have the appropriate working with children and vulnerable people certificates, and
- Ensuring welfare checks are being conducted on all in-home clients on a regular basis by supervisors and/or managers. Obviously, in this case, welfare checks were not occurring
If I provide the benefit of the doubt and these were risks in the organisation’s risk register, they would most likely have been reported as having a low likelihood because there may not have been any reported incidents.
Imagine, however, if the board required that the following be reported, with evidence, at each audit committee meeting:
- What percentage of staff and volunteers have a current/valid working with children and vulnerable people certificate? Show me – prove it
- What percentage of welfare checks have been undertaken on in-home clients in accordance with policy requirements? Show me – prove it
The board is not overstepping its remit. It is just insisting on evidence being provided. In this case, had the board required these assurances, it is arguable that this incident would not have occurred because a welfare check would have uncovered the abuse.
Too much? I am not sure that can be argued given that in June 2022 two directors were charged with criminal neglect causing death and failing to comply with a health and safety duty of care.
Dreamworld incident
In my book, A One in 30 Year Incident – 30 Years in the Making, I explore the causes of the Dreamworld incident in 2016 that tragically led to four fatalities. In it, I highlight that the risk that the company should have been managing was: Incident occurs on or within an attraction that threatens the health and safety of patrons.
As was the case in the previous example, even prior to the incident of 2016 this would have been (and should have been) considered a risk with severe consequences. That is, of course, if there was a risk register at Dreamworld, which, unfortunately, was not the case.
That notwithstanding, the board should have recognised that any major incident on a ride or within an attraction would have significant implications to the business. The board also had a responsibility to be familiar with all legislation and regulations pertinent to the operations of their amusement parks.
Whether or not they were familiar with the regulations in place prior to, and at the time of, the tragedy, it would appear, based on the evidence presented at the coronial inquiry, that they relied on reports provided to them rather than proactively seeking assurance. Had they been more proactive, I believe they would have been able to ask some very telling questions of the executive, such as:
- What percentage of the rides at Dreamworld have comprehensive and accurate maintenance documentation? Show me – prove it. The answer, in this case, would have been none
- What percentage of the rides at Dreamworld have been accredited by a qualified engineer in accordance with the regulations? Show me – prove it. The answer, in this case, would have been none
- What percentage of the rides at Dreamworld have undergone major inspections as detailed in the regulations? Show me – prove it
- What percentage of staff have been deemed competent to operate the rides using a formal, documented competency framework? Show me – prove it
Once again, the board would not have been overstepping its remit, but would certainly have been able to satisfy itself that these most basic controls were in place instead of finding out they weren’t after the tragedy unfolded.
What do boards need to do?
It is my belief that boards need to be far more proactive in seeking information to gain assurance that the necessary controls are in place to manage their risks. But it is not just about asking the question – it is about seeking evidence.
To do this, however, they need to understand their risks and not just rely on reports of control effectiveness, but insist on seeing evidence that it is occurring.
In short: Show me – prove it should become a phrase in the lexicon of boards.
Mr Rod Farrar is a director with Paladin Risk Management Services.