key: cord-0065912-yl0pv0f0
authors: Guerin, Turlough
title: Questions that board directors should be asking about emerging governance issues and risk: a practitioner's view and implications for the extractive industries
date: 2021-07-20
journal: Miner Econ
DOI: 10.1007/s13563-021-00278-z
sha: 0e005d8322d5b3d8bfbb2bbd7c11397500bd9a56
doc_id: 65912
cord_uid: yl0pv0f0

This article synthesises and highlights outcomes from a governance and risk forum that identified emerging risks for businesses and organisations. A governance framework is first presented followed by a discussion of recent developments in relation to elements of the framework as part of a mini-review of the literature. Emerging risks and opportunities around the changing nature of work, corporate culture, blockchain and cyber security were highlighted, with a particular emphasis on climate-related risks. Key questions to ask as a non-executive director or governance and risk committee member regarding these risks include: could our sector or organisation be impacted by these emerging risks and opportunities? What could be the implications if these risks were to materialise and to what extent will our current business and operating model be impacted? How could our organisation be seizing the opportunity created by the pending changes in these areas? The findings and implications of the governance and risk issues are highlighted for the extractives sector and are especially important as the extractive sector faces challenges in its transformation. The study is novel as it highlights insights from the practitioner perspective of governance which is not captured in the literature. Recommended remedies for each risk are provided, and businesses are advised to undertake a focused review of non-financial risks, including corporate or organisational culture.

Worldwide, organisations have seen a high level of risk crystallise due to climate risk, cyber risk and, as recently demonstrated, COVID-19 (Blades 2020).
Such risks are effectively a tax on businesses and the operations of organisations. They have the effect of redirecting and reallocating resources and cause cost distortions, shifts in supply, disruption to business and operating models and changes in expectations from investors. Good governance requires effective oversight of risks, which is the role of board directors and governance and risk committees of those boards (Nicholson and Kiel 2004). Importantly, risks, whether emerging or long standing, provide an opportunity for organisations to differentiate themselves from their competitors if action is taken expeditiously to get in front of the changes that arise. How businesses in the extractives sector approach risk governance and management is important as it impacts upon supplier relationships through to how they are perceived in the market (Bravo-Ortega and Muñoz 2018; Gruenhagen and Parker 2020; Guerin 2020), through to relationships with customers and society more broadly. The Governance Institute of Australia held a governance and risk forum in Melbourne, Australia. This report distils insights from the forum. This forum report highlights areas relevant to professionals working in the area of risk management and governance. It also summarises other emerging issues arising from the literature. Key questions arising for non-executive directors have been developed as a result of the forum and subsequent literature review. The forum highlights are important as they provide a practitioner view of developments in governance and risk management and provide insights from the Australian practitioner community that acknowledges current challenges facing corporations, as well as insights from the lived experience of governance and risk professionals. It does not solely draw upon insights from the academic and therefore provides a new contribution to the literature.
The focus of the current paper is on the practitioner perspectives gleaned from a recent governance and risk forum for practitioners in Australia. To provide context, a short literature review introduces a framework for governance and highlights novel insights and developments emerging in the governance and risk field and how these relate to the governance framework presented. Highlights are then provided from emerging governance and risk issues raised from a forum of practitioners in an Australian context. The sources of these emerging risks are provided by a range of professionals presenting at the governance and risk forum, which are listed in Table 1. A particular focus has been given to the emerging risks of climate change. Key definitions used throughout the review are provided in Table 2.

Table 2 Key definitions used throughout the review
Risk management: In a business context, the forecasting and evaluation of financial risks together with the identification of procedures to avoid or minimise their impact
Board directors: A non-executive director is one who is not employed by the organisation. This is not the same as an independent director who is one who is not only not employed by the organisation (non-executive director), but also has no relations with the organisation other than being a director. Current good practice recommends that a majority of directors on listed company boards be independent non-executive directors
Corporate governance: Corporate governance is the framework of rules, relationships, systems and processes within and by which authority is exercised and controlled in corporations. It encompasses the mechanisms by which companies, and those in control, are held to account
Climate risks: Climate risk refers to risk assessments based on formal analysis of the consequences, likelihoods and responses to the impacts of climate change and how societal constraints shape adaptation options
Directors' duties: The role of a company director is to govern a company on behalf of the shareholders or members of that company. In Australia, the Corporations Act 2001 specifies what these are. Fidelity and prudence are foundational requirements of directors in relation to their responsibilities to their organisations
TCFD: The Financial Stability Board Task Force on Climate-related Financial Disclosures (TCFD) is a market-driven initiative, set up to develop a set of recommendations for voluntary and consistent climate-related financial risk disclosures in mainstream filings

There are several key roles that boards play in corporate governance. The main roles of a board director are illustrated in Fig. 1. This model follows that of the previous researchers in governance (Nicholson and Kiel 2004). These researchers developed a holistic board framework based upon inputs into the roles on a board, with the exact nature of these roles depending on the organisation's specific requirements. Thus, the governance outputs of organisational performance, board effectiveness and director effectiveness will depend on the match between the board's intellectual capital and the roles required of it, and they have used this model as the basis of a diagnostic tool for measuring board effectiveness. This model, in its essence, forms the overall approach taken in structuring the current short review with selected parts of the model reviewed in the literature and then updated from the forum insights. The most critical of these governance roles is contributing to and overseeing strategy, finance, risk management and legal compliance (Huse 2005; Masli et al. 2018). The challenge for non-executive directors is to be aware of the emerging issues, not necessarily across all the detailed issues, but they need to know what questions to ask and to seek clarity of the business' position on related issues, and get assurance on material risks (Åberg et al. 2019; Anonymous 2020a; Halstead et al. 2019).
It is also a responsibility for directors to seek specialised advice on issues that are beyond their capability or competence. The important monitoring role that boards play influences how firms allocate resources. Proactive organisations who engage with their stakeholders on environmental matters such as climate risk, and have independent boards, tend to perform at a higher level in relation to corporate social responsibility (CSR) and in environmental matters (García-Sánchez 2020). Financial oversight is one of the critical roles of a director (Adams et al. 2010). From a fundamental governance perspective, given that climate risk can threaten business models in the extractives sector, there should be sufficient concern by directors of the risk of insolvency and other financial shocks to their business to warrant further exploration and a demonstration of additional vigilance in this aspect of corporate governance. Increasing warning signs concerning the financial consequences of climate change, as well as of social inequality across and within countries, may signal a change in the mainstream perception of the role of the corporation and of their boards (Levillain and Segrestin 2019). The financial risks of ignoring the impacts of operating in an unsustainable manner have the potential for bringing sustainability full circle into the core of profit-seeking purpose of the corporation (Sjåfjell 2018). In each of the traditional areas of corporate governance, climate risks will manifest in various ways, according to the model described (Nicholson and Kiel 2004), and directors should keep abreast of these impacts (and potential impacts) to avoid shocks to their own businesses and to be open to the impacts that may reasonably be expected to arise during the course of executing their duties as directors.
The following 4 roles are the focus of the current paper:
• Strategy
• Finance
• Risk
• Legal issues and fiduciary duties

Strategy is a plan of action designed to achieve a long-term or overall aim for an organisation. Finding the balance between risk management and achieving the strategy of an organisation is becoming a critical role for board directors. Recent research highlights the importance of understanding director motivation, the role of incentives and therefore the importance of culture in this area of business (Shaikh et al. 2019). Some of the high-profile risks in this area are big data, cryptocurrency, blockchain, artificial intelligence (AI), remote working technologies, the sharing economy and crowdsourcing (Brennan et al. 2019). There is a wide range of forces now creating distributed workforces. This is becoming increasingly obvious as the impacts of the COVID-19 pandemic are felt through businesses, organisations and society (Blades 2020). Along with increasing flexibility of work, employees also require balance and structure when, for instance, it comes to the boundaries between their personal and business life (Brennan et al. 2019). Expectations are increasing for corporations, as powerful socioeconomic actors in society, to lead the innovative transformations required to attain sustainability (Bui et al. 2020). Despite this, there is limited action on tackling climate change by many corporations (Anonymous 2020b). One of the implications of climate risk is its impact on investment decisions and loans. Banks face a dilemma in choosing between maximising profits and facilitating the sustainable use of resources within a carbon-constrained future (Herbohn et al. 2019). These authors suggest that investors perceive that banks incorporate carbon risk considerations into their lending decisions.

Fig. 1 The main elements of the roles of a non-executive director
Boards must define purpose, code of conduct, remuneration and how it is aligned with risk appetite. Directors must also take responsibility for culture as the tone is set from the top (Anonymous 2020a; Barnett 2019; Halstead et al. 2019). The expectation from stakeholders including government regulators is that culture should be a board priority (Petschler 2019). A strong culture of compliance should be a goal for any board in the extractives sector so that safety risks are identified, remedied and reported in a timely manner. Systems and mechanisms for monitoring organisational culture are required if progress is to be made in further understanding the impact of culture on board behaviour and vice versa. An orientation towards organisational safety is likely to be important for being effective in keeping abreast of emerging risks. Also how a board perceives the long-term risk, another aspect of culture, will be important (Slawinski et al. 2017). Having the right financial governance systems in place keeps financial issues of organisations in order. Good financial governance results in accountability, helps to identify financial risks and focuses minds on the organisation's business plan. Financial governance is a critical role for any director. Details of the Royal Commission into the banking and financial services held in Australia are summarised in recent publications (Casson 2019; O'Brien 2019; Petschler 2019), and this commission identified many weaknesses in the current financial system in Australia. Blockchain is a digital ledger of transactions. It enables the creation of records that are secure, reliable, transparent and accessible. It is an alternative to traditional financial ledgers based on classic double-entry bookkeeping. Other researchers indicated that it represents "a leap forward in financial record-keeping not seen in the introduction of double-entry bookkeeping centuries ago" (Brennan et al. 2019).
The same authors have used the phrase "triple-entry bookkeeping", which is traditional double-entry bookkeeping, together with parties to a transaction recording each side of the transaction in a shared blockchain ledger, i.e. representing the third entry. Participants in a transaction would then confirm the integrity of the transaction (Brennan et al. 2019). There are numerous implications of blockchain technology for governance and accounting systems (Brennan et al. 2019), which are highly relevant to governance and risk oversight. It could be used in real-time accounting, continuous monitoring and continuous auditing, as well as fraud detection (Brennan et al. 2019). The implications of blockchain are highly significant within governance and risk. It also includes, for example, where banks ensure that their governance and control frameworks embrace existing and emerging risks, such as anti-money laundering, information technology (IT) risk and non-financial risks including cyber risks (Walter and Narring 2020). An example of where blockchain technology may radically transform the extractive sector is in energy (Bürer et al. 2019). The financing element stimulated by blockchain-based fintech innovations could lead at least towards a significant increase in the democratisation of the ownership (and even the democratisation of value creation) for future energy systems (Bürer et al. 2019) or other utility applications. What is likely to occur is that new business models and new ways of thinking about energy services (and new value propositions) will be inspired or stimulated by the hype around blockchain (whether it is indeed just hype or actually real change in the market). Other authors have questioned the application of blockchain in accounting, questioning the immutability of blockchain through decentralisation and its technological rigour (Brennan et al. 2019).
Others have challenged the notion that blockchain will prevent fraud and discuss ways in which fraud may not be constrained by blockchain, such that senior management will continue to be able to perpetrate fraud. The high energy consumption associated with blockchain may also present a medium- to long-term risk depending on the sources of energy used to power the processing data centres. Risk management should be a key concern of board members to enhance corporate governance in any organisation (Grove and Clouse 2017). Risk can be defined as the "effect of uncertainty on objectives". Risk is important as it assists organisations in setting strategy, achieving objectives and making informed decisions. Taking risks is fundamental to organisations making profits and not-for-profits delivering the services to the community. Recognising and managing risk is a crucial part of the role of the board and management. Oversight of risk management is the responsibility of the board, so it should regularly review and approve the risk management policies and frameworks. In this way the board decides on the nature and extent of the risks it is prepared to take to meet objectives. Critical risks for the extractive sector include climate change and cyber security among many others. In Australia, climate change is often framed as a political issue and a threat to Australia's economy (Potter 2019). This has distracted many business leaders from a focus on opportunity and risk management (around climate-related matters). Climate risk should, however, regardless of political debate, be treated as other business risks (Scheltus 2012, 2015; Scheltus et al. 2021). While the federal government in Australia has not set targets for net zero emissions, state governments have to varying extents, as have local governments.
A belief in the business case for sustainability is growing within the public and business communities, which has started to influence corporate environmental behaviour and market performance, despite the lack of strong and stable federal government policy support (Qian et al. 2020). The absence of strong government policy may in turn lead to an increase in sovereign risk for companies operating in such policy environments where their costs of production are underestimated if a carbon price is not costed into revenues from outputs (Mehling et al. 2019). From an investment perspective, climate change is a critical risk issue for businesses. In recent years, BlackRock's chairman and CEO, Larry Fink, has written an open letter to shareholders and has made it clear as to what his organisation's view is in relation to social purpose, and as the world's largest investor, this has particular significance for company directors in relation to climate change and other sustainability-related matters. In the 2020 letter, BlackRock has made it clear that they are asking the companies that they invest in on behalf of their clients to (1) publish their disclosures aligned to industry-specific Sustainability Accounting Standards Board (SASB) guidelines by year-end, if they have not already done so, or disclose a similar set of data in a way that is relevant to their particular business, and (2) disclose climate-related risks aligned with the TCFD's recommendations, if they have not already done so. BlackRock makes it clear that they should include their plan for operating under a scenario where the Paris Agreement's goal of limiting global warming to less than two degrees is fully realised. The implications for the extractives sector are therefore significant. Table 3 highlights selected climate change risks and their impact on the extractive sector.
Recent literature demonstrates the growing interest in digitalisation in organisations and how this brings cyber risk into the area of strategy and governance (Brennan et al. 2019; Manita et al. 2020; Radanliev et al. 2018). Cyber risks are becoming increasingly important for governance professionals and directors. Digitalisation is, however, a double-edged sword (Verbeke and Hutzschenreuter 2020). For example, digitalisation is having an impact on audits within organisations and how it can improve the role of the audit function. A recent European study (Manita et al. 2020) has shown that digitalisation improves the audit's relevance, in particular by improving the audit quality through analysing all of a customer's data and the benefits that arise from that. This research highlights the importance of implementing digital strategies to provide regulators with the necessary modifications that are needed for auditing while still enabling the business to operate effectively. An example of how some sectors are ill-equipped in relation to cyber risks is the US healthcare sector. It is inadequately prepared to deal with the reality of cyber threats through the increasing use of smart medical equipment and mobile devices which are making healthcare organisations more susceptible to cyber attacks (Abraham et al. 2019). Valuing cyber security risk involves estimating the negative cost associated with different attack and breach scenarios and taking appropriate executive action. From a healthcare organisation's standpoint, cyber risk valuation must take into consideration negative consequences such as ransomware payment, replacing equipment and implementing additional security measures (Abraham et al. 2019). The extractive sector is also vulnerable in different ways including through the existence of sensors across diverse geographies and operating network systems (Tubis et al. 2020).
A fiduciary duty exists in law when a person or entity places trust, confidence and reliance on another to exercise discretion or expertise in acting on behalf of the client (Baxt 2016). These duties and responsibility for meeting legal requirements of an organisation sit with the directors of a board. The directors of a board are charged with both fiduciary duties and strategic development responsibilities (Baxt 2016; Hayne and Free 2014; Huse 2005; Masli et al. 2018). Recent research has studied the impact of increased tightening of regulations on corporate risk taking; however, the results are not certain. This research tends to support the view that stricter corporate governance reform can have a positive effect on corporate risk-taking and corporate investment decisions in an evolving regulatory environment (Walter and Narring 2020). Other researchers have found that governance mandates, e.g. Sarbanes-Oxley regulations from the US, can tighten, but not eliminate, the value gap between poorly and well-governed firms and that firms affected by market shocks continue to have less shareholder friendly governance cultures long after regulatory intervention (Aggarwal et al. 2019). Reporting of material misconduct is also now critical in an organisational and business context as described in the recent Royal Commission (Anonymous 2020a; Petschler 2019; Walter and Narring 2020). The challenges of disruptive technologies such as blockchain as well as the type of risks posed by the cybersphere and from flexible working arrangements mean that directors must upskill themselves and become agile in these emerging risks areas.

Table 3 Examples of the emerging impacts from climate risks on extractive industries
1. The TCFD ranking is based on the latest TCFD report
2. BAU is business as usual; day 0 is when a city runs out of drinking water
3. Risks also include business opportunities
[Table body not recovered; surviving fragments: column heading "Industry sector"; entry "flood- and fire-exposed property loan books"]
Another area of emerging risk and opportunity for boards, related to legal and director's duties, is artificial intelligence (Kaplan and Haenlein 2020). While the benefits of AI and its counterpart, machine learning, intuitively lead us to see how they could deliver business value through increased competitiveness and efficiencies, knowing how to assess the downside risk is more challenging. Still, as these authors point out, it is not too early to prepare for what may come in the distant future. The association between culture and technology is now leading boards to consider these as high-priority governance issues (Levine 2019). Boards have a responsibility to gain deeper insights into culture and the impact that technology has on it. Boards should take a fresh look at how they are approaching risk oversight, which should increasingly be reliant upon data. This should include how the company's enterprise risk management system is informing that oversight. The nature, velocity and persistence of risks have changed (Anonymous 2020a). Consequently, it's time for boards to revisit their governance model and skill sets and refresh the focus of their risk oversight efforts. Recent advancements in artificial intelligence, machine learning and the other areas of technology discussed above are transforming businesses and organisations. Despite these advancements, the ethical issues of business automation and artificial intelligence (and who will be affected and how) are less understood (Wright and Schultz 2018). These are new risks that boards have not previously had to deal with including the need to balance digitalisation risks with those of not acting fast enough to reap the benefits for organisations in the extractives sector (Verbeke and Hutzschenreuter 2020).
Each company and organisation will need to implement effective oversight of the technology that they and their employees use to stay competitive, requiring a much deeper understanding from existing board members, especially as technology evolves. One solution to the technological disruption problem is to add a technical expert to the board of directors (Brennan et al. 2019). There are numerous emerging risks arising on the business and organisational landscape. While many are technology-related, others are a manifestation of risks previously experienced by organisations but have been modified by changing work practices or from accelerated changes (or shocks) in the natural environment such as climate risk. As the forum highlighted, directors and risk professionals need to become fluent in the language and issues associated with emerging technology and seek advice if need be, to ensure sufficient knowledge to know what questions they should be asking of their executives. This is as true for the extractive sector as for any other sector that is reliant on technology and is undergoing a rapid transformation. The areas covered in the remainder of this paper include a cross-section of emerging risks and are described in the following order of topics, aligned with the governance model followed in this paper. It includes updates of knowledge identified from the governance and risk forum, which are built around selected roles of directors, and considers the implications for the extractive industries:
• Strategy
• Finance
• Risk
• Legal issues and fiduciary duties

The risk and opportunities from the nature of changing work practices were highlighted at the forum. Areas of work in the future for governance and risk professionals (including those working in the extractives sector) will focus on what and how work is done, not where and when it is done. This concept is driven by the emerging convergence of technologies that has occurred over the past decade.
A key point made was that it is hard to differentiate when employees are working or not. An example was given of Shell, which is trying to bring people back into their offices. Professionals also need to separate work from relaxing in a digital world, which can be easier for their blue-collar colleagues. The point was also made that 60% of knowledge workers switch roles after 4 years. Therefore, boards need to consider their posture towards disruption, i.e. reactive, active and proactive. An interesting (and concerning) observation given was that most fraud occurs after hours. Executives need to look for trends from the IT systems they use and directors need to be aware of this issue so they question the executive on these issues. Risk and governance professionals play an important role in directing executives where to look for problems in an organisation's business model. In terms of its significance for the extractive industries, this governance issue means that remote working should now be factored into business plans, particularly as the COVID-19 pandemic continues. These workplace issues could affect the extractive industries, both in the short and long terms, through accelerating the transition to AI and remote mining strategies. It could also mean a loss of talent. The issue could be addressed, both in the short and long terms, by the sector embracing the remote and distributed workforce model, agreeing on what level of risk from this working model is acceptable to enable business objectives to be met, ensuring risks are mitigated, and redesigning workforces accordingly to enable more nimble approaches to ore development, processing and overall delivery of business strategy. One of the roles of boards is the development of board-level policies for an organisation. For example, boards must consider the risks posed by climate change on operations and strategy, and any risk policy, and the company's risk appetite statement.
Boards should also be turning their minds to the direct and increasingly indirect impacts of climate change on their businesses such as increasing energy costs and energy security and ensuring their operations have measures in place to counter these impacts. A further consideration around policy is how company boards posture themselves in relation to government positioning on climate action. There is growing consensus in management circles that the major challenges of our time, including climate change, call for questioning business as usual (BAU) corporate governance models and practices. The chaotic political battles and ongoing changes in climate policies are making Australia in particular a country at risk of missing its overall goals and ambitions for reducing carbon emissions. In Australia, the business community, the capital market and investors are all in urgent need of climate policy certainty at the state and federal levels to ensure the positive effect of carbon performance on financial returns over the long term. Directors therefore should remain alert to the need for driving their businesses to improve the way in which they govern for climate risks and harness whatever levers they are able to, to demonstrate leadership in climate risk mitigation and seizing the opportunities it presents. Millennial-aged investors and consumers are taking action with their feet on climate-related issues and are already changing the flow of capital. This will have profound impacts on allocation of capital and both the emergence of new sectors and destruction (or stranding) of incumbent technologies, industries and their assets. In terms of its importance and size for the extractive industries, this governance issue means that climate change is one of the most important emerging risks among the many other areas that governance professionals should be considering as they preside over board room discussions.
This issue is already impacting the extractive industries, both in the short and long terms, through slowing (and in some cases eliminating) the extraction of certain minerals, e.g. thermal coal, which is a major contributor to climate change. The risk is being addressed, both in the short and long terms, by businesses in the sector decarbonising their ore assets, as well as their business operations (e.g. by diversifying energy inputs), and offsetting any residual carbon emissions. Table 4 identifies the actions directors can take under each of their governance roles in relation to overseeing climate-related risks. Further discussions of climate change are provided later in the article under "Legal issues and fiduciary duties". A clear impression from the forum was that the lessons learnt from the finance and banking sector should be considered not only by risk and governance professionals in that sector, but also in other sectors where trust and ethics are important such as the extractives sector. Regardless of the sector directors are working in, it should be part of their mission to inculcate risk responsibilities through to all levels of a modern organisation. The forum highlighted insights leading up to the Royal Commission. Directors should look closely at customer (or stakeholder) complaints. These are gold mines for getting insights into real risks for an organisation. Directors need to ask what is "the invisible thing", above our offering, that keeps customers coming back. For banks (and most organisations), it is trust. Directors need to look to where the incentives in an organisation are, and this will give hints as to where risks will be hiding. Greed has manifested itself in the banking industry through bad behaviour as was revealed during the recent Royal Commission held in Australia. Increasing transparency of incentives in an organisation's business model is critical.
The more people can see these, the more others can point out the emerging/likely risks so they can be managed appropriately. What this governance issue means for the extractive industries in terms of its importance and size is that customer transactions and interactions and financial probity should remain a critical governance issue, and directors should be considering these as they have the potential to impact their businesses. These risks could affect the extractive industries, both in the short and long terms, impacting the reputation of businesses found to not be acting in the best interest of customers or other stakeholder groups, e.g. landowners in an extractive industries context. The issue could be addressed by the sector ensuring it brings all extractive companies along the journey of improvement through continued or even increased focus on voluntary legislative reform and supporting these as appropriate. Putting emphasis on professional development (as discussed in the next section) is another interaction that directors could champion in the organisation to increase ethical awareness and strengthen corporate trust and reputation.
Organisations must be ready for the technology and its application to finance. If not, chasing the technology will be too expensive when its time comes for your sector or business. One thing is for certain: each industry will be impacted by blockchain. It is expected to massively reduce costs of handling, verifying and auditing in any supply chain. The other main insight in relation to finance was a discussion of the APRA report into the Commonwealth Bank of Australia (CBA). The APRA/CBA report, inquiring into the shortcomings of the CBA, was a critical milestone for governance and risk professionals, and directors were encouraged to read this.
The more recent Royal Commission into the banking and financial services (referred to in the previous section) has also revealed new insights into the Australian financial system; however, some of the themes from the APRA report were also highlighted. These provide practical insights for directors as follows. First, success can dull the moral senses of executives and non-executive directors. The financial institutions had become deaf to their customers. Another was the reactive, rather than proactive and pre-emptive, approach to dealing with financial risk, and that the organisation had become insular, not reflecting and learning from its mistakes and from those of others. Risk and governance professionals need to bring risk to life in their organisations. Organisations must take care not to put the desire for collaboration over the need for challenging and addressing real issues. The pursuit of consensus can be dangerous. Finally, a widespread sense of complacency had developed throughout the organisation's culture and particularly around non-financial risks. The APRA/CBA report provides an instructive overview of corporate governance. It has brought a focus to corporate culture in Australia, reinforcing what governance and risk professionals, and many directors, have known for a long time. Regulatory oversight of governance and risk in businesses and organisations can only be expected to increase in the short and medium term. Directors should prepare for this and help shape the creation and measurement of risk-aware cultures within their organisations. In summary, directors and senior executives must put in a serious effort to understand the culture of their organisation.
Table 4 Roles and responsibilities of directors in relation to emerging climate risks. The entries for the aspect column were taken from the main sections of the Company Directors Course (offered by the Australian Institute of Company Directors)
• The TCFD and AASB set out how financial business models can be assessed for climate risks and how to disclose this risk to the marketplace
• The finance sector is driving the corporate and regulatory interest and reform in the disclosure of climate-related risk
Board role and being a director
• Boards set the "tone at the top" and provide the enabling environment for climate risk discussions
• The approach to climate risk and opportunities will be impacted by the values of the board
• Climate risk should be included in engagement discussions with key stakeholders
• The skills matrix of a board should reflect its capacity to oversee the climate risks relevant to its business
• Depending on extent of risk exposure, climate risk and opportunity evaluation must be part of decision-making at the board level
Decision-making
• Timeliness of decisions should reflect the degree of climate risks as climate risks are already crystallising in most sectors
• Effective decision-making at the board level should include impacts of climate risks where this is material
• Climate change can also impact upon the certainty associated with key organisational decisions
Directors' duties
• Diligence and fidelity are the cornerstones of directors' duties as set out under the Corporations Act (2001) in an Australian context, and these apply to climate risks and their disclosure
• Conflicts of interest may impair the judgement of directors in making effective decisions that involve climate change and the causes of it
• Climate change can impact the long term value of an organisation and must be recognised as such
• Climate risks can impact on the viability of a business and therefore its ability to remain solvent
Legal environment
• There are a range of laws that directly and indirectly impact on climate risks. Directors and executives (officers) of the company should be aware of consequences of non-compliance as these usually lead to direct personal liability
• Contracts will be impacted to varying extent by climate-related risk and opportunities and can impact long term viability of an organisation
• Individual directors need to be able to demonstrate that they are showing due diligence in relation to legal implications from climate risks
Risks
• Climate risks are foreseeable. The fact that the impacts are "foreseeable" is now settled within the legal profession
• Risk appetite, risk policies and frameworks should reflect climate risks
• Climate risk should be considered as an emerging risk if it hasn't already crystallised in an organisation or an organisation's sector
• An assessment should be made as to how climate risk is likely to impact value (of the company and its offering)
Strategy
• Leadership must acknowledge climate risk and if executives don't then boards should ask if they are the right people to be leading the business at this time
• Climate risk should be factored into the forces that impact upon and shape an organisation's strategy
• Climate risks should be considered in the strategic planning process
What this governance issue means for the extractive industries in terms of its importance and size is that, with blockchain risks and opportunities, businesses should not jump in but should keep a close eye on developments as they emerge in their sector and keep open to it. It will have teething problems. Professionalism, ethics and culture also need to be kept front of mind for directors. This issue could affect the extractive industries, both in the short and long terms, through the need to keep professionals in the business at their highest levels of professional development, and if this doesn't occur, then staff could become weak links in maintaining the reputation of an organisation in the sector. The issue could be addressed, both in the short and long terms, by companies measuring their corporate cultures and acting on the findings of these on an ongoing basis. Encouraging or even supporting professional development, incorporating ethical training, would be another means of acting on these findings to ensure a strong bench of professionals and prospective leaders.
During the forum, the topic of cyber risk was mentioned numerous times. The point was made that directors should remember cyber risk is not a technology risk. It is essentially a people risk. The Equifax cyber breach was referred to. Equifax, which owns the credit history data and personal information of 800 million people around the world, confirmed in late 2017 that the personal data of 143 million people had been hacked. This was a catastrophic breach of Equifax's systems, which was found to be inevitable because of a cultural issue of disregard for cyber security policies and practices, in addition to Equifax's reliance on employees who did not have appropriate education and training in information security. Phishing attacks are increasingly being "tailor made" to executives. This is easy to do with so much information about executives now readily available online via social media.
Insurers are going to become more selective about who they will insure. Premiums for cyber insurance are likely to increase rapidly soon. While healthcare is a critical industry where cyber risks must be kept first and foremost in the risk register, all business sectors and governments have vulnerabilities and must ensure risk oversight in this area is adequately resourced.
Common technology-enabled disruptive forces have been instrumental in significantly changing business models in unprecedented ways, including their risk profiles. Some of the high-profile risks in this area are big data, cryptocurrency, blockchain, artificial intelligence, remote working technologies, the sharing economy and crowdsourcing. This includes converging technologies such as decentralised and collaborative platforms, e.g. blockchain, the sharing economy and video conferencing.
What this governance issue means for the extractive industries in terms of its importance and size is that cyber risks will only continue to present a threat to operations and their supply chains. This issue (risk) could affect the extractive industries, both in the short and long terms, and operations and supply chain partners will need to continue to invest in cyber risk protection. Directors should also be skilled in this area of emerging risk and governance. The issue (risk) could be addressed, both in the short and long terms, through ongoing investment in preventing cyber attacks and by rigorous training across all levels of business and regularly bringing in external expertise to advise the board and executives on preparation in the event of an attack (i.e. help to develop business continuity plans) and to enable best practice in prevention. It was recommended that penetration testing (of IT systems) be conducted regularly. Organisations in the extractive sector are urged to look hard at the details of the coverage of their cyber risks in their insurance policies.
This is an area where boards should seek external advice. Companies should be asking the executive responsible for IT what risks are being identified, how these are being managed and, where necessary, reported.
Everyone in an organisation should be involved in risk identification and mitigation, not just those delegated with its formal ownership, e.g. directors, risk committees and risk managers. At the same time, people in organisations (contractors or staff) need to be held to account for mitigating these risks. As one of the presenters stated at the forum, "Individual risk events do not necessarily repeat but they do rhyme". Directors and risk managers should not forget about "long-tail" risks in an organisation such as contingent liabilities, remediation costs (environmental, financial, others), liability related to leave, health costs and others. These could and often do manifest and cause current, operational problems. Success in the past (in governance and risk management) does not necessarily mean success in the future. Directors and risk managers need to keep sharply focused on emerging risks and the fitness of their organisation to manage them. Other implications for risk and governance professionals are that organisations can't eliminate risks, but they can mitigate them. But the classic 5 × 5 risk matrix is no longer fit for purpose. Rather, the attendees were challenged to determine the quality of risk controls in place in their businesses and operations. Interestingly, according to the risk experts that presented, risks across organisations and sectors don't change that much, but the quality of the controls does. Many of the insights from the forum were in this area (Table 5). What this governance area means for the extractive industries in terms of its importance and size is that risk ownership will need to be an important message to continually get across to internal stakeholders and suppliers.
This issue (risk) could affect the extractive industries, both in the short and long terms, and operations and supply chain partners will need to continue to train their people and invest in the most appropriate and effective risk tools for their business and not assume standard packages will be suitable for managing risks. Directors should also be skilled in this area of risk and governance. The issue (risk) could be addressed, both in the short and long terms, through ongoing investment in training, as well as culture development programs, and ensuring risk culture is measured in any employee survey that may be used in a business or organisation in the sector. In terms of quality of risk controls, there was a recommendation to start internally and start with actual risks and their controls and work backwards when mitigating risks in an organisation. This is a departure from traditional risk assessment processes.
There are a range of laws that directly and indirectly impact on corporations. Directors and executives (officers) of a company should be aware of consequences of non-compliance as these usually lead to direct personal liability. For example, many operational aspects of an extractives company will be influenced by changes in laws such as contracts. Individual directors need to be able to demonstrate that they are showing due diligence in relation to changes in the legal environment. This is an evolving area of corporate regulation and risk and governance professionals can expect to see changes in the short- to mid-term. How regulators respond to the landscape of emerging risks is currently uncertain. In Australia, the prudential regulator and corporate regulator are increasingly tightening the controls on banks for lending and introducing new advisory position papers on emerging risks including climate change. This is a signal that further regulation impacting upon governance and risk is likely in Australia.
In addition to the strategic issues regarding climate change, there are emerging legal risks associated with this risk. For example, the Hutley Opinion ("Climate Change and Directors Duties"), a significant legal opinion that was published by highly respected lawyers in Australia in recent years, has been an important step for clarifying responsibilities of directors and officers in Australia. Directors will be liable for failing to ask about the climate risks impacting their organisations. APRA, Australia's prudential regulator, has also come out with a position and has indicated that listed companies would be prudent to comply with the TCFD recommendations regarding climate risk disclosures. Over the past 3-4 years, corporate Australia has seen climate risk go from a niche issue to now being incorporated into guidelines referenced by our financial regulators. Climate-related risks present an upside too. Specific to climate-related risks are the following four examples which reflect changes that have occurred which are relevant in a company director setting in Australia, and many of these examples are manifestations of what has transpired from the experience of Europe as it has systematically dealt with the issues of climate risk governance and its critical linkage to financial stability (Fisher 2020).
Table 5 The following quotes capture the essence of the Governance and Risk Forum
• "Wrong is wrong even when everyone is doing it. Right is right even if no one is doing it"
• "Do the basics, do them well" and "Good risk done well is a proxy for good management"
• "As risk managers and non-executive directors, be courageously authentic"
• "The recent APRA report into the behaviour of CBA didn't find out much new, but it has reminded us where the bar is"
• "The future [of organisations and their governance] is about moving away from complacency"
• "Individual risk events do not necessarily repeat, but they do rhyme"
Few things will get the attention of a board director or company officer more than the risks posed by strict liability. Non-executive directors are particularly interested in matters that could result in breaches of laws that have strict liability associated with them; mine safety risks fall into that category. Though the changes in this section are relatively new and untested in the courts in Australia, they provide illustrative examples of how financial and corporate regulators are turning their minds to climate-related risks and are likely to come into law in the near future as is evident from the European experience (Fisher 2020), for example, how the rule of law is changing in relation to climate risk and how these impact on the roles of directors. They don't just apply to the extractive industry risks but have broad application to corporate climate change risks and how directors should prepare for these. There are four examples described here that illustrate how emerging thought leadership, regulatory notes and white papers and shifting positions from the director industry body are shaping the discourse at the board level and potentially will become a requirement for doing business in Australia. These examples, which were introduced at the forum and are from organisations that regulate and oversee corporations in Australia, illustrate that climate-related risks must now be dealt with as any other risk faced by an organisation: under its jurisdiction in late 2018. These are voluntary guidelines that provide the financial reporting profession advice as to how to consider material financial impacts from climate change on an entity's financials. These have adopted the principles set out in standards that are now appearing internationally including the Task Force on Climate-related Financial Disclosures or TCFD, as well as the initiatives of investor groups.
While voluntary in Australia, internationally, the TCFD recommendations are becoming integrated into law. Many companies are now reporting against them including those in the extractive sector. The model of the TCFD is set out in Fig. 2.
Example 2 The ASX Corporate Governance Principles 4th Edition (published in February 2019) are guidelines that Australian Stock Exchange (ASX) listed entities are required to comply with. These principles state: "One of the key roles of the board of a listed entity is to monitor the adequacy of the entity's risk management framework and satisfy itself that the entity is operating with due regard to the risk appetite set by the board. This includes satisfying itself that the risk management framework deals adequately with contemporary and emerging risks such as conduct risk, digital disruption, cyber security, privacy and data breaches, sustainability and climate change. One particular source of environmental risk relates to climate change. This includes: 1. risks related to the transition to a lower-carbon economy, including policy and legal risks, technology risk, market risk and reputation risk; and 2. physical risks, such as changes in water availability, sourcing, and quality; food security; and extreme temperature changes affecting an organisation's premises, operations, supply chains, transport needs, and employee safety". Many listed entities will be exposed to these types of risks, even where they are not directly involved in mining or consuming fossil fuels. The council would encourage entities to consider whether they have a material exposure to climate change risk by reference to the recommendations of the Financial Stability Board's Task Force on Climate-related Financial Disclosures ("TCFD") and, if they do, to consider making the disclosures recommended by the TCFD. It is important to note that the council takes an "if not, why not" approach to reporting disclosures on all of its reporting requirements.
These changes have implications for companies that have extractives supply chains and therefore have vulnerabilities in relation to climate risks. The Australian Prudential Regulation Authority (APRA), the Reserve Bank of Australia (RBA) and Australian Securities and Investments Commission (ASIC) have all released statements and positions on climate-related risks. Companies in the value chain will be keeping a watching brief on all of these regulators now that they have signalled their concerns to the market. The following quote from RBA is important. It shows an expectation that companies should look at modelling different scenarios and time horizons to explore potential implications, not just "document static metrics". This implies sophisticated analysis of climate risks. "Financial entities should consider their need to be able to model the potential impact of CCR [Climate Change Resilience] risks under different scenarios and over different time horizons, beyond mere documentation of static metrics. ….. it is incumbent on both APRA and its regulated entities to consider CCR risks, and put in place actions to mitigate those that could have a significant financial impact if left unaddressed". The Australian Institute of Company Directors' (AICD) updates for the past 3 years have highlighted climate-related risks as material matters boards need to consider routinely. Coupled with energy policy, and social licence issues, climate risk is now front and centre as an issue for board directors to consider. It is worth pointing out that the AICD is a conservative organisation and does not typically raise risk issues unless it has considered them to be real and critical for its members. What this governance area means for the extractive industries in terms of its significance is that climate risk issues, and related regulatory pressure, will only increase over time.
This issue could affect the extractive industries, both in the short and long terms, and operations and supply chain partners will be increasingly impacted in a wide range of ways. One of these will ultimately be in gaining access to new ore reserves (or not) and shifting away from carbon-intensive assets and operations. The issue could be addressed, both in the short and long terms, through modelling of vulnerabilities in the supply chain as well as examining the risks particular to a particular business' financial and operating model.
Directors need to understand what questions they should be asking in relation to climate change. The overarching questions in relation to the board, non-executive directors and risk are:
• "Does our organisation's approach to risk management demonstrate care and due diligence for the type and size of organisation that we as directors are governing?"
• "Does our approach to risk management create value or is it a tick and flick exercise?"
Further questions for directors in relation to climate change are provided in Table 6.
With what we are trying to achieve as an organisation, what impact will it have on the workforce including on their health and wellness? How do we prove where our data is given the mobility of our workforce? How could assurance of this, or its absence, impact our relationship with customers and regulators? What further advice and assistance may we need as a board to ensure we can give sufficient care and diligence to the wellbeing of our employees and contractors?
In relation to our culture, what is the tone that we are setting? Does our corporate culture help to create shareholder value over the long term? Does our culture increase our brand loyalty and therefore build our public reputation? What interventions as a director and or governance and risk professional can we make to create or enhance our culture? In what ways are we as directors informing ourselves about the organisation's culture? Do we know what is driving behaviours that are creating the culture?
Are we disclosing our climate risks in a transparent and credible manner? What standard or recognised approach are we following? What are our climate-related risks and opportunities and have we quantified these? What vulnerabilities are we exposed to across our value chain? Do we know how our organisation could be impacted under various future legal, market and other scenarios? In what way are we protecting our balance sheet from stranded assets? What contingency strategies do we have to protect our revenues in the event our supply chain is impacted negatively by climate risks?
Directors should ask management: How do we measure culture? What does positive culture look like? What is the risk maturity of our organisation? What part of our business or business model could be impacted if staff behaviours go unchecked? How prepared are we as an organisation in a dramatically increased regulatory environment?
Finance
In terms of its application, how do we solve today's problems in our organisation with blockchain? How do we as a board prepare for it? Where is it going to go in our sector and how is its application likely going to impact our business' sector? Could blockchain disrupt our business or operating model? Will it likely destroy or create value in our industry? In what parts of our business could the deployment of blockchain catch us unaware? Are we investing in sufficient research and development to ensure we remain ahead of this particular curve?
Risk
In having risk discussions about issues, ask what must go right? What are we afraid of happening as an organisation? How may changes in the regulatory environment, including more regulatory supervision, impact your organisation's business model? What is the worst thing that could go wrong? Are we leaving any critical issues undiscussed in the board room? Are we listening to the voice of our customers even where we think we are ahead of the market or have an issue under control?
Do we as an organisation have a digital strategy? If so, what is it? Does it align with our business and operating models? As a director, have I understood the cyber risks to our organisation? Are we monitoring cyber risks? What cyber risks are we willing to accept as an organisation? Are penetration tests being conducted routinely on our IT systems? If not, why not? If so, how vulnerable are we? Do we have a cyber risk management plan in our organisation? From a digital perspective, what innovation should we be looking to for solving our emerging business challenges?
What are the risks likely to be faced by my organisation emerging from disruptive technologies and disruptive forces more broadly? How can our board be better prepared to address (prevent and mitigate) these risks? Will our board have to change its composition? To what extent should we as a board be advocating for research and control in the area of AI and how it applies to our business model and sector? Are we as a board giving sufficient attention to the ethical issues related to disruptive and emerging technologies? Are we (as a board) prepared to improve our risk management and risk oversight, or do we face the challenges of the next 10 years in the digital age with what we've been doing over the past 10 years?
Directors are responsible for culture. Table 5 captures the essence of the forum and the sentiment of the presenters on this important issue of culture and governance. Good governance, risk culture and ethical behaviours help promote a more sustainable business model. This is especially relevant in a rapidly dynamic financial and governance landscape. The issues of governance, culture and ethics are neither readily observable nor measurable directly because they are mostly qualitative.
From the regulatory supervisor perspective, this calls for the development of specific tools, for example, tools that can identify the factors that characterise a bank's governance and culture (Walter and Narring 2020). The Australian corporate regulator, ASIC, has taken a strong interest in how standards are set and the type of culture exhibited within organisations. Businesses must ensure that the customer is put at the centre of all culture conversations. Another recommendation at the forum was the need for a more rigorous view of non-financial risks. The regulator at the forum stopped short of mandating regulatory supervision at the board table. The need for deep, cultural change across Australian organisations was the resounding message of the forum. It was reported that boards must define purpose, expected codes of conduct and how their remuneration policies are aligned with their stated risk appetite. Codes of conduct are usually more detailed than company values. An interesting insight and development at the forum was that a business can now predict and measure culture using algorithms (in other words in real time). This can lead to the identification of what were defined as "culture carriers" who should be recognised (in a positive way). The essence of this is the need for social belonging which was considered more important than the conventional wisdom espoused in Maslow's hierarchy of needs. Management reports should include non-financial requirements. What this governance area means for the extractive industries in terms of its importance and size is that cultural change will need to be an important message to continually get across to internal stakeholders and suppliers and other external stakeholders.
This issue could affect the extractive industries, both in the short and long terms, and operations and supply chain partners will need to continue to support culture change efforts starting with awareness, through to survey, training and (potentially) exams through a relevant professional body. Directors should also be skilled in this area of risk and governance. The issue could be addressed, both in the short and long terms, through ongoing investment in culture development programs and ensuring risk culture is measured in any employee survey that may be used in a business or organisation in the sector (as mentioned under "Risk ownership"). Executives should prepare (or revise) codes of conduct and provide these for board approval. As pointed out during the forum, they must be more than a poster on a wall.
What are our climate-related risks and opportunities? Do we know how our organisation could be impacted under various future legal, market and other scenarios? How are we protecting our balance sheet from our assets becoming stranded? Do we as an organisation know our pathway to zero emissions? Have we stress tested plausible pathways? What contingency strategies do we have to protect our revenues in the event our supply chain is impacted negatively by climate risks? What do the two and 10 year outlooks say about how climate risks will impact our business model and operating model? Does the business' strategy consider the projected outlook(s) or scenarios?
This article synthesises and highlights outcomes from key literature and a governance and risk forum that identified emerging risks for businesses and organisations. Governance and risk oversight is emerging as a critical issue for boards. Businesses are advised to undertake a focused review of non-financial risks, including corporate or organisational culture. The novelty of this short review is in the practitioner perspective provided. A governance framework was presented followed by a discussion of recent developments in relation to elements of the framework. Emerging risks and opportunities around the changing nature of work, climate change, blockchain and cyber security were also highlighted in this mini-literature review. These findings from the literature review and forum apply to the extractives sector as it undergoes challenges to transform. While it is critical for executives to understand how their businesses work, it is equally, if not more important, that board directors also gain an understanding of the businesses and the risks that are emerging in the light of the expected influence of a changing climate and the overwhelming need to reform corporate culture. Boards typically consider all risks under the broad categories of operational, financial and strategic risk (as described through this paper). The questions developed from the literature and the forum will enable directors to probe deeply and broadly across the array of risks raised in this article. For each of the risk and governance issues reviewed, suggested actions for directors have been provided. Overall, the management implications of this review for extractives businesses are in the need for directors in the extractive industries to remain current with emerging regulatory, technical and investment sector changes and ensure executives are challenged on how the business is managing emerging risks, in particular, cyber and technology risks and those associated with corporate culture and climate change. These will require upskilling of directors and ensuring they are capable of engaging meaningfully with the many and varied governance risks now emerging in the extractives sector. Opportunities for future research are in testing and further validating the risks identified in the paper and for businesses to ensure they have the management capability to address these risks.
There is also considerable value in future research to provide deeper analysis of governance literature focused on the extractive sector.

The author declares no competing interests.