Optus, then Medibank, who's next?
Recently, Australian cybersecurity has copped a thrashing. It started with the Optus data breach in September. Over 9.8 million Australians (including myself) received a message informing them that their data had been compromised. Then, the Medibank hack compromised the data of a further 4 million Australians.
This means, with the sheer number of victims and an Australian population just short of 26 million, it is more likely than not that you've been affected in some way.
While the recent weeks have impacted us all as customers, it also affects us as investors. And while Optus is wholly owned by a Singaporean telecommunications conglomerate (which has seen its share price sink around 6% since the data breach), locally-listed Medibank (ASX: MPL) has seen its share price plummet 18% since the hack was revealed.
So is cybersecurity the issue?
Yes, but beyond that, it falls under a bigger umbrella: risk management.
Cast your mind back to late 2019, when it was revealed that Westpac (ASX: WBC) breached anti-money laundering and counter-terrorism financing laws an unbelievable 23 million times. As you'd probably expect, heads rolled soon after at Westpac - with the bank's managing director and CEO Brian Hartzer and chair Lindsay Maxsted announcing their resignations. Just short of a year later, the bank agreed to pay out the largest fine in Australian corporate history (a $1.3 billion civil penalty).
From the time the bank revealed it could face fresh penalties from AUSTRAC to the time it agreed to pay out the penalty, its share price had fallen around 40%.
So could any of the companies in your portfolio be next?
In this wire, I spoke to Perpetual's long/short manager Anthony Aboud for his insight into risk management analysis. Additionally, Aboud shares a recollection of a corporate risk failure and the warning signs investors should’ve paid attention to. As a final bonus, Aboud shares one stock that boasts excellent risk management. Keep reading to find out if you already own it.
Does it all come down to luck?
Aboud acknowledges that "it's very hard to handicap the unknown." So what hope do investors have in identifying corporate failures?
Well, Aboud believes that even if a large negative event occurs, it doesn't mean there was a "failure of risk management" at the company level.
"There is risk in everything we do as human beings as there is for every decision made by an executive at a company," he said.
"To be completely risk free we could live in a bubble and never go outside, however this is impractical. The point is, luck can play a big part in whether or not there is a large corporate failing."
Unfortunately, Aboud believes that, sometimes, it all comes down to luck.
"Companies with great risk management might get unlucky and companies with very poor risk culture and processes might just be lucky and have no scandal," he said.
"Therefore predicting scandals is very difficult to do."
So is luck all that we can rely on? Rest assured, Aboud doesn't believe that to be the case.
"Most decent-sized corporates have large risk management departments so it is not a lack of human capital which is the issue," he said.
The bigger issue is “group think”, Aboud said, and thus, it's important for companies to have a culture where employees feel they are able to question management or identify when there is an inbuilt culture of "short-term profit maximisation at all costs".
"There is a lot of focus on the “E” in the ESG, however, we also spend a lot of time on the “G” of the ESG and making sure that appropriate corporate governance measures are in place and that the CEO does not surround him/herself with “yes” people," he said.
How to identify business blow-ups before they happen
Aboud noted that in Perpetual's investment process, the team hopes to identify three areas where companies need to display appropriate standards:
- Processes
- Culture
- Cognitive diversity
These components help identify the unique risks of each individual business.
"Understanding the unique risks to each individual business and making sure that the management team has appropriately considered the risks is part of our analysis when considering an investment," Aboud said.
Aboud points out, though, that good risk management does not equate to taking zero risks. In fact, he encourages companies to take risks, so long as the risks taken are calculated and the necessary contingencies are put in place.
The goal of Perpetual's risk management analysis is to "understand the processes and culture within an organisation."
In practice, that may be difficult to achieve. After all, "it is hard as an outsider looking in," Aboud said.
To understand a company's internal processes, the available methods tend to be either quantitative or qualitative. In Perpetual's case, there is greater weight on the qualitative side. This part of their investment process is quite subjective in nature.
That said, there are definitely quantitative elements to this process. Aboud shared that his team uses quantitative screening to measure what they can. This may include lost-time-from-injury measures, amongst other things.
Beyond that initial analysis, given the difficulties in understanding the inner workings of a company, the revelation of new information can alter Perpetual's view greatly. Often, this takes the form of a scandal.
"Often a scandal or a royal commission will shine a light on the culture of an individual company which we were unable to identify from our initial analysis," he said.
"Some industries are much higher risk than others and hence we are more sensitive to red flags we identify in these sensitive industries."
When should investors sell?
The Perpetual team embraces the idea that the market is efficient. For that reason, negative news will not always have them jumping on the sell button. In saying that, it is important for them to compare their opinions to what is reflected in the market.
"We will only look to sell if we believe that the market has not fully reflected the negative news into a company's share price," Aboud said.
"There may be situations when the market has not completely thought through the full ramifications of the new piece of information."
One recent example of corporate risk failure: Crown Resorts (ASX: CWN)
For those who have been living under a rock, Crown - one of Australia's largest and most well-known casino operators - was caught in a money laundering scandal in early 2021. This cost them their licence in Sydney and put their operations in Melbourne at risk.
For a company so dependent on this licence, it's no understatement to say it was critical news for investors. Sliding from its peak in May, Crown fell roughly 34% to a low in July. Its share price has since recovered.
Aboud reflected that at the time, there was too much focus on short-term profitability and not enough focus on doing "the ethical thing."
"At the end of the day the core value in this business is its licences and doing anything which could remotely jeopardise the licence is extremely bad risk management," Aboud said.
So what were the red flags, if any?
After doing their own due diligence at the time, Perpetual noticed that "there was plenty of negative press on Crown Resorts about these issues".
This prompted them to do more investigation. On reflection, one red flag Aboud and his team said they should have paid closer attention to was "how aggressively the board hit back at the media when in hindsight it was clear they would not have had enough time to ensure that their management team had done nothing wrong."
One example of great risk management: Macquarie Group (ASX: MQG)
Now for the stock that you've all been waiting for. Aboud reveals their stock pick for strong risk management is Macquarie Group. For the readers already holding this stock, this must be quite reassuring. As for the rest of us, Macquarie is definitely worth checking out.
While Aboud acknowledges that this company has had it easier than most, given that "identifying, addressing and handicapping risk is a central part of the business," like any investment bank, it does face regulatory and liquidity risks.
In addition, Macquarie is significantly concerned with reputational risk. Aboud explained that the difficulties with this particular risk involve "the complexity of the business and the sheer number of investments which are diversified by industry and geography."
While Macquarie's list of risks is "extremely long and varied", Aboud believes this should reassure investors, as it shows that they have done the work to identify and mitigate the various risks that involve their business.
At the end of the day, Aboud backs Macquarie as it has proven it can adapt its business model to suit "the times" without changing its core culture.
"Macquarie has gone through the Global Financial Crisis, Banking Royal Commission and COVID-19 and come out the other side a different but stronger business," he said.