Westpac — the risks of non-financial risks
AUSTRAC’s proceedings against Westpac for serious and systemic non-compliance with the Anti-Money Laundering and Counter-Terrorism Financing Act 2006 (AML/CTF Act) on 20 November 2019 have unleashed a series of events which are likely to play out for some time to come. AUSTRAC alleges Westpac contravened the AML/CTF Act on over 23 million occasions. From a governance perspective, these proceedings highlight the critical importance of managing non-financial risks, accountability and good information flows.
ASIC Chair, James Shipton observed in the recent ASIC Report on Director and officer oversight of non-financial risks that the ‘reality is that non-financial risks have very real financial implications for companies, their investors and their customers’. The events of the last week have made this abundantly clear. In the meantime, much media commentary has focussed on the reaction of investors — large and small — to the AUSTRAC proceedings. Community and investor expectations of director and executive accountability continue to rise since the Financial Services Royal Commission.
In its Report on oversight of non-financial risk, ASIC talks about expanding APRA’s definition of non-financial risk so that it includes:
- operational risk — the risk of loss resulting from inadequate or failed internal processes, people and systems or external events, and includes legal risk but excludes strategic and reputational risk
- compliance risk — the risk of legal or regulatory sanctions, material financial loss, or loss to reputation an organisation may suffer as a result of its failure to comply with laws, regulations, rules, related self-regulatory organisation standards and codes of conduct applicable to its activities
- conduct risk — the risk of inappropriate, unethical or unlawful behaviour on the part of an organisation’s management or employees.
Recent events indicate all too clearly that these risks — particularly operational risk and compliance risk — can cause significant damage to companies.
ASIC’s report is intended to give the broader market insight into the corporate governance practices it has observed in the four major banks and AMP so that other companies can learn and improve their own practices. In light of the last weeks, the ASIC Report is a must-read for all governance and risk professionals regardless of sector. Its findings included:
- management was often operating outside board-approved risk appetites for non-financial risks, particularly compliance risk. Boards need to actively position themselves to hold management accountable to operate within their stated appetites
- monitoring of risk against appetite often did not enable effective communication of companies’ risk positions. Boards need to take ownership of the form and content of information they are receiving to better inform themselves of the management of material risks
- material information about non-financial risk was often buried in dense, voluminous board packs and it was difficult to identify key non-financial risk issues in information presented to the board. Boards should require reporting from management that has a clear hierarchy and prioritisation of non-financial risks, and
- companies generally sought to use board risk committees to achieve desired outcomes, but their effectiveness could be improved. These committees should meet more regularly, devote enough time and be actively engaged to oversee material risks in a timely and effective manner.
In reflecting on the last weeks, governance and risk professionals may want to look again at some of the questions for boards and committees posed in our Insight: Governance issues arising from the Financial Services Royal Commission (exclusive for members).