ASIC’s review into how Australia’s largest financial services companies oversee and manage non-financial risk highlighted important shortcomings. We found that in general, non-financial risks have not received sufficient attention until recent times — in contrast to the intense focus on financial risk.
Following the release of our Director and officer oversight of non-financial risk report, many people have asked why ASIC is reviewing corporate governance practices.
First, we have seen the harm that can occur to customers, shareholders and companies themselves when governance and accountability are ignored. This is why ASIC formed the Corporate Governance Taskforce, which performed this review, back in 2018, and made improving corporate governance and accountability one of our strategic priorities. A key purpose of the review was to shine a light on the actual governance practices of these companies, in contrast to the policies and frameworks described in their corporate governance statements.
Second, all risks can ultimately have financial consequences. If not well managed, non‑financial risks carry very real financial implications for companies, their investors and their customers — particularly if not identified and prioritised early enough.
The Corporate Governance Taskforce is one of ASIC’s enhanced supervisory initiatives. Supervision heightens engagement, assessment and feedback between ASIC and the entities and persons it regulates. It aims to identify problems before they become breaches, and seeks to improve the practices of our regulated population and address the root causes of problems before they cause significant harm.
The Financial Services Royal Commission highlighted what happens when proper oversight and management of non-financial risks are not made a priority. We have seen first-hand that poorly overseen and managed non-financial risks can result in systemic misconduct and hundreds of millions of dollars of consumer losses.
It also leads to remediation costs and ‘catch up’ spending on risk and compliance by firms. In the financial services sector these costs are now reported to be in the billions of dollars, to say nothing of the considerable reputational damage done and community trust lost. In turn, this impacts future cash flows, intangible asset values and thus, ultimately, the profitability and longevity of a company.
Just as the global financial crisis was the watershed moment for banks to focus and mature their oversight over financial risks — particularly credit and liquidity risk — ASIC believes that now is a watershed moment for companies to significantly improve their focus on non-financial risks. A primary focus of the report is to provide boards with a tool to assist them in addressing the challenges involved in the oversight of non-financial risks.
ASIC’s report is not asking directors to step into the role of management or to manage non-financial risks themselves. We are concerned with ensuring the board exercises effective oversight of non-financial risk. The board does this by holding management accountable, ensuring that management operates the business within the risk appetites set by the board, and ensuring that the board has sufficient information to make informed decisions on material non-financial risk issues.
What is non-financial risk?
Different entities adopt different definitions of non-financial risk. For this review, ASIC’s Corporate Governance Taskforce adopted a definition of non-financial risk that aligns with the definition APRA used during its prudential inquiry into CBA.[1] This definition captures operational risk, compliance risk, and conduct risk.
Making the necessary changes
ASIC’s review found that:
- All too often, management was operating outside of board-approved risk appetites for non-financial risks.
- Reporting of risk against appetite often did not effectively communicate the company’s risk position.
- Material information about non-financial risk was often buried in dense, voluminous board packs, making it difficult to identify key non-financial risk issues in information presented to the board.
- The effectiveness of board risk committees could be improved.
Based on these observations, the Corporate Governance Taskforce drafted a series of questions to serve as guidance for boards. These observations were formed following the review of large ASX-listed financial services companies; however, they can still be a useful guide to companies of any size, listed or unlisted, for-profit or not, and to holding or subsidiary entities.
We are acutely aware that there is no ‘one-size-fits-all’ approach to governance, and these questions have been prepared with this in mind. ASIC suggests that directors carefully read the report and look for the questions that are relevant to their business.
Risk appetite statements
- Should we default to the position that the company should be operating within the board’s stated appetite in the ordinary course of business?
- When we fall outside appetite, are we requiring management to do everything within their power to return the company to within appetite, or otherwise cease activities that place it outside appetite?
- Do I understand why our compliance risk appetite has been articulated in the way it has, and why certain metrics have been chosen (to the exclusion of others) to measure compliance risk?
- Does our stated compliance risk appetite reflect our actual appetite? If not, what is the purpose of stating the appetite in this way and how will it help us oversee this type of risk in practice?
- Are the metrics we have approved sufficiently representative to provide a picture of what we are trying to measure across the organisation?
- Do our metrics allow us to measure performance against our articulated appetite?
- Are we measuring non‑financial risk in a way that provides us with early warnings of rising risk levels?
- How do our compliance risk metrics and other non‑financial risk metrics compare to those metrics used to measure financial risk; for example, for credit or liquidity risk?
- Does management report to the board against the metrics in the RAS?
- Do management committees receive reporting against the metrics in the RAS?
- Is the breadth and materiality of information we are receiving from management correctly calibrated to help us perform our oversight function?
- Is the information we receive on non‑financial risk of a similar quality to that we receive on financial risk?
- Are significant issues receiving sufficient prominence in reports?
- Does management reporting make it easy to identify the materiality of non-financial risk across the organisation?
- How are we ensuring that board members not present during closed sessions are informed about material non‑financial risks?
- How are action items coming out of closed sessions recorded and conveyed to the board and management?
- Do our minutes adequately capture key discussion points, reasons for decisions, and significant issues raised with management?
- How are we ensuring that all directors have the benefit of material information obtained during informal conversations or meetings?
- Are the methods we use to update the full board sufficient to ensure it receives reliable and timely information about material non-financial risks?
- How robust are our processes for cross‑committee information sharing?
Board risk committees
- Are we dedicating sufficient time to risk issues, including non‑financial risks at the BRC level?
- For BRC chairs: Am I allocating sufficient time to perform my duties as BRC Chair, taking into account the scale and complexity of the company?
- Does the BRC meet often enough to oversee material risks in a timely manner?
- Does the frequency of our BRC meetings allow for the timely elevation of material risks to the committee?
- Are we receiving the right kind of information to discharge our duties?
- How are we satisfying ourselves that this is the case?
- Are we demonstrating active oversight of, and engagement with, matters being put to the BRC?
- Do we require management to act where we are not satisfied with what is being presented or recommended to the board?
- Do we have transparent and effective processes for escalation of urgent material to the board?
- Are these processes followed consistently?
- Are all board members (whether or not they are formal members of the BRC) fully informed, and do they have an opportunity to participate and be heard on risks?
- Is the BRC the right size to be effective?
- Does the BRC’s charter accurately reflect the BRC’s actual practice?
Be conscious of your behaviour
Behavioural interactions between members of the board and between board and management are relevant to the effectiveness of the oversight of non-financial risk. To assess how board behaviours enhance or impede their oversight and monitoring role, ASIC commissioned behavioural analysis from Kiel Advisory Group.
The Kiel Advisory Group report looks at behaviour and behavioural dynamics between boards and management. It identifies mindsets and behaviours common to the boards reviewed that were helpful to the oversight of non-financial risk, as well as those that presented challenges to this task. It then categorises four different archetypes or models and identifies characteristics for each archetype. To read the Kiel Advisory Group report visit: https://bit.ly/2IAv46D
There is no right or wrong type of archetype or behaviour. Different dynamics in the board environment will produce different strengths and weaknesses. The challenge is to be conscious of those dynamics, and the different models, and to work to amplify the good aspects and avoid the bad. ASIC believes the Kiel Advisory Group report is a helpful resource for boards in identifying their own behavioural style so they can maximise the effectiveness of that style.
[1] Stemming from the Basel Committee on Banking Supervision and ASIC’s market supervision guidance.