The year ahead: Governance, risk and compliance in 2020

  • In 2020 there will be more scrutiny of the following areas: how non-financial risks are managed, culture, governance, remuneration and accountability.
  • Organisations will need to consider the quality of compliance and other non-financial risk management documentation.
  • Moving away from high-level, generic or template documentation towards tailored, specific and higher quality governance, risk management and compliance documentation will be key.

When considering what we can expect for the year ahead in 2020, many of us in the governance, risk and compliance (GRC) space probably feel the need to lie down. There is no question there is a tsunami of regulatory change on the horizon for many industries, particularly for the banking, financial services and superannuation industries.

However, in addition to specific regulatory changes, which unquestionably will need to be carefully planned, prioritised and managed, there will also be a need for organisations to take a broader look at how they approach GRC management, or, as it is increasingly being referred to, 'management of non-financial risk'. What all organisations can expect in 2020 is that there will be more scrutiny in the year ahead over how non-financial risks are managed, culture, governance, remuneration and accountability. This is likely to include more reports on where organisations are failing, new or revised regulatory guidance setting the standard expected in these areas and further regulatory action. Regulatory action is unlikely to end with the organisations themselves, with actions against individual directors for breach of directors' duties and criminal liability already announced.

Key GRC focus areas

While there is a heavy focus on management of non-financial risk by banks, insurers and superannuation entities in the wake of the Royal Commission Inquiry into Misconduct in the Banking, Superannuation and Financial Services Industry, it is important to note that the drive for improvement in the management of non-financial risk over the next 12 months is not limited to these industries. 

According to recent commentary, ASIC has indicated it will be looking at the adequacy of boards, culture and pay, not just in banks, but also in listed companies in other industries as well.1 In a keynote address at the Australian Business Ethics Network Conference in late 2019 (9 December 2019),2 ASIC Commissioner John Price gave what may have been ASIC's final messages for 2019 in setting the scene for 2020. The focus of this speech was directed at boards from all industries needing to drive change by improving the way entities manage non-financial risk. In particular, Shipton told the audience:

‘In proposing theories and practical solutions to address these challenges, ASIC concluded that: 

  • boards need to hold management more accountable for operating within the business’s risk appetites
  • boards need to take ownership of the form and content of information they are receiving so that they can understand and oversee the management of material risks
  • boards should require reporting from management that has a clear hierarchy and prioritisation of non-financial risks, and finally
  • board risk committees should meet more regularly, devote sufficient time to their considerations, and more purposefully engage in their oversight of non-financial risk’

Mr Shipton further highlighted that board reporting would be key, as he surmised: ‘In my view, a key insight from our work is that asking questions is essential to learning and to the practice of ethical decision making. That is unlikely to occur unless boards are getting the information they need in a form they can understand.’

Also, both of the 'twin peaks' regulators (APRA and ASIC) have published enforcement plans for the coming year promising a wider focus on culture, governance and remuneration. Thus, ensuring that organisational GRC plans for 2020 incorporate defining and assessing culture, reviewing and improving governance and implementing effective accountability frameworks, will also be critical.


What should you do to prepare

The first step to enhancing the way Australian organisations manage non-financial risk would seem to be defining what is meant by non-financial risk and, more specifically, ‘compliance risk’ for individual business areas. This will need to go further than how organisations have traditionally defined compliance risk. Many organisations are likely to have an identified risk in their registers which matches, or is similar to, the following definition adopted in recent reports issued by ASIC and APRA:

‘the risk of legal or regulatory sanctions, material financial loss or loss to reputation an organisation may suffer as a result of its failure to comply with laws, regulations, rules, related self-regulatory organisation standards and codes of conduct applicable to its activities’.3

While this definition provides the basis for defining compliance risk, how compliance risk is identified for individual business activities has often remained at this base level. In the same way that financial and other operational risks are identified, the specific business activities or risk events that are likely to lead to a compliance risk will need to be identified in a more granular form in 2020, if how compliance risk is managed is to be improved. The ASIC Corporate Governance Report is calling for the same level of detail in the identification of non-financial risk as the detail which is included for financial risks. While certain types of non-financial risks have been identified in some detail, compliance risks seem to be an area which requires more attention.


For instance, organisations will need to consider what is meant when they say they have a low or very low tolerance for compliance risk. Specifically, what is the extent of compliance risk tolerated, and how will the organisation measure how it is operating against its appetite and tolerance? When considering specific compliance risks, organisations will need to be careful to ensure they do not fall into the trap of merely describing an obligation, when it is the activity or event that leads to the compliance risk that is likely to be more meaningful.


To improve the quality of information flowing up to boards, organisations will also need to consider the quality of compliance and other non-financial risk management documentation. Boards and senior managers will be ill-equipped to effectively challenge and question the approach taken to managing non-financial risk, if it is not clear at the outset what is being done by the organisation to manage these risks. Moving away from high-level, generic or template documentation towards tailored, specific and higher quality governance, risk management and compliance documentation will be key.

Reporting to boards will also require detailed examination. To effectively report to boards, a key area to review will be monitoring activities in the first, second and third lines of defence, to ensure monitoring activities are comprehensive, coordinated and result in meaningful information and insights on the effectiveness and performance of the management of non-financial risk and, more specifically, compliance. This will require organisations in 2020 to consider the adequacy of performance metrics.

Also, culture, governance and remuneration practices are of course areas that cannot be ignored this year. Not only do these areas support effective management of non-financial risk, they are critical to success.

Conclusion

While the inevitable regulatory changes necessitate investment in time and money to ensure minimum requirements are being met, the biggest challenge in 2020 will be ensuring that in prioritising the implementation of these changes, the bigger picture of maturing and enhancing management of non-financial risk, is not missed.

The broader focus by regulators on management of non-financial risk, culture, governance and remuneration indicates that a cursory review over these areas will not suffice. In ASIC’s words, a ‘revolution’ will be required.4

Notes
  1. Patrick Durkin, ASIC widens culture and pay crackdown, Australian Financial Review, 14 January 2020.
  2. https://asic.gov.au/about-asic/news-centre/speeches/business-ethics-new-challenges-better-theories-practical-solutions/.
  3. APRA, Prudential Inquiry into the Commonwealth Bank of Australia, April 2018 (APRA CBA Report) and later cited in the ASIC Corporate Governance Taskforce Report: Director and officer oversight of non-financial risk report, October 2019 (ASIC Corporate Governance Report).
  4. Patrick Durkin, ASIC widens culture and pay crackdown, Australian Financial Review, 14 January 2020.

Samantha Carroll can be contacted on 0438 323 584 or by email at scarroll@ashstreet.com.au

Material published in Governance Directions is copyright and may not be reproduced without permission. The views expressed therein are those of the author and not of Governance Institute of Australia. All views and opinions are provided as general commentary only and should not be relied upon in place of specific accounting, legal or other professional advice.

Author disclaimer

Liability limited by a scheme approved under Professional Standards Legislation.