At the AICD Essential Director Update forum in Sydney on 2 October, ASIC chair James Shipton released the results of the Corporate Governance Taskforce Director and officer oversight of non-financial risk report. The report examined how non-financial risk was overseen and managed at seven of Australia’s largest financial services companies — the big four banks, AMP, IAG and IOOF. It examined almost 30,000 documents, interviewed 60 directors and senior executives, and took external advice on international trends and behavioural factors that influence decision-making.
The report considered how directors and officers of large and complex financial services companies are discharging their duties on oversight and monitoring of non-financial risk. It also highlighted ways to improve governance practices.
Shipton told the audience the taskforce was one of two new supervisory initiatives that seek to improve the practices and address the root causes of problems before they cause significant harm. He said while a lot of the media coverage of ASIC’s remit was focused on enforcement, the reality is the regulator uses a variety of regulatory tools and is increasingly using supervision — and that up until now, much of what the regulator knows about the corporate governance of large listed companies has been limited to their own statements.
“While these documents do a good job of describing the various frameworks and policies companies have in place, they don’t give us a practical insight into what is actually going on inside the company. Particularly, they don’t answer the important questions — how are those frameworks implemented in practice and who is being held to account if they aren’t?”
The report found:
- All too often, management was operating outside of board-approved risk appetites for non-financial risks, particularly compliance risk. Boards need to actively hold management accountable for operating within stated risk appetites.
- Reporting of risk against appetite often did not effectively communicate the company’s risk position. Boards need to take ownership of the form and content of information they are receiving so that they can adequately oversee the management of material risks.
- Material information about non-financial risk was often buried in dense, voluminous board packs. It was difficult to identify key non-financial risk issues in information presented to the board. Boards should require reporting from management that has a clear hierarchy and prioritisation of non-financial risks.
- The effectiveness of board risk committees (BRCs) could be improved. BRCs should meet more regularly, devote enough time and be actively engaged to oversee material risks in a timely and effective manner.
Shipton said the companies ASIC reviewed were challenged by important elements of non-financial risk management and their oversight of these risks was less mature than required. “What clearly emerged from our work is that where there were deficiencies in process and governance, we nevertheless see concrete and achievable steps that can be taken by boards and management to fix or mitigate them. Indeed, some of the companies we studied have already made good progress in doing so. By non-financial risk, we mean operational risk, conduct risk (including risks from not treating customers fairly) and compliance risk (risks from not following the rules).”
The review particularly focused on compliance risk. “The truth is that all risk ultimately has financial consequences,” said Shipton. “If not well managed, non-financial risks carry very real financial implications for companies, their investors and customers — particularly if not identified and prioritised early enough. Boards cannot afford to ignore the oversight of non-financial risks. As we have seen, all risk can have financial consequences.
“The Royal Commission and ASIC work has highlighted what happens when proper oversight and management of non-financial risks are not made a priority. We have seen first-hand that poorly overseen and managed non-financial risks can result in systemic misconduct and hundreds of millions of dollars of consumer losses. It also leads to remediation costs and ‘catch-up’ spending on risk and compliance by firms. In the financial services sector, these costs are now reported to be in the billions of dollars, to say nothing of the considerable reputational damage done. In turn, this impacts future cash flows, asset values, intangible asset values and thus, ultimately, the profitability and longevity of a company.
“Just as the global financial crisis was the watershed moment for banks to focus and mature financial risks — particularly credit and liquidity risk — we believe now is a watershed time for companies to significantly improve their focus on non-financial risks.”
Focusing primarily on the oversight and management of compliance risk, the ASIC review found oversight of non-financial risk was immature. The review revealed that boards — some more than others — were grappling to oversee non-financial risk and their oversight was less developed than what ASIC had hoped to see. “This is in stark contrast to the approach to financial risk for these companies, which was well developed, understood and managed, with clear metrics to assess success, or failure,” said Shipton.
Risk appetite statements
The taskforce looked at risk appetite statements as a foundational tool that boards of complex organisations can use to assist in their oversight of risk.
“Nevertheless, we observed that the quality and content of these statements was only developing, and that the articulation of risk and metrics were nowhere near as mature, or effective, as those for financial risks,” said Shipton.
“It is true that metrics in the financial sphere are often more readily defined than in the non-financial realm. However, too often the metrics for non-financial risk only covered particular and discrete issues so they would be unlikely to provide boards with a representative picture of where the company sat in respect to non-financial risk more broadly.
“We also found significant reliance on metrics that were ‘lag indicators’. Accordingly, we suggest boards look to develop, and incorporate, more ‘lead’ and ‘proxy’ indicators for non-financial risks. Critically, boards must recognise that lagging indicators, such as past compliance, are not necessarily accurate in predicting emerging risk. Boards could look to the assessment of work, health and safety, where reporting of near misses is a useful indicator for emerging risk.
“Of most concern was that we found that management was often operating outside of board-approved risk appetites for non-financial risks for months, and in some cases years at a time, without any serious attempt by boards to rein them in. Boards were not actively holding management nor themselves to account for prolonged failures to operate within the risk parameters the board itself had determined.”
Reporting to boards
Shipton said board reports were found wanting in a number of ways. “Board packs were so dense and voluminous it was unclear whether their primary purpose was to inform directors in the most effective manner; or to avoid the authors having to make a call on what material to exclude or provide a hierarchy of those risks.”
The average pack provided to the board risk committees in the companies ASIC studied was 293 pages long. “Many directors acknowledged the problem of being overwhelmed with information before a board meeting,” said Shipton. “The issue becomes particularly acute where directors cannot even begin to identify and prioritise key risks.”
ASIC’s report indicates that the regulator will place great stock on minutes that evidence active board oversight of management, and calls for additional detail of key discussion points and reasons for decisions to be included (referencing the AICD and Governance Institute of Australia’s joint statement on board minutes).
Board risk committees
Shipton said ASIC had concluded board risk committees, charged with doing the “heavy lifting” on risk, were being seriously under-utilised, especially against the backdrop of international developments and a number of reports and inquiries suggesting non-financial risk was something that required greater attention.
“At a basic level, the time spent together, and frequency of meeting, was modest in the circumstances,” he said. “Accordingly, we question why the board risk committee isn’t being used more effectively to triage and prioritise non-financial risks and, particularly, to consider the root causes of key risks.”
Shifts in practice
“We observed some directors and officers starting to think innovatively to overcome these challenges,” said Shipton.
The report identified positive examples to demonstrate better practice in the oversight of risk. For example:
- The use of management-level non-financial risk committees to raise the visibility of risks and go on to assist the board in their oversight of them.
- The minutes of key issues by board committees that are automatically referred to other committees — thus ensuring the transfer of this important risk information in complex companies is not solely reliant on cross-committee membership.
The report also included a separate independent report prepared by Kiel Advisory Group, which looked at how behaviour and behavioural dynamics between boards and management can influence oversight of non-financial risks. It examined eight board meetings, held 35 discussions, had 287 responses to an anonymous survey and reviewed documentation of 19 entities. The report categorised four different archetypes or models of boards — advisory, collaborative, sceptical and director.
Shipton said there is no right or wrong type of archetype or behaviour. “Different dynamics in the board environment will produce different strengths and weaknesses. The challenge is to be conscious of those dynamics, and the different models, and to work to amplify the good aspects and avoid the bad.”
ASIC believes this will be a helpful resource for boards in identifying their own behavioural style so that they can maximise the effectiveness of that style. It will also supplement a growing trend of behavioural experts being engaged in internal board effectiveness reviews. Shipton said ASIC is not proposing to put behavioural experts in every boardroom on an ongoing basis.
“We do feel such inputs into a report like this have been very beneficial and, most importantly, will be helpful to directors. There are no easy fixes here. Just like the journey these companies embarked on to improve their management of financial risk, the journey to improve the management of non-financial risk will likely be iterative and take effort. But effective oversight and management of non-financial risk is not novel or impossible. Companies have managed some of these risks well in the past and continue to do so today.”
Shipton added that board focus on safety risk was a good example. “It was the focus on safety risk that led in many instances to a safety first corporate culture, which is good for everybody. We are acutely aware there is no one-size-fits-all approach to governance and these questions have been prepared with this in mind.”
ASIC says the report has wider relevance beyond the financial sector and urges boards of all listed companies to review the report.