The Serious Consequences of not Managing Non-Financial Risks
The ASIC Chair’s Foreword to the Taskforce’s Director and officer oversight of non-financial risk report (NFR Report) includes a reminder to readers that the Taskforce was established with special funding from the Government following the Royal Commission into Misconduct in the Banking, Superannuation and Financial Services Industry (Royal Commission). Mr Shipton observes that we have seen the damage that can result when priority is not given to the oversight of non-financial risks:
“Mismanagement of non-financial risks in the banking and wealth sector has resulted in institutions announcing hundreds of millions of dollars in customer remediation costs. Industry analysts have also projected remediation costs and increased spending on risk and compliance in the sector in the billions of dollars.”
The Royal Commission’s Final Report noted that financial services entities had placed a significant emphasis on managing financial risk after the Global Financial Crisis. APRA’s prudential standard on risk management, CPS 220, released at the beginning of 2015, required APRA-regulated organisations to maintain a risk management framework and a risk appetite statement dealing with all material risks. According to the Royal Commission, many financial services entities struggled to develop frameworks to effectively manage the types of non-financial risk that are associated with misconduct — compliance risk, conduct risk, regulatory risk and operational risk — which are more difficult to measure than most types of financial risk (page 405 of the Final Report).
In relation to boards, the Commission stated that (at page 395):
“The evidence before the Commission showed that too often, boards did not get the right information about emerging non-financial risks; did not do enough to seek further or better information where what they had was clearly deficient; and did not do enough with the information they had to oversee and challenge management’s approach to these risks.”
The Taskforce’s Findings
The ASIC Chair’s foreword to the NFR Report explains that the Taskforce deliberately targeted large firms, in the expectation they would have “mature procedures and the highest standards of governance and accountability in relation to non-financial risks”. The Taskforce suggests, however, that all boards — not just those of companies in the financial services sector — should make non-financial risks a priority. The Taskforce urges the boards of all listed companies to read the NFR Report and review their governance practices and accountability structures. Throughout the NFR Report, the Taskforce provides questions for boards to ask themselves — these questions are also consolidated in Appendix 1 to the NFR Report.
The Taskforce points out that its observations do not stand alone but are reinforced by other reports, requirements and guidance such as the Royal Commission’s Final Report, the ASX Corporate Governance Council’s Corporate Governance Principles and Recommendations, APRA’s Prudential Standards and its Final Report of the Prudential Inquiry into the Commonwealth Bank of Australia.
In discussing non-financial risks, the Taskforce is referring to:
- operational risk: the risk of loss relating from inadequate or failed internal processes, people and systems or from external events; it includes legal risk but excludes strategic and reputational risk
- compliance risk: the risk of legal or regulatory sanctions, material financial loss, or loss to reputation an organisation may suffer as a result of its failure to comply with laws, regulations, rules, related self-regulatory organisation standards and code of conduct applicable to its activities
- conduct risk: the risk of inappropriate, unethical or unlawful behaviour on the part of an organisation’s management or employees.
Risk Appetite Statements
The Taskforce found that boards’ risk appetites and the metrics for measuring non-financial risk were less mature than those for financial risk. The metrics were not only less granular and comprehensive than those for financial risks, they were not always representative of the risk being measured. For example, if the Risk Appetite Statement indicates, in relation to compliance risks, that the board has no appetite for breaches, metrics need to provide insight into the organisation’s broader compliance behaviour and not just discrete areas of compliance.
The Taskforce points out the usefulness of including leading indicators — those that create early warning systems or identify rising risk levels, for example, the number of reopened internal audit issues — as well as lagging indicators, which measure breaches that have already occurred.
The Taskforce noted that many of the Risk Appetite Statements it observed included a statement about the company’s expectations when a breach occurred, such as the process for escalation and remediation. But in many cases, management was operating outside board-approved risk appetites for long periods, so actual risk appetite was not aligned with the stated risk appetite.
How Boards Hold Management Accountable
The Taskforce points out that active stewardship requires the board to hold management to account when a company operates outside the board’s stated risk appetite, so that the company can return to operating within the appetite. The board needs access to sufficient information to enable it to identify systemic issues and perform root cause analyses.
One of the companies included in the Taskforce’s review provided compliance reports that showed how the company was operating against its compliance risk appetite, with risk mapping that identified trends in particular categories of compliance risk. On the whole, however, the Taskforce found that information about material non-financial risks was buried in dense and voluminous board packs. A review of the minutes of meetings did not show that directors were seeking to be better informed about companies’ exposure to, and management of, non-financial risks. The Taskforce points out the importance of appropriately detailed minutes in helping boards to demonstrate they are performing their oversight and monitoring functions effectively, including how they hold management to account.
Listed companies would be aware, as we have noted previously, that in the new Fourth Edition of the Corporate Governance Principles and Recommendations, the ASX Corporate Governance Council emphasises that a board’s charter includes among the board’s responsibilities the responsibility to challenge management and hold it to account.
The Taskforce cites the Joint statement on board minutes recently released by the Australian Institute of Company Directors and the Governance Institute of Australia, which sets out key principles for determining what should be recorded in the minutes.
The Taskforce also notes the international trend, with reference to the three lines of defence model, for first-line business units to participate in, own and be held accountable at the board level for risk management, rather than the second line (the risk function).
Relationships Between Boards and Board Committees
The Taskforce discusses the issues to be considered when all non-executive directors are invited to attend the meetings of the risk committee. If it is assumed that all directors are thereby fully informed about material non-financial risks, it may be that the full board is not formally receiving sufficiently detailed information about those risks.
The Taskforce suggests that, judging by the timing and frequency of their meetings, risk committees are spending only a “modest” amount of time considering risk issues and are not being fully used to resolve the challenges non-financial risks represent to companies.
The Taskforce notes that all of the companies reviewed had a stand-alone risk committee, consistent with the increasing international trend. The NFR Report states that “ASIC encourages all large listed companies to consider whether creating a dedicated [risk committee] would benefit their long-term interests. One of the relevant factors to be considered, according to the Taskforce, is “the inherently backward-looking nature of the work of audit committees, compared with the forward-looking nature of risk committees”. Also relevant is the large workloads associated with both audit and risk matters within a company.
What Boards Can Do
As noted above, Appendix 1 to the NFR Report consolidates all the questions the Taskforce suggests boards should be asking themselves. In summary, boards should:
- review their Risk Appetite Statements and the metrics for measuring non-compliance risks against the stated appetite
- consider whether the information from management they receive about non-financial risks enables them to adequately perform their oversight function, and whether the minutes of board meetings reflects how the board is holding management to account
- consider the flow of information between the board and its risk committee, and whether the risk committee is giving sufficient time to overseeing material risks.
How CompliSpace Can Help
Combining specialist advice with practical, technology-enabled solutions, CompliSpace helps corporate and financial services entities, both listed and unlisted to manage their governance, risk and compliance requirements in an increasingly complex regulatory environment.
For more information, contact us on 1300 132 090.