Inadequate management of non-financial risk was a key finding both of the Financial Services Royal Commission and the APRA Prudential Inquiry into the CBA, so it is unsurprising that the first report from the ASIC Corporate Governance Taskforce established in their wake examines director and officer oversight of non-financial risk.
The Report focuses on the practices of seven large listed financial services companies identified as non-compliant by the Royal Commission, but emphasises that its observations and recommendations can be applied to listed entities across all sectors, reasoning that the recommendations are principles-based and may be moulded to suit different types of entities. It does, however, recognise that different entities may legitimately adopt different governance practices based on a range of factors such as the industry they operate in and their size, complexity, history and corporate culture.
Nevertheless, the Taskforce's limited-scope approach raises uncertainty as to whether the Report's findings are translatable to companies in other industries, or even to financial services companies that already have appropriate non-financial risk management strategies. It would have been more valuable if ASIC had analysed a wider range of companies, producing a more comprehensive picture of how Boards operate across sectors and useful insight into non-financial risk management across public companies generally.
Definition of non-financial risk
The scope and definition of non-financial risk adopted by the Taskforce is limited and was adapted from the definition of non-financial risk used in the CBA Prudential Inquiry. The definition includes operational, compliance and conduct risk but specifically does not include other risks such as strategic, reputational, environmental, cyber-security and data protection, or social and corporate governance (ESG) risks. During the review, the Taskforce focused predominantly on compliance risk as the primary risk in respect of which poor director and officer oversight of non-financial risk was observed. In our view, the types of non-financial risk that will be of material concern to entities will differ across industries. For example, industrial sector entities may have material non-financial risks which are ESG-related.
We caution management that operational risk, conduct risk and compliance risk are only a limited set of non-financial risks to consider when reporting to the Board on non-financial risk. Management should adopt a holistic approach to non-financial risk that is not limited to these specific types of risk.
Three key areas where Boards' oversight of non-financial risk is falling down
The Report reinforces that active stewardship is the key to effective oversight of non-financial risk. Boards must ensure that they have all of the relevant information for material decision-making and make inquiries to management when they suspect that they do not have the relevant information. Boards need to be properly informed so that they can hold management to account in relation to the operation of the company, especially where management action is inconsistent with the Board-approved risk appetite for non-financial risk.
The review identified pitfalls in the practices of the seven companies it reviewed, which were categorised into the following three key areas:
- risk appetite statements (RAS);
- information flows; and
- Board risk committees (BRC).
Risk appetite statements
The Taskforce considered how risk appetite statements were being used as a tool to assist Boards in overseeing and monitoring non-financial risk. The review found that:
- risk appetite and accompanying metrics for non-financial risk were immature compared to those for financial risk;
- management was operating outside Board-approved risk appetites for non-financial risk for months or years at a time;
- metrics designed to measure risk often failed to provide a representative sample to the Board of the level of risk exposure, and did not allow accurate benchmarking to the Board’s stated appetite; and
- Board engagement with the RAS was not always evident.
The concept of an RAS has been around for many years but has only recently come into sharper focus as best practice, driven by the renewed emphasis on risk appetite in the fourth edition of the ASX Corporate Governance Principles and Recommendations and in APRA Prudential Standard CPS 220 on risk management. The Taskforce's strong focus on RASs reflects this.
In our view: the recommendations identified by the Taskforce should be carefully considered against the current practices of companies. In particular, companies should consider how they currently measure and report on leading and lagging indicators of failure to appropriately manage risk.
Information flows
The Taskforce reviewed information flows from management to the Board and from Board committees to full Boards. The review found that:
- material information about non-financial risk was often buried in dense, voluminous Board packs – Boards did not own or control the information flows from management to the Board to ensure material information was brought to their attention;
- management reporting often did not identify a clear hierarchy or prioritisation for non-financial risks;
- care needed to be taken to ensure undocumented Board sessions and informal meetings between directors did not create asymmetric information at Board level; and
- information flows between Board committees and full Boards were sometimes informal and ad hoc.
The Taskforce's review found that current practice in communicating non-financial risks to Boards and Board committees was poor, leaving them without the basis to make informed decisions regarding those risks.
In our view: to address these pitfalls, entities will need to review their information management processes and consider instructing personnel to ensure information is effectively communicated from management to Boards and Board committees.
Management should be prepared to make decisions as to which information goes to the Board or BRC, and will need to ensure that meeting minutes adequately capture the non-financial risk decision process at the particular meeting.
Board risk committees
The Taskforce observed the practices of BRCs and found that:
- There was little evidence in minutes of directors actively engaging with the substance of proposals submitted by management or information reported to them, in terms of offering alternative viewpoints or driving action by management. While minutes are not the sole source of evidence of the extent of directors’ stewardship, the minutes reviewed would not on their own support an argument that directors were exercising active stewardship.
- The timing and frequency of BRC meetings was generally modest considering they are the Board’s risk workhorses.
- Material risk issues were often escalated in an informal and unstructured manner outside regular committee meetings.
- There is a trend toward full Board attendance at BRC meetings (instead of a subset of Board members). However, directors were rarely made formal members of the committee, creating the risk of disenfranchising Board members through lost voting rights, and entrenching reduced information flows to the full Board.
Noting the emerging trend for all directors to attend BRC meetings, the Taskforce considers that entities should examine their reasoning for this, whether it is a result of insufficient information flows or otherwise. The Taskforce recommends that if an entity has full Board attendance at BRC meetings, it should consider formalising membership to ensure that attending directors have voting rights and are not disenfranchised from material risk decisions.
In our view: companies should implement policies to ensure that outcomes of BRC meetings are effectively documented and communicated to the Board.
Future challenges for managing your non-financial risks
There is no doubt that this report will be instructive and helpful to many entities in assessing their management of non-financial risk, particularly in respect of the areas identified: operational, compliance and conduct risk. However, as noted, these risks are only part of the non-financial risks entities will need to address, including strategic, reputational, environmental, cyber-security and data protection, and ESG risk.
The challenge for many entities will be to determine whether the Taskforce's findings will be applicable to their management of other non-financial risks, and to ensure that this management can be adequately undertaken by their Board alongside its many other responsibilities.