Chair’s remarks at the AICD Australian Governance Summit 2023
Speech by ASIC Chair Joe Longo at the Australian Institute of Company Directors’ (AICD) Australian Governance Summit, 2 March 2023.
Check against delivery
It is a great pleasure to be speaking with you today, and I look forward to sitting down with AICD CEO Mark Rigotti to answer your questions.
Before I begin, I would like to acknowledge the Traditional Owners and Custodians of the lands on which we meet today, and to pay my respects to their elders past, present and emerging. I extend that respect to Aboriginal and Torres Strait Islander people present today.
I want to start by commending the AICD for its ongoing commitment to good governance and building the capability of Australian directors. The wide-ranging program for this year’s Australian Governance Summit shows the range of issues and challenges facing directors today.
Part of our role at ASIC is to know when, and in what circumstances, to test the boundaries of what we expect of company directors. With over three million companies in Australia and hundreds of billions contributed annually in GDP, company directors play an integral role in the Australian economy.
We have public and private, large and small, family businesses, start-ups and not-for-profits. Together, these companies employ millions of Australians, and they operate against the background of an ever-widening range of legal obligations and regulatory requirements. The interests of shareholders and indeed of the company itself can no longer be the sole focus of a director's attention. So how can you be sure you are operating with the care and diligence that the law requires, and which your shareholders, your regulators and the public expect?
Today, I want to:
- talk about ASIC’s role in enforcing compliance with directors’ duties
- address some practical aspects of directors’ duties and ASIC’s expectations of directors
- provide some insights on ASIC’s recent actions which help explain our approach, and
- discuss two areas of non-financial risk which demonstrate the changing landscape that boards and directors are grappling with: cyber resilience and the issue of greenwashing and sustainability-related disclosures.
ASIC’s role in relation to directors’ duties
As Australia’s integrated corporate, markets, financial services and consumer credit regulator, we have a very broad remit. We are here to promote and support an economic environment that delivers for all Australians. We do that in a range of ways – including guidance, education, surveillance, licensing and through our enforcement activities.
Of course, not everything that goes wrong in a company will attract ASIC’s limited enforcement resources.
One question often raised is the personal accountability for corporate misconduct. Where a company breaks the law, should individuals also be held accountable?
To answer this, we have to distinguish between accountability for individual wrongdoing and director accountability for corporate governance. Not all poor company behaviour or even contraventions of the law by a company can be said to be failures of governance. There may well be an individual who can be identified as responsible for the wrongdoing and the issue may not be one of directors’ duties.
Many companies have their own industry-specific regulator. It may be that other sector-specific regulators have more appropriate powers to deal with individual accountability for wrongdoing.
For example, personal responsibility of directors for their involvement in contravening civil penalty provisions is increasingly reflected in legislation dealing with anti-money laundering, fair work and telecommunications.
And so, in determining how ASIC enforces directors’ duties, I want to stress two things:
- care must be taken to weigh up competing priorities and select matters that are most likely to promote the highest standards of corporate governance
- extensive work and significant resources go into investigating a matter and assessing whether there is a real prospect of success in a court action.
What do directors’ duties mean in practice?
The late Professor Baxt AO, a prolific contributor to the work of the AICD over many years, spoke about an important yardstick by which a director may safely judge their own actions.
This yardstick is one important question: Taking into account all the circumstances — Is what I propose to do ‘in my honest belief’ in the best interests of shareholders and the company?
This is a good start. But in practice I believe we need to go further.
The law requires that a director should exercise due care and diligence in discharging their duties. What does this mean in practice? To begin with, recent action taken by ASIC demonstrates that there are some fundamental principles that should be on every director's mind.
- Do I understand the business of the company of which I am a director?
- Do I have a continuous curiosity in understanding all aspects of the company's core business, the reasonably foreseeable financial and non-financial risks posed by that business?
- And am I committed to challenging management to ensure my understanding is well-founded?
While expectations will vary from company to company, the importance of being able to answer these questions should resonate with all directors.
The law requires, and ASIC expects, that the key role played by the CEO be performed honestly, competently, and diligently. This applies in turn to senior officers leading, for example, the legal and compliance, finance and the company secretariat functions, among others. Once the board has asked the questions, and challenged management based on what is reasonably knowable to the board at material times, then it can be immediately seen how significant the board's reliance on management is.
To satisfy their directors’ duties in relation to a company’s compliance with legal and regulatory obligations, directors need to pay attention to information and reporting systems. Here again it is important for directors to consider a few fundamental questions:
- What resources need to be allocated?
- What compliance systems and processes should be established? and
- How can the board ensure they have the right people in place to enable the company to comply in an effective way?
Finally, a few words need to be said about identifying and addressing reasonably foreseeable risks. I acknowledge risk taking is a fundamental part of being a director and an inherent feature of growth and innovation. Directors must balance those risks against the potential benefits expected to accrue from the course of action being contemplated. Nevertheless, every board must take an active interest in understanding the magnitude and consequences of the risks their company faces and consider whether and how to address them.
We all know that sometimes things will still go wrong. Boards should also consider how they will respond when this happens.
To summarise, there are four main areas to which directors must turn their mind in discharging their duties:
- They must ensure they are across the work their company does.
- They must act with honesty and integrity and take responsibility for their role in the actions of the company.
- They must review information and reporting systems, plan for and consider the consequences and risks of all options on the table; and
- They have a fundamental duty to build a culture of compliance and transparency.
ASIC’s recent corporate governance enforcement actions
I now want to turn to some recent actions ASIC has commenced that go some way to illustrating the application of these principles.
ASIC is looking carefully at the provision of false and misleading information by directors and company officers. For example, in December last year, we commenced a case against McPherson’s, a health, beauty and wellness company, alleging that the former CEO authorised a misleading statement to the market about a profit downgrade.
This was our first civil penalty case under the amended provision concerning the giving of false or misleading information to the market, fellow directors, auditors or shareholders. This provision essentially puts the onus on officers to take reasonable steps to ensure information provided to various parties is not materially false or misleading.
This week, ASIC commenced two additional cases involving this provision: one against mining resources company Terracom, which relates to statements to the ASX about alleged falsification of coal quality certificates, and one against plant-based milk producer Noumi Limited (formerly Freedom Foods Group Limited), which relates to misleading financial statements that failed to disclose significant write-downs of inventory and other material information. In both cases, we are alleging there was a breach of director and officer duties.
In Terracom, we were also concerned about statements by directors to the market which discredited a whistleblower. ASIC alleges that directors and other senior officers failed to understand and take appropriate steps upon receipt of an independent investigator's report into issues raised by a whistleblower. In doing this, we argue the directors failed to exercise reasonable care and diligence in the discharge of their duties. The case should also put directors on notice to avoid any conduct that could lead to the victimisation of a whistleblower.
This morning, we issued our report on good practices for handling whistleblower disclosures. As directors, you have a key role in ensuring your company’s whistleblower program is useful and effective. A culture of compliance and transparency cannot be mere lip service. The report identifies seven features of a strong whistleblower program, and summarises the good practices we observed.
Before moving to cyber resilience and sustainability-related disclosure, I want to conclude this part of my remarks by making some brief observations about the Star matter.
We commenced civil penalty proceedings in the Federal Court against 11 current and former directors and officers of The Star Entertainment Group Limited in December last year. We are alleging that Star’s board and executives failed to give sufficient focus to the risk of money laundering and criminal associations. This case raises important issues about what reasonably foreseeable risks directors should pay attention to. For example, we view money laundering and criminal associations as inherent risks in the operation of a large casino with an international customer base.
While I cannot say much about ongoing proceedings, our investigation into directors and officers of Star raises important issues about the role of senior officers such as General Counsel. As I mentioned earlier, as a general principle, boards are entitled to rely on what they’re told by senior officers, and these officers themselves have a duty to do the right thing. The Star case offers an opportunity to explore expectations around the interaction between directors and senior officers.
I now want to turn to two key areas that pose non-financial risks that directors need to turn their mind to — cyber resilience and the issue of greenwashing and sustainability-related disclosure.
Addressing cyber risk is something all company directors have front of mind.
Major cyber attacks against Optus and Medibank last year were a ‘wake-up call’ for directors. These attacks exposed the personal data of millions of current and former customers of these companies. And last month we saw an attack on ION, a global technology vendor that provides software to derivatives clearing participants, including a number in Australia. Customers disrupted included some of the world’s biggest banks, brokerages and hedge funds.
This month, ASIC commissioned a survey of over 1,000 Australian consumers about their understanding of, and expectations around, cyber security and their views on environmental, social and governance (ESG). The results showed that 92% of consumers surveyed believe companies need to do more to protect personal data, and only 51% said they had a good understanding of how companies do that.
Recent events should make it clear that cyber preparedness is squarely a board-level issue. How the board ensures sufficient oversight of threats, vulnerabilities and mitigating controls will set the tone for the cyber resilience of an organisation. Among the many issues boards need to consider when addressing cyber risk are:
- Is cyber risk included in your organisational risk management framework?
- What is your response and recovery plan, and has it been tested?
- Is it clear how you would communicate with your customers, regulators, and the market when things go wrong?
This is because experience shows that sometimes even robust defence systems can be circumvented.
I would encourage every director to read AICD’s Cyber Security Governance Principles published last year to help you navigate the many areas of responsibility.
The challenge for companies is to determine the appropriate level of investment to minimise the risk of an intrusion. That will depend on risk appetite, the size and nature of the business, and its identified threats and vulnerabilities.
Uplifting cyber resilience requires close collaboration between industry, government and regulators to protect consumers and financial services infrastructure. In the case of ION, for example, we worked closely with international peer regulators and the ASX, RBA, Cyber and Infrastructure Security Centre (CISC), and the Australian Cyber Security Centre (ACSC) to address the impact of the incident on Australia’s futures trading and clearing participants, and on the market.
Earlier this week, the Minister for Home Affairs and Cyber Security The Hon. Claire O’Neil released the Australian Cyber Security Strategy discussion paper. One of the issues the paper canvases is whether or not the obligations of company directors should specifically address cyber security risks and consequences. This issue, and many of the other issues canvased in the paper, are matters for legislators. One of the key points in the paper is the need for meaningful engagement across all levels of government, industry and the community to set us up for success. I encourage all of you to engage in this important consultation process.
Since 2016, ASIC has been asking financial market firms to complete self-assessment surveys about their cyber resilience. This year, we will test the cyber pulse of corporate Australia more broadly. We will run a voluntary cross-sectoral survey to ask entities to self-assess their cyber security and controls, governance arrangements and incident preparedness.
The more responses we receive the more accurately the results will reflect the way regulated firms view their investment in prevention and planning, and where the strengths and weaknesses are. This will allow us to tailor our regulatory approach to cyber resilience to what is needed in different sectors.
I would strongly encourage you to participate in this initiative.
Greenwashing and sustainability-related disclosure
The last topic I will talk about is greenwashing and sustainability-related disclosure – another area of non-financial risk that continues to evolve quickly and is transforming markets worldwide.
Reliable disclosure practices are vital to a well-functioning market. The Treasurer has spoken about attracting green capital to Australia as the world decarbonises. This can only happen if Australia’s market is reliable and transparent about sustainability claims.
Consumers and investors should be able to make informed decisions with trust and confidence. Our consumer survey I mentioned earlier asked Australian consumers about their experience of identifying a company’s ESG credentials. Only 23% of the 1,000 consumers surveyed said they found this information easy to find. The findings also suggested that consumers really do take ESG credentials into account when making investment choices: 73% of those who invested in shares in the last 12 months said they have declined to invest in something because of the company’s poor environmental record.
When I last spoke at the AICD conference in March 2022, ASIC’s focus was on educating our regulated population about the need to develop good practices in this area.
A lot has happened in the past 12 months. In June, we published an information sheet to help the entities we regulate comply with their existing legal obligations when offering or promoting sustainability-related products.
We are now taking enforcement action where we see disclosures fall short and where misleading sustainability claims are made by the entities we regulate. ASIC has issued over $140,000 in infringement notices in response to concerns about alleged greenwashing against four entities.
On Tuesday, we announced our first court proceedings in Australia for alleged greenwashing, in this instance by a superannuation fund. We are alleging that sustainable investment options offered by Mercer Superannuation exposed investors to industries the fund said were excluded from the offering, such as coal, alcohol production and gambling. And this is just one of the investigations we have on foot. We will do what we need to do to make sure entities are not misleading the market.
It is worth noting that greenwashing is not just about environmental claims. It also includes statements about the extent to which products are sustainable or ethical. For example, last year we issued three infringement notices against investment management firm Vanguard Investments for misleading statements about the extent to which their funds applied investment exclusions for tobacco-related investments.
Climate disclosure and mandatory reporting
We are working with our national and international colleagues to establish consistent climate-related disclosure standards.
I welcome the Australian Government’s consultation, released at the end of last year, on mandatory climate-related reporting for large businesses and financial institutions.
ASIC has for many years advocated for voluntary disclosure in this area, and we now support the shift to mandatory disclosure. We will continue to work alongside our peer regulators, both internationally and domestically, as these disclosure standards develop. In particular, we continue to work closely with the Treasury and other financial regulators through the Council of Financial Regulators working group on climate risk. Internationally, we are contributing to the global ISSB standards through our role in IOSCO.
Industry too plays an important role and we recognise the valuable contribution the AICD continues to make.
Given the pace of change domestically and internationally, boards should already be thinking about how to embed robust corporate governance practices ahead of more rigorous reporting requirements coming into place.
In conclusion, as we consider the theme of this conference, ‘The opportunity of tomorrow’, historical perspectives must inform our outlook. In his recent book ‘For Profit: A History of Corporations’, William Magnuson begins his fascinating survey of the historical contributions of corporations to society with the Roman Republic.
I want to leave you today with an observation from that book that speaks to the most fundamental duty a director has, and is a fitting reminder of the significance of companies and their directors to the Australian economy and community: ‘Despite the endless argument today over what the purpose of a corporation is, whether social goals can be considered, and whether directors must focus entirely on maximising profit, when we examine the corporation as a historical phenomenon, a clear picture emerges… of their true founding purpose, and that is to promote the common good of the nation.’
This speech was updated on 3 March 2023 to clarify that ASIC’s civil penalty proceedings are against 11 current and former directors and officers of The Star Entertainment Group Limited, not The Star Entertainment Group Limited itself.