Launch of ASIC’s report on director and officer oversight of non-financial risk
A keynote address by ASIC Chair James Shipton at the Australian Institute of Company Directors, Essential Director Update, Sydney, 2 October 2019
Thank you, Angus.
Good morning everyone, both here and following by live stream.
I’d like to extend my thanks to Angus, the AICD and everyone else who assisted in facilitating my appearance here today.
I would particularly like to thank Yvonne for that very thoughtful Welcome to Country. Yvonne is right to say: 'Your leadership is indeed important to our communities'.
I will also begin by acknowledging the Traditional Custodians of the Gadidgal land on which we meet today and pay my respects to their Elders past and present. I extend that respect to Aboriginal and Torres Strait Islander peoples here today.
I think this is an especially fitting event at which to launch a report that is directly aimed at enhancing good corporate governance.
It’s also appropriate to launch the report in front of so many directors at an event organised by the AICD, which does such good work in leading the discussion around what good governance looks like.
Too often ASIC is forced by circumstance to communicate to those affected through intermediaries – and what I have to say today directly concerns each and every one of you, in your important roles as directors of organisations large and small.
Today ASIC released a review by our Corporate Governance Taskforce examining director and officer oversight of non-financial risk. It is the first of a series of reviews which will be examining corporate governance practices.
Why have we done this review?
Improving governance and accountability is a key strategic priority for ASIC. It is one of our seven key strategic priorities for the year ahead.
It is a key priority, as we have seen the harm that can occur to customers, shareholders and companies themselves when governance and accountability are ignored.
However, until now, much of what we know about the corporate governance of our large listed companies has been limited to their own statements.
And while these documents do a good job of describing the various frameworks and policies that companies have in place, they don’t give us a practical insight into what is actually going on inside the company. Particularly, they don’t answer the important questions of:
How are those frameworks implemented in practice?
Who is being held to account if they aren’t?
While a lot of the media coverage of ASIC’s remit is focused on enforcement, the reality is that we use a variety of regulatory tools, often in a multi-dimensional way, to achieve our goal – and that is to create a fair, strong and efficient financial system for all Australians.
One really important regulatory approach that we are increasingly using is supervision.
Supervision is an approach that heightens engagement, assessment and feedback loops between regulated entities and persons with ASIC.
It also has the aim of identifying problems before they become breaches.
The Corporate Governance Taskforce is one of two new principal supervisory initiatives underway that seek to improve the practices of our regulated population and address the root causes of problems before they cause significant harm.
We launched our Corporate Governance Taskforce to conduct proactive and targeted reviews into corporate governance practices in large listed companies.
We did this so that we could highlight better practice and identify where improvement was required – with the ultimate aim of lifting governance practices in all listed companies.
What did we do in the review and what was our focus?
In the course of this review we:
- examined almost 30,000 documents, interviewed 60 directors and senior executives, and
- received external advice on international trends and behavioural factors that influence decision making.
We focused initially on director and officer oversight of non-financial risk because of ASIC’s very important responsibility to regulate the duties of directors and officers under the Corporations Law.
As you well know, these duties include the duty to act with due care and diligence, in the best interests of the corporation, and for a proper purpose.
These duties rightfully impose great responsibility on directors. They are vitally important, and must be discharged diligently.
Each of you, as directors, carry these profound duties.
This does not mean directors need to do the job of management. Nevertheless, directors need to be sufficiently informed to hold management to account. Today’s report should be viewed as a guide to help directors exercise their responsibilities more effectively.
And that’s the key point – this report is primarily aimed at assisting directors adhere to their important obligations, discharge their profound responsibilities and ultimately for boards to be more effective.
To drive that point home, what clearly emerged from our work is that where there were deficiencies in process and governance, we nevertheless see that there are concrete and achievable steps that can be taken by boards and management to fix or mitigate them. Indeed, some of the companies we studied have already made good progress in doing so.
I’d now like to dive into what some of the report found.
What is non-financial risk and why did we focus on it?
As I’ve said, we looked at how non-financial risk was overseen and managed at seven of our country’s largest financial services companies – these were the big four banks, AMP, IAG and IOOF.
By non-financial risk we mean risks such as operational risk, conduct risk (including risks from not treating customers fairly) and compliance risk (that is risks from not following the rules).
In our report we particularly focused on compliance risk given our mandate.
The truth is that all risk ultimately has financial consequences.
If not well managed, non‑financial risks carry very real financial implications for companies, their investors and their customers - particularly if not identified and prioritised early enough.
The Royal Commission’s and ASIC’s work has highlighted what happens when proper oversight and management of non-financial risks are not made a priority.
We have seen first-hand that poorly overseen and managed non-financial risks can result in systemic misconduct and hundreds of millions of dollars of consumer losses.
That’s hundreds of millions of ‘other people’s’ dollars.
It also leads to remediation costs and ‘catch up’ spending on risk and compliance by firms. In the financial services sector these costs are now reported to be in the billions of dollars, to say nothing of the considerable reputational damage done.
In turn, this impacts future cash flows, asset values, intangible asset values and thus, ultimately, the profitability and longevity of a company.
Just as the global financial crisis was the watershed moment for banks to focus and mature financial risks – particularly credit and liquidity risk – we believe that now is a watershed time for companies to significantly improve their focus on non-financial risks.
Globally, there is an increasing appreciation of the need to recognise the impact that these issues can have, individually and collectively, on the longevity and profitability of a company. There is also an awareness on the impact they can have on the community more broadly, particularly customers.
It is hard to envisage a company that is not exposed to some form of operational, conduct or compliance risk.
Accordingly, board focus and attention on non-financial risks is just plain ‘good for business’.
And, of course, Boards are charged with overseeing the management and mitigation of these risks.
Accordingly, you, as directors are the ultimate guardians of the company’s assets over the long term. And this involves diligently overseeing all material risks facing the company.
What did we find?
Oversight of non-financial risk was immature
Our review revealed that boards – some more so than others – were grappling to oversee non-financial risk and their oversight was less developed than what we had hoped to see.
This is in stark contrast to the approach to financial risk for these companies, which was well developed, understood and managed, with clear metrics to assess success, or failure.
Risk appetite statements were not used well
In particular, we looked at risk appetite statements as a foundational tool that boards of complex organisations can use to assist in their oversight of risk.
Nevertheless, we observed that the quality and content of these statements was only developing, and that the articulation of risk and metrics were nowhere near as mature, or effective, as those for financial risks.
It is true that metrics in the financial sphere are often more readily defined than in the non-financial realm.
However, too often the metrics for non-financial risk only covered particular and discrete issues so they would be unlikely to provide boards with a representative picture of where the company sat in respect to non-financial risk more broadly.
We also found significant reliance on metrics that were ‘lag indicators’. Accordingly, we suggest that boards look to develop, and incorporate, more ‘lead’ and ‘proxy’ indicators for non-financial risks.
Critically, boards must recognise that lagging indicators, such as past compliance, are not necessarily accurate in predicting emerging risk.
Boards could look to the assessment of work, health and safety, where reporting of near misses is a useful indicator for emerging risk.
Of most concern was that we found that management was often operating outside of board-approved risk appetites for non-financial risks for months, and in some cases years, at a time, without any serious attempt by boards to rein them in.
Boards were not actively holding management nor themselves to account for prolonged failures to operate within the risk parameters the board itself had determined.
Reporting to boards was often dense and did not clearly highlight key risks
Reporting to the boards on non-financial risk was wanting in a number of other ways.
Board packs were so dense and voluminous that it was unclear whether their primary purpose was to inform directors in the most effective manner; or to avoid the authors having to make a call on what material to exclude or provide a hierarchy of those risks.
The average pack provided to the board risk committees in the companies we studied was 300 pages long!
Many directors acknowledged the problem of being overwhelmed with information before a board meeting.
The issue becomes particularly acute where directors cannot even begin to identify and prioritise key risks.
Interestingly, our review also found precisely the opposite applying at the other end of the meeting process - with board minutes drafted sparsely and failing to evidence sufficient level of engagement or involvement by directors outside of detailing the actual decision.
To this end, I note that the AICD and the Governance Institute have done some really helpful joint work on appropriate minute taking to ensure good information flows to management from boards.
Our report also has useful things to say on information flows within the board, between the board and committees, and with management.
Board risk committees were underutilised
Finally, we looked at the functioning of the board risk committee. This is the committee charged with doing the ‘heavy lifting’ on risk.
With the backdrop of international developments and a seemingly endless number of domestic reports and inquiries suggesting that non-financial risk required greater attention, we concluded these committees were being seriously underutilised.
At a basic level, the time spent together, and frequency of meeting was modest in the circumstances.
Accordingly, we question why the board risk committee isn’t being used more effectively to triage and prioritise non-financial risks and, particularly to consider the root causes of key risks.
But we saw some green shoots
That said, we observed some directors and officers starting to think innovatively to overcome these challenges.
The report calls out these positive examples to demonstrate better practice in the oversight of risk. For example:
- the use of management level non-financial risk committees to raise the visibility of risks and go on to assist the board in their oversight of them; and
- the minutes of key issues by board committees that are automatically referred to other committees – thus ensuring that the transfer of this important risk information in complex companies is not solely reliant on cross committee membership.
While it was clear that many of the reviewed companies acknowledged that improvement was required and were looking to address these challenges, overall, there is still more to be done.
It has been recently highlighted that Australia’s largest financial institutions tend to have highly developed Risk Committee structures, with requirements such as an independent director as Chair; nevertheless these structures, of themselves, did little to prevent the unacceptable and often unlawful excesses of the past.
So, it's not just about the existence of a Board Risk Committee or the voluminous documents, it’s about the effectiveness of boards overall.
As the Royal Commission’s final report observed:
‘The evidence before the Commission showed that too often, boards did not get the right information about emerging non-financial risks; did not do enough to seek further or better information where what they had was clearly deficient; and did not do enough with the information they had to oversee and challenge management’s approach to these risks’.
Our review supports this finding and calls upon directors to embrace this conclusion and make the necessary changes.
Attached to our report you will find a separate independent report prepared by Kiel Advisory Group.
We commissioned this document to supplement the work of our broader review. It also mirrors similar exercises undertaken in other jurisdictions and its conclusions are consistent with other specialist reports and expert findings.
The Kiel Advisory report looks at how behaviour and behavioural dynamics between boards and management can influence oversight of non‑financial risks.
The report firstly identified mindsets and behaviours common to all the boards reviewed that were helpful to the oversight of non-financial risk as well as those that presented challenges to this task.
It then categorised four different archetypes or models and goes into some detail about the identifying characteristics for each archetype.
There is no right or wrong type of archetype or behaviour. Different dynamics in the board environment will produce different strengths and weaknesses. The challenge is to be conscious of those dynamics, and the different models, and to work to amplify the good aspects and avoid the bad.
We think this is a helpful resource for boards in identifying their own behavioural style so that they can maximise the effectiveness of that style.
It will also supplement what I understand to be a growing trend of behavioural experts being engaged in internal board effectiveness reviews.
And to debunk any myths, we don’t propose to put behavioural experts in every boardroom on an ongoing basis. Nevertheless, we do feel such inputs into a report like this has been very beneficial, and, most importantly will be helpful to you as directors.
In closing, let me say that we acknowledge that the challenges outlined in our report are indeed that – challenging.
There are no ‘easy fixes’ here and just like the journey these companies embarked on to improve their management of financial risk – the journey to improve the management of non-financial risk will likely be iterative and take effort.
But effective oversight and management of non-financial risk is not novel or impossible. Companies have managed some of these risks well in the past and continue to do so today – as is the case with safety risk.
And here I note that it was the board’s focus on safety risk that led in many instances to a ‘safety first’ corporate culture – which is good for everybody.
At the end of the report you will find a series of questions we ask boards to consider.
While drafted with large and listed companies in mind, you should consider these a collection of observations to serve as guidance for boards of any company large or small, listed or unlisted, for profit or not, or a holding or subsidiary entity.
We are acutely aware that there is no ‘one size fits all’ approach to governance and these questions have been prepared with this in mind.
We suggest that all directors carefully read our report, go through the questions, look for the messages and questions that are relevant for your business and embrace them.
The costs and consequences of poorly handled non-financial risks can be immense and, at an extreme, catastrophic.
However, establishing the structures and information flows within your control, getting the people and practices right so as to seek out the ‘known unknowns’ that might otherwise endanger your business, is a very achievable objective.
And this review provides a very useful roadmap as to how to get there.
Thank you. I look forward to the panel discussion.