
Corporate Governance Taskforce ‑ Director and officer oversight of non-financial risk report

Executive summary

Good corporate governance in the financial services sector is essential for a fair, strong and efficient financial system for all Australians.

The Financial Services Royal Commission highlighted significant shortcomings in the corporate governance practices of many large financial services firms listed on the Australian Securities Exchange (ASX), including in relation to the oversight and management of non-financial risk. ASIC has also been concerned that corporate reporting on governance has suffered from a ‘form over substance’ approach, with an emphasis on frameworks and processes rather than actual practices.[1] For example, in 2018, the published corporate governance statements of some companies subject to our review stated that they had the frameworks and processes required by the ASX Corporate Governance Council’s Corporate Governance Principles and Recommendations.[2] However, self-assessments of governance, accountability and culture, and the Australian Prudential Regulation Authority’s (APRA’s) prudential inquiry into the CBA[3], found governance practices in relation to risk to be wanting.

In August 2018, ASIC received funding to conduct targeted reviews of corporate governance practices of large listed companies to shine a light on actual governance practices. In its first year, ASIC’s Corporate Governance Taskforce reviewed director and officer oversight through the lenses of non-financial risk and discretionary decision making in variable executive remuneration. (A report on executive remuneration practices will be published in the coming months.)

This report sets out our observations on director and officer oversight of non-financial risk. The seven financial services institutions selected for this review are those that many Australians are exposed to, through their personal and business banking, superannuation or insurance, or as shareholders.

The Taskforce’s work

The Taskforce wanted to understand how directors and officers of these large and complex companies are discharging their duties in relation to oversight and monitoring of non-financial risk, and highlight ways to improve governance practices. It did not set out to conduct whole-of-company reviews; rather, it focused on governance practices at the highest levels of each company.

The review was largely structured around discussions with key members of management and directors of the relevant companies, and review of documents. We conducted 60 interviews with executives and directors of the seven companies included in this review, and received more than 29,000 documents.

We commissioned work from external firms to assist in our review, including Deloitte Touche Tohmatsu (Deloitte), who assisted us in developing our surveillance methodology (see Appendix 2). Deloitte also provided research into international governance practices relating to director and officer oversight of non-financial risk in the United Kingdom, the United States, Canada and Germany. This research identified global trends in governance practices that we used to inform our ‘international trends’ sections.

ASIC engaged Ms Pru Bennett, an expert in investment stewardship, to conduct a series of workshops with members of the Taskforce regarding interview techniques specific to discussions with executives and directors on issues relating to corporate governance.

We commissioned Kiel Advisory Group to independently review how behaviour and behavioural dynamics between the board and management can impact effective oversight of non-financial risks. This particular review is intended to assist boards in identifying their own behaviours. It can be used as a tool by boards to assist in overcoming some of the challenges identified in our review.[4] Throughout this report we highlight those matters that are also discussed (from a behavioural perspective) in the Kiel Advisory Group report.

ASIC’s Corporate Governance Taskforce

This is an infographic depicting ASIC’s Corporate Governance Taskforce and the process of delivering the review into director and officer oversight of non-financial risk. In the centre of the infographic is a box that says: ‘review into director and officer oversight of non-financial risk’. To its left are two boxes that represent ‘ASIC’s direct review of seven large financial institutions’. The first box says ASIC reviewed twenty-nine thousand documents, and the second box says ASIC interviewed sixty directors and officers. To the right of the main ‘review’ box are two boxes that say ‘report’ and ‘individual feedback letters’. The purpose of the report is depicted in a box joined to the report box that says: ‘Encourage broader market insight’. The purpose of the individual feedback letters is depicted in a box that says: ‘Drive improvements at company level’. On the bottom of the ‘review’ box are four boxes depicting resources external to ASIC that contributed to the ASIC report: a report into international trends, a surveillance methodology, a behavioural analysis report, and governance interview skills training.

What we found

Many directors identified challenges with overseeing non-financial risks in large, complex organisations. Nevertheless, there was no strong, corresponding trend of directors actively seeking out adequate data or reporting that measured or informed them of their overall exposure to non-financial risks. Fractured or informal flow of information up to the board and around the board table meant that some boards did not always have the right information to make fully informed decisions. Where information did make its way to the board, there was little evidence in the minutes of some organisations of substantive active engagement by directors.

Some companies lacked awareness of the underlying issues, heightening deficiencies in practices. Other companies had acknowledged the scale of remediation efforts required, and executed initiatives to address governance shortcomings highlighted over recent years. This report refers to some of these initiatives as well as good governance practices we observed throughout our review.

We also observed that companies often had frameworks and structures in place to support board oversight of non-financial risk; however, in practice, deficiencies arose in compliance with, or execution of, these frameworks. For example, boards approved risk appetites that were intended to articulate the level of risk acceptable for company operations, but management operated outside this appetite for years at a time with the board’s tacit acceptance. We saw boards approving charters governing the operation of board risk committees (BRCs); however, the boards did not hold themselves accountable to operating in accordance with those charters.

Specific findings

We considered how risk appetite statements (RASs) were being used as a tool to assist boards in overseeing and monitoring non-financial risk. We observed that:

  • risk appetite and accompanying metrics for non-financial risk were immature compared to those for financial risk
  • management was operating outside board-approved risk appetites for non-financial risk for months or years at a time
  • metrics designed to measure risk often failed to give the board a representative picture of the level of risk exposure, and did not allow accurate benchmarking against the board’s stated appetite
  • board engagement with the RAS was not always evident.

We reviewed information flows from management to the board and from board committees to full boards. Our review found that:

  • material information about non-financial risk was often buried in dense, voluminous board packs – boards did not own or control the information flows from management to the board to ensure material information was brought to their attention
  • management reporting often did not identify a clear hierarchy or prioritisation for non-financial risks
  • care needed to be taken to ensure undocumented board sessions and informal meetings between directors did not create asymmetric information at board level
  • information flows between board committees and full boards were sometimes informal and ad hoc.

We looked at the operation of BRCs and found that:

  • There was little evidence in minutes of directors actively engaging with the substance of proposals submitted by management or information reported to them, in terms of offering alternative viewpoints or driving action by management. While minutes are not the sole source of evidence of the extent of directors’ stewardship, the minutes reviewed would not on their own support an argument that directors were exercising active stewardship.
  • The timing and frequency of BRC meetings were generally modest considering they are the board’s ‘workhorses’ in relation to risk.
  • Material risk issues were often escalated in an informal and unstructured manner outside regular committee meetings.
  • There is a trend toward full board attendance at BRC meetings (instead of a subset of board members). However, directors were rarely made formal members of the committee, creating the risk of disenfranchising board members through lost voting rights, and entrenching reduced information flows to the full board.

Application to large ASX-listed companies

This report focuses on the practices of large listed financial services companies. ASIC, like the ASX Corporate Governance Council, believes that:

Different entities may legitimately adopt different governance practices, based on a range of factors, including their size, complexity, history and corporate culture.[5]

The observations in this report are made with an understanding of this principles-based, rather than prescriptive, approach.

We recognise that companies outside the financial services sector often face different and unique non-financial risks; however, it is wrong to suggest that only the boards of financial services companies should make non-financial risks a priority. The observations and insights in this report can be applied across sectors. We urge the boards of all large ASX-listed companies to read this report and ask themselves the questions posed throughout. For ease of reference, we have listed the questions in Appendix 1.

Regulatory basis for the Taskforce’s review

One of ASIC’s core responsibilities is to monitor, oversee and enforce directors’ and officers’ duties, as set out in s180–184 of the Corporations Act 2001 (Corporations Act). These include duties to act with due care and diligence, in the best interests of the corporation, and for a proper purpose.

To effectively discharge their duties, directors must take necessary steps to enable them to effectively guide and monitor management of the organisation.[6] Boards need to exercise active stewardship to ensure they have meaningful oversight of their organisation and management. Directors should take a diligent interest in information provided to them and apply an enquiring mind in the discharge of their responsibilities.[7]

The board should ensure processes and practices are implemented so that the organisation operates within the board’s strategic goals and stated risk appetite. Officers should give their boards all information they have that is material to the board’s decision making.[8] Equally, the board needs to ensure it is receiving adequate information to make informed decisions.

ASIC’s encouragement of active stewardship should not be viewed as a suggestion that directors undertake the role of management. This would defeat the purpose of having a separate body to exercise independent oversight.

Instead, active stewardship requires directors to ensure they are properly informed so that they can hold management to account regarding the operation of the company. It requires the board to be the guardian of the long-term sustainability of the company. Where management action (or inaction) is inconsistent with this, the board needs to ensure that the company is brought back on course.

How this report fits into Australia’s governance landscape

This report aligns with ASIC’s regulatory mission to change behaviours to drive good consumer and investor outcomes, and to promote strong and innovative development of the financial system. It is intended to provide observations and insights into the governance practices of large ASX-listed companies, to encourage directors and officers to enhance their oversight of (and in the case of officers, the management of) non-financial risk in discharging their duties.

ASIC’s observations and insights contained in this report are intended to sit alongside market guidance, industry-specific requirements and other relevant reports such as:

  • the ASX Corporate Governance Council’s Corporate Governance Principles and Recommendations[9]
  • APRA’s Prudential Standards
  • the APRA CBA Inquiry Report[10]
  • the APRA Information Paper: Self-assessments of governance, accountability and culture[11]
  • the Financial Services Royal Commission’s Final Report[12].

Note on terminology

Corporate governance

Corporate governance is a driver of an organisation’s performance. The term ‘corporate governance’ is broad and has many components.

The ASX Corporate Governance Council’s definition set out in the ASX’s Corporate Governance Principles and Recommendations (Fourth Edition)[13], provides a useful basis:

The framework of rules, relationships, systems and processes within and by which authority is exercised and controlled within corporations. It encompasses the mechanisms by which companies and those in control are held to account.[14]

Considering the Taskforce’s review in the context of Bob Tricker’s model of corporate governance[15], the review focused on the monitoring, supervision and accountability aspects of corporate governance.

The Taskforce’s review that underpins this report was not a whole-of-company corporate governance review. Rather, it focused on identifying corporate governance practices that impacted director and officer oversight, through the lens of non-financial risk.

Non-financial risk

We adopted a definition of non-financial risk that aligns with the definition that APRA used during its prudential inquiry into CBA[16] (which stemmed from the Basel Committee on Banking Supervision and ASIC’s market supervision guidance).

We adapted APRA’s definition to cover more than just prudential institutions, so that it captures:

  • operational risk – the risk of loss resulting from inadequate or failed internal processes, people and systems or from external events and includes legal risk but excludes strategic and reputational risk[17]
  • compliance risk – the risk of legal or regulatory sanctions, material financial loss, or loss to reputation an organisation may suffer as a result of its failure to comply with laws, regulations, rules, related self-regulatory organisation standards and codes of conduct applicable to its activities[18]
  • conduct risk – the risk of inappropriate, unethical or unlawful behaviour on the part of an organisation’s management or employees.[19]

These risks, although called non-financial, may lead to very significant financial loss if they are not well managed.

During our review, we focused on compliance risk as the primary risk through which director and officer oversight of non-financial risk was observed. Throughout the report we specify where findings relate specifically to compliance risk, and where they relate to non-financial risk more broadly.

Companies that participated in the review

The Taskforce reviewed governance practices relating to director and officer oversight of non-financial risk in the following companies:

  • AMP Limited
  • Australia and New Zealand Banking Group Limited
  • Commonwealth Bank of Australia
  • Insurance Australia Group Limited
  • IOOF Holdings Limited
  • National Australia Bank Limited
  • Westpac Banking Corporation.

All companies within the scope of the review produced documents under notice and participated in voluntary interviews with ASIC.

This report was produced to give the broader market insights into corporate governance practices generally. For this reason, while we have named the companies that participated in this review, the report does not publicly attribute governance practices to individual companies.[20] Before publishing this report, we gave these companies individual feedback letters detailing our findings and observations. This feedback aims to drive improvements at an organisational level.


The Taskforce used a multi-disciplinary approach to its governance review. Findings and observations set out in this report are based on a review of documents received under notice, as well as other public and non-public documents, and information gathered from interviews with directors and officers.

See Appendix 2 for more details about the methodology used and information relied upon to inform ASIC’s review.


A large part of this work depended on voluntary participation in the ASIC-led interviews as well as voluntary participation in the behavioural analysis conducted by an external expert. The time commitment was significant and we appreciate these organisations making themselves available.

Companies that opened their doors to ASIC showed willingness to have their governance practices observed and to receive ASIC’s feedback on areas for improvement. This shows board-level acceptance that there are still things to be done. More importantly, it also shows willingness to act on feedback about improvements that could benefit the organisation and its shareholders.

1 See the Review of the ASX Corporate Governance Council’s Principles and Recommendations – Submissions of ASIC, Public Consultation on the Fourth Edition, 1 August 2018; and the ASX Corporate Governance Council’s Corporate Governance Principles and Recommendations, Fourth Edition, February 2019 (ASX Corporate Governance Principles and Recommendations).

3 APRA, Prudential Inquiry into the Commonwealth Bank of Australia, April 2018 (APRA CBA Inquiry Report).

4 Attachment A: Influence of Board Mindsets and Behaviours on Effective Non-Financial Risk Oversight, Kiel Advisory Group, 2019 (Attachment A).

6 Daniels v Anderson (1995) 37 NSWLR 438.

7 ASIC v Healey (2011) 278 ALR 618.

8 ASIC v Vines (2005) 65 NSWLR 281.

12 Royal Commission into Misconduct in the Banking, Superannuation and Financial Services Industry: Final Report, Volumes 1-3, 1 February 2019.

14 Taken from Justice Owen’s report of the Royal Commission into HIH Insurance, The Failure of HIH Insurance Volume 1: A Corporate Collapse and Its Lessons, Commonwealth of Australia, April 2003, at page xxxiv.

15 Bob Tricker, Corporate Governance Principles, Policies, and Practices (Second Edition), Oxford University Press, 2012.

17 APRA CBA Inquiry Report, page 7; Basel Committee on Banking Supervision, Principles for the Sound Management of Operational Risk, June 2011.

18 APRA CBA Inquiry Report, page 7; Basel Committee on Banking Supervision, Compliance and the compliance function in banks, April 2005.

19 APRA CBA Inquiry Report, page 7; Australian Securities and Investments Commission, Market Supervision Update Issue 57 – Conduct Risk, March 2015.

20 To ensure individual governance practices are not inadvertently identified, companies receive a random identifying letter in each graphic or dataset, i.e. Company A in one chart is not the same company as Company A in the next chart.