The reality is that non-financial risks have very real financial implications for companies, their investors and their customers.
The review by the ASIC Corporate Governance Taskforce into Australia’s largest financial services companies has highlighted important shortcomings in corporate governance practices in large listed entities. In particular, oversight and management of non-financial risks has generally not received sufficient attention until recent times – in stark contrast to the focus on financial risk and financial returns.
Boards cannot afford to ignore the oversight of non-financial risks. We have seen first-hand the damage that can result when it is not made a priority. Mismanagement of non-financial risks in the banking and wealth sector has resulted in institutions announcing hundreds of millions of dollars in customer remediation costs. Industry analysts have also projected remediation costs and increased spending on risk and compliance in the sector in the billions of dollars.
Boards must recognise that they are accountable for mitigating all risks – financial and non-financial – facing a company.
Our Corporate Governance Taskforce was established with special funding from the Australian Government, following revelations of significant corporate governance failures during the Royal Commission into Misconduct in the Banking, Superannuation and Financial Services Industry (Financial Services Royal Commission).
We deliberately targeted large firms with the expectation that they should have mature procedures and the highest standards of governance and accountability in relation to non-financial risks.
Instead, our review revealed that boards were grappling with important elements of the management and oversight of non-financial risk – some more so than others – and their oversight was less mature than needed.
However, the review also observed that institutions increasingly recognise that they need to change past practices to minimise the likelihood of future failings.
Positively, we observed some directors and officers starting to think laterally and innovatively to overcome such challenges. Overall, the companies and their boards we reviewed need to significantly improve their practices to address the issues outlined in this report.
While many boards and companies have started addressing these issues, they appear to be at an early stage. Rectifying these issues requires immediate and sophisticated responses from companies and boards that will need to be prioritised.
We urge boards of all listed companies – whether or not you are in financial services – to read this report. Review your governance practices and accountability structures with reference to our findings, particularly that:
- All too often, management was operating outside of board-approved risk appetites for non-financial risks, particularly compliance risk. Boards need to actively position themselves to hold management accountable to operate within their stated appetites.
- Monitoring of risk against appetite often did not enable effective communication of the company’s risk position. Boards need to take ownership of the form and content of information they are receiving to better inform themselves of the management of material risks.
- Material information about non-financial risk was often buried in dense, voluminous board packs. It was difficult to identify key non-financial risk issues in information presented to the board. Boards should require reporting from management that has a clear hierarchy and prioritisation of non-financial risks.
- Companies generally sought to use board risk committees (BRCs) to achieve desired outcomes, but their effectiveness could be improved. BRCs should meet more regularly, devote enough time and be actively engaged to oversee material risks in a timely and effective manner.
While there is no ‘one size fits all’ solution to these findings, boards need to proactively identify and assess their own characteristics and processes. This includes promoting the oversight of non-financial risk.
This report does not constitute legal advice. We encourage you to seek your own professional advice to find out how the Corporations Act 2001 and other applicable laws apply to you, as it is your responsibility to determine your obligations. Examples in this report are purely for illustration; they are not exhaustive and are not intended to impose or imply particular rules or requirements.
ASIC Report 631
Publication date: October 2019
Copyright © Commonwealth of Australia 2019