The corporate regulator's risk-management review of the $1.8-trillion funds management sector attracted headlines this week.
Less considered was how the findings relate to smaller funds management groups around key-person risk and the use of external consultants.
ASIC's review of selected firms in 2011-12 was published in Adequacy of Risk Management of Responsible Entities.
ASIC assessed risk-management systems by firm size and complexity, and how selected responsible entities managed their financial, investment and liquidity risks.
ASIC said the firms it sampled "generally appeared to demonstrate compliance with their obligation as Australian Financial Services licensees to maintain adequate risk-management systems".
But it warned that improvements could be made - in particular for firms that are not part of the Australian Prudential Regulation Authority (APRA) regulated group.
An important finding was that firms categorised as small (operating less than 20 managed investment schemes) had risks around the loss of a key person, a potential over-reliance on external compliance and risk-management consultants, and limited understanding of residual risk.
Key-person risk can be a big issue for small funds management groups that are established by one or two core investment staff who are not easily replaced.
A potential threat is key staff dominating the organisation's agenda and over-riding risk-management systems.
ASIC said: "Such dominance may be problematic if it leads to decisions being made that would not be considered appropriate within a responsible entity's risk-management systems. We expect responsible entities to have in place appropriate strategies, such as business continuity or succession plans, to mitigate key-person risk."
ASIC suggested firms should consider their board and committee composition to help manage key-person risk and ensure risk controls are maintained.
An over-reliance on external risk-management in smaller firms received sterner commentary.
ASIC found a number of smaller firms were "heavily reliant" on risk-management and compliance consultants to develop, implement and monitor their systems.
ASIC said this outsourcing, while not prohibited, raised a number of questions about the adequacy of a risk-management system of a responsible entity and its ability to comply with its ongoing general obligations.
The regulator said it could be hard for an external consultant to develop a risk-management system that was closely linked to its client's strategy.
And most external risk-management consultants worked part-time for a firm and offered other clients similar services. "It is difficult to envisage how a risk-management system can be effectively monitored in such circumstances," ASIC said.
It said small firms that over-relied on consultants lacked skills to meet their risk-management obligations and appropriately monitor and independently assess the performance of consultants.
Inadequate board involvement in monitoring outsourcing, a lack of defined responsibilities and service agreements with consultants, and an inadequate process for reviewing their performance, were other shortcomings.
"The engagement of external compliance and risk-management consultants who report to the responsible entity on a periodic or as-needed basis may not allow for the timely and effective identification of current and emerging risks," ASIC said.
Another problem was limited understanding of residual risk (the remaining risk after the exercise of risk controls) among smaller firm that are not part of an APRA-regulated group.
ASIC believes an understanding of residual risk is an important consideration during the risk identification and assessment process.
Larger firms had a much clearer plan for managing residual risk.
An emerging risk-management threat was greater financial services consolidation.
Rising cost pressures and weakening fund inflows had led to more mergers and industry consolidation.
"Where the integration and consolidation of responsible entities is not managed appropriately, it could undermine each of the relevant business's risk-management systems," ASIC said.
Although this potential risk is not specific to smaller firms, weaker industry conditions could force greater integration and consolidation among small and mid-size funds management groups.
On balance, extra regulatory attention on risk-management practices in smaller firms is no surprise.
Emerging funds management groups often have significant resource constraints, rely on a handful of key people, and outsource certain compliance activities to cut costs.
But ASIC's review makes it clear that smaller responsible entities, in general, need to lift aspects of their risk management.
As ASIC suggests, part of the solution rests in smaller firms paying more attention to the composition of their board and risk-management committees.
Understanding and monitoring the risk-management process is a priority of good boards, and a signal to regulators that firms are serious about good governance on behalf of their stakeholders.
