The report has examined the big four banks, AMP, IOOF and Insurance Australia Group, structuring the review around 60 interviews with key members of management and directors of relevant companies, along with 29,000 documents.
The corporate regulator’s definition of non-financial captures operational, compliance and conduct risk – which can occur from inadequate or failed processes, breaking legal or regulatory sanctions and inappropriate, unethical or unlawful behaviour.
Many company directors identified challenges within overseeing non-financial risk in large, complex organisations, yet ASIC noted there was no “strong, corresponding trend of directors actively seeking out adequate data or reporting that measured or informed them of their overall exposure to non-financial risks.”
The flow of information up to the board was largely evaluated as “fractured or informal,” with some boards not being fully informed in their decision-making.
ASIC added “material information about non-financial risk was often buried in dense, voluminous board packs,” which made it unclear if their purpose was to inform directors effectively, or “absolve reporters from exercising judgement as to what information should be omitted.”
On average, companies would have 293 pages in packs presented to their board risk committee, with one company averaging 703 pages in its papers.
Boards did not “control the information flows from management” to ensure significant information was brought to their attention and management often did not identify a clear hierarchy or prioritisation for non-financial risks.
Where information did travel to the board, there was said to be little evidence in the minutes of some organisations of substantial active engagement by directors.
All risk leads to financial consequences
In a keynote address for the launch of the report, James Shipton, chair of ASIC commented all risk ultimately has financial consequences and boards cannot afford to ignore non-financial matters.
“If not well managed, non-financial risks carry very real financial implications for companies, their investors and customers – particularly if not identified and prioritised early enough,” Mr Shipton said.
“We have seen first-hand that poorly overseen and managed non-financial risks can result in systemic misconduct and hundreds of millions of dollars of consumer losses. That’s hundreds of millions of ‘other people’s’ dollars.
“This also leads to remediation costs and ‘catch-up’ spending on risk and compliance by firms. In the financial services sector these costs are now reported to be in the billions of dollars, to say nothing of the considerable reputational damage done.”
Companies consistently operating outside of risk appetites
Management for companies was found to be operating outside of board-approved risk appetites for months or even years at a time.
“Overall, we observed that boards’ stated compliance risk appetite did not appear to reflect their actual risk appetite, with companies consistently operating outside their appetite,” ASIC said in its report.
“This was not confined to compliance risk, but was typical of non-financial risks generally, which in some companies we observed to be at levels outside appetite for significant periods of time when compared to financial risk.”
Mr Shipton added: “Boards were not actively holding management nor themselves to account for prolonged failures to operate within the risk parameters the board itself had determined.”
Companies were noted to often have frameworks and structures in place such as board risk committees, to support board oversight of non-financial risk, but deficiencies were observed in compliance with, or execution of the frameworks.
The regulator’s assessment for how risk appetite statements were used deduced accompanying metrics for non-financial risk were immature compared to those for financial risk.
Metrics designed to measure risk were said to often fail to provide a representative sample to the board of the level of risk exposure and did not allow accurate benchmarking to the board’s stated appetite.
Board risk committees acting for eight days a month
Looking at the seven companies’ board risk committees (BRCs), ASIC noted there was little evidence in minutes of directors actively engaging with the substance of proposals submitted by management or information reported to them, in terms of offering alternative viewpoints or driving action by management.
The regulator also criticised the timing and frequency of BRC meetings as being modest, “considering they are the board’s ‘workhorses’ in relation to risk.” On average, a BRC chair and non-executive director would commit around eight days a month to perform their duties, meeting around six times a year.
However, in 2018, BRC meeting minutes showed more instances of active oversight of non-financial risk matters than on financial risk matters, which ASIC said could be explained by the greater focus on the issues and a conscious decision to capture them in the minutes.
There did tend to be full attendance at the meetings, however, interviewees cited a full room could make for a “good news culture” in reporting, saying “the better the audience, the better the news.”
As it is, 63 per cent of companies in the ASX 100 have a board committee focusing on risk and other issues, 24 per cent have a dedicated BRC focusing on risk alone and 13 per cent of groups do not have a board committee examining risk.
Of the 24 companies with a BRC, 12 are required to do so by APRA.
The report has been published as a result of the corporate watchdog receiving funding to specifically conduct reviews of corporate governance, in the fallout of the royal commission.
ASIC’s Corporate Governance Taskforce has also reviewed non-financial risk and discretionary decision-making in variable executive remuneration, with a report due to be published in the coming months.
