On Wednesday, ASIC released a report looking at director and board oversight of “non-financial risk”. After examining the big four banks, AMP, IOOF and Insurance Australia Group, and conducting over 60 interviews with directors and management, it found that key shortcomings included fractured communication, a lack of accountability, and management operating outside of approved compliance risk appetites. The review is part of a wider investigation by the regulator, seeking to identify weaknesses in both company structures and culture that contributed to the unscrupulous and damaging behaviour highlighted by the Royal Commission.
The report comes from one part of ASIC’s new supervisory initiative, the new Corporate Governance Taskforce, and is part of its focus on more intensive supervisory approaches. In August 2018 ASIC received funding to conduct targeted reviews into the corporate governance practices of large listed entities to gain an insight into actual governance practices. It follows the damning report last year by an APRA committee that found huge holes in the bank’s non-financial risk governance, amid a culture that had become arrogant and complacent due to superior financial performance.
ASIC’s Corporate Governance Taskforce considered how directors and officers have overseen and managed non-financial risk, with a focus on identifying good and poor practices and recommending improvements to lift corporate governance standards. Non-financial risk included areas such as operational risk, conduct risk and compliance risk, although ASIC primarily focused on the compliance part.
In a speech launching the report, ASIC Chair James Shipton said directors need to be sufficiently informed to hold management to account, saying “by non-financial risk we mean risks such as operational risk, conduct risk (including risks from not treating customers fairly) and compliance risk (that is risks from not following the rules)”. He said the report should be viewed as a guide to help directors exercise their responsibilities more effectively.
The report found that management teams were operating outside of board-approved risk appetites for compliance risk and failing to effectively communicate the company’s risk position. In some cases, this was happening for months or even years at a time.
Shipton said “Boards were not actively holding management nor themselves to account for prolonged failures to operate within the risk parameters the board itself had determined.”
“Overall, we observed that boards’ stated compliance risk appetite did not appear to reflect their actual risk appetite, with companies consistently operating outside their appetite,” ASIC said in its report.
The flow of information up to the board was largely evaluated as “fractured or informal,” with some boards not being fully informed in their decision-making.
Shipton stated “We have seen first-hand that poorly overseen and managed non-financial risks can result in systemic misconduct and hundreds of millions of dollars of consumer losses…that’s hundreds of millions of ‘other people’s’ dollars.” He added “It also leads to remediation costs and ‘catch up’ spending on risk and compliance by firms. In the financial services sector these costs are now reported to be in the billions of dollars, to say nothing of the considerable reputational damage done.”
Improving governance and accountability is one of ASIC’s seven key strategic priorities for the year ahead. In a warning to corporate boards across the country, Shipton said “Boards cannot afford to ignore the oversight of non-financial risks. As we have seen, all risk can have financial consequences. If not well managed, non-financial risks carry very real financial implications for companies, their investors and customers”.