ASIC declares "watershed time" for companies to improve focus on non-financial risk

ASIC’s Corporate Governance Task Force today, 2 October 2019, issued its report on Director Oversight of Non-Financial Risk (NFR).

The report’s findings underline the critical observations made by Commissioner Hayne in February this year on the widespread challenges faced by Boards and Senior Management in managing NFR.

ASIC reviewed the practices of seven of the country’s largest financial service companies in overseeing NFR.  Given its mandate, ASIC particularly focused on Compliance Risk, but clearly sees Operational Risk and Conduct Risk as important subsets of NFR – which all feed into, and impact, Reputational Risk for banks and corporates alike.

ASIC has urged the Boards of all large ASX-listed companies to read the report and ask themselves the questions posed throughout.

If not well managed, Non-Financial Risks carry very real financial implications for companies, investors and customers – particularly, if not identified and prioritised early enough  James Shipton, ASIC Chair

ASIC concluded all the entities involved in the report were challenged by NFR management and that oversight of these risks was less mature than required.

ASIC still found deficiencies in process and governance, but sees concrete and achievable steps that can be taken to mitigate NFR.

Particular themes picked up by the report and which channel Hayne include:

• No strong trend of directors seeking out adequate data that measures the overall exposure to NFR.

  
   
  This echoes Hayne: “Boards did not get the right information about emerging NFR and did not do enough to seek better information where what they had was clearly deficient”.
  

   
  Shipton also pointed to the dense and voluminous board packs that buried NFR analysis.  Very interestingly he muses on whether the object of presenting overwhelming amounts of data is “to avoid the authors having to make a call on what material to exclude or provide a hierarchy of those risks”.
   

• Metrics for assessing NFR were nowhere near as mature or effective as those for financial risks.
   
• Management often operated outside board-approved risk appetites for NFR for months, sometimes, years.

  
  
  This points to continued lapses in accountability bringing to mind Hayne’s concerns that “it was unclear who within a financial services entity was accountable for what” so hampering an effective accountability framework that “lies at the heart of governance”.
   

• Board risk committees were under-utilised – “at a basic level, the time spent together and frequency of meeting was modest”.

  
Positive aspects to emerge revolve around:

• Some good examples of senior management focusing on NFR and going on to assist the Board in assessing them.
   
• Improved communication of important risk information being better shared internally.
   
• A clear acknowledgement that the challenges of NFR needed to be met.

 
So, there are some clear messages for banks and corporates in all sectors of the economy:

• Good governance means taking NFR seriously and addressing the risk with the right information and the right questions.
   
• Understanding better the various strands of NFR, how they link and getting better at identifying the metrics that will help you assess that risk and how it’s managed internally.
   
• You need to answer who is accountable for the management of each type of NFR – who owns the result of managing that risk?
   
• As Hayne said, underlined by ASIC – take proper steps to frequently assess your governance and identify and deal with governance problems.

 
Finally, the message is clear that ASIC sees the issue of managing NFR and the challenges of good governance as being a matter for all sectors, not just financial services.

It is wrong to suggest that only the boards of financial services companies should make NFR a priority. The observations and insights in this report can be applied across all sectors.

Visit our Rethinking Workplace Risk hub for more articles and resources aimed at helping organisations manage workplace risk.