Australian companies are failing to manage non-financial risk carefully, according to a study released in October 2019 by the Australian Securities and Investments Commission (ASIC).
ASIC had been concerned that corporate reporting on governance suffered from a ‘form over substance’ approach, emphasising frameworks and processes rather than actual practice. The specific issue under scrutiny was non-financial risk.
Accordingly, ASIC conducted a study structured largely around discussions with 60 key members of management and directors at listed companies, together with a review of relevant documents.
ASIC Chair James Shipton said the boards ASIC reviewed were challenged by important elements of non-financial risk management and their oversight of these risks was less mature than required.
‘Boards cannot afford to ignore the oversight of non-financial risks. As we have seen, all risk can have financial consequences. If not well managed, non-financial risks carry very real financial implications for companies, their investors and customers,’ said Shipton.
The study shows:
- Risk appetite and accompanying metrics for non‑financial risk were immature compared to those for financial risk
- Management was operating outside board‑approved risk appetites for non‑financial risk for months or years at a time
- Metrics designed to measure risk often failed to provide a representative sample to the board of the level of risk exposure, and did not allow accurate benchmarking to the board’s stated appetite
- Board engagement with risk appetite levels was not always evident.
Australian Boards need well-developed risk appetite policies
It is relatively easy for boards to set a risk appetite for financial risk. Any capable CFO can determine how much capital may be put at risk against a given level of earnings, and the resulting metrics can be tracked directly.
“It is true that metrics in the financial sphere are often more readily defined than in the non-financial realm. However, too often the metrics for non-financial risk only covered particular and discrete issues so they would be unlikely to provide boards with a representative picture of where the company sat in respect to non-financial risk more broadly,” Shipton notes.
Fixing an appetite for non-financial risk is much more difficult. “Overall, we observed that Australian boards’ stated compliance risk appetite did not appear to reflect their actual risk appetite, with companies consistently operating outside the parameters of that appetite. This was not confined to compliance risk, but was typical of non-financial risks generally, which in some companies we observed to be at levels outside appetite for significant periods of time when compared with financial risk,” the study shows.
Worse still, when Australian boards operate beyond their risk appetite parameters, they make no effort to reconsider this state of non-compliance, nor to control it so that the risk appetite is respected. Quite often it is management that disregards the risk appetite parameters, but the board frequently does not fulfil its function of monitoring management and holding it accountable for this non-compliance.
“This does not mean directors need to do the job of management. Nevertheless, directors need to be sufficiently informed to hold management to account,” Shipton points out.
“There was no clear evidence that the board actively sought to urgently return the company into appetite for a sustainable period. We observed issues being addressed as they arose, rather than the board stepping back and considering compliance risk exposure holistically and prioritising the resolution of root causes of appetite breaches,” the study warns.
The solution: Boards must do their job
It is the responsibility of the board to see that parameters for risk are set, and that management respects them.
The first step in managing non-financial risk, therefore, is to set workable parameters. This is not easy, and may require working with third-party experts if the board does not itself have the requisite skills.
“Returning a company to within its risk appetite can be resource‑intensive,” the study says. “Several companies noted that the main barrier was finding the right expertise in the market to address the issues. Boards must adapt to their operating environment – where there is a shortage of necessary expertise, they must consider whether current operations should change in light of the heightened risk.”
Boards should also take a hard look at the reasons why management is exceeding the risk appetite parameters, and then work with management to address the underlying problems rather than the individual breaches.
“This is imperative where seemingly distinctive compliance events continue to cause the company to operate outside appetite (or dip in and out of appetite). The board should proactively seek this analysis from management. During our review, we saw sporadic evidence of boards requesting root cause analysis or ‘deep dives’; however, this should occur as a matter of course to help deal with recurrent issues,” the study says.
What the board must not do is accept prolonged operation outside the determined risk appetite. This runs directly counter to its fiduciary duties and, if a problem arises, board members could be held both collectively and individually responsible.
Instead, the board should develop a risk management policy with reference to both financial and non-financial risk. “Board members should understand why a specific compliance risk appetite has been articulated in the way it has, and why certain metrics have been chosen (to the exclusion of others) to measure compliance risk,” Shipton concludes.
Diligent Governance Cloud enables directors to assure good governance
Diligent, the pioneer in Modern Governance, has created a set of tools to help directors establish a solid governance framework and implement good governance.
With so much at stake and so much to oversee, boards need the assistance of electronic board management systems to manage information and communications better. The Governance Cloud solution addresses the full range of director needs, including the board portal, secure messaging, minutes, board evaluations, conflict-of-interest questionnaires and entity management. A fully integrated Enterprise Governance Management system helps board directors develop governance frameworks that work for the benefit of the board, management, shareholders and stakeholders.