ASIC’s Corporate Governance Taskforce recently published its report on director and officer oversight of non-financial risk. The Report highlights the need for directors and officers to recognise that non-financial risks are legitimate risks that can have significant financial consequences. In order to ensure the highest levels of corporate governance, directors and officers should consider placing additional emphasis on non-financial risks when steering the direction of their company.
ASIC’s Corporate Governance Taskforce ‑ Director and officer oversight of non-financial risk report (Report) has recently been published.
The Report found that corporate governance practices amongst large listed companies in Australia in relation to non-financial risks remained inadequate.
What are non-financial risks?
Non-financial risks are risks that are not financial in nature but can lead to financial consequences. Examples include operational risk, compliance risk, environmental risk and conduct risk.
While non-financial risk does not necessarily have financial consequences attached to it, where such financial burden arises, the consequences can be and have proved to be significant. As highlighted in the Report, hundreds of millions of dollars have been paid out for customer remediation through the Banking and Financial Services Royal Commission because non-financial risks such as compliance failures and legal risk were not adequately considered.
The Report made three main findings in relation to: (1) Risk Appetite Statements (RASs); (2) Information flows; and (3) Board Risk Committees (BRCs).
Risk Appetite Statements (RAS)
Under Recommendation 7.2 of the ASX Corporate Governance Council’s Corporate Governance Principles and Recommendations (ASX Corporate Governance Recommendations), it was recommended that Boards should set a board-approved risk appetite, for example, through a Risk Appetite Statement (RAS).
The Report found that although RASs were often adopted by companies, the statements often failed to adequately consider non-financial risks. Even where a RAS was established, the statement would fail to incorporate appropriate metrics by which non-financial risk could be measured and thus managed. Directors also frequently operated outside the scope set out by the RAS, and decisions were made independently of the RAS.
Information flows
A Board can only function to the extent it is provided with the right information necessary for it to make appropriate decisions. In terms of non-financial risks, it is important that boards be presented with information in the appropriate form. It is also critical that information about non-financial risk is not under-prioritised when determining the information the Board should have access to.
The Report noted that non-financial risk information was often buried deep in board packs and was not given the adequate prioritisation it deserved from a risk perspective.
Furthermore, information regarding non-financial risk was presented to directors in a way which made it difficult to identify the ‘materiality’ of the risk. In addition, the flow of information from informal meetings and committees to boards often resulted in an information mismatch or information loss in the transmission process.
Board risk committees (BRCs)
Board Risk Committees (BRCs) are board committees given the mandate of overseeing risk. Recommendation 7.1 of the ASX Corporate Governance Recommendations states that Boards should have a committee or committees that oversee risk.
While the Report noted that Boards have been making use of BRCs, the effectiveness of BRCs was found to be limited and in need of significant improvement. Matters such as how often BRCs meet, how much time is spent by BRCs, whether members of BRCs are appropriately informed, and whether there is an escalation procedure were all identified in the Report as issues for improvement.
Implications for directors and companies
The Report looked at large listed companies and companies subject to APRA regulation. It found that even though large-cap Australian companies were committed to corporate governance, there was significant room for improvement in relation to non-financial risk.
It is important for companies and businesses more generally to consider whether there is merit to incorporating aspects like a RAS, information flow concerns and a BRC into their corporate governance mechanism. If companies do choose to implement such measures, they are only as useful as they are effective, so it is important that they are adequately resourced and reviewed regularly.
Given this is a new area of focus for most boards, there are challenges for companies in accurately identifying relevant non-financial risks, quantifying them, and then putting in place appropriate frameworks to continually monitor for these risks and address them. Investing in effective and appropriate governance mechanisms to better address non-financial risk is likely to yield financial returns that would be of significant value to any company.
Material in this article is available for information purposes only and is a high level summary of the subject matter. It is not, and is not intended to be, legal advice. You should first obtain professional legal advice prior to taking any action on the basis of any information contained in this article. This article is copyright. For permission to reproduce this article please contact Hazelbrook Legal.