In early October, ASIC's Corporate Governance Taskforce (Taskforce) released its first report, which focuses on director and officer oversight of non-financial risks following the Taskforce's study of Australia's largest ASX-listed financial services companies (Report). The Report sets out a series of questions for the boards of large ASX-listed companies to ask themselves when considering their own practices for oversight of non-financial risks. This article highlights the key areas where management, including company secretaries, can review their own practices and best support the board in its oversight of non-financial risks.

Background

In the wake of the Financial Services Royal Commission, the Taskforce was established to "conduct targeted reviews into corporate governance practices of large listed entities to gain an insight on actual governance practices." In its first year, the Taskforce has focused its attentions on director and officer oversight and management of (1) non-financial risk and (2) executive remuneration. A separate report on executive remuneration is expected to follow.

The Taskforce adopted a definition of non-financial risk used by APRA in its inquiry into CBA, which includes operational risk, compliance risk and conduct risk. For the purposes of the Report, the Taskforce has focused primarily on compliance risk. The Report also correctly identifies that, although these risks are termed 'non-financial', their mismanagement has the potential to cause significant financial losses for companies, as was seen in the fallout from the Financial Services Royal Commission.

The Taskforce's view is that the companies and boards they observed need to "significantly improve" their current non-financial risk oversight practices. A central theme of the Report is the expectation of active engagement, or "active stewardship", by directors in their oversight of non-financial risk. This requires a more inquisitive approach as well as holding management to account, rather than merely expressing disappointment, where management is acting outside of acceptable risk parameters.

Whilst the Report focused on the questions that boards should be asking themselves and the steps they should be taking, we recognise that there is a significant role for management and company secretaries to play in supporting the board.

Risk Appetite Statements

The ASX Corporate Governance Council's Corporate Governance Principles and Recommendations recommends that the board (or a committee of the board) annually reviews the entity's risk management framework and whether the entity is operating with due regard to the board-set risk appetite. The entity's risk appetite will often be set out in a risk appetite statement (RAS).

The Taskforce found that too often management was operating outside of the board-approved risk appetite when it came to non-financial risks, more so than financial risks. In some of the companies observed by the Taskforce it was even the norm, rather than the exception, to operate outside of the risk appetite on non-financial risks for a sustained period of time. This may be symptomatic of non-financial risk monitoring historically being less mature than that for financial risks. Boards are encouraged to review their RAS, include in it a series of leading and lagging metrics, and ensure that risks are actually measured against these metrics.

Tip for management: When reporting to the board on risk metrics, it is important to engage with non-financial risks as much as financial risks. Whilst their possible financial impact may not be immediately apparent, recent experience has highlighted the need for close attention to be given to non-financial risks. Reporting to the board should also align with the metrics used by the RAS to ensure that relevant information is presented to the board in a clear and concise way.

The Report encourages boards to hold management to account for operating outside of approved risk appetites. As such, we expect boards to become more discerning in their questioning of management practices around non-financial risks and management should be prepared for a greater level of scrutiny where they are not operating within the approved risk appetite.

Information Flows

This area of the Taskforce's focus is premised on the basis that "effective oversight is informed oversight", meaning that boards need to have the right information in order to perform their role. The Taskforce found that material information on non-financial risks was often lost in volumes of board materials, and that it was difficult to assess the materiality of key non-financial risks based on the information given to the board.

The Taskforce observed that the board risk committee (BRC) packs of one company averaged over 700 pages. Add on papers for the full board and other committees and it is questionable how effectively directors can ascertain key non-financial risks from this information where it is not clearly set out.

The Report highlights the importance of directors working together with management and the company secretary to ensure that information is presented in the most efficient manner. These observations also apply beyond non-financial risks, and the overarching principle in this respect needs to be 'quality over quantity'.

Tip for management: Ensure that authors of board papers are exercising judgement as to what information is material and what can be omitted, rather than over-reporting in order to absolve their own responsibility for identifying material information.

Company secretaries may consider engaging in a dialogue with the board, perhaps aligned with the board performance assessment process, to ensure the board's expectations are being met with regard to information from management.

The Report also considers how information from directors' meetings is being captured and shared between committees and the full board. Current guidance on minute taking recommends including key discussion points and reasons for decisions in minutes of meetings. Whilst this is likely a result of an increasing focus on director accountability, as it is a way of showing that directors have discharged their obligations, in practice, striking the right balance will be challenging.

Tip for management: Company secretaries should ensure that they are familiar with, and consider their own practices in line with, the Australian Institute of Company Directors and Governance Institute of Australia's Joint statement on board minutes.

Board Risk Committees

The ASX Corporate Governance Council's Corporate Governance Principles and Recommendations recommend that all listed companies have a committee that oversees risk. This may be a standalone or combined committee (most commonly combined with audit).

The Taskforce considers that the effectiveness of BRCs could be improved and it questions whether BRCs are meeting often enough, or for long enough, to discharge their mandate. This is particularly so for combined audit and risk committees which may be dominated by audit-related matters in the lead up to half and full year reporting.

The Report also highlights the need for companies to have clear and effective processes to escalate urgent material risks that arise between BRC meetings. The Taskforce does not seek to prescribe a 'one size fits all' process, but considers that the process should specify the "who, where and how" of dealing with these risks in a transparent and consistent manner.

Tip for management: Together with the BRC, management should implement (to the extent it does not already have one), or review, its process for dealing with time-sensitive material risks, both financial and non-financial. All relevant members of management should be educated on the process, and a written copy made readily available, to ensure that it can be easily followed if required.

In addition, when setting the annual board calendar, management (particularly the company secretary) should engage with the chair of the BRC and the board to ensure that they are comfortable with the time allocated to BRC matters. Where the BRC is combined with the audit committee, key risk-related agenda items should also be scheduled, to the extent possible, so that they don't conflict with half and full year reporting obligations.

What's next?

The Report is a good reminder of the importance of managing non-financial risks given their potential to cause significant financial loss, as was highlighted by the Financial Services Royal Commission. Whilst the focus of the Report was on financial services companies, there is no doubt that the themes apply more broadly to all industries. The Report reflects a clearly heightened expectation on boards, and correspondingly the expectations on management have also increased.

This Report is one in a series of recent reports, papers and statements for companies to consider when framing their corporate governance practices. However, companies should be cautioned against implementing knee-jerk solutions, or unnecessary layers of governance, in response to each report, given the resulting risk of an overly complex, fragmented corporate governance framework. Boards, aided by management and company secretaries, should be using this opportunity to take a holistic review of their current practices and, guided by recent learnings, identify the areas most in need of change.