Ten years on from the desperate environment that saw the Sarbanes-Oxley legislation in the US, risk management is the new panacea to prevent corporate failure. Like regulators around the globe, the ASX Corporate Governance Council has dressed itself in the ubiquitous LBD of risk without much thought about what it means.
The third edition of the ASX Corporate Governance Principles and Recommendations shows that in terms of corporate governance and regulation Australia, too, has a low risk appetite.
Overall, the third edition represents an evolution (not revolution) of the rules and it brings few ‘new’ changes (see box). Importantly, it maintains the ‘if not, why not’ approach to disclosure in previous editions.
At a glance
- Requires more intensive reporting (see below).
- Nine new recommendations, taking effect for financial years commencing after 1 July 2014; listed entities should:
  - undertake appropriate checks before appointing a director and provide security holders with all material information in its possession relevant to a decision on whether or not to elect or re-elect a director;
  - have a written agreement with each director and senior executive setting out the terms of their appointment;
  - make sure that the company secretary of a listed entity is accountable directly to the board, through the chair, on all matters to do with the proper functioning of the board;
  - have a programme for inducting new directors and provide appropriate professional development opportunities for directors to develop and maintain the skills and knowledge needed;
  - ensure that the external auditor attends its AGM and is available to answer questions;
  - provide information about itself and its governance to investors via its website;
  - give security holders the option to receive communications electronically;
  - if it has an internal audit function, explain how the function is structured and what role it performs, or, if it does not, the processes it uses for evaluating its risk management processes; and
  - disclose whether it has any material exposure to economic, environmental and social sustainability risks and, if it does, how it manages those risks.
- Disclosure may be in either the annual report or on the website.
- Coincides with recommendations by ASIC on obligations of directors and audit committee members.
In Australia the Commonwealth Government largely resisted calls for legislation and the ASX reluctantly emerged as a regulator of governance matters. Then, many believed that a change in governance principles would be the answer to future catastrophes.
From a global perspective, ten years on, the OECD still believes that governance is the key. Now, of course, as Gail Pearson says, “risk is fashionable” and, as the ‘new black’, it means just about whatever you want it to mean. It should be primarily focused on operational risks like inadequate systems, management failure, fraud, compliance, accounting and business strategy. Although when it comes to black we’ve also hopefully learned something about Black Swans and unknown unknowns.
Initially, risk management was concerned with a narrow, insurance-based view, but it has now moved to a holistic, all-encompassing view of risk, commonly termed ‘Enterprise Risk Management’. In that context it means a process applied in strategy and across the enterprise, designed to identify events that may affect the entity and manage risks to be within its risk appetite, to provide assurance regarding the achievement of its objectives. Combined with internal controls we now have a ‘risk culture’ and loads of reporting to go with it. Can these systems even deal with low-probability, high-magnitude risks?
Staying with the fashion, the OECD’s recent report reviews the corporate governance framework and risk management practices in 27 jurisdictions and identifies failures as varied as Deepwater Horizon, Fukushima, Bhopal and Seveso, Olympus, Enron, WorldCom, Satyam, Parmalat and the Siemens foreign bribery scandals as being facilitated by corporate governance failures, where boards either did not appreciate the risks involved or had deficient risk management systems.
Emphasis on risk management
The new Principles and Recommendations are unthinkingly besotted with our post-GFC focus on risk. For example, recommendation 7.4 provides that an ASX listed entity should disclose whether it has any material exposure to economic, environmental and social sustainability risks and, if so, how it manages those risks. Previously, companies were required to disclose only financial risks.
The OECD believes the cost of risk management failures is often underestimated. It believes corporate governance should ensure both financial and non-financial risks are understood, managed and, when appropriate, communicated. This is consistent with the recent APRA focus on risk.
Is this a case of “action bias”? As many authors have noticed, it takes unusual courage for a regulator to stand up and say something must not be done, because often doing something makes the problem worse.
While generally shareholders are risk averse, some shareholders may want to invest in more risky corporates. As Stephen Bainbridge recognises, the basic corporate law principle of limited liability is designed to insulate shareholders from the downside risks of corporate activity. Because shareholders thus do not put their personal assets at jeopardy, other than the amount initially invested, they effectively externalise some portion of the business’ total risk exposure to creditors.
Is risk the magic bullet? As Desender has acknowledged, risk management is a relatively recent construct. It seems fashion is now demanding we use corporate governance standards and risk management to ensure corporate compliance with a range of activities from accounting misfeasance to foreign corrupt practices and everything in between!
It might be a noble ambition but is it realistic or appropriate? Have we adopted the new fashion just because it’s fashionable? We ought to remember that no less an arbiter of fashion than Coco Chanel said that: “Fashion is made to become unfashionable.”