“The truth is that all risk ultimately has financial consequences.”
These are the words of Australian Securities and Investments Commission (ASIC) chair James Shipton, speaking at the Australian Institute of Company Directors (AICD) Essential Directors Update in Sydney earlier this week.
The Chairman was speaking about the recent launch of a report based on a review of non-financial risk in the financial services sector in Australia.
Non-financial risk is an area of growing focus for both regulators in Australia's ‘twin peaks’ regulatory system.
The Australian Prudential Regulation Authority (APRA) published its analysis of the self-assessments completed by 36 regulated entities and found that processes around non-financial risks needed improvement.
Just after the APRA report was released in late May of this year, APRA Deputy Chair John Lonsdale told attendees of the Actuaries Summit, “Among the most consistent themes to emerge were that non-financial risk management was frequently weak; and many of the issues raised were known to entities and were often long-standing. As a result of the self-assessments, we have intensified and more precisely targeted our supervision of entities, and in some cases, we are considering imposing additional capital requirements due to the materiality of the weaknesses identified.”
Now ASIC has released its own report, looking specifically at how non-financial risks are handled.
The Chairman highlighted that, while the ASIC report found deficiencies, this should also be seen as an opportunity for the financial services sector.
The ASIC chairman said that ASIC is releasing this report now because of the harm that comes from deficiencies in governance and accountability.
“Just as the global financial crisis was the watershed moment for banks to focus and mature financial risks – particularly credit and liquidity risk – we believe that now is a watershed time for companies to significantly improve their focus on non-financial risks,” Shipton said.
The Director and Officer Risk Oversight of Non-financial Risk Report highlighted four broad areas that needed work when it comes to the oversight of non-financial risk:
All too often, management was operating outside of board-approved risk appetites for non-financial risks, particularly compliance risk. Boards need to actively hold management accountable for operating within stated risk appetites.
Reporting of risk against appetite often did not effectively communicate the company’s risk position. Boards need to take ownership of the form and content of information they are receiving so that they can adequately oversee the management of material risks.
Material information about non-financial risk was often buried in dense, voluminous board packs. It was difficult to identify key non-financial risk issues in the information presented to the board. Boards should require reporting from management that has a clear hierarchy and prioritisation of non-financial risks.
The effectiveness of board risk committees (BRCs) could be improved. BRCs should meet more regularly, devote enough time and be actively engaged to oversee material risks in a timely and effective manner.
According to the report:
Many directors identified challenges with overseeing non‑financial risks in large, complex organisations. Nevertheless, there was no strong, corresponding trend of directors actively seeking out adequate data or reporting that measured or informed them of their overall exposure to non‑financial risks.
The report continues:
We also observed that companies often had frameworks and structures in place to support board oversight of non‑financial risk; however, in practice, deficiencies arose in compliance with, or execution of, these frameworks.
The review was conducted by interviewing 60 directors in financial services.
The graph above, taken from the ASIC report, indicates the difference in maturity between the management of financial risks and of non-financial risks.
More to be done around non-financial risks
The GRC Professional reached out to Professor Elizabeth Sheedy of Macquarie University, whose research has revealed a level of immaturity in the systems and processes around non-financial risks.
“My research is consistent with the ASIC report. I’m not aware of any Australian organisation that has reached risk management maturity, although some are more advanced than others. One problem I’ve noticed is that many firms have weak systems for tracking risk events and analysing those events. Such systems are crucial for managing the non-financial risks and ensuring that risk is within appetite. Risk management decisions, such as investment in new controls/programs, should be based on good cost/benefit analysis,” she said.
But how do you measure this?
“Each type of risk will have its metrics. In the case of cyber-risk, you need to track each event, for example a data breach or a denial of service attack. Then for that event, you record the impact, both direct and indirect.
“Risks in the area of harm to customers are difficult, especially in financial services where products are opaque, and many customers lack financial literacy. The pervasive use of Net Promoter Scores as a customer metric has been disastrous,” she explained.
The Director’s perspective
The GRC Professional also reached out to Brett Flower of Ethical Leadership and Compliance, who shared his thoughts on the management of non-financial risks, which he identified as his ‘particular bugbear’.
“In governance teachings we are all taught of the importance of financial due diligence; however, what is all too often overlooked is that a director or officer is any person within a registered company who performs the role of a director, as outlined by ASIC, or has the capacity to influence or affect the financial standing of the company, regardless of their title.” (Watch this space for a future podcast with Brett Flower on tackling non-financial risks from a leadership perspective.)
With an increasing focus on managerial and board responsibility, especially post-Royal Commission on Financial Services, it remains to be seen what material effect the focus on accountability will have on the development of processes around non-financial risks and, ultimately, on consumer outcomes.