Last week the Australian Securities and Investments Commission released its report on the approach regulated entities have taken towards non-financial risks, with its findings indicating that processes around non-financial risks remain immature.
The GRC Professional reached out to GRCI’s own Carole Ferguson to talk about the potential implications of the report and what its findings might mean for the future.
Why are non-financial risk frameworks less mature than financial risk frameworks?
There has been considerable work undertaken to identify the relevant risk and compliance standards (eg ISO 3100 and 19600). Collectively, risk and compliance professionals are working hard to embed these standards within their organisations.
But at the board level, there still are pervasive views that compliance is ‘the hand-brake on innovation and progress’ and that risk means determining the likelihood, via some empirical measure, of a regulator darkening the door of the company.
These views are contrary to reality, where the companies with the highest standards of business ethics are, generally, the most successful. The legendary Jack Bogle of Vanguard was a proponent of the importance of good governance for companies over a business that has lost focus on the importance of the customer in the business equation.
So, maturity is often lost against the quick return expectations of the market. Bogle was a long-term investor who exhorted investors to ignore daily fluctuations and instead encouraged them to stay the course!
Companies with corporate failures often have great risk management systems and compliance policies to give them good outcomes. But the compliance person is not listened to and scant interest is taken in the policies. And of course, even today, many companies do not have adequate policies and embedded compliance and run the ‘risk’ that a busy regulator will not take interest in a smaller licensee. Wrong!
From your experience, do you think that the concept of non-financial risk is something understood well by regulated entities?
Non-financial risk is understood, but many prefer to run their businesses with a focus on the financial risks (demand driven by analysts and media). Non-financial risk is opaque—generally, the only time it is understood is at the behest of a vigorous risk and compliance function, or from regulatory action. Firms still are playing regulatory roulette, running the genuine risk of the new significant criminal and civil penalties—and, of course, acting contrary to their shareholders’ and investors’ interest. How many would invest if they knew their chosen company or AFSL holder had no or inadequate policies for financial crime or conflicts?
ASIC is using the APRA definition of non-financial risk, which is broken down into operational risk, conduct risk and compliance risk. Could this focus from ASIC be a good thing from the compliance professional’s perspective? Could it help compliance with getting the buy-in they need?
A definition is needed and not reinventing the wheel is sensible. It helps to redraft policies using this definition, or for dual-regulated entities to continue their monitoring against agreed benchmarks. But it won’t increase buy-in. That can only come when boards accept compliance is needed, and not just as an additional cost of doing business.
Is there a risk in considering non-financial risks as something separate from financial risks? Could this have unintended consequences?
The two have always been different. CFOs/internal audit have monitored financial risk expressly and the other has been under the purview of compliance (and in part internal audit). Great focus is made on accounts, solvency and fund performance. Compliance sends reports to the board but they often are dismissed. The low levels of breach reporting for some entities are an indication of potential compliance issues.