ASIC last week released a report into board management of non-financial risks at some of Australia’s top companies.
The report was based on ASIC-conducted document-based reviews and voluntary interviews, supported by behavioural analysis within the boardroom conducted by an external consultant.
It painted a stark difference between the treatment of financial and non-financial risks within the organisations observed.
The number of metrics measuring the companies’ risk profile in terms of non-financial risks was normally a fraction of the non-financial metrics, leading ASIC to conclude that risk appetite and accompanying metrics for non‐financial risk were immature compared to those for financial risk.
While financial risks were often broken down, for example, by portfolios, industries or jurisdiction, non-financial risks were generally captured on an organisation-wide basis. This would make it difficult to identify problem areas in the organisation with poor culture.
In addition, where financial risks often had a “trigger level” automatically incurring scrutiny and a “limit”, this was not the case for non-financial risks.
This lack of measurement and focus appears to have given many companies’ management a free pass to ignore non-financial risks. While the reviewed companies had expressed the company’s risk appetite in a risk appetite statement there were cases “management was operating outside board‐approved risk appetites for non‐financial risk for months or years at a time” and this “with the board’s tacit acceptance”.
While this may indicate the risk appetite statements do not truly reflect the company’s risk appetite it may also be a sign of talking the talk but not walking the walk. One of ASIC’s key recommendations was therefore that “boards need to hold management to account when companies are operating outside of appetite”.
“The board cannot simply express its disappointment at a risk staying outside appetite for a stated period. It must do more to quickly return the company to within appetite. This includes challenging the actions and timeframes within which management proposes to resolve the issue. Prioritisation and slippage should be monitored and accounted for,” it said, noting that some risk appetites expected full regulatory compliance. “While adopting these types of aspirational statements sends a message to staff, doing so without reinforcing them through strong accountability and consequences significantly undermines the effect of the statement. “
As we have stated in our remuneration framework checklist (see HERE), remuneration is one of the clearest ways to communicate what is important and focus on desired behaviours and results.
ASIC indicates that the current focus on financial metrics over non-financial metrics in remuneration appears to have dulled management’s motivation to maintain operations within risk appetites and given executives a carte blanche when it comes to non-financial risks – as long as it does not lead to legal action.
The current focus on financial metrics is could be attributed to a reluctance on the part of investors as well as boards to approve executive remuneration that is based in large part on non-financial metrics, which have in the past been difficult to quantify in measurable metrics. Where metrics are available they are often lagging indicators, such as the number of laws or regulations breached.
ASIC encourages boards to find leading indicators within the operational, compliance and conduct risk that will uncover “near misses”. It does not provide much insight into what those indicators might be, other than to refer to breaches of internal polices or compliance. It also noted that the type of breach (i.e. deliberate, systemic) may be as important as the number of breaches.
The ASIC conclusion that non-financial metrics are immature will compel many boards to review their risk appetite statements, check their currency, then consider what metrics might monitor the company’s performance against the statement on an organisation wide and division, industry, portfolio, and jurisdiction specific basis. Given how hard-pressed the internal resources of companies are it may take some time for this to be worked through each board’s risk and remuneration committees.
Once identified with risk appetites defined, it may be less than effective to include these non-financial metrics as part of an already crowded balanced scorecard. Among other things, this may understate their importance at the percentages investors will agree with. An alternative may to apply them as as a form of consequence management: if trigger levels are reached, the board might be bound to consider the reduction of short term and long term incentives for accountable executives or the implementation of in-period or malus provisions.
This will probably necessitate a better information pathway from management to the board on risks than is currently in place.
ASIC found that reporting on non‐financial risk did not always align with the metrics in the companies’ risk appetite statements, reducing boards’ visibility of how the company was tracking against its risk appetite. Often important non-financial risk information was hidden within groaning board packs, without any indication of what priority these risks entail.
According to ASIC, it should be the job of management to flag to the board issues that are important. Boards, meanwhile, are not censuring management for this failure.
“There was no strong, corresponding trend of directors actively seeking out adequate data or reporting that measured or informed them of their overall exposure to non‐financial risks,” ASIC noted.
Indeed, often boards are exacerbating the problem by not ensuring a formal flow of information about risk from management to the risk committee to the board. Instead, ASIC notes that important risks are often raised in informal conversations, such that it was only subsets of the board that had become aware of the problems.
Pertinent questions ASIC puts forward for boards are as follows:
1 . Should we default to the position that the company should be operating within the board’s stated appetite in the ordinary course of business? When we fall outside appetite, are we requiring management to do everything within their power to return the company to within appetite, or otherwise cease activities that place it outside appetite?
2 . Do I understand why our compliance risk appetite has been articulated in the way it has, and why certain metrics have been chosen (to the exclusion of others) to measure compliance risk?
3 . Does our stated compliance risk appetite reflect our actual appetite? If not, what is the purpose of stating the appetite in this way and how will it help us oversee this type of risk in practice?
4 . Are the metrics we have approved sufficiently representative to provide a picture of
what we are trying to measure across the organisation?
5 . Do our metrics allow us to measure performance against our articulated appetite?
6 . Are we measuring non‐financial risk in a way that provides us with early warnings of rising risk levels?
7 . How do our compliance risk metrics and other non‐financial risk metrics compare to those metrics used to measure financial risk; for example, for credit or liquidity risk?
8 . Does management report to the board against the metrics in the RAS? Do management committees receive reporting against the metrics in the RAS?
To this we might add, what are the remuneration consequences to management of operating outside of the board’s stated risk appetite? What triggers might result in the board considering consequences in terms of remuneration outcomes?
More hours for risk and remuneration committees
ASIC considered the sitting hours recorded for the risk committees to be low given the gravity and breadth of the issues being discussed. It believed committees needed to spend more time on their remit and meet more often to ensure timely escalation of issues.
Given that the report also noted issues with risk measures for incentive payments, it is expected that there will also be more work for remuneration committees.
Will this mean an escalation of fees for risk committees? Possibly. However, ASIC also recommended that the risk committee not include all board members in session, which it notes is not uncommon. This may reduce the workload of committee non-members.
The report can be found in full HERE .© Guerdon Associates 2023 Back to all articles