If your organisation was suddenly exposed to public scrutiny, how would your culture, corporate governance practices and ethics fare? In particular, how would your Board’s attention to non-financial risks (such as operational risk, compliance risk and conduct risk) measure up?
Despite their categorisation, non-financial risks have very real financial implications for companies, their investors and their customers. With COVID-19 now putting additional pressure on directors to have oversight of business operations and ensure compliance while employees work remotely, businesses that are pro-active in addressing not only financial risks but also non-financial risks and taking appropriate measures to mitigate such risks are more likely to weather these tough times.
Reflecting on the ASIC Corporate Governance Taskforce Report
On 2 October 2019, the Australian Securities & Investments Commission (ASIC) Corporate Governance Taskforce released a report on director and officer oversight of non-financial risk (ASIC Report) which primarily focused on Australia’s largest financial services companies. However, the purpose of the review was to improve governance and accountability of all Australian companies irrespective of their size.
The ASIC Corporate Governance Taskforce adopts the view that mismanagement of non-financial risk often becomes a financial risk over time and boards therefore cannot afford to overlook non-financial risks. Inadequate management of non-financial risks can result in systematic misconduct and omissions resulting in a failure to pay proper attention to critical matters which, left unattended, may lead to hefty fines, directors being held liable for failure to carry out their directors’ duties with no insurance cover and heavy consumer losses. In turn, this takes its toll on future cash flows, asset values, intangible asset values and, ultimately, the profitability and longevity of a company.
In light of COVID-19 and the disruption it has caused to supply chains, the travel industry, financial markets, the health sector, and a myriad of contractual arrangements in almost all industries, it is fair to say that companies that have not adequately addressed non-financial risks to date will be ill-prepared for responding quickly to the crisis this pandemic is causing to their organisation.
The way in which a business handles any disruption of service will determine the way it is judged. COVID-19 presents boards with new challenges and a unique opportunity to build a positive reputation for their business within the community.
How can boards better oversee non-financial risk?
The ASIC Report is divided into three sections: risk appetite statements (i.e. statements about the amount of risk an organisation is willing to accept in pursuing its strategic objectives), information flows and board risk committees (BRCs). A snapshot of ASIC’s key findings includes:
1. Compliance risks – reporting of risk appetite and accompanying metrics was found to be immature. Boards additionally need to:
- hold management to account when companies are operating outside appetite;
- engage with the risk appetite statements for them to be an effective oversight tool;
- ensure risk appetite is clearly expressed, reflecting actual appetite; and
- ensure reporting to the board is aligned with risk appetite and metrics.
2. Information flows – directors need to be well informed. For this to materialise:
- information should not be buried in lengthy board packs or reports with no clear hierarchy as to what is really important regarding non-financial risk, what risks need to take priority and why;
- management reporting should have a clear hierarchy for non-financial risks that prioritises their importance; and
- minutes should include key discussion points and reasons for decisions. Board minutes may serve to prove or disprove that directors have fulfilled their fiduciary duties.
3. Board risk committees (BRCs) – BRCs need to:
- dedicate enough time to discharging their mandate;
- meet often enough to oversee material risks in a timely manner;
- ensure they are providing informed oversight; and
- involve boards in decisions and proposals at the BRC level.
During the COVID-19 lockdown, with board meetings taking place online rather than in person, employees working off-site and technology playing an important role in enabling business operations to continue, implementing these recommendations is even more critical to ensure boards can function effectively.
ASIC recommendations to boards pre-COVID-19 and current considerations
ASIC has recently stated that it will focus its regulatory efforts on challenges created by the COVID-19 pandemic. Until at least 30 September 2020, ASIC will prioritise matters where there is the risk of significant consumer harm, serious breaches of the law, risks to market integrity and time-critical matters. In addition, relief or waivers from regulatory requirements may also be granted.
Nevertheless, prior to COVID-19, ASIC was urging boards to embrace the practices listed below. ASIC may be on hiatus from flexing its regulatory powers while the economy is hard hit, but businesses determined to come out of the crisis in good shape are well advised to:
- take proper steps to assess the company’s culture, identify any problems with that culture, deal with those problems and determine whether the changes it has made have been effective;
- ensure they are properly informed on non-financial risks, that is, by ensuring that the information they have is not deficient and, if necessary, obtaining further or better information and identifying where management’s approach to managing non-financial risks may need to be reviewed;
- adopt the view that placing sole priority on delivering short-term profits and outcomes to investors does not equate to acting in the best interests of the company;
- adopt a more all-encompassing approach to assessing what is in the company’s best interests by:
  - allocating sufficient resources and attention to reputational and non-financial risks;
  - using technology in the boardroom and looking at predictive analytics to assist with making decisions;
  - clearly defining accountability structures and fostering a culture of resolving issues;
  - asking themselves not only can they, but should they be doing what they are proposing to do; and
  - resolving matters effectively.
Key takeaways for your business
With increased uncertainty as to the duration of the COVID-19 pandemic, businesses are advised to carefully reconcile ASIC’s observations and recommendations against their current practices.
Set out below are some essential takeaways for boards seeking to address corporate governance improvements in COVID-19 times and beyond. Directors must:
- know the fundamentals of the business and keep abreast of the activities of the company;
- assess how they currently measure and report on their findings of non-financial risk, and test risk frameworks regularly to ensure they are effective and practical;
- review their information management processes to ensure information is effectively communicated from management to boards and board committees. However, boards should not overwhelm management with unreasonable reporting expectations that get in the way of management leading the business through the COVID-19 crisis; and
- work closely with management to implement business continuity, crisis management and pandemic response plans in a timely manner and pressure-test these plans for appropriateness taking into consideration the evolving and unpredictable nature of the situation.
COVID-19 and beyond: Questions to ask yourself
Is your board sufficiently addressing COVID-19 and related issues? Is the breadth and materiality of information that your directors are receiving from management correctly calibrated to help your board perform its oversight function? Do you have transparent, effective and consistent processes for escalation of urgent material to the board? Do your business continuity plans contain an appropriate focus on employee wellbeing, supply chain disruption and the short and long term financial impact of the pandemic? Is the business planning for post-pandemic communications and stakeholder impacts?
While COVID-19 may provide a buffer against ASIC clamping down on certain unacceptable practices (such as trading while insolvent), it is essential that your business takes stock of the way it is going about its business. This is even more so as cyber and data privacy risks continue to increase, with increased fines for breaches and non-compliance. Businesses are advised to take proactive steps towards risk and compliance more generally.
The world of corporate governance and directors’ duties, including in respect of non-financial risks, is particularly complex. To improve your company’s internal risk management processes and ensure you comply with current laws that apply to your business, please contact our Corporate and Commercial team who can assist your business with:
- Board training on corporate governance;
- Board policies and codes of conduct;
- Reviewing your board structure, skills matrix and sub-committees; and
- Director remuneration Schemes / Appointment Contracts.