Key messages from the first report of ASIC’s corporate governance task force
Another step change
On 2 October 2019, ASIC released the first report from its corporate governance taskforce: ‘Director and officer oversight of non‑financial risk. The depth of the report is a strong indicator of the level of scrutiny this category of risk will continue to receive from regulators in the coming years.
ASIC’s report contains significant detail around the ‘what’ and ‘how’ of board oversight of non-financial risk. In particular, Board Risk Committees, risk appetite statements and risk information were subject to comprehensive analysis. ASIC has sent a clear message that its expectations of these three elements of governance has increased substantially.
The report is another step change in building industry understanding of behavioral norms and the impact these have on risk outcomes. Until now, broad consideration and review of boards in corporate Australia has been relatively untouched by regulators, particularly the social influences that impact leadership decision-making. This report is constructive – rather than being a missive of all that is not working, it is a prompt for leadership teams to reflect collectively on the way they make decisions and signal throughout the company what is truly valued – tone from the top in how it is received, not just intended.
The report goes to culture at the board level. Culture can act as a brake within companies – it is the social control that guides staff (and leaders) in how they think, act and make decisions. In the absence of having detailed rules for every situation, it informs how we respond to change, threats, and guides behaviour. As the world becomes increasingly complex and uncertainty inherent in many day-to-day business decisions, culture becomes even more important. In the context of managing risk, companies need really good brakes if they want to go fast.
Relationships matter within the ecosystem of effective oversight
The effectiveness of governance is driven by the full ecosystem within which boards (and executive teams) operate – the ‘framework of rules, relationships, systems and processes within and by which authority is exercised and controlled’. The real power in ASIC’s report comes from the consideration of group dynamics and how these impact decision-making and oversight and, therefore, the true management of risk. It articulates the very real challenges boards face in delivering on expectations, balanced against the ‘sensitivity to their role in relation to management.’
A separate, notable report by the G30 titled ‘Banking Conduct and Culture – a Permanent Mindset Change’ released in November 2018 found that ‘[w]hile “tone from the top” is appropriately focused on conduct and culture matters, it is unclear if this has flowed throughout the organisation and whether employees at all levels, and especially in the front lines have fully internalized how this will change how they do business.’ In contrast, ASIC’s report takes a far more detailed approach in its analysis and demonstrates how (and why) ‘tone from the top’ can be perceived differently to what is intended in practice, and how it drives behavioural outcomes across companies. It is not just about what leaders (be it boards or executive committees) say, it is also demonstrated in the nature of relationships and interactions between these groups. The report highlights the influence and impact of group dynamics, including cross-group relationships such as between boards and executive management.
ASIC’s report helps redirect the focus on the effectiveness of governance beyond being a function of formal structures to look at the impact of relationships and group dynamics on decision making – whether directors are consciously aware of these impacts or not. The insights the report provides into the functioning of boards – and that every style has inherent strengths, as well as potential weaknesses – is significant. Amongst the observations, companies should note the highlighted better practices: ‘skilled differentiation of the group dynamic is a key differentiator of effective boards’ and ‘relationship oriented styles appeared to provide a more effective foundation for gathering insights and achieving influence.’
As with the findings of the CBA Prudential Inquiry, this report also draws out the challenges in striking the right balance of individual and collective accountability – ‘basic characteristics of individual conscientiousness are necessary, they are not sufficient to achieve distinctive collective performance.’ Conscious awareness of this balance is critical to effective stewardship of companies, especially given the potential for executive accountability regimes to exacerbate mindsets of individual accountability.
Strengthening risk appetite statement frameworks
Utilising risk appetite statements to help govern non-financial risk management was called out as a key area where strengthening is needed.
A specific concern raised was the apparent general practice to operate outside of non-financial risk appetite, often for lengthy periods of time. While complex issues, such as compliance breaches, can at times require significant time to investigate and resolve, ASIC has made it clear it expects boards to hold management to account when risk appetite has been exceeded.
Robust metrics should enable more effective oversight. The report calls out the need for well-coordinated and developed non-financial risk appetite measures, including leading indicators, to be enhanced.
There is a clear need to shift towards more proactive and forward-looking metrics for non-financial risk. ASIC’s report makes it clear that while significant attention is now being placed on collecting non-financial risk data, far less attention has been given to how this should be analysed to generate insights. It reflects the typical approach within financial services to risk management – identify, measure, manage and monitor. Not only do companies need to understand what is going on in, there is also a need to set the basis for future direction. Yet, companies seem to focus on specific data and metrics as an end-state rather than as an input.
Far more work needs to be undertaken to generate insights, including taking sets of quantitative and qualitative data together with behavioural norms or cultural characteristics in order to use these as a basis for action. Undertaking this will enable better identification of leading indicators, an area in which the report finds companies wanting.
More informed oversight by boards and Board Risk Committees
The report expressed concern at the time spent by Board Risk Committees (BRCs) conducting their work, be it number of meetings or total hours spent at the committee. The conclusion of ASIC’s analysis has led it to believe that BRCs may need to spend more time meeting in order to support informed oversight of non-financial risks. Although the report did not provide ASIC-endorsed quantums of BRC meetings, it did highlight existing practice from its sample of seven large financial institutions, set out below:
The report also notes that BRC effectiveness can be strengthened by ‘clarifying and focusing on outcomes rather than on processes’. Policies, processes and systems for governance should not be seen as the end (rather than the means) for delivering effective oversight of non-financial risk.
BRC membership was raised as a potential issue with the report noting the general trend of all board members attending BRC meetings even where they are not formal members. ASIC has stated that better practice is for all attendees of BRC meetings to be members of the BRC to protect against unintended consequences, such as a lack of decision rights.
The length of board packs, too, garnered attention as having the potential to bury non-financial risk information. ASIC highlights that some directors believe only 25% of the volume of papers currently prepared is needed.
Emphasis on root cause
Consistent with its focus on the full ecosystem of governance – frameworks and relationships – the report makes numerous references to the need to identify root causes of issues and risk appetite breaches. ASIC observed ‘issues being addressed as they arose, rather than the board stepping back and considering compliance risk exposure holistically and prioritising the resolution of root causes’.
To enable this analysis, companies need to look in to the true root cause of issues or control breakdowns, not just what happened but why – including the informal drivers that drove observed outcomes as well as the more obvious control breakdowns and weaknesses. Without identifying the real root cause of issues, these are likely to continue to arise.
What steps should companies take?
True change requires constant vigilance and integration of risk and culture priorities in to day-to-day business practices, starting from the top down. This evolution is going to bring many challenges, not least of which is the need to make informed organisational choices around the balance of breadth and depth of non-financial risk assessment. It requires boards and leadership teams to work together to make risk-based choices about where to prioritise resources to facilitate effective decision-making.
ASIC’s report sets out questions that boards should be thinking about in the context of overseeing and monitoring non-financial risks, particularly with regard to risk appetite. Beyond that, the report is silent on what companies should do, which places the responsibility to respond appropriately squarely with companies themselves.
While each company will need to tailor their responses to fit their circumstances, we believe the following additional areas will assist boards and leadership teams determine how they respond to the issues raised in ASIC’s report.
Review the board archetypes and operational impacts
As the report notes, ‘[b]oards should spend more time considering the drivers of their own blind spots, including how their interactions with management may perpetuate them’.
Questions to ask:
- How would you classify your board archetype? Is that view shared by both the board and leadership team (and is it accurate)?
- What are the potential unintended consequences of that archetype and what steps should be taken to identify unconscious assumptions and blind spots and their impacts?
- How can those be tested using an evidence-based approach to ensure validity?
How ‘challenge’ really plays out in your company
Challenge is not just having, or expressing, different views, with the report noting ‘[w]hile the act of challenging was quite common, the extent of deep challenge to the whole group’s assumptions, logic and institutional performance was less clear.’
A key, and often overlooked, component of challenge is that it requires not only free inquiry and intellectual curiosity but also active and receptive listening and the capability (and capacity) to entertain a view that is different to one’s own. There is generally an acceptance of the need for change, but unless there is an equal and aligned understanding of the state of play, the right conditions for change will not be created.
Questions to ask:
- How does challenge play out in your company? How do you respond to different views or perspectives?
- How do you incorporate or harness these perspectives to make better decisions and provide a platform for change?
- Who is influential in discussion and debate?
- For leaders, how often have you revised a position or view following discussion and debate?
This communication provides general information which is current at the time of production. The information contained in this communication does not constitute advice and should not be relied on as such. Professional advice should be sought prior to any action being taken in reliance on any of the information.