This article was written by Tim Bednall.
ASIC's Corporate Governance Taskforce, set up in the aftermath of the Financial Services Royal Commission with additional Federal Government funding, has released its first reports.
ASIC Corporate Governance Taskforce Report
The Taskforce has reported on the oversight of non-financial risk by directors and officers of a small group of seven large ASX-listed financial services entities: the four trading banks, AMP, IAG and IOOF. The review does not include Macquarie Group, Suncorp, QBE or the listed regional banks. Nor does it include companies from any other sector. Issues of management of non-financial risk in the financial services sector have already been well and truly canvassed in APRA's report into CBA, in self-assessments prepared for APRA by these companies, and by the Financial Services Royal Commission. It may have been helpful for ASIC to include companies from the rest of the economy in this exercise, especially as ASIC's report purports to provide "broader market insights into corporate governance practices generally".
ASIC has focused on only one category of non-financial risk: compliance. It perhaps says something about the difficulty of managing other non-financial risks such as culture and conduct, climate change and cyber-security that ASIC did not seek to analyse the oversight of those risks in its report.
The Taskforce's report has made some predictable conclusions and recommendations: these companies operate outside their non-financial risk appetites more often than they operate outside their financial risk appetite, the board risk reports are voluminous, important information is buried in the reports, and Board Risk Committees could be more effective. Specific recommendations include:
- Risk appetite statements: Boards must hold management to account for operating outside risk appetite guidelines; Boards must "engage" with the risk appetite statement; The RAS should be clearly expressed, reflecting actuality; Metrics for measuring risk exposure should align with stated risk appetite; Board reports should align with appetite and metrics.
- Information flows: Material information should not be buried in lengthy reports; Reports should prioritise risks by importance; Material information should not be lost in undocumented BRC sessions; Minutes should include key discussion points and reasons for decisions; Avoid asymmetric information; Update the full board in a timely way.
- Board risk committees: BRC's must spend enough time to be effective; BRC's must meet often enough to oversee material risks in a timely manner; BRC members must ensure they are providing informed oversight; Boards need to actively engage in decisions at BRC level; Clear escalation procedures for urgent material risks.
The assumptions about the role of the board and the operation of board committees that underlie the Taskforce's conclusions will attract debate about issues such as whether board committees should include all board members, how far the board should be involved in the day-to-day management of risk rather than exercising effective oversight of the risk management function, and how frequently the board committees should meet to function effectively. There is no doubt that regulators and the community are placing ever greater expectations on the role, obligations and time commitment of directors, which may lead to a debate about the appropriate level of remuneration for boards.
A most useful part of this report for other ASX-Listed companies is in Appendix A, which lists 21 questions extracted from the report that boards can ask themselves in relation to risk appetite statements, information flows and board risk committees.
Unlike the APRA report into CBA and the Financial Services Royal Commission, this report does not refer to specific failures to manage non-financial risk at any of the seven major institutions reviewed. Specific findings of fault may not have been the object of this exercise, but that did not stop ASIC exercising its powers of compulsion to compel the production of a significant volume of material by these companies - over 29,000 documents. The net benefit of this huge exercise is debatable. ASIC has collected data on sensitive issues of risk management that may now be susceptible to disclosure under FOI or in future class actions. There is also a real issue about the appropriateness of ASIC's use of its powers of compulsion in this context, which have been used not to enforce the law but to participate in a governance debate. The cost to the companies involved has been significant, merely to enable ASIC to produce a relatively anodyne report into seven companies which have already been subject to intense public review.
Kiel Advisory Report
Accompanying the Taskforce's report is a report by Kiel Advisory Group, the firm of organisational psychologists engaged by ASIC to sit in on board meetings and interview directors to assess the impact of board mindsets and behaviours on their effectiveness.
The Kiel Advisory Report covered a larger range of companies than the ASIC Taskforce report, but also focussed on the impact of board behaviours on the oversight of non-financial risk. The report identifies "helpful" behaviours, including ethical role modelling and efforts to challenge management. It also identifies "unhelpful" behaviours, including difficulty in engaging in deep reflection and self-challenge (due to a number of factors including limited time, farming of issues, limits on "psychological safety" in speaking up, unconscious bias and being too polite); failure to balance conflicting agendas; and insufficient understanding of the business to challenge management.
The Kiel Advisory Report identifies four board "archetypes": Advisory, Collaborative, Sceptical and Director, and makes observations about the positive and negative characteristics of each. This is a helpful analysis, without identifying any one archetype as being more or less effective than others. It is likely that boards may fall into more than one of these archetypes, and be more or less effective, depending on the issues they are addressing. At the very least, the characterisation of these archetypes (and the description of their respective benefits and disadvantages) provides a framework for NEDs and Boards to reflect on their own role, dynamics and circumstances.
Finally, the Kiel Advisory Report identifies three factors that boards can address to increase their effectiveness:
- Improve ownership of the board's role to create conditions that underpin effective risk oversight
- Focus on outcomes rather than processes
- Increased commitment to collective rather than individual performance: improving functionality as a group and addressing toxic group dynamics
The Kiel Advisory Report is a "first" in Australian corporate governance, and is a useful if generalised mirror on the way Australian boards function. We should expect to see more of this type of study, on a voluntary basis rather than at the behest of the regulator.