
ASIC REP 631: Director and officer oversight of non-financial risk

KPMG.com.au

February 2020


“Boards did not get the right information about emerging non-financial risks; did not do enough to seek further or better information where what they had was clearly deficient; and did not do enough with the information they had to oversee and challenge management’s approach to these risks.”

Financial Services Royal Commission Final Report

© 2020 KPMG, an Australian partnership and a member firm of the KPMG network of independent member firms affiliated with KPMG International Cooperative (“KPMG International”), a Swiss entity. All rights reserved. The KPMG name and logo are registered trademarks or trademarks of KPMG International.

Liability limited by a scheme approved under Professional Standards Legislation.


Introduction

The Financial Services Royal Commission and ASIC’s work over the past few years have highlighted what happens when proper oversight and management of non-financial risks are not made a priority.

Off the back of the Royal Commission’s findings, ASIC set up a Taskforce at the end of 2018 to better understand what good corporate governance looks like and improve practices with regards to non-financial risk. In late 2019, the ASIC Corporate Governance Taskforce (the Taskforce) released REP 631 outlining its observations.

ASIC Corporate Governance Taskforce

• 7 large listed financial services companies were investigated.

• 60 directors and senior executives were interviewed.

• 30,000+ documents were reviewed.

• External advice was received on international trends and behavioural factors.

Non-financial risk includes:

• Operational risk: the risk of loss resulting from inadequate or failed internal processes.

• Compliance risk: the risk of legal or regulatory sanctions, material financial loss, or loss to reputation of an organisation.

• Conduct risk: the risk of inappropriate, unethical or unlawful behaviour.

KPMG summarise the key themes arising from REP 631, what it means and practical next steps you can take.


Key findings and how KPMG can help

Key themes arising from REP 631 include:

In general, the results indicate practices with regards to non-financial risk are broadly immature. The findings of the report can be adopted by all public companies.

Risk Appetite Statements (RASs)

> Key findings

• Risk appetite and accompanying metrics for non-financial risk were immature compared to financial risk.

• Companies were operating outside Board-approved risk appetites for non-financial risk for months or years at a time.

• Board engagement with the RAS was not always evident.

> Why does it matter?

• Boards should aim to include leading indicators in metrics for NFR. This would provide directors with early visibility, additional data to support challenge and reduce single-person dependency on the CRO to curate and highlight relevant issues. It may allow Boards to take earlier and more proactive action.

• The level of Board engagement with the RAS sends a strong message to management that the Board considers the RAS to be important.

• For long-term, persistent issues Boards may want to initiate and be able to demonstrate interim measures that reduce risk whilst longer-term strategic options are developed.

• There is need for more root cause analysis or deep dives to help with recurrent issues as returning a company to within its risk appetite can be resource-intensive.

How can KPMG Help?

• Assess RASs for adequacy of the risk appetite setting and tolerance levels for non-financial risks.

• Perform deep dives or root cause analysis.

• Develop and implement non-financial risk reporting frameworks.


Information Flows

> Key findings

• Material information about non-financial risks was often buried in dense, voluminous Board packs.

• No clear hierarchy or prioritisation for non-financial risks.

• Information flows between Board committees and full Boards sometimes created asymmetric information.

> Why does it matter?

• Ensure concise management reporting that focuses on the key non-financial risks, with supporting Key Risk Indicators that can provide additional insight and can highlight emerging risk.

• Consider initiatives to improve mapping and synthesis of risk and compliance reports, to ensure they prioritise key non-financial risks.

• Ensure that all material risks are being monitored and managed in the appropriate executive forums, and that there is a structured and well-defined “path to the Board” should line risk managers identify significant concerns.

• Boards should review both the formal and informal links between individual Committees, and also between Committees and the Board, to ensure that they are fit for purpose and can be demonstrated as effective.

How can KPMG Help?

• Review Board effectiveness and corporate governance frameworks.

• Look at ways to improve information flows within the Board, between the Board and committees, and with management.

• Trace obligations from front-line oversight through to Executive and then Board reporting.

• Review the frameworks that ensure material risks/issues are logged, prioritised and then escalated.

• Review incident management / issue management processes.

Board Risk Committees (BRCs)

> Key findings

• The minutes reviewed would not on their own support that directors were exercising active stewardship.

• The timing and frequency of BRC meetings was generally modest.

• Material risk issues were often escalated in an informal and unstructured manner outside Board meetings.

> Why does it matter?

• BRC members must have capacity to attend to their oversight duties not only during ‘business as usual’ periods but also during periods of intense activity.

• Your BRC should meet with enough regularity to ensure that issues being raised or identified are dealt with promptly.

• Issue age should be tracked, and actions should be monitored, to both create and demonstrate rigour and urgency.

• Boards may want to consider how their decision-making processes are documented, incorporating the basis and the key data that informed the decision, and whether alternative options were considered.

• Transparent escalation processes should define: initial escalation; the forum(s) for addressing the issue; how the BRC would be informed; and how issues are recorded and closed out.

How can KPMG Help?

• Conduct deep-dive workshops to educate or update the BRC on rapidly evolving products and services entailing many new or heightened risks.

• Monitor and observe BRC meetings for a defined period to assess performance and provide guidance.

• Review and assess functioning of the BRCs.

• Develop charter and operational rhythm for the Executive NFR Committee.


Board Mindset and Behaviours

> Key findings

• Improve ownership of the Board’s role.

• Clarify and focus on outcomes rather than on processes.

• Increase the Board’s commitment to collective rather than individual.

> Why does it matter?

• The Boards should cultivate “Helpful Mindsets and Behaviours” and manage/reduce impact of “Unhelpful Mindsets And Behaviours”.

Helpful Mindsets and Behaviours include:

• Acting as an ethical role model.

• Being accountable, customer-focused and acting with integrity.

• Making conscious efforts to challenge management.

• Requests for management to supply additional information or analysis.

• More robust disagreement with management’s ideas, or expressed concern about the status of initiatives.

Unhelpful Mindsets & Behaviours include:

• Conflicting agendas.

• Decreases in mutual trust and transparency due to constant challenging.

• Attempts to avoid a ‘blame culture’.

• Lack of genuine self-challenge.

• Difficulty understanding the business.

• Constrained ability to read through information.

• Detachment from day-to-day operations.

How can KPMG Help?

• Undertake Board and Board committee evaluations that identify areas of strength and weakness in skills, behaviours and Board meeting effectiveness, measured against the findings and recommendations of this report.

• Undertake tailored Board training around behaviours and mindsets to improve their effectiveness.

Improving the effectiveness of non-financial risk governance and oversight involves many components of the risk management framework - changing reporting alone may not be enough to ensure a structured, sustainable and effective path of information from the front-line to the Board. Taking a holistic approach to this challenge will likely yield better risk oversight outcomes.


Contact us

Jacinta Munro, Partner, Compliance & Conduct. T: +61 3 9288 5877 E: [email protected]

Matt Tottenham, Partner, Risk Strategy & Technology. T: +61 2 9335 8516 E: [email protected]

Sophie Ioannou, Associate Director, Compliance & Conduct. T: +61 3 8663 8722 E: [email protected]

Nandkumar Kadam (NK), Manager, Risk Strategy & Technology. T: +61 3 8663 8621 E: [email protected]

The information contained in this document is of a general nature and is not intended to address the objectives, financial situation or needs of any particular individual or entity. It is provided for information purposes only and does not constitute, nor should it be regarded in any manner whatsoever, as advice and is not intended to influence a person in making a decision, including, if applicable, in relation to any financial product or an interest in a financial product. Although we endeavour to provide accurate and timely information, there can be no guarantee that such information is accurate as of the date it is received or that it will continue to be accurate in the future. No one should act on such information without appropriate professional advice after a thorough examination of the particular situation.

To the extent permissible by law, KPMG and its associated entities shall not be liable for any errors, omissions, defects or misrepresentations in the information or for any loss or damage suffered by persons who use or rely on such information (including for reasons of negligence, negligent misstatement or otherwise).


Liability limited by a scheme approved under Professional Standards Legislation. February 2020. 455153918FS

KPMG.com.au
