ASIC's First Report on director and officer oversight of non-financial risk is essential reading for all listed companies, regardless of the industry sector, and sends a clear message to non-executive directors. Partner Langton Clarke warns there is no doubt about ASIC's expectation that accountability structures and governance practices should be reassessed to better manage non-financial risk.

The First Report

Arising from the Hayne Royal Commission, ASIC established the Corporate Governance Taskforce in late 2018 to review the corporate governance practices of Australian listed entities.

Released in early October, the First Report focuses on a review of seven financial services companies, including the 'Big 4' banks. The Report sets out the findings of organisational psychologist Elizabeth Arzadon from Keil Advisory Group, which centre around the conduct of boards at two extremes: either the chairman reigns supreme or there is a distinct lack of accountability and informational asymmetry between board members and management.

Key findings

ASIC's review found:

• Management was operating outside of board-approved risk appetites for non-financial risks, particularly compliance risk.
• Reporting of risk against appetite often did not effectively communicate the company's risk position. Boards need to take ownership of the form and content of information they are receiving so they can adequately oversee the management of material risks.
• Material information about non-financial risk was often buried in voluminous board packs. Management reporting should have a clear hierarchy and clearly prioritise non-financial risks.
• The effectiveness of board risk committees (BRCs) could be improved. BRCs should meet more regularly, devote enough time and be actively engaged to oversee material risks in a timely and effective manner.

A message from ASIC

ASIC has urged companies to consider their governance processes in place to manage non-financial risks and warned against management operating outside stated risk parameters. ASIC concludes that non-financial risks are often understated by boards and reporting should have a clear segmentation to identify the priorities and effectiveness of the risk policies in place.

It seems ASIC will continue its attempts to regulate culture, regardless of the ambiguity, and has publicly stated it is not afraid to use the courts to clarify the law. If you are unsure whether your systems comply with ASIC's requirements, please contact a member of our team.