Queensland Audit Office

In October 2019, the Australian Securities and Investments Commission (ASIC) issued its report on oversight of non-financial risk. It said that in contrast to financial risks and returns, non-financial risks have not received sufficient attention until recent times. If not well managed, non‑financial risks have significant financial implications for organisations.

Non-financial risks include:

  • operational risk—resulting from inadequate or failed internal processes, people and systems or from external events
  • compliance risk—legal or regulatory sanctions, material financial loss, or loss to reputation an organisation may suffer as a result of its failure to comply with laws, regulations, and codes of conduct
  • conduct risk—the risk of inappropriate, unethical or unlawful behaviour on the part of an organisation’s management or employees.

While ASIC’s report was directed at large and listed companies, the report findings may serve as guidance for public sector governance bodies.

Entities should review the recommendations against their existing governance practices, accountability structures, and needs of their organisation.

Key observations from the report

Risk appetite statements were not being used effectively

The report found that the quality and content of risk appetite statements for non-financial risks were not as clear or as well articulated as those for financial risks. Entities should express risk appetite statements clearly and meaningfully, and align them with the organisation’s actual risk appetite. Boards are encouraged to actively engage in the approval process of these statements, rather than simply ‘noting’ them.

The metrics used to monitor non-financial risks were also less mature and less effective than those for financial risks. Management were operating outside the board-approved risk appetites for non-financial risks, while appetites for financial risks were not breached. Boards need to hold management to account when it operates outside the approved risk appetite.

Reporting to boards was often dense and lacked focus

Material information about non-financial risk was often buried in voluminous board packs. The report found that many directors acknowledged being overwhelmed with information before a meeting. It also noted that management reporting often did not have a clear hierarchy or prioritisation for non-financial risks. Hence, directors found it hard to identify and prioritise key risks.

In contrast, board minutes were often drafted sparsely. There was little evidence of directors actively engaging with the substance of the proposals that management submitted, or with information reported to them. While minutes are not the only evidence of directors discharging their responsibilities, the minutes themselves would not on their own indicate that directors were exercising active stewardship.

Board risk committees were not utilised effectively

The report found that the timing and frequency of risk committee meetings were generally modest. Risk committees need to dedicate enough time to discharge their mandate, and meet often enough to oversee material risks in a timely manner.

The report also noted a trend toward full board attendance at risk committee meetings. While this avoids repeating discussions and helps all directors become better informed, it may prevent deep-dive discussions. It is also likely to foster a ‘good news’ culture, in which only favourable information is raised.