ASIC’s new conduct expectations in Corporate Governance
2 October 2019: ASIC chair James Shipton ‘set the bar’ today at the Australian Institute of Company Directors on what the corporate regulator regards as good governance of ‘non-financial risk’. He launched ASIC’s Corporate Governance Taskforce report, Director and officer oversight of non-financial risk, which sets out the standard the corporate regulator expects from organisations when governing non-financial risks such as conduct, operational, compliance and strategic risks.
The Chair reminded company directors that ASIC’s strategic priority was to ‘improve governance and accountability’ in the corporate governance practices of financial and non-financial entities, as well as large listed entities. He added that ASIC will be undertaking targeted reviews of these entities’ corporate governance practices and publishing its findings.
Deloitte Co-Lead Partner for Corporate Governance, Deborah Latimer, said today’s taskforce report was a key regulatory response to the corporate governance themes of Commissioner Hayne’s 2019 report on the Royal Commission into Misconduct in Banking, Superannuation and Financial Services.
She noted that the Hayne report had said that ‘every piece of conduct that has been contrary to law, is a case where the existing governance structures and practices of the entity and its risk management practices have not prevented that unlawful conduct’. Latimer said: “While supervisory, the Taskforce report comes at a time when ASIC has adopted an enforcement strategy of ‘why not litigate’.”
She pointed out that the Corporate Governance Taskforce report reinforces ASIC’s approach to the non-financial risk governance failures identified in the APRA Prudential Inquiry into the Commonwealth Bank in 2018, which included the need for ‘more rigorous Board and Executive Committee governance of non-financial risks’.
This covered: approaching conduct risk by asking ‘should we?’ rather than ‘could we?’; accountability standards reinforced by remuneration practices; upgraded authority and capability of operational risk management and compliance functions; and cultural change to move the dial from reactive and complacent to empowered, challenging and striving for best practice in risk identification and remediation.
Based on the work of the Taskforce, ASIC is set to release a follow-up report later in the year that will deal directly with the relationship between conduct risk management and executive variable remuneration.
“ASIC’s work is essentially focused on the overall governance by corporate Australia of conduct risk,” Latimer said. “It should prompt organisations to consider how their governance structures support good conduct outcomes.”
“While ASIC’s initial focus is on seven organisations from the financial services sector, this will not stop there. As Australia’s corporate regulator, the duties of company directors set out in the Corporations legislation apply broadly. ASX listed entities in every sector should be asking themselves: ‘Would we be ready for an ASIC Taskforce review?’”
Latimer and Deloitte corporate governance co-lead, Karen Den-Toll, worked with ASIC’s Taskforce team to design a hypothesis-led methodology, which was adapted by ASIC in the Taskforce’s review.
Den-Toll said: “This methodology helped the Taskforce identify good and poor governance practices across the documents being reviewed. The themes covered board structure for monitoring and supervising; risk governance; board and management accountability; reporting and information flows; and risk resourcing.”
Deloitte Risk Advisory Financial Services leader Mike Ritchie provided international research on governance practices relating to director and officer oversight of non-financial risk in the United Kingdom, the United States, Canada and Germany.
Ritchie said: “This research identified global trends in corporate governance across a sample of large listed international companies to compare them with the practices observed from comparative data in Australia.
“If we have learnt anything from the Royal Commission, it’s that corporations not only need strong compliance frameworks, they also need strong cultures of integrity, and the ability to make judgements about context and situations to make good decisions. They need to understand the communities within which they operate and the moral frameworks that guide good from bad.”
In total the Taskforce received more than 29,000 documents for review (which included some documents to assist the Taskforce’s review of executive remuneration).
The Deloitte leaders pointed out that it is timely to take the discipline from the recent work on the Governance, Accountability and Culture self-assessments and drill a little deeper into the organisation’s approach and practices around conduct.
“Now is the right time for organisations to run a thorough health check over their governance and conduct governance arrangements which should really start with the Board reflecting on what good conduct really means for their organisation when it comes to purpose, strategy, and risk,” said Latimer.
“A practical way of approaching this is to look at the organisation’s key public messaging and consider whether its governance structures and arrangements operate in such a way as to adhere to that messaging. This exercise will reveal conduct blind spots.”
The areas that really need to be the subject of critical review in light of the Taskforce Report include:
- The relationship between statutory director and officer duties, corporate conduct, and conduct risk. How are duties discharged in director and officer oversight and management of conduct risk to achieve good conduct outcomes for the organisation?
- The governance structures in place that support and facilitate conduct risk oversight. Who is accountable and who determines the extent to which that accountability is satisfied?
- Decision making processes. How do these processes support adherence to strategic and other objectives and account for conduct aims and risks? What management information supports sound decision-making?
- Executive variable remuneration structures. How does the remuneration structure respond to conduct risk management responsibilities and responsibility failures?
- Routine conduct risk management within the organisation. Is it both systematic and influential, does it provide reasonable assurance on conduct, and are there clear pathways that ensure conduct risk management issues are appropriately escalated and resolved?
See ASIC's release here.