Effective Management and Oversight of non-financial risk
In his address to the Australian Institute of Company Directors (AICD) corporate governance summit, Australian Securities and Investments Commission (ASIC) Chair Joe Longo spoke about: ASIC's corporate governance priorities for the year ahead; the regulator's continuing focus on protecting consumers from online threats (touching briefly on ASIC's expectations with respect to the implementation of the Design and Distribution Obligations (DDOs)); and ASIC's own digital transformation and focus on improving regulatory efficiency.
Our key takeaways are below.
ASIC’s corporate governance priorities for the next 12 months
An ongoing priority
A key message running through the speech is ASIC's focus on ensuring that non-financial risks are managed effectively and that boards and organisations accord the management of these risks priority on an ongoing basis. Mr Longo stated:
'So I can’t stress this enough. Good governance and culture require constant and ongoing investment of time and effort. Nothing short of that will do. Because if and when those efforts do fall short, there are consequences. When a company fails to act responsibly, ASIC will not hesitate to take action'.
A 'pragmatic' approach to good governance and risk management
Mr Longo emphasised that ASIC is focused on ensuring effective management, not elimination, of risk.
'ASIC recognises that running a company is about managing risks, and involves decision makers allocating resources and making decisions very often in conditions of uncertainty.
The courts have also acknowledged that a degree of pragmatism is involved in balancing risks and benefits. Ultimately, however, in the words of one judge, companies “did not evolve to facilitate risky activity without personal responsibility”.'
In light of this, ASIC encourages directors to focus on ensuring that risks, and in particular the non-financial risks facing their specific organisation, are being as effectively managed as possible. Mr Longo stated:
'ASIC is acutely aware that there is no one-size-fits-all approach to governance. The costs and consequences of poorly handled non-financial risks can be immense and, at the extreme, catastrophic. However, establishing the structures and information flows within your control, getting the people and practices right so as to seek out the "known unknowns" that might otherwise endanger your business, is a very achievable objective'.
Three key areas
Mr Longo said that the 'most common types of situations we are looking at relate to failures by directors to manage their company’s significant or strategic [non-financial] risks'.
In particular, Mr Longo identified the following three areas as key areas of focus for the regulator, including from an enforcement perspective.
- 'Governance failures relating to non-financial risk that result in significant harm to consumers and investors'. For example, Mr Longo said that this could include failure by directors to:
- 'identify and manage the risk attaching to a company’s business activities;
- failing to ensure that appropriate resources are allocated to deal with risks; or
- failing to respond to indicators that risks are not being properly managed'.
- 'Cyber governance and resilience failures'. For example, failure to have adequate policies, systems, and resources in place to appropriately manage cyber security and cyber resilience.
- 'Egregious governance failures or misconduct resulting in corporate collapse' eg 'where company money, or money belonging to company creditors, is misapplied or misappropriated'.
Other areas of focus
Cyber risk
- Heightened risk environment: Mr Longo reiterated ASIC's earlier call for entities to adopt an 'enhanced cybersecurity position' in light of the current heightened threat environment.
- Market Integrity: Mr Longo said that 'cyber risk is very much the new frontier of market integrity' and encouraged firms to improve their management of cyber risk and to focus on improving their cyber resilience on this basis. In saying this, Mr Longo made clear that ASIC is
'not looking to prescribe technical standards or provide expert guidance on operational aspects of cyber security. That is the role of Government and other agencies. Where we consider that a firm has not met its obligations, ASIC may take enforcement action to drive a change in behaviour, as we are with RI Advice Group'.
- Role of boards: Mr Longo said that boards play a key role in this context. In particular, Mr Longo said that boards
'should consider where they have an obligation to report breaches to ASIC, and where it may be appropriate to make disclosure to the market as either continuous disclosure or in financial reports. This year we see a number of risks emerging that will need to be assessed and managed by directors. Specifically, the threat posed by the widespread use of open-source software (think back to the ‘Log4j incident’ just prior to Christmas), heightened global tensions, and the continuation of flexible working arrangements'.
Climate-change disclosure for listed companies
- Focus on improved disclosure and governance: Mr Longo said that:
'ASIC’s core focus is to foster continued improvement in the standard of climate change governance practices; and to promote the provision of reliable and decision-useful climate-related disclosures by listed companies, to enable investors to make fully informed decisions'.
- Directors are expected to adopt a 'proactive approach' to governance and disclosure of climate/sustainability risks in light of recent developments (eg the roll out of mandatory climate-disclosure requirements in other jurisdictions and the development of global climate/sustainability disclosure standards by the International Sustainability Standards Board (ISSB)). Mr Longo pointed to the Task Force on Climate-related Financial Disclosures guidance on what constitutes 'good disclosure' as a useful resource in this context. Mr Longo said that ASIC intends to 'engage closely with listed companies and investor groups throughout 2022 as the International Sustainability Standards Board climate standards develop, and as mandatory reporting rules are introduced in other markets'.
- Greenwashing: Mr Longo said that ASIC is conducting a review to 'establish whether the practice and promotion of managed investment and superannuation funds that offer "ESG" or "green" products are actually aligned'. Citing requirements in the Corporations Act 2001 (Cth), Mr Longo encouraged boards to 'look out for any greenwashing – and to ask whether their company’s disclosure around environmental risks and opportunities, or their promotion of ESG-focused products, accurately reflects their practices in this area'.
Whistleblowers and good governance
- Many whistleblower policies are 'deficient': Mr Longo observed that ASIC's 2020 review of whistleblower policies found that many companies' policies were 'deficient' in various respects including that they were: incomplete, contained inaccurate or out of date information, and did not include oversight arrangements.
- Surveillance of whistleblower programs: Mr Longo said that ASIC has commenced a surveillance of company whistleblower programs to assess: a) 'how companies are handling whistleblower disclosures'; b) 'how they use the information from disclosures to address issues or change their operations'; and c) 'the level of board and executive oversight of the program'.
Online scams and exposure to misleading and deceptive conduct
- Mr Longo said that ASIC has seen an increase in first time investors entering the market as well as an increase in the volume of business activity conducted online. Consumers are also facing increased risk of online scams and exposure to misleading and deceptive conduct.
- In response, ASIC's priorities over the coming year include:
- 'Working with other regulators, industry and social media platforms to combat and disrupt financial scams
- Addressing the deceptive promotion of riskier asset classes such as crypto
- Disrupting investment ‘gamification’ on digital platforms
- Protecting financially vulnerable consumers impacted by predatory lending practices or high-cost credit.
- Addressing misleading and deceptive conduct relating to investment products, including advertising through digital means that obscures the risk
- Ensuring that consumers receive the benefits of the new design and distribution obligations' (DDOs)
'Targeted surveillance' of DDOs
Mr Longo observed that ASIC's early reviews of target market determinations 'highlighted some disappointing approaches', though there were 'positive improvements in response, including from the big end of town'. Mr Longo said that ASIC now considers that
'industry is reaching a point where it has had sufficient time to bed down its implementation of the regime. We will therefore be expecting compliance with the regime, and across this year we will pursue a targeted surveillance approach, and will be moving to enforce the obligations where necessary'.
ASIC’s digital transformation and focus on regulatory efficiency
- Mr Longo reiterated the regulator's continued focus on investing in new technologies/systems to lift its digital capabilities. One aspect of this is exploring how supervisory technology – SupTech – can be used to streamline interactions between ASIC and others.
- Mr Longo also pointed to the work of the recently established Regulatory Efficiency Unit (REU) at ASIC as playing an important role in removing 'unnecessary frictions in our interaction with industry, to reduce regulatory impost and drive better compliance'. Mr Longo said that the REU has so far met with 70 external stakeholders and is engaged in identifying a range of initiatives to improve the efficiency of ASIC's interactions with its regulated population.
- Mr Longo observed that reducing complexity is also a focus for the government with the Australian Law Reform Commission currently reviewing the Corporations Act with this aim in mind.
[Source: Australian Securities and Investments Commission Chair Joe Longo, Address at the AICD Australian Governance Summit: ASIC’s corporate governance priorities and the year ahead 03/03/2022]