The FSRC resulted in the bar being lifted on corporate governance, business practices, the treatment of customers, and the management of non-financial risks across Australia. Although targeted at the financial services industry, the FSRC changes are heavily influencing organisations in both the private and public sectors, and are re-defining what constitutes good practice. Just as boards and senior executives settled into new, enhanced governance processes, their operating environments have abruptly changed with COVID-19. Critical (business influencing) information is being released daily, board and management committees are meeting more frequently, and rapid decision making is becoming the new norm.
The FSRC report provided a powerful reminder that the successful delivery of long-term shareholder value is about balancing the needs of different stakeholders. The balancing act for boards has suddenly become more complex as there are many significant short-term impacts arising from the longer-term objectives being pursued. For example, many organisations are in a capital and liquidity preservation stage and are reducing (or removing altogether) dividend payments. This will have significant short-term impacts on shareholders, particularly self-funded retirees, whose income is already constrained due to the historically low interest rate environment.
Below are some elements of good governance and risk management practices we believe are critical for organisations to undertake in order to flourish post COVID-19. In light of the fast changing environment, senior leaders and boards should continually review their practices to ensure that they are right for the current environment, and that they are not sowing the seeds of future conduct issues.
1. Maintain appropriate board and sub-committee oversight
During a crisis, there is an expectation that boards and risk committees would be meeting more frequently. During the Global Financial Crisis, the composition of risk committees changed, and for some organisations, all members of the board became members of the risk committee. It is essential that boards review their current arrangements and determine what is best for their particular situation – there is no one size fits all approach. Some organisations will benefit from all board members being active members of a risk committee, while others require a sub-set of highly skilled risk committee members in order to zero in on highly technical problems. Regardless of the approach taken, the organisation needs to have an efficient mechanism to get concise and timely risk information to all board directors.
In recent weeks we have observed an increase in the level of engagement between boards and management, not necessarily via board committees. As directors demand more information, and are getting closer to the detail, there is the risk that the roles of the board and management become blurred. All parties need to ensure that there is clarity in terms of the role of the board versus management, and that this separation of functions is maintained. In a post COVID-19 world, where management and board decisions are being reviewed by external stakeholders, it will be important to be able to demonstrate that boards fulfilled their duties and did not inadvertently take on management functions.
2. Maintain an appropriate risk appetite, risk framework and metrics
“A ship in harbor is safe, but that is not what ships are built for”
John A. Shedd
The risk management frameworks of many institutions are currently being tested. COVID-19 is being described as a one-in-100-year event, and unfortunately many risk frameworks, and the assumptions underpinning them, have not been developed to cater for these 'wild seas'. Many organisations will have risk appetite statements that state 'swift action is taken wherever management is at risk of operating outside of appetite' – but what happens when the majority of your appetite metrics are red?
Now is not the time to throw out existing risk appetite metrics. Senior executives and boards should be focussing on those metrics they can influence, and begin contingency planning for further deterioration in those metrics they cannot influence. We are currently living in a stress test, so when capital and liquidity forecasts are being discussed, senior executives and boards should be acutely aware of the assumptions being used by management in their modelling, and challenge each other on whether those assumptions are extreme enough (or too extreme).
As boards begin to revisit their strategies, during and post COVID-19, it is essential that risk management frameworks are revised concurrently. For example, we anticipate that going forward, there will be a much greater appetite for staff to work from home. Before March 2020, many organisations thought it too impractical and risky to have certain staff (such as call centres) working from home, yet now it's an accepted COVID-19 norm. Organisations need to update their cyber security, privacy and operational risk frameworks in order to mitigate this new risk exposure in line with their stated risk appetite. Find out more about cyber security risks in Perspectives on Cyber Risk 2020.
3. Ensure risk information is of high quality and flows freely
As a result of the Banking Executive Accountability Regime and other public statements from APRA and ASIC, information flows between board committees and the board have become more formal, structured and documented. Management committee information flows have also followed this trend. With the recent required move towards more agile decision making, organisations have to make sure that the quality of information is maintained (although it may be less formal). Some senior executives and boards have seen the benefits of a more agile decision making process and intend to adopt these going forward. For these organisations, the board and senior executives need to remain satisfied that they are equipped with the right information to effectively challenge management.
Now more than ever, management reporting needs to be reliable and timely, and to clearly identify the prioritisation of financial and non-financial risks. With many risk metrics now in the flashing red zone, board risk committees need to effectively triage and prioritise issues to be escalated to the board and focus on actions to resolve significant outstanding issues. Decision making, including oversight and challenge, as well as good record keeping, are critical. Using a risk based approach to prioritise activity is one way to support effective decision making, and there should be a feedback mechanism in order to demonstrate how those decisions have been implemented by management.
4. Adopt an approach to regular, in the moment, self-assessments and review
Following the insights obtained from conducting board self-assessments in 2018, many boards within the financial services industry had committed to developing a rhythm for regular self-assessments and independent reviews of their approaches to governance. While there is the temptation to do a post-implementation review of the management of COVID-19 once the pandemic is contained, boards should conduct mini self-assessments, in the moment, to ensure that any changes to governance practices are appropriate, and that the committees are operating optimally. Boards and committees should regularly hold reflective sessions to confirm that they are still getting adequate, quality information to enable informed (and defensible) decision making.
5. Communicate clearly on purpose, values and culture
Senior executives and boards should continue to ensure that the organisation's stated purpose, values and culture are demonstrated in practice. During these times, difficult decisions will be viewed by stakeholders in the context of the organisation's stated purpose and values. Post the FSRC, many organisations have adopted the 'should we?' test. Senior executives and boards should be ensuring that their staff are supported by formal and informal mechanisms to drive the right behaviour in a time when standard practices are not being followed due to the changed environment. With large numbers of staff working from home, the communication channels need to be reviewed and refined to cater for a distributed workforce.
Private and public organisations across Australia have generally responded responsibly to COVID-19. Adoption of a 'community first' mindset, helping customers and others deal with the economic, health and social fallout through a variety of measures, is not only admirable, but has provided organisations with an opportunity to improve trust with their stakeholders. While Commissioner Hayne's six principles (obey the law, do not mislead or deceive, be fair, provide services that are fit for purpose, deliver services with reasonable care and skill, and when acting for another, act in the best interests of that other) will forever hold true, in this time of uncertainty, organisations should 'double down' on their commitment to treat customers fairly, and ensure that these principles are widely understood and enacted by all staff. As organisations move at pace to change their operations, there is a risk that key mitigation strategies (designed to protect customers) are missed, or are not operated effectively, resulting in poor customer outcomes in the future. Undertaking a 'risk in change' assessment can assist organisations in assessing how new processes may introduce risks into the business.