One of the key themes of the Australian Prudential Regulation Authority (APRA) Final Report of the Prudential Inquiry into the Commonwealth Bank of Australia (CBA) published in April 2018 was the importance of oversight by the Board (and its Committees) of non-financial risks (that is, its operational, compliance and conduct risks) and, in particular emerging risks.
At a strategic planning level, it is important to identify current risks and threats, emerging risks and potential new threats for the business, both external and internal, as it grows and evolves.
External risks: regulatory uncertainty and FOMO
Regulatory risks have escalated with the Financial Services Royal Commission hearings and the Commissioner’s Interim Report due by 30 September 2018.
The electoral cycle and day to day politics are likely to affect regulatory change. With an election due by May 2019 but possible this year there are numerous Bills awaiting passage by the Senate.
An incomplete legislative program creates business uncertainty as much as sudden unplanned regulatory changes.
I recently attended a meeting where risk and compliance professionals discussed “completeness risk”.
In auditing, completeness means ensuring that valid transactions are not missing from the accounting records and all information is properly contained in the reports that management uses.
In the context of compliance risk, I interpret “completeness” to mean they have a fear of missing out on a relevant regulatory announcement and, as a consequence, not alerting the business to that change and allowing the business sufficient time to implement policy or procedure changes in response.
Internal risks
On a day to day level identifying emerging threats to your organisation’s reputation is critical: in the case of the CBA, its Board did not receive alerts on individual incidents or themes that indicated an underlying or emerging risk or issue that might have reputational consequences.
Specific risk areas include AML, cyber-security and conduct, operational and compliance risks.
A process is important to identify emerging systemic issues from customer complaints.
Risks from the advanced use of technology must also be monitored.
In summary, your Board and Risks Committee needs to have processes in place to identify both emerging external and internal risks, whether financial or non-financial.
