Both ASIC and APRA have recently separately drawn attention to the importance of boards giving priority to managing compliance risks and other significant non-financial risks that could result in significant harm to consumers, companies and investors.

APRA

In APRA’s publication it emphasised that while compliance risks did not have the direct operational financial implications of credit or market risks, recent high-profile compliance risk failures have made headlines, with businesses having to pay record fines and remediation costs, board chairs and CEOs being forced to resign, and reputations being damaged, resulting in reduced trust from customers and the community.

APRA specifically referred to examples of failure to correctly treat customers (including charging deceased persons, double charging for products, and not applying package discounts), failure to meet anti-money laundering obligations, and privacy breaches.

Prudential Standard CPS 220 Risk Management sets out APRA’s requirements in relation to the risk management framework of an APRA-regulated institution. CPS 220 specifically requires that entities have an adequately staffed, appropriately trained compliance function, with a reporting line independent from business lines.

APRA says that its recent supervision has examined larger and more complex entities and their attention to, and progress on, addressing issues in managing non-financial risk, specifically:

• their compliance management strategy,
• their implementation of frameworks and systems, and
• their accountability and oversight mechanisms to support their strategy.

The key observations from this work have highlighted the need for entities to:

• Have a clearly defined approach to managing compliance risk,
• Have established processes to support compliance risk management practices, and
• Specify clear accountability for managing compliance risk.

ASIC

In a speech by ASIC Chair Joe Longo he said the issues ASIC is focusing on in corporate governance relate to failures by directors to manage their company’s significant or strategic risks.

He identified three topics:

• Governance failures relating to non-financial risk that result in significant harm to consumers and investors. This includes directors failing to identify and manage the risk attaching to a company’s business activities; failing to ensure that appropriate resources are allocated to deal with risks; or failing to respond to indicators that risks are not being properly managed.
• Cyber governance and resilience failures.
• Egregious governance failures or misconduct resulting in corporate collapse. This includes instances where company money, or money belonging to company creditors, is misapplied or misappropriated.

The other issues relating to non-financial risk that ASIC is considering include cyber resilience and climate-related disclosure, including misleading marketing or ‘greenwashing’ by listed entities.

If you found this article helpful, then subscribe to our news emails to keep up to date and look at our video courses for in-depth training. Use the search box at the top right of this page or the categories list on the right hand side of this page to check for other articles on the same or related matters.