The shape of risk reporting in 2020: Non-financial risk

Non-financial risk is a topic that has garnered much attention throughout 2019 and it continues to gain momentum as we move into 2020. As some in the industry start referring to it under a new acronym (NFR), we are likely to see many variations of guidance emerge and new trends and improvements to non-financial risk reporting take shape. Regulatory developments across a number of different government departments have already commenced, with several information papers having been released more recently which provide guidance on the management and reporting of non-financial risks.

While there is a current focus on non-financial risk management in Australia, it is actually an area that has garnered some attention globally for the past few years. It didn’t really gain a lot traction locally until the issue of misconduct was presented front and centre at the Royal Commission into Misconduct in the Banking, Superannuation and Financial Services Industry. A lack of oversight and attention on non-financial risks at Executive and Board levels, including those stemming from conduct, compliance and operational risk matters, is now more apparent than ever.

With the added concern that these non-financial risks are now being realised and giving rise to very real reputational and strategic concerns (which can then result in serious financial impacts to a business), organisations are moving to improve risk reporting on all fronts, and to enhance awareness, accountability and oversight of non-financial risks.

Recent regulatory developments that are driving change

Australian Prudential Regulation Authority (APRA)

In relation to APRA’s remit, there are several key developments that are driving change:

Findings from the Royal Commission

Weaknesses highlighted during the Royal Commission and during APRA’s subsequent Capability Review in 2019 have put renewed focus on non-financial risk areas internally within APRA. APRA has dubbed this ‘GCRA’ (which stands for governance, culture, remuneration and accountability) and a number of projects are now in train to strengthen APRA’s prudential supervision of these. This includes a revised prudential standard on remuneration[1] aimed at providing clearer and more-readily enforceable expectations for remuneration arrangements.

Outcomes from the CBA prudential inquiry

There is a genuine concern that the issues and lack of focus on non-financial risks found within the CBA could be systemic issues across the industry. This is driving APRA to seek more information from organisations on their treatment of non-financial risks and has put risk reporting in the spotlight. APRA has announced plans to embed risk governance self-assessments into its prudential framework and to potentially commence an annual GCRA declaration – both of which will require improvements in the reporting of non-financial risks.

Review and update of APRA reporting requirements

APRA collects information on behalf of the ABS, RBA and ASIC and, as a result, reporting requirements can be quite onerous. In early December 2019, APRA released a proposal to substantially increase the volume and breadth of data that it makes publicly available on authorised deposit-taking institutions (ADIs)[2]. Earlier in 2019, APRA also commenced a project to overhaul reporting in the Superannuation industry and has now released a heatmap of performance results to enable comparisons across funds[3].

Essentially, it can be expected that reporting requirements to APRA (and subsequently to other government organisations) will increase in 2020 and that more of this information will be released to the public. Organisations will need to ensure that their internal systems can accommodate changes in reporting requirements and that robust processes are in place to ensure data integrity.

Extension of BEAR requirements into other industries

The introduction of BEAR within the banking industry has resulted in the need for the development of specific reporting in order to enable accountable persons, including directors, to have comfort over their specific areas of accountability. As this accountability regime is extended into other industries, this focus on reporting will need to follow suit.

Australian Securities and Investments Commission (ASIC)

Findings from the Royal Commission

ASIC has faced similar pressures to APRA coming out of the Royal Commission, which has highlighted a need for improved reporting of non-financial risks. As a result, ASIC has now released a guidance paper on non-financial risk management[4] which calls out the need to review key reporting metrics and, in particular, to ensure that metrics are in place for the reporting of non-financial risks and not just financial risks.

Other relevant points to note from the paper:

* The volume of reporting to Boards and Committees was found to be excessive in many cases; people don’t want to or don’t know how to exercise judgement as to what is important and what can be omitted from reports.

* Furthermore, material information about non-financial risk was often buried in dense, voluminous board packs. Onerous board reporting is a commonplace issue and this makes it difficult to identify key non-financial risk issues within the information presented to the Board. Reporting packs should be reviewed with the intention of escalating clear and concise risk information.

* Management was often found to be operating outside of board-approved risk appetites for non-financial risks, particularly compliance risk. This could suggest that the reporting of these risks is insufficient for Boards to identify issues and/or hold management to account.

* Reporting of risk against appetite often did not effectively communicate the company’s risk position. Risk reporting should be concise and effective, and in some cases may need a complete overhaul. ASIC has encouraged Boards to take ownership for the form and content of the information reported to them and should actively give feedback to management on the reports they receive.

Complaints reporting

ASIC are also in the process of mandating changes to the recording of complaints through updated guidance in RG 165 and will subsequently introduce a legislative instrument on this[5]. This has also been driven by Royal Commission findings, as consumer complaints are viewed as a key risk indicator for conduct issues. Some key changes being proposed to RG 165 are:

* A new requirement to record all complaints received, including those that are resolved immediately. This is something that many institutions don’t currently do, but would actually provide them with more data to enable the necessary analysis and consideration of systemic issues.

* A new requirement to record prescribed data for each complaint received. This is to enable easier comparison and for reporting to ASIC.

* New requirements to report Internal Dispute Resolution data to ASIC. ASIC is proposing for organisations to provide them with 6-monthly reports on all complaints data.

* New requirements for identifying, escalating and reporting on systemic issues. Reports to the Board and Executive Committees must include metrics and analysis of consumer complaints including about any systemic issues that arise out of those complaints, in order to ensure that root-cause analysis has been conducted and to enable them to appropriately oversight for systemic issues.

While complaints reporting is currently under the spotlight following the matters brought to light in the Royal Commission, it is likely that other areas will receive attention in the future.

Focal points to improve your risk reporting

Focus on reporting key risk issues

Board reporting, including risk reporting, is notably voluminous at many organisations. While many view this positively as a demonstration of an increase in the dialogue on risk issues, it can have the offsetting impact of overwhelming those charged with the oversight of risk management. Risk reporting should be tailored so that key information is presented clearly and concisely and does not get lost under mounds of information.

Train staff in risk analysis and report writing if necessary

In order to assist in the production of targeted and more useful risk reports, some organisations will need to address weaknesses in the level of skills around risk analysis at both employee and director levels.

Consider the sufficiency of key risk metrics

Ensure that you have enough metrics to report on both financial and non-financial risks, and that the reporting of these metrics clearly indicates their position against risk appetite.

Non-financial risks are considered more difficult to define and measure than financial risks as they contain a level of subjectivity that often sees them left out of risk dashboards. Continue working on your risk metrics and ensure that a breadth of key risk areas are covered in any dashboard style snapshot.

Furthermore, it is essential that these metrics are all calibrated the same way. A KRI that falls into a ‘red rating’ in one area should not be considered less significant than a KRI that falls into a ‘red rating’ in another area, otherwise this will drive complacency with respect to risks that are sitting outside of appetite.

Recalibrate risk reporting to achieve a better balance between financial and non-financial risks

Make sure that there is an appropriate mix of financial and non-financial risk reporting. Take a critical look at your risk reporting and consider whether it covers:

* A sufficient number of quantitative indicators to regularly report and monitor positions against risk appetite.

Information on material incidents, complaints, etc.

* Analysis of those incidents including root-cause and trend analysis.

* Results and progress of risk and control assessments, including the status of any projects aimed at improving these.

* Internal and external audit findings and the progress of actions taken to resolve them.

Some institutions have also implemented or commenced development of risk culture dashboards, which essentially include a set of non-financial risk KRIs. The content of risk culture dashboards often represent an extract of relevant KRIs from the risk appetite framework, or an expanded set of non-financial risk KRIs, that facilitate the monitoring of risk culture in the interim between risk culture survey / assessment processes.

Consider the sufficiency of the data captured and of your GRC system to complete the necessary risk analysis

We encourage clients to make the most use of the systems that they already have in order to help identify risk trends and correlations, and to facilitate regular risk reporting. In some cases, an upgrade of the reporting functionality or overall system may be considered necessary.

The ways in which we can help you

At times it can be useful to call in an independent party to provide perspective and a fresh set of eyes. Here is a list of ways that we can help your organisation move forward with its management of non-financial risk:

* Independent assessments of Board/Committee performance.

* CBA-style independent assessments of governance, accountability and culture.

* Review of and/or redevelopment of risk reporting.

* Assistance setting up registers and reporting within your GRC systems.

* Development and enhancement of risk appetite statements.

* Risk culture assessments.

* Articulation of desired risk culture and specification / implementation of risk culture dashboards.

* Development and enhancement of conduct risk management frameworks.

Get in touch if you would like to hear more about our services!

References:

[1] https://www.apra.gov.au/sites/default/files/draft_prudential_standard_cps_511_remuneration_v2.pdf

[2] https://www.apra.gov.au/news-and-publications/apra-proposes-major-uplift-transparency-around-banking-data

[3] https://www.apra.gov.au/news-and-publications/apra-publishes-mysuper-heatmap

[4] https://asic.gov.au/regulatory-resources/find-a-document/reports/corporate-governance-taskforce-director-and-officer-oversight-of-non-financial-risk-report/foreword/

[5] https://www.asic.gov.au/media/5113692/cp311-published-15-may-2019.pdf