On face value the Corporate Governance Taskforce: Director and Officer Oversight of Non-Financial Risk Report (ASIC October 2019 Report) may appear to have little relevance for schools, however, if we dig a little deeper we see that there are some important issues discussed that schools should consider.
Oversight of Non-Financial Risks
The first, and most obvious, is that oversight of non-financial risks and reporting of non-financial risks up to the school board or governing body is an essential board oversight role. Often boards (using the term “board” very broadly to encompass all types of legal entities that own and operate schools) focus much more time on financial matters rather than non-financial. While this is understandable, the ASIC Corporate Governance Taskforce (Taskforce) stated (in discussing board oversight of non-financial risks in relation to “Australia’s largest financial services companies”) “we have seen first-hand the damage that can result when it is not made a priority. Mismanagement of non-financial risks…has resulted in [banking] institutions announcing hundreds of millions of dollars in customer remediation costs…”. The ASIC Report also states that industry analysts project that there will be “increased spending on risk and compliance in the [banking] sector in the billions of dollars”.
Definition of Non-Financial Risks
This becomes clearer when you consider what is included in the term “non-financial risks”. ASIC adopted a definition of “non-financial risk” that encompassed three elements, operational risk, compliance risk and conduct risk. Operational risk was described as the risk of loss resulting from failed or inadequate internal processes, excluding strategic and reputational risk. Compliance risk was the risk of regulatory sanctions, financial loss or loss to reputation from failure to comply with laws and regulations, or lack of self-regulating organisational standards such as codes of conduct. Conduct risk is the risk of inappropriate unethical or unlawful behaviour on the part of management and employees.
This three part definition provides a starting point for schools in considering non-financial risks and some helpful categorisation to enable schools to identify sources of non-financial risk.
Categories of Non-Financial Risk
The non-financial risks that school boards should consider is potentially quite a lengthy list. In our May 2018 White Paper “Non Financial Governance Reporting for Non Government Schools” we stated that, while often school boards receive comprehensive reporting in relation to financial, enrolment and academic performance measures, effective board oversight of the overall performance of a school requires a broader set of non-financial reports to be provided and considered.
It is interesting to note that in many schools financial oversight and risk management is often combined into a single board committee with a title such as “Financial and Risk Committee”. This type of committee is almost certain to spend a far greater amount of time on financial matters than it does on oversight of non-financial risks. School boards should consider whether their current committee structures and terms of reference are adequate to ensure non-financial risks receive sufficient attention.
The White Paper listed the following categories of information that would “serve as a useful starting point for boards that are seeking to enhance transparency and their overall decision-making abilities”:
- enterprise risk management
- policy management
- human resources/staff management
- workplace safety
- student safety
- child protection
- student attendance
- ICT (Information & Communications Technology)
- key stakeholder engagement
- property and facilities management
- special projects.
In addition to these categories it was also suggested that boards should “look inward” and monitor their own performance in areas such as:
- progress against strategic goals and objectives
- board performance evaluation
- principal performance evaluation and succession planning
- conflicts of interest and related party transactions.
Using the ASIC non-financial risk definitions we would suggest that school boards receive information in relation to key operational risk areas such as (using the list above) policy management, complaints, human resources/staff management, workplace safety, student safety, child protection, student attendance, ICT and property and facilities.
Schools are generally aware of compliance risks but school boards may not be aware of the full extent of their school’s legal and regulatory compliance obligations or have a good understanding of how these compliance requirements are met. They may also not receive information when there has been a compliance breach.
The area where school boards would often receive little or no information is probably in the non-financial risk area that the ASIC Report refers to as “conduct risk”. Conduct risk includes a lack of disclosure and poor management of conflicts of interest and related party transactions involving staff and other key stakeholders including school suppliers. Conduct risk may also include failure to engage in ‘arms-length’ transactions with school suppliers, including payment to suppliers that are over market value. Conduct risk also includes actual fraud and corruption by employees, possibly from failures to implement internal fraud controls and related policies.
Key Findings of the ASIC Report
The ASIC Report states that boards must realise that they are responsible for mitigating all types of risks, not just financial risks. One interesting finding was that key information about non-financial risks was often buried in “voluminous board packs” making it difficult to identify key non-financial risks issues in information presented to the board. Summarising some of the key findings of the ASIC Report:
- Many boards were not actively seeking adequate data or reporting to measure exposure to non-financial risks.
- Some boards did not always have the right information to make fully informed decisions, often because of “fractured or informal” flow of information around the board table.
- Some directors lacked active engagement with non-financial risks and decisions related to the management of those risks.
- Some boards had articulated risk appetites in relation to specific non-financial risks but the organisation operated outside of these appetites without board intervention.
- There was often no clear hierarchy or prioritisation of non-financial risks.
- Information flows regarding non-financial risks between boards and committees were often informal and ad hoc.
- Board risk committees did not meet frequently enough even though ASIC described them as the ‘workhorses’ in relation to risk.
- Material risks were often escalated informally rather than through proper board channels.
School boards should regularly review the type and quality of reporting that they receive and ensure that they are receiving information on a wider range of non-financial risks, not just academic performance and enrolments. When schools ‘make the headlines’ and suffer damage to their reputation, the damage is often a result of poor management of key non-financial risks.