One of the emerging compliance challenges faced by Australia’s financial institutions is managing non-financial risk. But grappling with the amorphous ideas of ‘culture’ and ‘responsibility’ can be difficult for organisations more accustomed to tangible measures like profit and loss. What’s the big deal anyway? If non-financial risks are those that exist outside the business’ core revenue-generating activities, why should management care?
It’s a question that the leadership at Crown Resorts would be well placed to answer, as they grapple with their inability to secure a license for their new Barangaroo casino and face the possibility of the closure of their entire Australian operation.
So, what can other organisations learn about mitigating non-financial risk from the Crown crisis?
An organisation’s board is ultimately accountable for an organisation’s culture. This means they need to hold management accountable not only for reporting on risk but for ensuring they are receiving appropriate information to be able to address potential risk.
In its report into corporate governance in the financial services industry (Director and officer oversight of non-financial risk report), ASIC zeroed in on non-financial risk appetite, noting that in many companies this did not filter down into actionable practice below board level. That is, management were often acting in a way contrary to the risk appetite set out by the board. In turn, the board was not addressing this variance, either because they were not aware or because they did not care enough.
In one example brought to light by the NSW Independent Liquor and Gaming Authority (ILGA) inquiry into Crown Resorts, former chairman, John Alexander, revealed that senior staff failed to elevate concerns about a breach in process to the board – a breach that should have been a major cause for concern as it implied money laundering was taking place within the Melbourne casino. Crown has repeatedly denied allegations of money laundering occurring through its casinos.
This demonstrates that directors cannot defer responsibility by saying they “didn’t know” about an issue. They need to take responsibility for the quality of reporting they receive. If it is not fit for purpose, board members and directors should proactively approach management and request improved information.
Compliance on display
A good compliance structure, with up-to-date systems, processes, manuals and training, is crucial to the safe operation of financial services businesses. But just as importantly, the approach an organisation takes to compliance sets the tone for employee behaviour. An organisation that cares little about how it manages compliance is likely to leave employees with the impression that compliance is not terribly important to the company.
In the case of Crown Resorts, the ILGA inquiry determined that the group was unsuitable to hold a gaming license due to the operator's “poor corporate governance” and “deficient risk-management structures”.
Specifically, the inquiry revealed that crucial compliance training was not provided to staff within the Crown group. A former chairman and other board members admitted they had received no training in anti-money laundering before or during their tenure on the board. There were allegedly plans to introduce a “company-wide program” to detect incidents which may indicate money laundering, but these had not been implemented.
ASIC observed similar issues among the financial services organisations it reviewed as part of its Corporate Governance Taskforce. ASIC noted that while companies often had frameworks and structures in place to support board oversight of non-financial risk, in practice, deficiencies arose in compliance with these frameworks, with management operating outside the board-approved risk appetite for “years at a time”.
This is why an essential component of the management of non-financial risk is the identification, reduction and mitigation of risk through well-documented and well-communicated systems, policies and procedures.
The behaviour you walk past is the behaviour you accept
If your company expects certain behaviours or actions to be taken, documenting these in a mission statement is not enough. They must also be behaviours demonstrated by the senior management. Choosing to ignore misconduct by leaders, or failing to effectively deal with inappropriate behaviour, will be viewed as the organisation’s condoning of poor conduct.
In the case of Crown, all employees and board members are subject to a code of conduct, which sets out expected behaviours such as reporting and investigating unlawful activities. However, allegations of money laundering, breaching gambling laws and links to organised crime gangs have plagued the group for years.
In one example that came to light during the ILGA inquiry, former chairman James Packer was asked why Crown never investigated the so-called ‘junket operators’ who were named in media reports as having links to organised crime. Mr Packer said they were “good for business” and a major revenue driver and that he had no understanding of Crown's oversight of them, claiming it was the job of senior staff to keep track. The report labelled this and similar examples of Crown ignoring possible wrongdoing as “corporate arrogance”.
This illustrates why policies and procedures will never be enough to ensure employees respond to every situation appropriately. Leaders past and present set the culture employees live by.
As the Crown case shows, non-financial risks have very real financial implications for companies, their investors and their customers. Not only can incidents cause major disruption to business, but a failure to plan for and mitigate potential risks can also put your company firmly in the spotlight of regulators and the general public alike.
The message to businesses is simple: ignore non-financial risk at your peril.