Why risk management — like governance — is not ‘one-size-fits-all’

Earlier this year, NSW Treasury released a new draft Audit & Risk policy for public consultation. The policy sets out eight core requirements aimed at strengthening internal audit, risk management and governance across all NSW public sector agencies.

While NSW Treasury’s objectives are clearly laudable, Governance Institute believes that, in practice, they miss the mark.

‘One-size fits all’ is a discredited governance model

Our main concern is that the draft policy mandates a ‘one-size fits all’ approach to audit and risk management which runs counter to global best practice. It’s well-accepted today that prescriptive governance models do not support good governance. World-leading approaches such as our own ASX Corporate Governance Council’s Corporate Governance Principles and Recommendations take a flexible principles-based approach. That is, listed companies are allowed to implement audit and risk frameworks that suit their size, circumstances and industry, while at the same time being accountable to general benchmarks.

Just as the ASX index is home to companies of all shapes and sizes, not all government agencies are the same. Government departments vary greatly in size and structure. And state statutory bodies, including state-owned corporations, which are also covered by the policy, are constituted completely differently from a traditional department. Importantly, they also frequently have boards, whereas government departments do not. These substantial differences are not well accommodated by a single governance or risk management model and could perversely lead to poorer governance outcomes.

Is a wholly independent, combined audit and risk committee really best practice?

The draft policy proposes mandating that all agencies have a wholly independent, combined audit and risk committee. This is well and good for a large government department which does not have a board, and where the agency head effectively functions as the CEO. But it will not work for state statutory bodies which already have committee structures in place and which understand that the management of risk is far broader than financial risk alone. On that basis, mandating a committee comprised entirely of independent, non-executive members would mean excluding senior executives from it. The inclusion of management is vital if a board committee is to oversee risk management effectively. Management brings an in-depth knowledge of the business and its operations to the table. Without management participating in board committee deliberations on key matters like risk frameworks and strategy, the organisation will effectively be navigating blind.

Guidance from ASX Corporate Governance Council’s Principles

In comparison, Principle 4 of the ASX Corporate Governance Council’s Principles and Recommendations recommends that an audit committee or a risk committee be comprised of at least three members, all of whom are non-executive directors and the majority of whom are independent, and be chaired by an independent director. Principle 4 does not mandate a combined audit and risk committee (they can be combined or stand-alone, and risk can be managed by a range of committees if the board so chooses). It also recognises that an entity may not have an audit committee or risk committee at all, provided it discloses that fact and the processes it employs to independently verify and safeguard the integrity of its corporate reporting and risk management framework. For state statutory bodies, including state-owned corporations, this is a far more appropriate model than the composition mandated in the draft policy.

This is only one area where the draft policy has trodden incautiously. Our submission highlights several others.

The solution is right before our eyes

Governance Institute believes that rather than imposing a rigid and counter-productive risk policy on NSW government agencies, NSW Treasury should embrace the principles-based audit and risk management framework articulated in Principles 4 and 7 of the ASX Corporate Governance Council’s Principles and Recommendations. This is a tried and tested model that’s working well for entities with governing boards to promote transparency, accountability and integrity of stewardship.

Most state statutory bodies have already adopted this model. Forcing them to change to ‘fit’ a model designed for departments without boards is retrograde and will result in poor governance outcomes. NSW Treasury is itself a government department without a board. It needs to let state statutory bodies adopt the audit and risk management structure that best suits their needs, so long as they explain in their annual report why that course has been chosen.

This is a case study in why mandating approaches to governance or risk management simply does not work, whether in the public, private or not-for-profit sectors. The approach always needs to take account of the particular requirements of the entity, based on its role, history, size and culture.