
University of New South Wales Law Journal Student Series


Hodgson, Tom --- "Risk Management Routines And Information Flows To The Board" [2022] UNSWLawJlStuS 33; (2022) UNSWLJ Student Series No 22-33


RISK MANAGEMENT ROUTINES AND INFORMATION FLOWS TO THE BOARD

TOM HODGSON

INTRODUCTION

Recent corporate scandals have highlighted that non-executive directors (‘NEDs’) continue to lack the timely information needed to supervise executive activities and oversee the risk management framework. Notably, NEDs in such scandals were not aware of problems when they arose.[1] This essay argues that current risk management routines fail to provide NEDs with the information needed to supervise executive activities and therefore to manage compliance risks. This is due in particular to the part-time nature of the role and to overreliance on management for crucial information. Whilst compliance and misconduct risks can overlap, this essay focuses specifically on compliance risks.

This essay is divided into four parts. First, the literature and the significance of this thesis are discussed. Second, the way in which information-based risk management routines support directors’ duty of care is considered. Third, practical issues that limit directors’ ability to receive the information needed to oversee executive activities are explored. The final part considers whether a needed risk management routine is a legal obligation on senior management to report to the board once a reasonable suspicion of possible non-compliance exists, and in particular whether this obligation should be added to the proposed Financial Accountability Regime (‘FAR’).[2]

This essay focuses on APRA regulated entities, due to recent scandals involving such entities and their systemic importance to the economy.[3] Empirical evidence gathered by ASIC and APRA will be evaluated. Whilst not an APRA regulated entity, anti-money laundering (‘AML’) problems at Crown Resorts (‘Crown’) will also be discussed.[4] Notably, casinos offer a variety of financial services in a similar manner to banks, which makes them vulnerable to money laundering.[5] This case study will be used to explore information-based issues in complex financial institutions more broadly.

Ultimately, this essay argues that obligations on NEDs to actively seek out additional information and to appreciate when the information received is deficient are overly burdensome. Greater information-based obligations should be imposed on management to ensure NEDs receive sufficient information, allowing NEDs to focus more on processing that information, asking probing questions and evaluating executive responses.

Whilst beyond this essay’s scope, I acknowledge that the audit function plays an important role in ensuring NEDs receive independently evaluated information.[6] The effect of risk culture on information flows is also beyond the scope.

BACKGROUND

Risk management covers the activities and processes that address how uncertainty may affect strategy and business objectives.[7] Compliance risk management seeks to limit non-compliance to the extent possible, due to the risk of ‘legal or regulatory sanctions’ and the associated financial or reputational loss caused by non-compliance.[8] Compliance risks are considered two-fold in this essay. First, the risk of harm caused by failing to comply with the company’s legal obligations. Second, the risk that management will fail to appropriately consider compliance risks or to alert the board to concerns when they arise.

A Information-Based Risk Management Routines

In overseeing the risk management process, boards must evaluate whether executives are adequately identifying and managing material risks and whether management is notifying the board of emerging concerns.[9] There are extensive routines in the literature that seek to assist boards to receive the timely information needed to supervise executive activities.[10] Key routines include risk performance data, risks discussed in board and other risk committee reports, processes to escalate concerns to the board, and internal and external assurances.[11] Further, risk appetites should enable the board to monitor whether executive activities are operating within the board-established boundaries of acceptable risk.[12] Boards are also expected to actively challenge information received and seek out further information when required.[13]

Nonetheless, instances of boards receiving inadequate information are clearly noted. Empirical evidence on large financial institutions found that boards were failing to seek out ‘adequate data or reporting’ on non-financial risks and some boards did not always have the ‘right information’ to make informed decisions.[14] At Crown, NEDs were not aware of a wide variety of non-compliance and misconduct.[15] In relation to money laundering, the Perth and Melbourne subsidiaries received ‘hundreds of millions of dollars’ annually from ‘the Southbank and Riverbank accounts’.[16] Management received red flags that these accounts could be enabling money laundering since ‘at least January 2014’.[17] However, only two of the Crown NEDs who served between 2012 and 2019 even knew these accounts existed before media allegations in 2019.[18]

The literature fails to adequately consider why boards often still receive insufficient information. ASIC provides some general solutions, such as making risk reports more concise and having clear metrics to measure performance against the risk appetite.[19] Nonetheless, ASIC’s focus was more on what should be done rather than how it can be achieved. For example, ASIC stated that directors should ensure that systems and processes enable them to receive ‘the right information’ needed to oversee and monitor risk management.[20]

Practical issues are not addressed in the literature. In particular, NEDs are part-time, they have limited resources to seek out additional information and they are largely reliant on management to provide crucial information. Whilst some note these issues,[21] no real solutions have been provided. An ‘elephant in the room’ issue is what is ‘realistically feasible’ for boards to achieve in risk management.[22] Should NEDs be expected to identify major concerns ‘deep inside their company’, or should monitoring be more high-level?[23]

The possible tension between NEDs not being expected to engage in the management of the business[24] and NEDs being expected to obtain all relevant information needed to oversee risk management is not addressed. Therefore, this essay evaluates whether information-based routines are adequate and whether greater obligations should be imposed on management to help ensure NEDs receive the essential information needed to supervise executive activities.

DUTY OF CARE

Information-based risk management routines seek to support directors’ duty of care,[25] which requires directors to fulfil their responsibilities with a reasonable degree of ‘care and diligence’.[26] Directors must balance foreseeable risks that could harm the company’s best interests, which includes its reputation and interests in legal compliance, against the risk calculus.[27] In determining what a reasonable director would have done,[28] the risk calculus requires ‘the magnitude’ and the probability of risk, ‘the expense, difficulty and inconvenience of taking alleviating action’ and any potential benefits to be weighed up.[29]

A Oversight Duty

Under what has been phrased as the oversight duty,[30] directors are responsible to manage the company and oversee the risk management framework.[31] There is no general requirement for directors to ensure the company is legally compliant.[32] Nonetheless, contraventions of the Corporations Act, such as financial licensee obligations,[33] and possibly other legislation,[34] can be used to establish that the director failed to meet the standard expected of them,[35] as a ‘stepping-stone’.[36] However, as stepping-stone liability focuses on whether the director took reasonable steps in relation to compliance,[37] directors can be liable even if the company contravention is not proven.[38] Consequently, stepping-stone liability may have raised the standard expected of directors.[39]

Whilst directors can delegate powers to management and rely on information provided by others,[40] they must still discharge their duties.[41] NEDs must ‘take reasonable steps’ to ensure they can ‘guide and monitor’ how the company is managed.[42] Whilst a reasonable step is to delegate,[43] NEDs must remain informed and monitor the delegates and company activities.[44] A reasonable director would need to establish compliance and risk management systems and generally be expected to monitor the implementation and effectiveness of these systems.[45] The board must ultimately be satisfied that the company is ‘being properly run’.[46] Further, the business judgment rule does not apply to the oversight duty.[47]

When a NED is put on notice of possible non-compliance or management incompetence, they will likely need to independently inquire into the issue to discharge their duty of care.[48] However, the case law does not address whether there is ever an obligation to actively seek out information on a possible non-compliance issue when they are not put on notice.[49]

Whilst the extent to which NEDs can be liable for failing to actively inquire into possible risks is not clear,[50] soft law can inform the standard expected of a reasonable director.[51] ASIC has stated that NEDs must control and critically evaluate information received.[52] Further, boards are expected to be satisfied that management is providing information on significant ‘ongoing and emerging’ risks in order to supervise management’s responses to such risks.[53] Therefore, prudent corporate governance likely requires NEDs to consider whether information received is adequate and to actively seek out further information in order to discharge their duties.[54]

PRACTICAL ISSUES

A Routine Reports

Periodic reports on how the company is operating in comparison to its risk appetites and other risk metrics are crucial to enabling the board to oversee the company’s risk management.[55] For example, reports should consider the adequacy of compliance systems, emerging risks and other information needed to evaluate the overall effectiveness of the risk management framework.[56] Information received through periodic routines, such as board packs and risk committee reports,[57] therefore provides boards with important information needed to supervise executive activities.

However, empirical evidence from APRA and ASIC highlights that information provided on non-financial risks at large financial institutions is often buried in ‘voluminous’ committee and board reports.[58] For example, ASIC found that information packs presented at board risk committee (‘BRC’) meetings averaged around 300 pages.[59] Further, non-financial risks discussed in both compliance and risk reports often lacked a clear and logical order of prioritisation.[60]

NEDs reported to ASIC difficulty in understanding and evaluating the importance of information provided.[61] Similarly, APRA’s evidence suggested that directors were unlikely to recognise and address crucial risks.[62] Non-financial risks often lacked sufficient visibility, so that possible concerns were not acknowledged or understood.[63] Consequently, non-financial issues were often ‘tolerated’ and only addressed once there was ‘regulatory scrutiny or after adverse events’.[64]

Notwithstanding these difficulties, both regulatory expectations and case law support an expectation on NEDs to process all information provided.[65] Directors have ‘a continuing obligation’ to remain informed and monitor the company’s activities.[66] In the context of financial statements, Justice Middleton stated that the ‘complexity and volume of information’ is no excuse for failing to adequately process and understand information.[67] As a similar expectation is likely required for risk management, this is a high burden on part-time NEDs.[68] NEDs will often have to prioritise and juggle competing responsibilities, such as strategy and oversight, in their limited time available.[69] The need to spend considerably more time to just process the information in voluminous reports may prevent adequate opportunities to ask probing questions and evaluate management responses.

To prevent this burden, ASIC has stated that boards must control the information process and ensure the right information is reported.[70] However, even in 2011, Justice Middleton stated that boards must control the information received and prevent information overload.[71] Yet this issue remains. ASIC’s recommendation that directors should request more efficiently prepared reports with risks ordered in priority may have a positive effect.[72] Perhaps management has also reported more proactively on risks in the aftermath of the Hayne Royal Commission. However, evaluating possible improvement is difficult without further empirical evidence. Nonetheless, the fact that this issue was clearly noted over a decade ago but remains unresolved calls into question whether ASIC’s recommendation will have a noticeable positive effect.

Boards ultimately remain reliant on management to prevent voluminous reporting, even if the board clearly states its expectations. As noted by ASIC, the voluminous nature could reflect management’s failure to even consider what information is important.[73] Therefore, management must be willing to spend additional time to critically evaluate what information is relevant to improve this issue.

B Management Escalation Processes

In any event, information gaps between the board and management can result from either ‘too little or too much information’.[74] If the board does not receive crucial information, merely having periodic information-based reports will be ineffective. To prevent this, management is expected to provide the board with timely and accurate information in relation to risks,[75] including regular updates as to important risk indicators and exposures.[76] Recently, Commissioner Owen stated that a crucial responsibility of executives is to provide the board ‘with accurate, timely and clear information’ needed to guide and monitor the company.[77]

Boards are also expected to implement ‘processes and practices’ that enable them to supervise whether management is acting within the board-set risk strategies and appetites.[78] By setting the risk appetite and actively communicating with management, boards can set expectations about when and how management should provide information on risks.[79] Boards should therefore establish efficient and clear processes for management to escalate concerns to them, ensuring the board is aware of the relevant risk and swift action can be taken.[80]

However, significant risks that develop are often not escalated to the board in a timely manner.[81] Crown provides an extreme example of this. Management was aware of ‘red flags’ indicating that the Southbank and Riverbank accounts either were, or were likely to be, facilitating money laundering.[82] In January 2014, ANZ raised concerns about suspicious transactions, such as customers making daily deposits at a variety of different casino branches just under the reportable amount.[83] Nonetheless, no one at Crown even reviewed the bank statements.[84] Soon after, ANZ closed its account.[85] Management meetings occurred.[86] However, the risk committee, the Crown board and the subsidiary Perth board were not told about such meetings nor the money laundering concerns.[87] Similar issues happened with ASB Bank in 2018 and CBA in 2019.[88] Again, the board was not told anything.[89] All but two of the NEDs from 2012 were not aware that the Southbank and Riverbank accounts even existed prior to the media allegations in August 2019.[90] The two exceptions were not aware of the AML concerns.[91]

For the purposes of this essay, there is no need to delve into Crown’s profit-pursuing culture and Mr Packer’s negative influence over management and some NEDs.[92] I acknowledge that this likely contributed to management’s inaction. Nonetheless, there is no suggestion that the Crown NEDs could not have addressed the AML issues if management had told them about the red flags. Crown’s chair at the time of the inquiry, Ms Coonan, noted that had the board reviewed the accounts earlier, the board could have noted that they had problems.[93]

I also acknowledge that Crown had considerable deficiencies in its risk management processes, such as infrequent BRC meetings, which would have contributed to the information issues.[94] Whilst boards are required to independently evaluate information provided by committees,[95] the BRC can reduce the burden on the board.[96] For example, the BRC should question management when risk management is perceived to be inadequate or overly positive.[97] Further, the audit and risk committees can verify management’s assessments.[98] However, if management is failing to provide information to such committees then this will likely remain ineffective.[99] For example, risks may not be clear in the short-term and there can be a time lag between non-compliance occurring and when this would become evident in data-based reviews.[100]

Whilst Crown is an extreme example, empirical evidence also supports some escalation concerns at other financial institutions. APRA found that non-financial issues were often only addressed when there was regulatory attention ‘or after an event materialise[d]’.[101] Notwithstanding an expectation on management to provide necessary information,[102] albeit not a legal obligation, empirical evidence and the Crown Inquiry therefore highlight that management does not always provide such information.

1 Critically Evaluate Information Provided

Nonetheless, I acknowledge that part of the problem has also been NEDs’ failures to critically question management’s actions and the information they receive.[103] Whilst directors can rely on information provided by management, they must still independently assess the information.[104] ASIC’s empirical evidence found that directors failed to adequately analyse and ‘actively probe’ information received.[105] Further, meeting minutes did not support that NEDs were critically questioning information and responses provided by management.[106] ASIC also found that notwithstanding there being board established risk appetites, management often ran the business outside appetites ‘for years at a time with the board’s tacit acceptance’.[107]

Similarly, the Crown board failed to independently evaluate AML concerns after considerable media allegations, beginning in June 2019.[108] Executives, without looking at the bank statements, incorrectly advised the board that the Southbank and Riverbank accounts were dealt with by Crown’s normal AML policy.[109] As the board was also told that the media allegations were false,[110] they denied the allegations.[111] Only in September 2020, part way through the Crown Inquiry, were the accounts actually looked at.[112]

The media allegations clearly put the board on notice as to possible money laundering.[113] Consequently, their oversight duty likely required an independent inquiry in which assurances from management were insufficient.[114] The board should have at the very least inquired on what basis management believed the accounts to be adequate. More likely, as Commissioner Bergin noted, there should have been an independent review of the accounts.[115]

Mr Alexander, one of the NEDs who knew the accounts existed, was aware of the ‘withdrawal of support’ by ANZ in 2014 but did not know the reason for this until August 2020.[116] A reasonable director was likely put on notice in 2014 and therefore would be expected to inquire into why ANZ withdrew support.[117] The failure to do so is unacceptable, as NEDs must ‘monitor’ how the company is managed.[118]

The fact that NEDs are part-time does not excuse them from critically evaluating information provided by others in order to oversee executive activities and the risk management process.[119] When boards are put on notice, they must inquire further.[120] NEDs should, for example, request from management clear evidence and justifications to support claims that risks are being adequately managed.[121] No doubt failures of NEDs to do so have contributed to information deficiencies. Nonetheless, this does not resolve what can be done when directors are neither told about issues nor put on notice.

C Actively Seeking Out Information

Whilst NEDs must critically evaluate information provided, when should NEDs actively seek out additional information? Due to regulatory guidelines,[122] directors would clearly be negligent if they failed to implement adequate risk management controls and monitoring systems.[123] There was an AML monitoring system at Crown, as required.[124] However, the compliance systems for Southbank and Riverbank were defective in practice, as deposits were dealt with inconsistently by employees and important information was lost in the data entry process.[125]

Whilst not addressed in the case law, directors can possibly have positive obligations to seek out information on certain risks, even when there is no evidence of compliance failures.[126] Whilst boards can delegate powers to management and rely on information provided by others,[127] there will be instances when reliance on management is no longer reasonable and directors need to make independent assessments to discharge their duty.[128] The fact that management was not bringing any issues about money laundering to the board, despite casinos’ vulnerability to it, possibly should have raised NEDs’ suspicion.[129]

For compliance risks that can greatly harm the company, the risk calculus may require proactive efforts from NEDs to ensure risks are properly managed. As casinos and banks offer a variety of high-volume financial services, they are highly vulnerable to money laundering.[130] Extreme reputational and financial damage can be caused to the company due to non-compliance with AML.[131] Further, recent scandals reinforce that harm caused by AML or similar compliance breaches is ‘not far-fetched or fanciful’ and therefore foreseeable.[132]

Therefore, a reasonable NED would likely at times seek out additional information to oversee risk management,[133] especially for high risks such as money laundering. In relation to a managed investment scheme,[134] Justice Wigney held that the positive ‘reasonable steps’ duty would likely be breached if compliance was delegated and the director failed to ‘have any involvement in supervising or monitoring compliance’.[135] This has been argued to support the possibility of a breach by directors more broadly if directors fail to consider whether compliance risks are adequately managed.[136] Further, recent risk management recommendations, such as that boards should evaluate whether information received is complete and whether additional information is required,[137] may have heightened the standard expected of a reasonable director.[138]

Whilst ASIC brought no proceedings, there was likely a reasonable case that NEDs should have proactively assessed money laundering in various accounts of the business due to the extreme ramifications it can have, including significant reputational damage.

1 Regulatory Discretion

Nonetheless, there are many reasons why ASIC may have chosen not to exercise its regulatory discretion, including evidentiary difficulties and the six-year limitation period.[139] Evidentiary difficulties may have been a significant reason why ASIC limited its case in Cassimatis to executive directors, even though the NEDs failed to appreciate the details of Storm’s business model and its compliance, or lack thereof.[140] Negligence cases resulting from compliance failures have largely occurred after corporate collapses,[141] as the public demands that someone be held accountable.[142]

NEDs have recently only been held liable for compliance breaches in the context of corporate disclosure obligations and other ‘stepping-stone’ cases.[143] ASIC’s ‘stepping-stones’ enforcement strategy has resulted in each case being ‘highly fact-dependant’ in which deriving standards expected of reasonable directors and officers is difficult.[144] For example, the application of Cassimatis to a large corporation is very difficult, due to the degree of control that Mr and Mrs Cassimatis exercised, which was central to their liability.[145] Determining when NEDs must seek out information in order to discharge their oversight duty is therefore difficult to assess.

Nonetheless, there is likely a heightened expectation that directors will monitor whether ‘compliance systems are actually effective’ in the post Hayne Royal Commission world.[146] When there is a failure to monitor compliance or risk management systems, NEDs may therefore be vulnerable to regulatory proceedings if the compliance failure ‘attracts significant public opprobrium’.[147] NEDs may be liable if they fail to take reasonable steps to monitor compliance,[148] even when company contraventions are not proven.[149]

Even if not amounting to litigation, the regulatory expectations suggest that prudent corporate governance requires attempts to actively seek out information.[150] Notably, corporate lawyers generally advise boards that they have ‘an active’ oversight duty ‘over management’s risk and compliance practices’.[151]

2 Too Burdensome?

No doubt the Crown board should have done more. However, expectations on NEDs must remain ‘realistically feasible’.[152] Beyond when NEDs are put on notice about a possible issue, requiring NEDs to evaluate whether information provided is complete and to regularly seek out further information, as ASIC expects,[153] is extremely burdensome. I acknowledge, however, that if management is repeatedly providing a ‘perfect compliance scorecard’ for certain risks, this might be enough to raise NEDs’ suspicion as to whether compliance systems are truly effective.[154]

In a complex financial institution with many entities providing different services, it can be extremely difficult for NEDs to independently evaluate risks throughout the institution. For example, money laundering can happen many different ways in various casino or bank subsidiaries.[155] If NEDs did what ASIC expects of them, they could lose time needed to adequately consider strategy and other parts of their role.[156]

Yes, NEDs must process information provided, ask probing questions and challenge management whenever necessary.[157] However, it is another thing entirely to expect boards to identify major issues ‘deep inside their company’.[158] NEDs’ part-time role makes it extremely difficult to actively seek out additional information to supervise executives and the risk management process.[159] Information gaps between management and the board can make it difficult to appreciate when information is deficient. Management is ultimately involved in the day-to-day business and will have far greater knowledge about potential contraventions, as Crown highlights.[160] Boards, which are not expected to engage in management,[161] are therefore largely reliant on quality information flows from management to fulfil their oversight duty.[162]

REFORM

NEDs require ‘the right information’ to be able to challenge management on fundamental issues, such as plans to alleviate risks stemming from compliance concerns.[163] However, the expectation that boards should actively seek out information needed to supervise management,[164] notwithstanding their part-time role, is unreasonably burdensome. In contrast, management is involved in the operations of the business, in which compliance risks are more likely to become apparent. Executives should have more stringent obligations to provide NEDs information and be held accountable when they fail to do so.

A FAR

The proposed FAR will govern conduct responsibilities at APRA regulated financial institutions.[165] Accountable persons will be required to ‘take reasonable steps’ when fulfilling their specified responsibilities to prevent the company from conduct likely to cause material breaches of financial services laws.[166] Accountable persons will include senior executives.[167]

A potentially necessary risk management routine is an additional obligation on senior executives to report non-compliance concerns to the board once a reasonable suspicion arises. A reasonable suspicion would arise when a reasonable person in the same circumstances was put on notice of possible non-compliance. As the FAR seeks to ensure that everyone within the company and the regulators know each senior executive’s responsibilities,[168] senior executives would be held accountable if this obligation was not adhered to. Whilst casinos are not APRA regulated, State casino legislation should possibly add the same obligation due to the similar risks that casinos face, such as AML.

1 Necessary?

One could argue that enacting the currently proposed FAR, which is largely modelled on the UK regime, will already sufficiently reduce non-financial risks. Empirical evidence in the UK, three years after the Senior Managers and Certification Regime was introduced, found that the improved accountability greatly strengthened the effectiveness of compliance and risk management.[169] Further, there was generally greater documentation by senior management and awareness of risks.[170]

Nonetheless, there was no discussion about improved information flows between the board and management. Whilst no survey responses noted this as a benefit in answer to any of the open-ended questions, there were also no specific questions directed to this point. Evaluating whether information flows have improved is therefore difficult.

In any event, the added obligation will clearly increase the likelihood of NEDs being promptly informed. When ‘in doubt’, senior executives will likely appreciate that the board must know about the concern. As executives’ short-term performance bonuses often create inherent biases in which they are more likely to understate risks and their effects,[171] this specific obligation could help alleviate this bias. With a sufficient deterrent for failing to fulfil this obligation, executives’ personal interest in not being punished will help ensure that the need to report reasonable concerns to the board is at the forefront of their minds.[172] As currently proposed, a failure of accountable persons to fulfil their FAR obligations can result in disqualification and the loss of deferred remuneration.[173] As this has largely been considered a sufficient deterrent,[174] these consequences should also apply to the proposed additional obligation.

2 Burdensome?

However, the need to constantly consider whether concerns should be reported and the risk of negative consequences for failing to do so could be considered overly burdensome. If this occurred, talented executives may not want to work at APRA regulated entities.[175] Nonetheless, as the obligation only requires reasonableness, this concern is somewhat alleviated. For example, senior executives would not be expected to find out about every possible instance of non-compliance within their areas of the business. Further, I note that executives would not be subject to the possibility of civil penalties, as civil penalties would likely be considered too harsh by executives.[176]

The regulators are also anticipated to exercise their regulatory discretion to only hold individuals to account for severe breaches, for example conduct similar to that at Crown. Notably, in relation to the currently proposed FAR, ASIC said that the ‘reasonable steps’ requirement seeks to ensure that obligations on accountable persons are not overly burdensome and that ASIC appreciates the nature of complex financial institutions.[177]

Another concern is that executives would provide boards with too much information in order to safeguard themselves against potentially failing to satisfy the obligation. Again, the reasonableness standard and regulatory discretion should prevent this, as senior executives will appreciate that a reasonable suspicion does not require everything to be reported. Even if too much information is reported at times, this would be the lesser of two evils if executives are no longer reluctant to promptly escalate concerns to the board.

Perhaps the number of boards that NEDs can sit on needs to be limited, ensuring NEDs have sufficient time to process all information received, ask questions and evaluate management responses. However, NEDs cannot be involved in day-to-day management, as this would undermine their ability to take ‘abstract, strategic and holistic decisions at board level’.[178]

I acknowledge that this reform would likely face great criticism from business groups, as the currently proposed FAR obligation for individuals to take ‘reasonable steps’ has.[179] However, as scandals in the last couple of decades have raised recurrent issues and themes notwithstanding substantial reforms,[180] drastic improvement is still needed. Ultimately, this reform has the potential to ensure management is actually accountable for providing the board with necessary information, enabling NEDs to have the right information to discharge their duties.

CONCLUSION

This essay has illustrated that the information-based expectations placed on NEDs in supervising executive activities and the risk management framework are extremely burdensome. In relation to the voluminous information received, NEDs must not only process considerable amounts of information but also determine whether that information is adequate. Further, NEDs are likely required to actively seek out additional information in certain circumstances.

I acknowledge that evaluating possible improvements in risk management stemming from the Hayne Royal Commission, the regulatory expectations that followed and executive accountability is difficult due to the short time period. Future empirical research could evaluate the extent to which these changes have genuinely improved information flows.

Nonetheless, the practical issues discussed in this essay highlight that the information-based obligations imposed on NEDs are unreasonably high in comparison to those on executives, who receive remuneration many times greater. Whilst NEDs should be required to critically evaluate information provided by others and ask probing questions, they should not also be required to extensively seek out information. Due to their involvement in the day-to-day operations of the business, executives should provide NEDs with the information needed to exercise independent judgment and discharge their oversight duty. Ultimately, the noted reform provides some preliminary thoughts on how information-based obligations could be more appropriately balanced between NEDs and management.


[1] For example, Patricia Bergin, Inquiry under section 143 of the Casino Control Act 1992 (NSW) (Report, 1 February 2021) (‘NSW Casino Inquiry’).

[2] Financial Accountability Regime Bill 2021 (Cth).

[3] Tom Bathurst, 'Directors' and Officers' Duties in the Age of Regulation' (Speech, Conference in Honour of Professor Baxt AO, 26 June 2018) 19.

[4] NSW Casino Inquiry (n 1).

[5] Ibid 45-47; Royal Commission into the Casino Operator and Licence (Final Report, October 2021) 163 (‘Victorian Royal Commission’).

[6] The Risk Coalition, Raising the Bar: Principles-based guidance for board risk committees and risk functions in the UK Financial Services sector (Research Paper, 2019) 12; Elizabeth Sheedy, ‘Structures of Risk governance’ in Elizabeth Sheedy (ed), Risk Governance: Biases Blind spots and Bonuses (Routledge, 2021) 2, 3, 7.

[7] Sheedy (n 6) 1; NSW Casino Inquiry (n 1) 328.

[8] Australian Securities and Investments Commission, Corporate Governance Taskforce: Director and officer oversight of non-financial risk report (Report 631, October 2019) 9 (‘ASIC Taskforce’).

[9] Perth Casino Royal Commission (Final Report, 24 March 2022) 896 (‘Perth Royal Commission’); Committee of Sponsoring Organizations of the Treadway, Effective Enterprise Risk Oversight: The Role of the Board of Directors (Report, 2009) 2.

[10] International Corporate Governance Network, ICGN Guidance on Corporate Risk Oversight (Report, 2015) 12.

[11] Perth Royal Commission (n 9) 896-897; ASIC Taskforce (n 8) 48; The Risk Coalition, Raising the Bar: Principles-based guidance for board risk committees and risk functions in the UK Financial Services sector (Research Paper, 2019); Committee of Sponsoring Organizations of the Treadway, Risk Appetite – Critical to Success- Using Risk Appetite to Thrive in a Changing World (Report, 2020) 10.

[12] Perth Royal Commission (n 9) 898.

[13] Ibid 896-897; ASIC Taskforce (n 8) 26; International Corporate Governance Network, ICGN Guidance on Corporate Risk Oversight (Report, 2015) 13.

[14] ASIC Taskforce (n 8) 6.

[15] NSW Casino Inquiry (n 1) 347.

[16] Ibid 208.

[17] Ibid 210.

[18] Ibid 352, 448, 469, 491, 494, 506, 511.

[19] ASIC Taskforce (n 8) 12, 28.

[20] Ibid 8, 24.

[21] Parveen P Gupta and Tim J Leech, ‘Risk Oversight: Evolving Expectations for Boards’ (2014) 49(3) The EDP Audit, Control, and Security Newsletter 1, 6; Board Governance of AML/CTF Obligations at Westpac: The Advisory Panel Review (Report, 8 May 2020) (‘Westpac Report’).

[22] Westpac Report (n 21).

[23] Ibid 9.

[24] ASIC Taskforce (n 8) 8.

[25] Corporations Act 2001 (Cth) s 180(1).

[26] Ibid.

[27] Australian Securities and Investments Commission v Cassimatis (No 8) [2016] FCA 1023 [478], [483] (Edelman J).

[28] Corporations Act 2001 (Cth) s 180(1).

[29] Australian Securities and Investments Commission v Cassimatis (No 8) [2016] FCA 1023 [486] (Edelman J) citing Wyong Shire Council v Shirt [1980] HCA 12; (1980) 146 CLR 40, 47-48 (Mason J).

[30] Pamela Hanrahan and Rachel Yates, ‘Directors’ duties of oversight: Insights for Australia from recent developments in Delaware’s Caremark jurisprudence’ (2018) 33 Australian Journal of Corporate Law 185, 191; Australian Securities and Investments Commission v Rich [2009] NSWSC 1229 [7278] (Austin J).

[31] Perth Royal Commission (n 9) 896; ASX Corporate Governance Council, Corporate Governance Principles and Recommendations (ASX, 4th ed, 2019) 26.

[32] Australian Securities and Investments Commission v Warrenmang Ltd [2007] FCA 973; (2007) 63 ACSR 623, 628 [22] (Gordon J); Australian Securities and Investments Commission v Mariner Corporation Ltd [2015] FCA 589 [444] (Beach J).

[33] Corporations Act 2001 (Cth) s 912A.

[34] Bathurst (n 3) 12; Allens, Criminal and Civil Frameworks for Imposing Liability on Directors (Australian Institute of Company Directors Report, 2019) 6.

[35] Bathurst (n 3) 12; Cassimatis v Australian Securities and Investments Commission [2020] FCAFC 52 [79] (Greenwood J), [464]-[465] (Thawley J).

[36] I acknowledge that the phrase ‘stepping-stone’ has been criticised: Cassimatis v Australian Securities and Investments Commission [2020] FCAFC 52 [79] (Greenwood J).

[37] Bathurst (n 3) 7, 9.

[38] Australian Securities and Investments Commission v Cassimatis (No 8) [2016] FCA 1023 [4]-[5], [834] (Edelman J); Cassimatis v Australian Securities and Investments Commission [2020] FCAFC 52 [465] (Thawley J).

[39] Allens, Criminal and Civil Frameworks for Imposing Liability on Directors (Australian Institute of Company Directors Report, 2019) 6 citing Maeve McGregor, 'Stepping-Stone Liability and the Directors' Statutory Duty of Care and Diligence' (2018) 36 Company and Securities Law Journal 245.

[40] Corporations Act 2001 (Cth) ss 189, 190(1), 198D.

[41] Pamela Hanrahan, ‘Directors, are you across your legal duties and responsibilities?’, Australian Institute of Company Directors (Blog Post, 27 September 2018) <https://www.aicd.com.au/board-of-directors/duties/fiduciary/directors-are-you-across-your-legal-duties-and-responsibilities>.

[42] Australian Securities and Investments Commission v Healey [2011] FCA 717; (2011) 83 ACSR 484 [166], [171] (Middleton J); Daniels v Anderson (1995) 37 NSWLR 438, 505 (Clarke JA and Sheller JA).

[43] Australian Securities and Investments Commission v Healey [2011] FCA 717; (2011) 83 ACSR 484 [175], [240] (Middleton J).

[44] Ibid [175], [240]; Daniels v Anderson (1995) 37 NSWLR 438, 503-504 (Clarke JA and Sheller JA); ASIC Taskforce (n 8) 48.

[45] Perth Royal Commission (n 9) 888; ASIC Taskforce (n 8) 8; ASX Corporate Governance Council, Corporate Governance Principles and Recommendations (ASX, 4th ed, 2019) 6; Hanrahan and Yates (n 30) 191, 211.

[46] Daniels v Anderson (1995) 37 NSWLR 438, 500-501 (Clarke JA and Sheller JA).

[47] Australian Securities and Investments Commission v Rich [2009] NSWSC 1229 [7278] (Austin J).

[48] Australian Securities & Investments Commission v Flugge [2016] VSC 779 [29], [1874] (Robson J); Australian Securities and Investments Commission v Vocation Limited [2019] FCA 807 [824]-[827] (Nicholas J); Hanrahan and Yates (n 30) 216-219.

[49] Hanrahan and Yates (n 30) 219.

[50] This is discussed more on pages 15-16.

[51] Australian Securities & Investments Commission v Rich [2003] NSWSC 85; (2003) 174 FLR 128, 147 (Austin J), Australian Securities and Investments Commission v Healey [2011] FCA 717 [192] (Middleton J).

[52] ASIC Taskforce (n 8) 8, 24.

[53] Perth Royal Commission (n 9) 896.

[54] Ibid 896-897; ASIC Taskforce (n 8) 26; International Corporate Governance Network, ICGN Guidance on Corporate Risk Oversight (Report, 2015) 13.

[55] Governance Institute of Australia, Risk management for directors: A handbook (Report, April 2016) 26-27; ASIC Taskforce (n 8) 24.

[56] Governance Institute of Australia, Risk management for directors: A handbook (Report, April 2016) 26.

[57] Committee of Sponsoring Organizations of the Treadway, Risk Appetite – Critical to Success- Using Risk Appetite to Thrive in a Changing World (Report, 2020) 10; International Corporate Governance Network, ICGN Guidance on Corporate Risk Oversight (Report, 2015).

[58] ASIC Taskforce (n 8) 6, 24, 27; Australian Prudential Regulation Authority, Self-assessments of governance, accountability and culture (Information Paper, 22 May 2019) 6, 16.

[59] ASIC Taskforce (n 8) 24.

[60] Ibid 6, 26.

[61] Ibid 26.

[62] Australian Prudential Regulation Authority (n 58) 6.

[63] Ibid 21.

[64] Ibid 21.

[65] ASIC Taskforce (n 8) 8, 24; Australian Securities and Investments Commission v Healey [2011] FCA 717; (2011) 83 ACSR 484 (Middleton J); Daniels v Anderson (1995) 37 NSWLR 438, 505 (Clarke JA and Sheller JA).

[66] Australian Securities and Investments Commission v Healey [2011] FCA 717; (2011) 83 ACSR 484 [166] (Middleton J); Daniels v Anderson (1995) 37 NSWLR 438, 505 (Clarke JA and Sheller JA).

[67] Australian Securities and Investments Commission v Healey [2011] FCA 717; (2011) 83 ACSR 484 [229] (Middleton J).

[68] Gupta and Leech (n 21) 6.

[69] Stephen Bainbridge and Matthew T Henderson, ‘Boards-R-Us: Reconceptualizing Corporate Boards’ (2014) 66 Stanford Law Review 1051, 1065.

[70] ASIC Taskforce (n 8) 28.

[71] Australian Securities and Investments Commission v Healey [2011] FCA 717; (2011) 83 ACSR 484 [229] (Middleton J).

[72] ASIC Taskforce (n 8) 28.

[73] ASIC Taskforce (n 8) 24.

[74] Bainbridge and Henderson (n 69) 1065.

[75] ASIC Taskforce (n 8) 8; ASX Corporate Governance Council, Corporate Governance Principles and Recommendations (ASX, 4th ed, 2019) 6, 26.

[76] Committee of Sponsoring Organizations of the Treadway, Effective Enterprise Risk Oversight: The Role of the Board of Directors (Report, 2009) 3.

[77] Perth Royal Commission (n 9) 888.

[78] ASIC Taskforce (n 8) 8.

[79] Perth Royal Commission (n 9) 898; Governance Institute of Australia, Risk management for directors: A handbook (Report, April 2016) 27.

[80] ASIC Taskforce (n 8) 50; Governance Institute of Australia, Risk management for directors: A handbook (Report, April 2016) 27.

[81] ASIC Taskforce (n 8) 50; Australian Prudential Regulation Authority (n 58) 20.

[82] NSW Casino Inquiry (n 1) 210.

[83] Ibid 210, 212.

[84] Ibid 210, 212, 214.

[85] Ibid 213.

[86] Ibid 212.

[87] Ibid 212.

[88] Ibid 219, 221.

[89] Ibid 219, 221, 354.

[90] Ibid 352, 448, 469, 491, 494, 506, 511.

[91] Ibid 443, 494.

[92] Ibid 146; Victorian Royal Commission (n 5) 3, 99, 104.

[93] NSW Casino Inquiry (n 1) 357.

[94] Ibid 540.

[95] Corporations Act 2001 (Cth) s 189.

[96] Sheedy (n 6) 3.

[97] ASIC Taskforce (n 8) 47.

[98] The Risk Coalition, Raising the Bar: Principles-based guidance for board risk committees and risk functions in the UK Financial Services sector (Research Paper, 2019) 12.

[99] NSW Casino Inquiry (n 1) 133-138.

[100] Sheedy (n 6) 3.

[101] Australian Prudential Regulation Authority (n 58) 20.

[102] ASIC Taskforce (n 8) 8; ASX Corporate Governance Council, Corporate Governance Principles and Recommendations (ASX, 4th ed, 2019) 6, 26; Perth Royal Commission (n 9) 888.

[103] Royal Commission into Misconduct in the Banking, Superannuation and Financial Services Industry (Final Report, 1 February 2019) 396 (‘Hayne Royal Commission’); John Laker, Prudential Inquiry into the Commonwealth Bank of Australia (Final Report, 30 April 2018) 3, 11, 13; Gupta and Leech (n 21) 7, 11.

[104] Corporations Act 2001 (Cth) s 189.

[105] ASIC Taskforce (n 8) 6, 48.

[106] Ibid 7.

[107] Ibid 6.

[108] NSW Casino Inquiry (n 1) 196-198.

[109] Ibid 202.

[110] Ibid 198-199.

[111] Ibid 199.

[112] Ibid 357.

[113] Australian Securities & Investments Commission v Flugge [2016] VSC 779 [29], [1874] (Robson J); Australian Securities and Investments Commission v Vocation Limited [2019] FCA 807 [824]-[827] (Nicholas J); Hanrahan and Yates (n 30) 218.

[114] Australian Securities & Investments Commission v Flugge [2016] VSC 779 [29], [1874] (Robson J); Australian Securities and Investments Commission v Vocation Limited [2019] FCA 807 [824]-[827] (Nicholas J); Hanrahan and Yates (n 30) 218; NSW Casino Inquiry (n 1) 433, 448.

[115] NSW Casino Inquiry (n 1) 199.

[116] Ibid 494.

[117] Australian Securities & Investments Commission v Flugge [2016] VSC 779 [29], [1874] (Robson J); Australian Securities and Investments Commission v Vocation Limited [2019] FCA 807 [824]-[827] (Nicholas J); Hanrahan and Yates (n 30) 218.

[118] Australian Securities and Investments Commission v Healey [2011] FCA 717; (2011) 83 ACSR 484 [166], [171] (Middleton J); Daniels v Anderson (1995) 37 NSWLR 438, 505 (Clarke JA and Sheller JA).

[119] ASIC Taskforce (n 8) 48.

[120] Australian Securities & Investments Commission v Flugge [2016] VSC 779 [29], [1874] (Robson J); Australian Securities and Investments Commission v Vocation Limited [2019] FCA 807 [824]-[827] (Nicholas J); Hanrahan and Yates (n 30) 218.

[121] ASIC Taskforce (n 8) 48.

[122] For example, ASX Corporate Governance Council, Corporate Governance Principles and Recommendations (ASX, 4th ed, 2019) 6, 26.

[123] Hanrahan and Yates (n 30) 211.

[124] NSW Casino Inquiry (n 1) 209.

[125] Ibid.

[126] Hanrahan and Yates (n 30) 211, 218-219.

[127] Corporations Act 2001 (Cth) ss 189, 190.

[128] Pamela Hanrahan, ‘Directors, are you across your legal duties and responsibilities?’, Australian Institute of Company Directors (Blog Post, 27 September 2018) <https://www.aicd.com.au/board-of-directors/duties/fiduciary/directors-are-you-across-your-legal-duties-and-responsibilities>.

[129] Hanrahan and Yates (n 30) 219.

[130] Victorian Royal Commission (n 5) 104, 163; NSW Casino Inquiry (n 1) 45-47.

[131] Hayne Royal Commission (n 103); James Eyers and James Frost, ‘Westpac hit by AUSTRAC for systemic failures’, Australian Financial Review (News Article, 20 November 2019) <https://www.afr.com/companies/financial-services/westpac-hit-by-austrac-for-systemic-failures-20191120-p53c8p>; James Eyers, ‘Money laundering scandal: what CBA admitted to, and why it happened’, Australian Financial Review (News Article, 4 June 2018) <https://www.afr.com/companies/financial-services/money-laundering-scandal-what-cba-admitted-to-and-why-it-happened-20180604-h10xm3>.

[132] Hayne Royal Commission (n 103) 396; Westpac Report (n 21); Australian Securities and Investments Commission v Cassimatis (No 8) [2016] FCA 1023 [486] (Edelman J) citing Wyong Shire Council v Shirt [1980] HCA 12; (1980) 146 CLR 40, 47-48 (Mason J).

[133] ASIC Taskforce (n 8) 24.

[134] Corporations Act 2001 (Cth) s 601FD(1)(f).

[135] Trilogy Funds Management Limited v Sullivan (No 2) [2015] FCA 1452 [223] (Wigney J).

[136] Hanrahan and Yates (n 30) 213.

[137] ASIC Taskforce (n 8) 8, 26; Perth Royal Commission (n 9) 896; International Corporate Governance Network, ICGN Guidance on Corporate Risk Oversight (Report, 2015) 13.

[138] Australian Securities & Investments Commission v Rich [2003] NSWSC 85; (2003) 174 FLR 128, 147 (Austin J); Australian Securities and Investments Commission v Healey [2011] FCA 717 [192] (Middleton J).

[139] Corporations Act 2001 (Cth) s 1317K.

[140] Australian Securities and Investments Commission v Cassimatis (No 8) [2016] FCA 1023 [371], [373], [375] (Edelman J).

[141] For example, Australian Securities & Investments Commission v Flugge [2016] VSC 779; Australian Securities and Investments Commission v Cassimatis (No 8) [2016] FCA 1023.

[142] Pamela Hanrahan and Tim Bednall, ‘From Stepping-Stones to Throwing Stones: Officers’ Liability for Corporate Compliance Failures after Cassimatis’ (2021) 49(3) Federal Law Review 380, 403.

[143] Ibid 407; Australian Securities and Investments Commission v Vocation Ltd (In Liq) [2019] FCA 807; Hanrahan and Yates (n 30) 213.

[144] Hanrahan and Bednall (n 142) 402.

[145] Ibid.

[146] Bathurst (n 3) 18.

[147] Hanrahan and Bednall (n 142) 211-213.

[148] Bathurst (n 3) 7, 9.

[149] Australian Securities and Investments Commission v Cassimatis (No 8) [2016] FCA 1023 [4]-[5], [834] (Edelman J); Cassimatis v Australian Securities and Investments Commission [2020] FCAFC 52 [465] (Thawley J).

[150] Hanrahan and Yates (n 30) 216.

[151] Hanrahan and Bednall (n 142) 401.

[152] Westpac Report (n 21) 9.

[153] ASIC Taskforce (n 8) 8, 24.

[154] Hanrahan and Yates (n 30) 220.

[155] NSW Casino Inquiry (n 1) 46.

[156] Bainbridge and Henderson (n 69) 1065.

[157] Hayne Royal Commission (n 103) 395-396, 400.

[158] Westpac Report (n 21) 9.

[159] Gupta and Leech (n 21) 6.

[160] NSW Casino Inquiry (n 1) 210.

[161] Westpac Report (n 21) 9; Hayne Royal Commission (n 103) 400.

[162] Hanrahan and Bednall (n 142) 402.

[163] Hayne Royal Commission (n 103) 400.

[164] Perth Royal Commission (n 9) 88; ASIC Taskforce (n 8) 6, 24.

[165] The Treasury (Cth), Implementing Royal Commission Recommendations 3.9, 4.12, 6.6, 6.7 and 6.8 Financial Accountability Regime (Policy Proposal Paper, 22 January 2020) 2, 6.

[166] Financial Accountability Regime Bill 2021 (Cth) s 21(d).

[167] The Treasury (Cth), Financial Accountability Regime – List of prescribed responsibilities and positions (Policy Proposal Paper, 16 July 2021) 2; Explanatory Memorandum, Financial Accountability Regime Bill 2021 (Cth) 1.51.

[168] Financial Accountability Regime Bill 2021 (Cth) s 31(2).

[169] UK Finance and Ashurst, SMCR: Evolution and Reform (Research Paper, September 2019) 2, 29; Bank of England, Evaluation of the Senior Managers and Certification Regime (Report, December 2020) 11.

[170] UK Finance and Ashurst, SMCR: Evolution and Reform (Research Paper, September 2019) 9, 12.

[171] Sheedy (n 6) 3.

[172] Blanaid Clarke, ‘Senior executive accountability and responsibility in financial institutions’ (2021) 66 Irish Jurist 74, 81; UK Finance and Ashurst, SMCR: Evolution and Reform (Research Paper, September 2019) 10.

[173] Financial Accountability Regime Bill 2021 (Cth) ss 25, 42.

[174] Commonwealth, Official Committee Hansard, Senate, 27 January 2022, 30 (Christine Cupitt, Australian Banking Association).

[175] Corey Byrne ‘The Liability of Directors and Officers When AFS Licensees Provide Defective Financial Product Advice’ (2022) 39 C&SLJ 19, 46.

[176] Commonwealth, Official Committee Hansard, Senate, 27 January 2022, 30-31 (Christine Cupitt, Australian Banking Association).

[177] Ibid 51 (Greg Kirk, ASIC).

[178] Perth Royal Commission (n 9) 887 citing AWA Ltd v Daniels (1992) 7 ACSR 759, 866.

[179] Economic Legislation Committee, Parliament of Australia, Financial Accountability Regime Bill 2021 [Provisions], Financial Sector Reform (Hayne Royal Commission Response No.3) Bill 2021 [Provisions], Financial Services Compensation Scheme of Last Resort Levy Bill 2021 [Provisions], and Financial Services Compensation Scheme of Last Resort Levy (Collection) Bill 2021 [Provisions] (Report, February 2022) 20-21.

[180] Ashley Black, Misconduct in Banking and Financial Services; Some Aspects of the Hayne Royal Commission (Paper delivered at Faculty of Law, University of Oxford, 26 February 2020) 3-5.


URL: http://www.austlii.edu.au/au/journals/UNSWLawJlStuS/2022/33.html