“But we also believe in taking risks, because that’s how you move things along.”
— Melinda Gates
Taking, and embracing, risks
It may seem to be counter-intuitive compliance advice, but in today’s fast-paced and frequently-changing regulatory landscape, embracing and managing risk is a crucial component of a licensee’s sustainable business growth.
Financial services is a conservative industry that usually consigns risk-takers to the bleeding edge, but the reality is that you cannot, do not and should not operate in a risk-free environment. All activity involves risk, and your compliance team should not concentrate on avoiding risk but, rather, on helping you identify your tolerance and appetite for risk, mitigating consequences and helping you avoid those risks that would be catastrophic for you and your clients. ASIC harbours no delusions that any licensee can conduct business without risk. All the law requires is that a licensee have adequate risk management systems.
In this article, we’ll delve into the concept of embracing risk, its importance in the context of Australian financial services laws and practical ways to reconcile risk with compliance obligations. To help you understand these obligations, we’ll briefly discuss the notion of a business’ risk appetite and how it can be effectively operationalised within your organisation.
Compliance and Risk
The financial industry is inherently dynamic, complex and frequently changing, so participating in it involves a certain level of risk. Rather than viewing risk as a hindrance, you should embrace it as an opportunity for growth and innovation. Recent events – including the Hayne Royal Commission – have demonstrated the importance of proactive risk management and substantive compliance arrangements. Whether you’re more focused on your reputation, your business’ sustainability or the integrity of the financial system, it’s clear that you’re expected to manage risk effectively.
Let’s start with the basics. Section 912A of the Corporations Act 2001 outlines the general obligations of licensees, including the obligation to ensure that their financial services are provided efficiently, honestly and fairly. Compliance with applicable laws and regulations is essential to protect investors, maintain market integrity and foster trust in the financial services industry. Section 912A(1)(h) imposes on licensees (other than bodies regulated by APRA) an obligation to have adequate risk management systems.
Before we address adequacy, let’s consider traditional risk management more generally.
Traditionally, risk management involves identifying, assessing and mitigating risks that may impact the licensee’s operations, clients or the broader financial system. The theory is that by integrating risk management practices into compliance frameworks, AFS licensees can effectively manage their exposure to risk while meeting their legal obligations. I don’t want to appear dismissive of this approach or of the value of risk management, but I believe that one of the most significant developments of the last decade is the extent to which Compliance (as a management discipline) has subsumed risk management. Compliance professionals, unlike the box-tickers of advisers’ fugue states, are required to take a risk-based, qualitative and quantitative approach that encompasses substantive compliance, IT and proactive, practical risk management.
If you’re looking for a definitive statement of regulatory expectations, we’d point out that risk management is a key focus of ASIC’s Regulatory Guide 104 “Licensing: Meeting the General Obligations”. At RG 104.60, the Guide explains that when ASIC assesses the adequacy of a licensee’s risk management systems, it is looking for a structured and systematic process that takes into account the licensee’s obligations under the Corporations Act and:
(a) identifies and evaluates risks faced by the business,
(b) establishes and maintains controls designed to manage or mitigate those risks,
(c) fully implements and monitors those controls to ensure they are effective, and
(d) focuses on risks that adversely affect consumers or market integrity.
Before you commit to the Afterpay option for your consultants’ regtech recommendation, remember that the nature, scale and complexity of your business, as well as your risk profile, determine the specific risk management measures you need. Furthermore, as compelling as your lawyers’ proforma framework might appear, you also need to appreciate that your risk management systems will need to adapt as your business develops and as your risk profile changes over time.
Reconciling Risk and Compliance
While some might suggest that risk-taking is inherent in the financial industry, reconciling risk with compliance obligations can be a challenge for many licensees. As difficult as it might appear, it is not insurmountable: by adopting a systematic approach, you can strike a balance between embracing risk and meeting regulatory requirements.
We’re practical people, so we’d suggest that you start by:
a) Establishing a Risk Management Framework: Develop a comprehensive risk management framework that outlines the processes, responsibilities and controls necessary to manage risk effectively. This framework should be aligned with your business objectives and comply with ASIC’s regulatory guidance. In addition to being tailored to, and reflective of, your business and culture, it should be integrated into your regtech platform.
b) Conducting Risk Assessments: You should regularly assess the risks associated with your activities, structure, model, products and services. Try to identify potential vulnerabilities, evaluate their likelihood and impact, and prioritise them for mitigation. It may seem over the top, but a proactive approach will help you anticipate and address risks before they escalate.
c) Implementing Compliance Controls: Integrate compliance controls within your risk management framework to ensure that regulatory obligations are adequately addressed. This includes policies, procedures, and monitoring mechanisms to detect and prevent non-compliance.
d) Engaging Employees: Leadership needs to model behaviour but, to be successful, you need to foster a culture of compliance, accountability and risk awareness across your entire team. The initial launch will be important but don’t underestimate the need for, and value of, regular training programs and clear communication channels. In our experience, these elements are grossly under-appreciated; they ensure employees understand their roles and responsibilities and embed the expectation that everyone should actively contribute to identifying and managing risks.
Operationalising Risk Appetite
If you are a Licensee (or business owner), you need to appreciate that understanding and defining your risk appetite is crucial to making informed decisions about risk-taking.
In simple terms, risk appetite refers to the level of risk that a Licensee is willing to accept in pursuit of its strategic objectives. Risk, in these terms, refers to adverse outcomes (of varying impact). The level of adverse outcome and impact your business can endure or absorb is your risk tolerance. Both are important measures to grasp.
Operationalising risk appetite involves reconciling your appetite and tolerance and translating the result into tangible guidelines and actions within your business. Here’s how you can achieve this:
a) Clearly Define your Risk Appetite: Develop a risk appetite statement that articulates your willingness to accept risk in various areas, such as investment, legal, regulatory, technology, and operational processes. It goes without saying that this statement should align with your overall strategy and be regularly reviewed and updated.
b) Establish your Risk Tolerance Limits: Record specific risk tolerance limits for the key risk categories you have identified. These limits should define the maximum acceptable level of risk exposure and provide clear guidance for decision-making processes. These limits will both reflect and define your compliance culture because they’ll send clear messages about what’s important and what you value.
c) Monitor and Report on Risk: Once the design stage is done, you’ll need to implement robust monitoring and reporting mechanisms to track and evaluate risks against your risk appetite. Ideally, you’ll draw from a range of data points and reference both lag and lead indicators. Because regular reporting to senior management and the board will facilitate better-informed decision-making, take the time to develop reporting that clearly and effectively alerts management to anticipated issues early enough that preventative action can be taken (and ideally before risk thresholds are exceeded).
d) Continuously Evaluate and Improve: Compliance never sleeps, because your risk appetite isn’t static; it continues to evolve in response to changing market conditions, industry trends and regulatory requirements. So, you need to regularly review and refine your risk appetite framework to ensure its relevance and effectiveness.
You might not want to actively court regulatory or legal risk, but embracing risk is an essential aspect of operating as an Australian Financial Services Licensee. Despite the demarcation disputes that plague governance functions, Compliance and Risk Management are not mutually exclusive; they should be, and often are, integrated into a comprehensive governance framework that aligns with your business’ values, culture and objectives. By understanding the need to embrace risk, complying with financial services laws and operationalising your risk appetite, you’ll manage risk more effectively while meeting (if not exceeding) your compliance obligations, and position your business for long-term success in a dynamic and frequently-changing regulatory environment.
If you need help to develop practical and commercial approaches to your risk management obligations, reach out to us for help.