If you’re managing an Australian Financial Services License (AFSL) or Australian Credit License (ACL), you already know that section 912A(1)(h) of the Corporations Act 2001 requires you to demonstrate a proactive and integrated approach to risk management. This obligation extends beyond procedural compliance; it necessitates that management and oversight bodies not only endorse the organisation’s risk management framework but are also actively involved in resourcing and implementing it.
In addition, the International Risk Management Standard (AS ISO 31000:2018) compels the governing body of a Licensee to actively ‘sign off’ on risk management measures. This also goes beyond mere tokenistic approval; it requires a commitment to ensuring that the risk management framework aligns with and supports the core values, objectives, and strategic direction of the organisation.
Such commitment involves the development and enactment of policies, procedures, and processes that are crafted to realise the established compliance policy and objectives. It’s an exercise in embedding a risk-conscious mindset at every level of the organisation, ensuring that risk management is not an isolated function but an intrinsic aspect of all business activities.
These obligations, and the practical implications and challenges, were addressed in our most recent Responsible Manager Workshop.
The results shown below are extracted from the 2023-2024 Risk Management Survey.
Assess your risk appetite by participating in Assured Support’s 2023-2024 Risk Appetite Survey.
For Licensees, the steps for fostering this integrated risk management environment are:
Leadership Involvement: The organisation’s leaders must actively partake in developing and endorsing the risk management framework.
Strategic Alignment: Risk management objectives should support and be consistent with the organisation’s broader goals and strategic plan.
In practice, there seems to be an inherent tension between Licensees’ business imperatives and their risk management and compliance frameworks. Aspirational statements aside, the data suggest that risk management and compliance functions are not “business-enablement” functions; whether legitimately or not, they are intuitively presumed to be risk-averse functions likely to impede or frustrate change. The reality is quite different. Risk and compliance functions should assist management to make informed, and better informed, decisions, but they don’t seem to be asked to do so.
Resource Allocation: Adequate resources must be dedicated to risk management, including human, financial, and technological assets.
Interestingly, only 44% of respondents consider risk management and compliance as a top priority. Most licensees, despite the obvious importance of the obligation, consider it as a “nice to have” or, at best, as a secondary priority. Whether the responses are realistic or aspirational is a debate for another day but, from my perspective, the more interesting question raised by these responses is what do 56% of respondents operating in a highly regulated environment consider “risk management and compliance” to be?
Policy Development: Comprehensive risk management policies should be established, clearly communicated, and aligned with the organisation’s values.
Procedural Implementation: Processes and procedures need to be developed and put into practice to manage identified risks effectively.
Continuous Improvement: The organisation should regularly review and refine its risk management practices, adapting to changing internal and external circumstances.
Risk management might not be a key focus for most Licensees, but by prioritising these actions, Licensees can ensure they meet regulatory expectations and establish a strong risk management framework that contributes to the long-term sustainability and integrity of their operations.