2022 PwC Superannuation and Asset Management Risk and Compliance Benchmarking Survey

In the year since our last survey, the landscape of the Superannuation and Asset Management sector continued to grow in complexity, with regulatory and public accountability on the rise across many operational facets.

As part of our 14th annual survey we surveyed over 30 Australian Superannuation and Asset Management entities. The survey focused on three key areas impacting the sector - regulatory change, ESG and data risk management. 

In the year that has passed since our last survey, the landscape within which the Superannuation and Asset Management sector operates continues to grow in complexity, with regulatory and public accountability on the rise across many operational facets.

The three key areas for consideration highlighted in this year's survey, as well as calls to action in responses, are:

1. Regulatory change - increasing expectations and accountability

Key regulatory implementations (ASIC's Design and Distribution Obligations, Internal Dispute Resolution, Breach Reporting and APRA’s Superannuation Data Transformation Program) have occupied the industry, taking significant time from risk and compliance functions and creating unprecedented levels of data for organisations to manage and report. Many organisations across the industry are still refining business-as-usual controls to meet their additional regulatory obligations.

2. Environment, Social and Governance (ESG) - expectations on the rise

Overseas regulatory developments in ESG have sharpened the focus and expectations of industry stakeholders domestically and highlighted for the sector that integrating ESG into your business strategy and operations is now a question of when, not if. A key element of success in integrating ESG into the decision-making of the superannuation and asset management industry is the ability of an organisation to influence the actions and business decisions of its investee companies in a meaningful way.

3. Data risk management - an emerging landscape

Key to a strong data risk management framework is the ability to assess the criticality and sensitivity of data holdings, enabling delivery against legislative and regulatory obligations and ensuring the framework supports operational resilience.

These recently introduced reforms, including the focus on ESG, are all aimed at achieving better member/investor outcomes. For organisations to meet this objective, they need better data to execute their obligations more effectively.

Calls to action – how can organisations respond?

In response to the challenges and opportunities identified in this year’s survey we have identified the following calls to action for organisations to consider.

Regulatory change - increasing expectations and accountability

  • Consider any learnings from recent regulatory change initiatives such as pre-implementation testing, timeliness and ownership across Line 1 and Line 2
  • Assess the formalisation of newly implemented key controls to determine whether these are adequately documented (including cyber controls in MIS compliance plans) and evidenced, and whether there is appropriate governance oversight and reporting in place
  • Keep the foundational principles of DDO and FAR at the forefront in the decision-making process of your organisation
  • Consider how you are handling incidents, breaches and complaints from a technology perspective - with so much data available, are you making best use of the data to identify and report trends, root causes and themes?

Environment, Social and Governance (ESG) - expectations on the rise

  • Assess your investment products and related disclosures against ASIC’s information sheet on greenwashing
  • Evaluate the effectiveness of your engagement with investee companies on ESG to date and determine if any refinements are required
  • Assess completeness and accuracy of data that will be required under ISSB reporting requirements
  • Where public ESG commitments have been made, consider how these align with actual business practices and whether you have the processes and controls in place to deliver on these commitments

Data Risk Management - an emerging landscape

  • Appoint an executive owner to take accountability and drive ownership of data
  • Catalogue and prioritise data holdings based on criticality and consider governance measures over data held by third party service providers
  • Assess control adequacy to ensure critical data is secure, protected, and fit-for-purpose
  • Proactively remediate data and control deficiencies identified

For more information, please download your copy below. To have a more in-depth discussion about risk and controls at your organisation, please contact one of our experts.
Risk & Compliance survey 2022

Contact us

Deanna Chesler

Partner, PwC Australia

Tel: +61 414 914 834

Adrian Gut

Partner, PwC Australia

Tel: +61 418 237 426

Jon Benson

Partner - Data Trust and Privacy, PwC Australia

Tel: +61 438 565 299

Diane Winnard

Partner, PwC Australia

Tel: +61 402 958 701