Every system of governance is based in corporate and community cultural values. Effective communication ensures those values permeate all functions to mitigate risk and increase compliance.
— By Peter Scott
It is unfortunate that those responsible for corporate governance are frequently viewed as elitists who are primarily interested in making sure legal and governmental compliance is met, while remaining out-of-touch with what the people in the ranks are dealing with or how the communities in which they operate assess performance.
That view is increasingly out of date with the expanded integration of governance into other business functions like strategy development, audit, risk management, ethical culture formation, workforce diversity, legal and social responsibility strategies. In fact, corporate governance has assumed a more critical role in these types of functions as businesses move into global markets, leading to greatly increased risks. As a result, the men and women directing corporations are faced with the task of ensuring compliance in the context of an increasingly complex social, legal and governmental environment.
Directors, officers, legal advisors, auditors and financial advisors form the top governance structure, and they have a duty to create an effective system of checks and balances that supports sustainable shareholder value and stakeholder interests. However, effective external and internal governance also integrates the shareholder and stakeholder aspects to best manage risk. The conveyance of governance principles can help create a compliant culture, transparent operations and enhanced responsiveness to the interests of all stakeholders and emerging relevant issues within a corporate environment. The key to effectiveness is to create a transparent culture with lines of communication that go all the way to the top and all the way to the bottom.
Manage Risk Through Go-To Groups
The implication is clear: A decision made in one area is never to be viewed in a vacuum. For example, a legal decision meant to keep the corporation in compliance may have unintended consequences for a community. If there is no transparency, the community assumes that the corporation could not care less about the impact on people or the environment. If executive conduct is unethical and the people at the top are silent, a clear message is sent: ethics only apply to the lower ranks in the workforce. If financial information is “tweaked” to misguide shareholders or if the full extent of environmental damage caused by certain processes is hidden from the public, governance is failing. However, directors and officers might not be aware of the failings if they treat governance as primarily involving the signing of required documents.
Integrated governance should read “integrated governance, risk and compliance” because the three must be intricately entwined. As simple as it sounds, one of the ways to effectively integrate governance is to establish lines of communication. When issues come to the attention of those charged with governance via internal governance mechanisms, they must establish connections for further investigation. That is an elaborate way of saying, for example, that when an internal audit reports a discrepancy, there needs to be a way to get more information, like through a rank-and-file working committee or a mid-management enterprise-wide group.
The committees or groups should be charged with continuously assessing risk and compliance issues and regularly reporting results. Reporting includes strategy analysis, perceived threats to compliance, risk threats, plans for change, and metrics for assessing signs of risk or compliance failures. The reporting mechanisms must be transparent so that they create organization-wide awareness that promotes proactive risk and compliance management.
What is Really Going On?
The actions and responses of external and internal governance create a corporate culture. If the middle- and lower-level staff are afraid to report discrepancies or believe that directors and officers are looking the other way when issues arise, the wrong culture has developed. There have been numerous cases of unethical behaviors at the CEO level that lasted for years. Inevitably it turns out that “everyone knew,” whether it was cheating on reports or having inappropriate relationships with staff members.
There are always multiple people involved in almost every type of violation. Even when it appears a rogue staff member is to blame, the final analysis shows a breakdown in risk management. A good example is the case involving Switzerland’s largest bank, UBS AG. In 2011, a rogue 31-year-old trader in London completed unauthorized trades that cost the bank US$2 billion overnight. Though he was called rogue, the question directors must ask is: How does a trade that size go through without management review? Chances are that someone knew the London trader liked to take risks, but systems were not in place to prevent such a large trade.
In 2012, a JPMorgan Chase & Co. unit cost the bank $2 billion as a result of taking flawed positions in risky securities. What was particularly astonishing is that the unit making the bad investment was created to manage or reduce risk of loss by making safe or balanced investments. After the enormous loss, five employees said that the unit had been making increasingly speculative trades over the last few years. “Everyone knew,” but no one told. Oversight was missing. Employees did not report that the unit was acting risky rather than mitigating risk.
Integrating governance into business functions requires creating a culture of openness and transparency as well as real lines of communication. The organizational structure should support the culture, which may require flattening it to simplify information flows. Directors and officers must periodically assess the culture from top to bottom. Governance responsibilities include reading reports on audit findings, legal status, ethics violations, environmental strategies and social strategies as well as enterprise-wide internal committee reports to look for warning signs of risk-taking or compliance failures. If warning signs are detected, they should be acted on, and that is where the lines of communication are so important. Warning signs are often detected through analysis of metrics, like high management turnover rates or low employee participation rates when assessment surveys are conducted.
The bottom line is that the governance structure at every level needs to understand that their unit is not operating alone. The decisions made at the IT unit level or the financial unit level and so on should reflect an ethical and transparent culture established by those at the top. The board should always be asking itself: Do I know what is really going on?