By John Glover
Introduction:
Executives and members of the Board of Directors responsible for the management and oversight of public and some private organizations have experienced an ever-increasing requirement to exercise Governance, Risk and Compliance (GRC) initiatives. A greater percentage of business decisions are now based on risk management principles, which require monitoring and reporting to achieve the expected level of compliance.
Over the last few years, there has been an increased interest in adopting an acceptable framework for the recognition and compliance requirements related to good corporate governance. This framework has been the subject of considerable debate and tuning by international organizations responsible for corporate conduct where there is an imperative to demonstrate compliance with existing and emerging mandates.
The Organization for Economic Co-operation and Development (OECD) has created an international convention which has become a recognized and adopted benchmark for policy makers, investors, corporations and other stakeholders worldwide. Many organizations monitor and report on the OECD Principles of Good Governance to ensure that their oversight bodies are providing the due care and due diligence required.
Large corporations and publicly listed companies of moderate to larger size will already have developed the capacity to respond to the need for GRC and the emphasis will be placed on tracking and reporting the outcomes. However, there are many other smaller organizations and many in the non-profit environment where the concept of GRC is not well understood.
In many of the “not for profit” and “Non-Government Organizations” (NGOs) the management structure will often include an elected Board of Directors (BoD) responsible for the conduct of the organization. This BoD provides oversight and guidance toward the fulfillment of the mission, goals and objectives established as basic principles. The exercise of this oversight is ideally mandated through a disciplined process called governance.
Community Service Organizations, for example, by their nature would be conscious of public scrutiny, would wish to develop loyalty among their funding sources and other advocates, and would therefore wish to adhere to and participate in observing an acceptable governance standard. The principles and concepts of good governance that they would seek would be in alignment with those of any regulatory bodies to which they are required to adhere, including accounting and auditing oversight.
WHAT is Governance?
Governance relates to decisions that define expectations, grant power, or verify performance.
Governance deals with authority, responsibility, influence, and accountability:
“Authority” identifies who has what powers;
“Responsibility” determines who can make what decisions;
“Influence” ensures that the appropriate voices will be heard; and
“Accountability” holds the actor of each activity of substance to full responsibility for their actions.
Governance consists either of a separate process or of a specific part of management or leadership processes. Sometimes the management function within these organizations sets up a “governance body” to administer these processes and systems.
In the case of a business, service entity or of a non-profit organization, governance relates to consistent management, cohesive policies, processes and decision-rights for a given area of responsibility. For example, managing at a corporate level might include evolving policies on privacy, decisions and strategies on investment, and, for organizations such as a service organization or a not-for-profit, a heavy reliance on the use and care of data.
These definitions are, for the most part, universally accepted and lead an organization into a clearer understanding of the scope and ramifications of good governance. Most of the references are drawn from online resources. Prominent among these is the OECD Principles of Corporate Governance document which can be retrieved from the Internet and is readily available at http://www.oecd.org/corporate/oecdprinciplesofcorporategovernance.htm.
WHO or WHAT is the dominant focus of Governance activities?
A basic premise of “Governance” is to act with DUE CARE and DUE DILIGENCE on behalf of “The Client”.
Too often there is a lack of understanding as to WHO “The Client” really is and as a result the outcomes from the governance process may fall short of the requirement.
Therefore, it is imperative that the organization clearly identifies “The Client”. This process will include taking into account various aspects related to the social, legal, ethical and interrelationship characteristics between “The Client” and the organization.
Once the definition of “The Client” is clearly understood it is then incumbent upon the Governing Body to determine the role(s) (the WHAT) that must be exercised to achieve the expectations and satisfy the needs (rather than wants) of “The Client”.
Processes and Governance
As a process, governance may operate in an organization of any size: from a small entrepreneurial business venture to a large multi-faceted corporation; and it may function for any purpose, good or evil, for profit or not. A reasonable or rational purpose of governance might aim to assure (sometimes on behalf of others) that an organization produces a worthwhile pattern of good results while avoiding an undesirable pattern of bad circumstances.
The Governing Body
The “Governing Body” will usually consist of a Board of Directors composed of individuals from a variety of disciplines. In many circumstances this group may be construed as an “Executive Council” or in many situations as a “Steering Committee” dependent upon the scope and intention of the governance process.
Regardless of the title or the composition of this group it is intended that the members of the group are chosen or invited to participate because of a particular skill, knowledge area or competence. It is not unusual for these members to have minimal, if any, formal training or experience in the conduct of governance matters or the protocols and responsibilities that are expected from governance activities.
Many organizations which have active governance processes in place, and often are required by the nature of their organization to adhere to rigorous governance rules (either through an industry standard or regulatory and/or legal mandates), discover that there is a necessity to provide their valued members with training and awareness of the duties and responsibilities entrusted to them.
This is an area that can be readily addressed by a thoughtful and complementary training program designed to place emphasis on roles and responsibilities while optimizing the inherent skills of the governance body members.
Perhaps the moral and natural purpose of governance consists of assuring, on behalf of the entity being governed, a worthy pattern of good while avoiding an undesirable pattern of bad. The ideal purpose, obviously, would be to assure a perfect pattern of good with no bad. A governance body, however constituted, is composed of a set of inter-related positions and various actions that provide leadership and guidance processes and that use or exercise power, particularly coercive power.
A good governance outcome, following this line of thought, could consist of a set of inter-related positions exercising coercive power that assures, on behalf of those governed, a worthwhile pattern of good results while avoiding an undesirable pattern of bad circumstances, by making decisions that define expectations, grant power, and verify performance.
Governance is the first component of a three-part decision-taking style called Governance, Risk and Compliance (GRC). The Risk component is positioned so that all decisions of major import are based on an evaluation of risk and the capacity to minimize unacceptable risk by defining and implementing mitigating controls. The Compliance component is a determination that all of the decisions and activities sanctioned by the Board of Directors, and hence the management of the organization, are in conformance with the current acceptable standard of behavior and performance.
Politics provides a means by which the governance process operates. For example, people may choose expectations by way of political activity; they may grant power through political action, and they may judge performance through political behavior. A number of governance models will track to these focus areas to provide a solid monitoring and feedback capability.
Corporate governance
Corporate governance consists of the set of processes, customs, policies, laws and institutions affecting the way people direct, administer, or control, a corporation. Corporate governance also includes the relationships among the many players involved and the corporate goals and objectives.
The principal players include, “The Client” (however defined), the board of directors, and management. Other affected areas include employees, suppliers, customers, banks, donors and other lenders, regulators, the environment and the community at large.
Information technology governance
Information Technology Governance, IT Governance or ICT (Information & Communications Technology) Governance, is a subset discipline of Corporate Governance focused on information technology (IT) systems, their performance and risk management. The rising interest in IT governance is partly due to compliance initiatives related to financial reporting and privacy. For instance, Sarbanes-Oxley (SOX) in the USA and Basel II in Europe, among other similar GRC models, have been instituted to address deficiencies in these areas. The focus on IT Governance has emerged because of the acknowledgment that IT projects can easily get out of control and profoundly affect the performance of an organization.
In Canada, these issues are usually addressed by independent third parties using standards of measurement sanctioned by the Canadian Institute of Chartered Accountants (CICA), the Institute of Internal Auditors (IIA) or other financial governing bodies associated with the Committee of Sponsoring Organizations (COSO) who are involved in the development and measurement of standards of performance related to IT.
A characteristic theme of IT governance discussions is that the IT capability can no longer be a black box. The traditional involvement of board-level executives in IT issues was to defer all key decisions to the company’s IT professionals. IT governance implies a system in which all stakeholders, including the board, internal customers, and in particular departments such as finance, have the necessary input into the decision making process. This prevents IT from independently making and later being held solely responsible for poor decisions. It also prevents critical users from later finding that the system does not behave or perform as expected.
In view of a service organization’s mission and programs, the reality is that data about both the individuals and the entities served by these organizations is being processed and protected from privacy and confidentiality breaches. Therefore IT Governance would be seen as very much a component of Corporate Governance within the service organization’s mandate.
WHO will be the direct recipient of the Governance Body leadership and guidance?
The organizational structure of an entity will determine how the “Management” roles will be determined and how the reporting chain of command will unfold. This structure will also enable the free flow of information between the Governing Body and the Management who have the responsibility to direct the worker personnel in the proper conduct of the business.
Many organizations will be structured with lean management where there is more “hands on” involvement at each level of the division of responsibility. Other organizations will be highly structured with identification of separate business units or operational entities with various departmental roles that each may have a management function.
Roles and responsibilities will require careful understanding and clarification in order that management can direct the affairs of the organization without getting bogged down in the details. The ability to delegate and the avoidance of micro management will help to ensure that desired outcomes can be accomplished by competent staff and line functions.
HOW does this translate to the front line?
This is where the real productivity and success of the organization will be demonstrated.
The success of the organization in achieving the business and production goals and objectives will depend upon the energy, skill and commitment of the front line personnel. The ability to find and keep solid productive workers will be a huge asset that will require effective hiring practices and a clear understanding of what is needed for support and career involvement.
Too often new hires are brought on board without a clear definition of the intended role or a clear understanding of the basic skills required for achieving the expected level of performance. Many times this leads to severe morale problems and production misfires due to a lack of understanding or capability.
In many cases this is due to a lack of attention to job descriptions, user guides and similar documentation, along with a disregard for initial, as well as ongoing, training and awareness of the job role. In effect, many times the worker is destined (some would say “programmed”) to fail.
Management, with the cognizance of the Board of Directors, will want to address this area very carefully to ensure that the appropriate personnel are acquired and that the proper motivation is being achieved. Good management practices will foster the concept that there is a sense of involvement on the part of the workers and a shared responsibility for success.
Measuring governance
Once an organization adopts a governance model and integrates governance into the strategy, goals and objectives there is a need for monitoring and reporting to identify where the governance activities are in congruence with the operating principles of the organization. The choice of what to monitor and measure will require a serious review by the board of directors in harmony with the management team and the stakeholder groups.
There are a number of acceptable metrics available that directly relate to the governance outcomes. They can be expressed in terms of Key Goal Indicators (KGIs), Key Results Indicators (KRIs) impacted by Key Results Areas (KRAs), Performance Indicators (PIs) or, more specifically, Key Performance Indicators (KPIs). Libraries of samples exist for each of these metrics to assist the board and management in identifying the suitable choices UP FRONT, before activity takes place that requires monitoring and reporting.
History has shown that the unfortunate default tends to be to begin “doing” without solid metrics in place and catching up at a later time when details are less crisp and accurate.
Over the last decade, several efforts have been conducted in the research and international development community in order to assess and measure the quality of governance of countries all around the world. This becomes a direct reflection of organization governance by inference.
One of these efforts to create an internationally comparable measure of governance is the Worldwide Governance Indicators project, developed by members of the World Bank and the World Bank Institute. The project reports aggregate and individual indicators for more than 200 countries for six dimensions of governance: voice and accountability, political stability and lack of violence, government effectiveness, regulatory quality, rule of law, control of corruption.
SUMMARY:
This brief overview of the principles and concepts of good corporate governance is presented as an introduction to a very complex topic. Additional information and assistance are available in the format of a well-structured facilitation and workshop.
Anticipated better outcomes from such facilitation would leverage the various management elements of an organization towards the fulfillment of a holistic approach to strong management oversight guided by effective corporate governance.
About the Author
John Glover, CISSP, CISA, CMC, ITCP
John is a Certified Management Consultant (CMC) who helps national and international clients achieve better business-oriented technology and human resources outcomes through detailed analysis and recommendations.
His experience includes project management, strategic planning, business process improvement, network design and implementation, coaching, team leadership and information security. John’s background includes a working knowledge of many industries and proven leadership skills at executive, managerial and technical levels.
His primary focus areas include governance, risk and compliance (GRC) interventions, information security threat and risk assessment, information security and privacy policy formulation, payment card industry data security client support and various telecommunications technology initiatives.