The Imperative of Governance
The origin of the word ‘governance’ can be traced back to the ancient Greek word for ‘steersman’, someone who steers a ship. Back in the 5th century BC, Athenian triremes were the ultimate weapons of their day. Fast and manoeuvrable, these vessels were highly effective in the right hands. Each was under the control of a steersman, who was not only an experience sailor, but someone who was also skilled in marine warfare and who demonstrated leadership by example. Their role was to keep their vessel out of danger whilst at the same time exploiting opportunities whenever they arose.
Essentially this is still the role of governance today. Instead of sand banks and rocks, top management now need to steer a course, enshrined within a business strategy, which minimizes the organization’s exposure to significant risks and which deals with substantive issues in an effective and timely manner.
The enemy to be engaged are now the organization’s competitors, the generals to be satisfied are the organization’s stakeholders and the ultimate destination is the realization of the corporate Vision.
What does good governance look like?
In order to assess the well-being or otherwise of an organization’s governance, auditors must first understand what ‘good’ governance looks like.
The ISO definition of governance is the ‘way in which an organization is led, directed, controlled and held accountable’. This recognizes that governance lies at the heart of every organization, embracing what the organization stands for, its purpose and its beliefs. Given this criticality, it is essential that auditors are able to distinguish good governance from bad. So, what indicators are there that would suggest to us that an organization is promoting good governance?
Good governance is characterized by an organization;
that is willing to explain and be answerable for the consequences of the decisions they have made on behalf of their stakeholders
where stakeholders are able to follow and understand the organization’s decision-making processes.
which takes decisions that are consistent with relevant legislation or common law and are within the powers of the organization.
that attempts to serve the needs of all of its stakeholders whilst balancing competing interests in a timely, appropriate and responsive manner.
where all stakeholders feel that their interests have been considered by the organization in its decision-making processes.
which makes the best use of their available people, resources and time to ensure the best possible results for their stakeholders.
provides opportunities for those affected by or interested in key decisions to participate in making those decisions.
Unfortunately, not all organizations display these characteristics.
When good governance goes bad
Hardly a week seems to pass by without news of yet another serious governance failure. Food safety scares, health and safety failings, defective products, unethical conduct - organizations and brands we have trusted for years suddenly become the centre of attention for all the wrong reasons.
In response to this steady flow of major incidents and perceived abuses of authority, society is increasing demanding improvement in organizational behaviours and performance. Stakeholders today are far less tolerant of business leaders who put their own interests above those of the people their organizations were created to serve.
Where poor practice is observed, Governments, regulators, shareholders and the general public are more willing than ever to hold those who are ultimately responsible for directing an organization to account. Financial penalties, reputational damage and prison sentences await those convicted of breaching the rules or taking unnecessary risks.
The role of the internal auditor in ensuring good governance
The internal auditor is well placed to evaluate corporate governance on behalf of an organization’s stakeholders. We have a level of access to the business that few other individuals possess and it is incumbent on us to use this to ensure that the interests of those who cannot be physically present on site are protected.
In 2014 the Chartered Quality Institute (CQI) introduced its Competence Framework. This informs us that all quality professionals, be they quality directors, quality managers, quality engineers or indeed quality auditors, must have an understanding of governance, assurance and improvement. To help inform this understanding, the CQI Competence Framework associates two key questions with each of these topics.
The CQI Competence Framework
The two key questions relating to governance are ‘is management intent defined?’ and ‘is management intent fit for purpose?’ It is these questions that we as auditors need to seek answers to. And if during the course of our investigation we determine that organizational governance is failing, we must be courageous enough to take action. In the CQI model this requires the auditor to demonstrate leadership abilities.
Let’s consider the first of those two governance questions now.
Is management intent defined?
‘Is management intent defined?’ or in plainer language, ‘has the management of the organization articulated what it wants the organization to achieve?’ As auditors, irrespective of whether we are engaged in 1st, 2nd or 3rd party audits, we are ideally positioned to answer this question.
We can call for objective evidence in the form of policy statements, strategies, plans, objectives and personal targets which collectively provide a ‘golden thread’, channelling intent from the highest levels of the organization through to those working on the shop floor.
We should be questioning top management, ‘the person or group of people who direct and control an organization at the highest level’ to ensure they are understand their stakeholder’s expectations and are clear as to how these will be met.
We should also be holding similar conversations with a cross section of employees from across the organization in order to ensure that these messages have not only been communicated by senior management but they have been properly understood.
Given that many of an organization’s stakeholder groups will rarely, if ever, have direct access to the business it is important that they can rely on us as auditors to act as their advocates. We are morally and professionally bound to carry out our duties in a professional manner, indeed ISO 19011 reminds us of the need to truthfully and factually report what we see, and to be impartial and objective in terms of our conclusions. This isn’t always straightforward though.
Challenging top management on governance issues can be daunting, indeed in some cultures, this notion is completely alien. Nevertheless, we if we are to secure professional credibility, we must find a way to do so. This may mean enhancing our soft skills, our technical knowledge or both. We need to become more assertive, diplomatic, analytical and astute whilst at the same time expanding our understanding as to how those business’ we audit operate.
Is management intent fit for purpose?
That fact that an organization is ‘crystal clear’ as to what it is seeking to achieve is not sufficient in itself to ensure sound governance. There are organizations out there doing the wrong things extraordinarily well, either subconsciously, because they don’t understand what their stakeholders really want, or through deliberate disregard of those they purport to serve.
If they are fortunate, the impact of this misalignment will be solely commercial, a bottom line adversely affected as a result of supplying products and services which don’t meet the market’s needs. At worst, the business and those that operate it expose themselves to fatal reputational damage and legal sanction.
As auditors, we play a crucial role in ensuring that top management are focussed on achieving what the organization’s stakeholders would wish to see delivered. For organizations operating an Annex SL based management system there is a clear path for us to follow when it comes to making this determination however we should note that the same logical approach can be applied in instances where no external certification is held.
As part of ‘Context of the Organization’, Annex SL clause 4.2 requires organizations to understand ‘the needs and expectations of relevant interested parties’(stakeholders). As auditors, we would be seeking objective evidence that these needs and expectations had been initially determined, and that they were being actively monitored and reviewed. This is important as an organization’s stakeholders and their associated requirements are liable to change through time.
Clause 4, Context, feeds into Clause 5.2, Policy. At this point an auditor would expect to see a Policy Statement, appropriate to the purpose of the organization, which provides a framework for setting objectives and which commits the organization to satisfying applicable requirements, including ones drawn from the stakeholder community.
The next step on the trail is to ensure that the organization has considered applicable stakeholder requirements with respect to its planning to address risk and opportunities. It needs to consider what could happen to prevent these requirements being met as well as how it could enable them to be achieved more easily. Is the organization able to evidence it has done this?
Clause 6.2 requires the organization to consider applicable requirements when it sets its objectives and also at the time when it creates plans to achieve these. Subsequently, Clause 8 should see the translation of these plans into actions on the ground which deliver outputs consistent with what stakeholders are seeking. If this is indeed the case, then at the end of our audit trail we can be confident in answering ‘yes’ to the question ‘is management intent fit for purpose?’
At this point a word of caution is advisable. We have concluded that if the top management of an organization is satisfying its stakeholder’s requirements then management intent is fit for purpose. In practice, things aren’t quite so simple. Often the requirements of different stakeholder groups conflict; perhaps the Board want to reduce costs whilst the Employees want enhanced benefits, local residents want minimum environmental impact whilst top management want a 24/7 operation. From an audit perspective, we need to recognize this.
Ultimately however it is the organizations decision as to what the relevant interests of interested parties are, not ours. By all means challenge their decision if you believe their determination is wrong but don’t be tempted to issue a non-conformity unless their selection has resulted in a clear breach of the audit criteria.
Auditors wishing to undertake a more structured assessment of the health of corporate governance should consider alternative criteria.
BS 13500:2013 - Code of Practice for Delivering Effective Governance was developed in the wake of the 2007 financial crisis. It sought to clarify the fundamental requirements for delivering effective governance.
It was produced by the UK’s British Standards Institute in consultation with experts drawn from a wide range of different industries and is intended to be used by those concerned with the governance of organizations as a basic checklist to ensure that all the elements of a good governance system are in place. The Code is applicable to organizations of all types and sizes, from sole traders through to multinationals.
BS 13500:2013 focuses on the need of the organization’s governing body to manage the health of all of the organizations key relationships, in particular those with the customer, employees, suppliers, the local community and society as a whole. It contains three principal clauses; Establishing an effective governance system, principles that underpin an effective governance system and implementation guidance. In a series of annexes advice is also provided as to how to develop a governance policy, stakeholder profiles for different types of organizations as well as a governance self-assessment checklist.
When an organization can demonstrate that it is implementing all of the Code’s recommendations, it can be said to have a system for delivering effective governance. Whilst having such a system does not guarantee effective governance, it does at least encourage and support positive organizational values and behaviours.
Furthermore, organizations who have adopted the Standard can expect greater clarity of purpose, better decision making, improved relationships between top management and the organizations stakeholders and a decreased exposure to risk.
It is not just BSI however who are developing documentation in this area. Last year the International Organization for Standardization (ISO) announced the creation of a new Technical Committee, TC 309 to create ISO standards for all aspects of governance including direction, control and accountability.
Following its creation TC 309 assumed responsibility for two standards already published; ISO 19600 – Compliance management systems and ISO 37001 – Anti bribery management systems. Shortly it will commence work on the production of the first of its own standards. This is likely to offer high level principles and direction on how to establish an effective system of governance. Given BSI’s prior experience in this area, ISO have invited BSI to occupy the TC 309 secretariat.
TC 309’s first meeting was held in London, mid-November 2016 and the next meeting will take place in Shenzhen Shi, China on 12th November 2017. This will be the third meeting for the Technical Committee which has six working groups reporting into it; AG1 – Communications and Engagement, AHG1 – Strategic business plan, AHG2 – Governance of organizations, AHG3 – Whistleblowing, TG4 – Anti-bribery management systems, TG5 – Compliance management systems.
Although experts from these groups met for preliminary discussions at the last plenary, November will see the first official working group meetings. The agenda also includes provision for an anti-bribery workshop.
At present, there are 35 participating members attending TC 309 meetings including representatives from the national standards bodies of Japan, Indonesia, Malaysia and Singapore. There are also 21 observing members (O-members) to the Committee including representatives from Hong Kong, the Republic of Korea and Thailand.
Whilst work continues to progress, it should be recognized that the typical lead time for the development of a new ISO standard is 2 to 3 years. Consequently, we will need to wait just a little while longer for the publication of a much awaited, truly international standard, relating to effective organizational governance.
Governance fails when there is a disconnect between those directing the organization and those the organization exists to serve. This disconnect can occur at many levels.
Those directing the organization may fail to identify their stakeholders correctly.
They may identify them correctly but fail to consult them.
They may consult them, but not understand what they require.
They may understand what they require but chose to ignore.
All of the above can be accidental or deliberate. Irrespective, the outcome is the same. Top management are placing their organization in danger by heading for a destination that is not where the organization’s stakeholders wish to be.
As auditors, should we evidence the above, we are professionally and morally obliged to act to keep the ship safe.