Time for governance boards to step up

Bernie McKendrey, Deputy Chair, The Institute of Internal Auditors New Zealand

Bernie McKendrey
Deputy Chair
The Institute of Internal Auditors New Zealand

“Governance Board steps in to address cultural and ethical issues negatively affecting performance… They are concerned over the organisation’s reputation and performance”.

Did you see this recent headline?  Me neither…

Unfortunately, we are bereft of good examples where a governance body has acted proactively and stepped up.  Are there any?  Are openness, transparency and disclosure only about the ‘good times’ or just when under the regulatory spotlight? 

While there is agreement that culture is a core ingredient to organisation success and a core governance responsibility, boards and management often appear to have limited understanding about how to gain appropriate assurance around culture. Directors may believe their organisation’s culture is appropriate mainly because the CEO and management told them so.  They may know that there is a “Speak Up” programme in place – but not whether it’s ever known about, understood, used or effective.

Culture is recognised as a critical component of organisational governance. It is often the root cause of significant issues that negatively impact performance and ultimately lead to significant reputational and financial damage. It was 17 years ago that the demise of Enron ‘occurred’. But the list of organisations that have suffered due to a lack of understanding of ethical and cultural issues continues today, and continues to increase in number and negative impact. 

The current Royal Commission in the Australian banking market comes to mind, as unethical practices have been routinely aired throughout the Commission’s work.  New Zealand has its own list of organisations (both public and private) that have been affected negatively as well. Building industry construction failures are the most recent examples, and Pike River continues to be a national tragedy that could have been prevented.

What can organisations and boards do?

Assurance functions are the internal conscience.  Governance feedback teams within organisations are critical to having an informed governing body.  An assurance framework (for example, the three lines of defence outlined below) must be put in place by organisations to effectively manage risk:

  • Risk Owners/Managers – As the first line of defense, operational managers own and manage controls and risks. They also are responsible for actions to address process and control deficiencies.
  • Risk Control and Compliance – Management establishes various risk management, oversight and monitoring and compliance functions to help build and/or monitor the first line-of-defense controls.
  • Risk Assurance – Independent objective reviews provide assurance on the effectiveness of governance, risk management, and internal controls, including the manner in which the first and second lines of defence achieve risk management and control objectives.

All three lines should exist in some form at every organisation regardless of size or complexity. Risk management normally is strongest when there are three separate and clearly identified lines of defence.

The board’s focus on what assurance they are receiving in relation to these lines of defence should include: 

  • What do risk owners/managers report about culture and ethics – is there ownership by this group? Are ethics owned by managers – how is this demonstrated?
  • What monitoring activities are conducted in relation to culture and ethics – are risks in the organisation managed in these areas?
  • Are internal audit providing assurance over culture and ethics? For example, are they requested to provide assurance on the effectiveness of “Speak Up” programmes, which can be a reflection of organisational culture and ethics?  Are culture and ethics programmes independently reviewed for effectiveness?

Employee perceptions about ‘how things actually get done’ may override good systems and processes.  Internal auditors as independent, objective consultants are well placed to undertake specific assessments on culture and ethics. They benefit from daily professional scepticism (a necessary tool for any auditor) to alert them to areas where attention is needed. 

It is time for governance bodies to reacquaint themselves with the internal assurance mechanisms they have in place to assist them in discharging their accountabilities. Boards must step up.

Transparency International New Zealand, PO Box 10123, The Terrace Wellington, 6143 New Zealand admin@transparency.org.nz. Copyright © Transparency International New Zealand 2009 - 2019.
Website design and marketing from effectiveemarketing.com