I have been blogging about GRC (in my personal blog), and it has been interesting to see how many views there are on what governance, risk management, and compliance (GRC) is all about. If you are on LinkedIn, you can see 65 comments on the topic (referencing my blog above) in the "Governance, Risk, and Compliance Management" discussion group.
Not only have there been many different views on what GRC is, but there are different views on what the "G" stands for.
The IIA developed a position paper, based on work by the IIA-UK, titled Organizational Governance: Guidance for Internal Auditors. In it, they said: “There is no single, comprehensive, universally accepted definition of organizational governance.” How can auditors assess governance processes and practices, with related controls, when the term governance is not defined?
If we look at some authoritative sources, we can work this out.
· The Organisation for Economic Co-operation and Development (OECD) says Governance involves:
“A set of relationships between a company's management, its board, its shareholders, and other stakeholders. Corporate governance also provides the structure through which the objectives of the company are set, and the means of attaining those objectives and monitoring performance are determined.”
· The Cadbury Committee (the governance source for UK-listed companies) has a simpler definition:
“The system by which companies are directed and controlled. Boards of directors are responsible for the governance of their companies.”
“The shareholders' role in governance is to appoint the directors and the auditors and to satisfy themselves that an appropriate governance structure is in place. The responsibilities of the board include setting the company's strategic aims, providing the leadership to put them into effect, supervising the management of the business, and reporting to the shareholders on their stewardship.”
· The Corporate Governance Committee of Japan has this:
“Corporate governance is a scheme for ensuring that the executive managers, who have been placed in charge of the company, fulfill their duties.”
· Forrester Research, an analyst firm, defines governance as:
“The culture, policies, processes, laws, and institutions that define the structure by which companies are directed and managed. Corporate governance includes the relationships among stakeholders and the goals for which the corporation is governed.”
· I like the one from the Australian Stock Exchange (ASX):
“The system by which companies are directed and managed. It influences how the objectives of the company are set and achieved, how risk is monitored and assessed, and how performance is optimized.”
· The IIA’s definition:
“The combination of processes and structures implemented by the board in order to inform, direct, manage, and monitor the activities of the organization toward the achievement of its objectives.”
· The Open Compliance and Ethics Group (OCEG) says:
“Governance is the culture, values, mission, structure, and layers of policies, processes, and measures by which organizations are directed and controlled. Governance, in this context, includes but is not limited to the activities of the Board, for governance bodies at various levels of the organization also play a critical role. The tone that is set, followed, and communicated at the top is critical to success.”
What do we make of all these?
1. Some limit governance to the activities of the board:
· Cadbury Committee
· IIA
2. Others include management as well as the board, by talking about directing (board) and managing or controlling (management):
· Forrester Research
· Australian Stock Exchange
3. That leaves OECD, which I find ambiguous and therefore not very useful.
4. All pretty much talk about:
· Setting the objectives (strategy) of the company
· Appointing leadership
· Ensuring appropriate tone at the top (culture and values)
· Managing risks (implicit if not stated)
· Monitoring and optimizing performance
Each of us can determine whether we define governance as including only board processes or also those of management. My view is that an audit of governance processes would include only board activities - and I would use the Cadbury definition (the IIA one is OK). But, if I am thinking of the GRC model, it has to include how management ensures the directives of the board are achieved - and I would use the ASX version.
In a later blog here, I will talk about what I believe is included in governance. In my personal blog, I will talk about the technology that enables those activities. But first, let’s get your comments.