What Is the Best Framework for Governance?

A reader asked me for a source of guidance on best governance practices, which she wanted for her U.S. company. Before I discuss how I answered, it is worth considering the plethora of frameworks and guidance.

COSO Internal Control–Integrated Framework and Enterprise Risk Management–Integrated Framework

The first thought when it comes to frameworks and guidance for U.S. companies is The Committee of Sponsoring Organizations of the Treadway Committee, commonly called COSO.

This group of five auditing and accounting associations (American Institute of Certified Public Accountants, American Accounting Association, Financial Executives International, The IIA, and the Institute of Management Accountants) has published two frameworks.

The internal control framework, released in 1992 and updated in 1994, provided a common definition and understanding of internal control. It is famous for its “COSO cube,” which shows how activities related to internal control operate at different layers and relate not only to financial reporting, but also to operational effectiveness and legal/regulatory compliance. The framework was recognized by the U.S. Securities and Exchange Commission as suitable for adoption by a company in assessing its system of internal control over financial reporting.

Can the internal control framework be used as a guide for best governance practices? While it includes discussion of certain aspects of governance (e.g., the operation of the board and its committees), the focus is on internal controls. I wouldn’t use it as a guide to establishing or perfecting governance processes.

The enterprise risk management framework was published in 2004. COSO asserts that it is an extension of the internal control framework, but focused one step above controls — on risk management. I say “one step above” because the purpose of controls is to manage risks.

Can this be used as a guide for governance practices? I don’t think so. In fact, I find the internal control framework to be richer with respect to the activities of the board and its committees.

There are other issues with COSO, which I discuss separately.

OECD Governance Principles

The Organisation for Economic Co-operation and Development published its Principles of Corporate Governance in 1999, and they were revised in 2004. The OECD is a highly respected global organization, and these principles merit careful consideration. My opinion is that because the collective and different member countries had to agree, the resulting document is not as aggressive as it should be in defining best practices.

A better document is the 2009 publication, Corporate Governance Lessons From the Financial Crisis. I highly recommend this for any practitioner or student of corporate governance.

The Combined Code

In the United Kingdom, a series of committees (starting in 1992 with the report of the Cadbury Committee and continuing through the Hampel (1998) and Turnbull (1999) committees) has provided some excellent information and guidance on corporate governance. The result of their work is the Combined Code on Corporate Governance. It is principles-based, including guidelines for best practice.

The Combined Code is definitely a good source, but it is not as up to date as others.

Other Options

Many nations have their own internal control frameworks (such as the Criteria for Control in Canada) and/or governance frameworks (for example, the Malaysia Code on Corporate Governance). I recommend these for individuals in those countries.

The National Association of Corporate Directors has a campaign to improve corporate governance, with Key Agreed Principles and White Paper Series. This is my second choice for those looking for best practices in governance.

The NYSE and NASDAQ include a number of governance requirements (e.g., the role of independent directors) in their listing standards. For me, the requirements are weak and don’t seem to be enforced in practice (especially the ones concerning risk oversight), so I don’t find them useful.

ISACA and the IT Governance Institute have developed guidance for governance in IT — but I don’t favor defining how IT or finance should be governed without first establishing how governance should operate within the company. In any event, IT governance is arguably a management function and not really “governance” at all — but that’s another debate.

King Code III

This is my clear favorite. The new King Code is up-to-date (published in 2009) and has some radical guidance, particularly as it relates to the critical need for board oversight of risk management and the role of internal auditing. There is a good review of it in the February issue of Internal Auditor magazine.

But where is the generally accepted U.S. and international governance framework? It simply doesn’t exist. We now have a global risk management standard (ISO 31000), although COSO has not declared its support or the obsolescence of its own risk management framework.

I think it is time for one to be developed. It is time for interested parties to come together and work on a framework of best governance practices — for the United States, if not for the global economy. The interested parties should include representatives of at least:

  • Directors.
  • Investors.
  • Risk practitioners.
  • Auditors (external and internal).
  • Regulators.

What is your opinion? What do you think of the various frameworks and guidance?

Posted on Feb 15, 2010 by Norman Marks


    If King 3 is good enough, why could that not become the model (first draft) for an international code?

    While it isn't a framework per se, I think the Blue Ribbon Commission report from the NACD (National Association of Corporate Directors) titled Risk Governance: Balancing Risk and Reward makes some very, very good recommendations. It is, however, not a comprehensive governance framework and unfortunately must be purchased. I joined the NACD to get one.

    Another excellent commentary.

    My view: COSO - OK, but out of date and I do struggle somewhat with a segregation of control and governance frameworks. To my mind, we should have a truly combined governance framework.

    OECD - again, OK, but a little bit lightweight in many respects.

    Combined Code - the last revision, with its increased focus on risk management was a welcome development, but it does stop way short of providing the key elements of best practice.

    To my mind, the best source thus far is ISO 31000. Anyone following this to the required standard will have all of the key elements in place and pretty well defined. It perhaps doesn't go quite far enough in terms of the cultural aspects of corporate governance, but I think it is a pretty good standard overall.

    By the way, and a little off topic - I also enjoyed your commentary on GRC solutions and how to select the best one. As someone who has an interest in a business that provides bespoke solutions - I wholeheartedly agree with your views and would wish that prospective clients shared your view, rather than looking for an 'off the shelf, one size fits all' solution.

    Great insights on all sides, Norman - I have signed up for your newsletter - so look forward to more of the same!

    Great or (in Peters & Waterman’s language) ‘Excellent’ Chairmen/women & Chief Executive Officers who have led admired global concerns know how to get things done; and, they’ve got all of the necessary and sufficient wherewithal and the personal relationships, credibility and power to lead the timely & efficient creation and the effective deployment of an international GRC Framework.
    Those Chrm/CEOs have actual hands-on experience supporting the effective discussion and reporting inter-relationships between and among the Board of Directors, its subcommittees, and the CAEs, CFOs, COOs, etc. And, they know the policies, practices and procedures that 'do/did things right'.
    Further, the mindset of those select few is, frankly, above the fray that would ensue among any professionals with vested interests in the GRC Framework that would be created & deployed. They are uniquely well-qualified to forge consensus among an esteemed group of executive GRC (so to speak) "peers" with variant experiences & perspectives.

    So, I would encourage Richard Chambers, President of The IIA, to persuade a highly-esteemed and retired Chrm/CEO to “take the lead” here. Consider, for example, Jack Welch (GE) or Lou Gerstner (IBM).

    ISO 31000 is by far the best framework, but supplement it with additional materials such as the chapter by John Shortreed on how to implement it - see the book called Enterprise Risk Management: Today's Leading Research and Best Practices for Tomorrow's Executives. Supplement it as well with the new HB 158 Assurance for ISO 31000 - then you have everything that you need. Think about it. If you have a solid risk framework in place, this should address all governance risks as part of the framework, should it not?

    King III of course is quite solid, but I think the above provides more structure. The new version of the Combined Code is also solid. CoCo from Canada is also good. Malaysia I am not familiar with. Singapore apparently has something quite solid, but I have not reviewed it. The Australian precursor to ISO 31000 was also solid, but now ISO 31000 has all of its DNA.

    Stay away from COSO at this juncture. Does not get you anywhere and is being rejected by most of the folks that I talk to.