Important Contribution to Corporate Governance by G30

Norman Marks, CRMA, CPA, is a vice president for SAP and has been a chief audit executive and chief risk officer at major global corporations for more than 20 years.

Okay, we have another report that talks about how corporate governance failed and led to major issues for financial institutions — with recommendations for fixing the system.

But this one makes some interesting and different points, which I believe merit careful review, attention, and discussion. I think this report should be read and considered by boards and those who advise them (including CEOs, CFOs, and general counsel), internal auditors, and risk managers.

Toward Effective Governance of Financial Institutions (PDF) (the link is to the press release; you can download the executive summary and full report from links at the end) focuses on governance of global financial institutions (FI). The report is from the Group of Thirty, composed of eminent global regulators and executives, and the work was led by Tapestry Networks in collaboration with Ernst & Young.

While the report focuses on FI, its lessons and recommendations apply to organizations of all forms. If you only want the highlights, here are my two main takeaways:

    1. Effective governance needs much more than structures that meet best practices, such as diversity in the boardroom, separation of chair and CEO roles, and risk committees. What matters is behavior: what really happens. For example, do the board members act as independent overseers of management? Do they ask penetrating, constructive questions?

    2. The quality of governance needs to be assessed periodically. However, this is difficult as those involved in governance at an organization (the board and executive management) are often blind to their weaknesses.

My major disappointment is that the use of internal audit to assist with assessing governance is not mentioned. In fact, the committee does not demonstrate much insight into the role of that group and its potential for closing the board’s “assurance black hole.”

Other important points made in the report include (the emphasis in bold and underlined is mine):

  • In the wake of the crisis, financial institution (FI) governance was too often revealed as a set of arrangements that approved risky strategies (which often produced unprecedented short-term profits and remuneration), was blind to the looming dangers on the balance sheet and in the global economy, and therefore failed to safeguard the FI, its customers and shareholders, and society at large. Management teams, boards of directors, regulators and supervisors, and shareholders all failed, in their respective roles, to prudently govern and oversee.
  • No one should presume that FI governance is now fixed. It is true that boards are working harder; supervisors are asking tough questions and preparing for more intensive oversight; management has become much more attuned to risk management and to supporting the oversight responsibilities of the board; and shareholders, to some degree, are taking a deeper look into their role in promoting effective governance. Nevertheless, as this report highlights, highly functional governance systems take significant time and sustained effort to establish and hone, and the G30’s input can help with that effort.
  • Good corporate governance requires checks and balances on the power and rights accorded to shareholders, stakeholders, and society overall. Without checks, we see the behaviors that lead to disaster. But governance is not a fixed set of guidelines and procedures; rather, it is an ongoing process by which the choices and decisions of FIs are scrutinized, management and oversight are strengthened and streamlined, appropriate cultures are established and reinforced, and FI leaders are supported and assessed.
  • Boards of directors failed to grasp the risks their institutions had taken on. They did not understand their vulnerability to major shocks, or they failed to act with appropriate prudence. Management, whose decisions and actions determine the organization’s risk status, clearly failed to understand and control risks. In many cases, spurred on by shareholders, both management and the board focused on performance to the detriment of prudence.
  • The financial sector needs better methods of assessing governance and of cultivating the behaviors and approaches that make governance systems work well. Board self-evaluation, especially when facilitated or led by an outside expert, can yield important insight, but it is sobering to consider that in 2007, most boards would likely have given themselves passing grades.
  • Governance experts often describe what good governance looks like, but give little thought to how to measure or achieve high-performance results.
  • Although the temptation to judge governance effectiveness by the extent of conformance to a set of perceived best practices can be overwhelming, it is also counterproductive. Most studies of governance agree that it is end behaviors, much more than frameworks and structures, that matter. “Boxticking” neither improves governance nor accurately assesses it. Any arrangement can fail, but failures are more often caused by undesirable behavior and values than by bad structures and forms.
  • Behavior appears to be key, and a focus on right behaviors means a shift from the “hardware” of governance (structures and processes) to the “software” (people, leadership skills, and values). This means asking questions such as: How does the board both engage and challenge management? How does it support management in overcoming key difficulties? Are interactions open and transparent? Does management help the board understand the real issues? What is the attitude of the CEO toward the board? Is the relationship between the CEO and the chair (where those roles are split) a constructive one? Are issues presented to the board in a way that is amenable to the application of business judgment? What underlying organizational culture and values drive behaviors — and how can a desired culture best be supported and reinforced?
  • The art of governance is in making different forms function well and adjusting the form to enhance function. It takes mature leadership, sound judgment, genuine teamwork, selfless values, and collaborative behaviors — all carefully shaped and nurtured over time.
  • Boards that permit their time and attention to be diverted disproportionately into compliance and advisory activities at the expense of strategy, risk, and talent issues are making a critical mistake. Above all else, boards must take every step possible to protect against potentially fatal risks.
  • Without an ability to properly understand, measure, manage, price, and mitigate risk, FIs are destined to underperform or fail. Effective risk governance requires a dedicated set of risk leaders in the boardroom and executive suite, as well as robust and appropriate risk frameworks, systems, and processes.
  • Governance cannot be effective without major continuing input from management in identifying the big issues and presenting them for discussion with the board.
  • [Management] must reinforce the values that drive good behavior through the organization and build a culture that respects risk while encouraging innovation.
  • In a great FI, positive values and culture are palpable from the board to the executive suite to the front line. Values and culture drive people to do the right thing even when no one is looking. Values and culture are a fundamental aspect of the governance system, which makes them legitimate and important dimensions of inquiry for supervisors. Values and culture are also important areas for consideration and inquiry by boards. While these soft features defy quantitative measurement, they cannot be ignored. Anyone spending time in an organization quickly develops a clear sense of what drives it: most new employees understand the values and culture of the institution within a year, and many figure it out within just a few months. They instinctively observe how values and culture influence day-to-day business decisions and personnel choices.
  • Board independence and challenge should bring a high quality and value-additive contribution to board deliberation and is not evidenced by the number of times a director says no to management.
  • Effectively balancing risk, return, and resilience takes judgment. If a risk is too complicated for a well-composed board to understand, it is too complicated to accept.
  • The best board in the world cannot counterbalance a weak internal control and risk management architecture.
  • Those accountable for key risk policies in FIs, on the board and within management, have to be sufficiently empowered to put the brakes on the firm’s risk taking, but they also play a critical role in enabling the firm to conduct well-managed, profitable risk-taking activities that support the firm’s long-term sustainable success.
  • Effective governance comes down to people and how they interact, whether in the boardroom, board committee meetings, management meetings, or meetings with supervisors and shareholders. FIs need to adopt good governance practices, and they can learn from the experiences of others, but what works best in one situation may not work at all in another. FIs can tailor governance arrangements, but if they have the wrong people, or if those people behave in dysfunctional ways, the arrangements do not matter.
  • A very good CEO is preferable to a “star” CEO.
  • The board must confirm the appointment of independent members of the executive team, including the chief risk officers (CROs) and head of internal audit, and should be consulted with respect to other very senior appointments. Boards should maintain a focus on talent development and succession planning, which are critical components of organizational stability.
  • It is misguided and dangerous to conflate the responsibilities of management with those of the board. The board’s primary responsibilities include: (a) reaching agreement on a strategy and risk appetite with management, (b) choosing a CEO capable of executing the strategy, (c) ensuring a high-quality leadership team is in place, (d) obtaining reasonable assurance of compliance with regulatory, legal, and ethical rules and guidelines and that appropriate and necessary risk control processes are in place, (e) ensuring all stakeholder interests are appropriately represented and considered, and (f) providing advice and support to management based on experience, expertise, and relationships.
  • [Ensure the CRO] is independent, has stature within the management structure and unfettered access to the board risk committee, and has the authority to find the appropriate balance between constraint and support of risk taking. The CRO must have the independence, skills, and stature to influence the firm’s risk-taking activities. The board should approve the appointment of the CRO, and the risk committee should annually review the CRO’s compensation.
  • Determine a risk appetite that is clearly articulated, properly linked to the firm’s strategy, embedded across the firm, and which enables risk taking. The FI’s risk appetite framework should frame the choices regarding risks in terms of the type of institution the board and management are trying to build and sustain, and it should clearly link risks and returns. To be fully effective, the risk appetite framework must be embedded deep within the firm and linked to key management processes, such as capital allocation decisions, new product and businesses approvals, and compensation arrangements.
  • The risk committee and full board play a critical role, with management, in ensuring that the risk culture is consistent with the firm’s risk profile aspirations. The tone set at the top of an FI is important, but non-executive directors also need to be attuned to the culture deep in the organization and how the messages at the top are communicated and interpreted by employees. They should seek out the views of supervisors and the external auditor. [Note the failure to reference internal audit!]
  • FI management must strike a balance between being thorough and concise in reporting to the board. They must avoid overwhelming directors with details, while still providing sufficient and unbiased risk information.
  • Boards should take a broad perspective when overseeing risk, including operational and reputational risks that are difficult to measure and mitigate. They should look for early warning signs of emerging risks arising from increasingly complex organizational structures and products or businesses with unexpected overperformance.
  • Strong controls require independent control professionals. In some instances, they need veto rights. They should not be seen as a police force, however, and they need to enable controlled risk taking as well as constrain it.
  • The most important thing management can do to foster good governance is to give the board a reasonable chance of understanding the company strategy, risk appetite, and major challenges the company faces. Management must effectively orient new directors and educate all directors on an ongoing basis to enable the board to ask critical questions of management.
  • Management must be open and transparent with the board and should promote those qualities throughout the organization. Only when management teams share their concerns openly, and in a timely fashion, can the board understand the issues and provide input or direction.
  • Honesty, integrity, proper motivations, independence of thought, respect for the ideas of others, openness/transparency, the courage to speak out and act, and trust are the bedrock values of effective governance.

  1. What do you think of the report?
  2. Have they hit the key points?
  3. How serious is the failure to reference the role of internal audit as assurance provider, for the profession, if not for the board?


Posted on Apr 16, 2012 by Norman Marks


  1.  I guess, strong control = audit function and

    Independent control professionals = auditors maybe?

  1. Norman:

    I agree 100% that this is a report worth reading.  With respect to your comment:

    "My major disappointment is that the use of internal audit to assist with assessing governance is not mentioned. In fact, the committee does not demonstrate much insight into the role of that group and its potential for closing the board’s “assurance black hole.”"

    I think the IIA and the profession as a whole must reflect carefully on why commission after commission (including the CICA Risk and Governance Committee in Canada) and high-powered and intelligent groups like THE GROUP OF THIRTY and the NACD in the U.S. have repeatedly dismissed IA as irrelevant in terms of playing a key role in the governance reforms going forward.

    The other element is that IA departments need to establish themselves as true risk assessment experts. This should start with IA departments doing all their assessments (unless their role is clearly labelled as compliance checking/police work) using an ISO 31000 or equivalent assessment methodology. Based on my experience, only a small % of IA work today is ISO 31000 compliant. In a perfect world IA would make it clear whether the risk mitigator being recommended will address risk likelihood, risk consequence, or both. IA functions also need to learn about "risk finance vehicles", "risk transfer/share vehicles" and other viable risk treatments.

    Being hurt/offended that major commissions see IA as irrelevant and largely impotent won't help. We need to fix why a large percentage of highly qualified and major commissions around the world have concluded this.
