Wellington, December 27, 2018
“Governance Board steps in to address cultural and ethical issues negatively affecting performance… They are concerned over the organisation’s reputation and performance.” Did you see this recent headline? Me neither…
Unfortunately, we are bereft of good examples where a governance body has acted proactively and stepped up.
Are there any? Are openness, transparency and disclosure only about the ‘good times’ or just when under the regulatory spotlight?
While there is agreement that culture is a core ingredient to organisation success and a core governance responsibility, boards and management often appear to have limited understanding about how to gain appropriate assurance around culture.
Directors may believe their organisation’s culture is appropriate mainly because the Chief Executive Officer and Management told them so. They may know that there is a “Speak Up” programme in place – but not whether it’s ever known about, understood, used or effective.
Culture is recognised as a critical component of organisational governance.
It is often the root cause of significant issues that negatively impact performance and ultimately lead to significant reputational and financial damage.
It was 17 years ago that the demise of Enron ‘occurred.’
But the list of organisations that have suffered due to a lack of understanding of ethical and cultural issues continues today and continues to increase in number and negative impact.
Banks in Australia
The current Royal Commission in the Australian banking market comes to mind, as unethical practices have been routinely aired throughout the Commission’s work.
New Zealand has its own list of organisations (both public and private) that have been affected negatively as well.
Building industry construction failures are the most recent examples, and Pike River continues to be a national tragedy that could have been prevented.
What can organisations and boards do?
Assurance functions are the internal conscience.
Governance feedback teams within organisations are critical to having an informed governing body. An assurance framework (for example, the three lines of defence outlined below) must be put in place by organisations to effectively manage risk:
Risk Owners/Managers – As the first line of defence, operational managers own and manage controls and risks.
They also are responsible for actions to address process and control deficiencies.
Risk Control and Compliance – Management establishes various risk management, oversight and monitoring and compliance functions to help build and/or monitor the first line-of-defence controls.
Risk Assurance – Independent objective reviews provide assurance on the effectiveness of governance, risk management, and internal controls, including the manner in which the first and second lines of defence achieve risk management and control objectives.
All three lines should exist in some form at every organisation regardless of size or complexity. Risk management normally is strongest when there are three separate and clearly identified lines of defence.
The board’s focus on what assurance they are receiving in relation to these lines of defence should include the following:
What do risk owners/managers report about culture and ethics – is there ownership by this group? Are ethics owned by managers – how is this demonstrated?
What monitoring activities are conducted in relation to culture and ethics – are risks in the organisation managed in these areas?
Is internal audit providing assurance over culture and ethics? For example, are they requested to provide assurance on the effectiveness of “Speak Up” programmes, which can be a reflection of organisational culture and ethics? Are culture and ethics programmes independently reviewed for effectiveness?
Employee perceptions about ‘how things actually get done’ may override good systems and processes. Internal auditors as independent, objective consultants are well placed to undertake specific assessments on culture and ethics. They benefit from daily professional scepticism (a necessary tool for any auditor) to alert them to areas where attention is needed.
It is time for governance bodies to reacquaint themselves with the internal assurance mechanisms they have in place to assist them in discharging their accountabilities. Boards must step up.
Bernie McKendrey is Deputy Chair of the Institute of Internal Auditors New Zealand. The above article appeared in the December 2018 issue of the Newsletter of Transparency International New Zealand.