All too often and too easily, corporate governance is evaluated and measured simply by reviewing the structures and processes that an organization implements to achieve lofty ethical principles. However, assessing the effectiveness of governance requires more than reviewing how frequently a board meets, the number of committees an organization may maintain, the language in a code of ethics, or the aspirational pronouncements from the CEO’s office. Evaluating the effectiveness of governance is, at its core, a continuous process of reviewing and measuring behaviors. Such an assessment begins with understanding an organization’s business strategy and culture.
Ideally, organizations have a business strategy and an aligned business culture. The business culture is a set of risk practices and behaviors that are critical to the success of the business strategy. Accepted risk practices might be driven by the elements of the strategy itself — such as quick decisions, rapid growth, and speed to market — or they might be requested by shareholders concerned with capital preservation and adherence to risk appetite. Third parties, such as regulators interested in compliance, or accepted industry practices, such as fair dealing, also can shape accepted risk practices.
Good governance provides the oversight to ensure behaviors, however sourced, remain within accepted risk parameters. An effective governance program sets boundaries against conduct that might cause undue risk or ethical impairment to the business strategy, and it includes measurable tools to reward conduct within the accepted culture. Just as business strategies vary, so too do governance oversight models.
A good starting point when evaluating the scope and efficacy of a governance program is to review the organization’s enterprise risk management (ERM) framework. Ideally, the organization will have already identified significant inherent risks in a variety of disciplines, including market, strategy, reputation, operations, technology, law and compliance, and human resources. This risk analysis provides a solid indicator as to the scope, type, and level of governance oversight required.
The effectiveness of a governance program is best measured in terms of the level of adherence to accepted behaviors. In making this determination, some specific areas to review include: strategy and governance alignment; focused messaging; and measurement, accountability, and consequences.
Strategy and Governance Alignment A first step in examining the effectiveness of governance is to review the fundamental alignment of the organization’s business strategy and culture with the governance oversight model and framework. The type, level, nature (such as proactive or reactive), and scope of the overall governance program should be commensurate with the business strategy and culture. For example, organizations with hard-driving business strategies often require cultures that “push the envelope” on risk taking. What behaviors does the organization require and reward to accomplish its business strategy? High sales levels? Rapid revenue growth? Continuous product introduction? This type of aggressive strategy and culture can result in a substantial level of organizational risk. In such a case, the internal auditor would expect to see a high level of proactive governance oversight in terms of structures, regular reporting on the quality and effectiveness of internal controls, multiple communication channels and issue-escalation paths, scenario-based staff training, and a robust reporting structure to capture potentially adverse behaviors and risks.
Consider an example in financial services. Wells Fargo’s high-risk business strategy was based on rapid and substantial customer fee growth and tied staff compensation to numbers of accounts created. This strategy carried the obvious inherent risk of bogus account creation, which, indeed, occurred. Employees created an estimated 3.5 million false customer accounts. From the outset, this high-risk strategy should have demanded proactive attention to protect the organization and its customers. Ultimately, the lack of a targeted level of governance oversight had dramatic, negative consequences.
Focused Messaging Sound governance requires a clear articulation of the acceptable (and unacceptable) behaviors necessary for accomplishing the business strategy. Senior management is responsible for clearly articulating expected behaviors and verifying the governance structures that effectively carry this message throughout the organization.
For this reason, the content, level, and quality of the messaging should be reviewed. The messaging should speak to the inherent high-risk areas identified in the ERM framework and provide direction for issue identification, escalation, and resolution. The internal auditor should determine how the messaging is communicated throughout the organization. The auditor also should consider the size and scope of the organization as, especially in the case of large organizations, it is important that the message resonates across wide geographic boundaries, languages, and customs.
Measurement, Accountability, and Consequences While the determination of the business strategy and culture, the governance framework, and the articulated message of acceptable behaviors come from the top down, the determination of the effectiveness of the governance program is best seen in the measurement of behaviors. In other words, measuring effectiveness is a “bottom-up” exercise.
Behavior measurement is not as difficult as one might expect. Behaviors that result in adverse risk taking, lawsuits, fines and penalties, fraudulent or illegal actions, or a wide range of discriminatory or unethical practices generally are tracked and reported. Issues involved in job performance often are tracked in the organization’s performance evaluation system. The reviewer should determine whether the organization has compared the adverse events that are reported to the criteria of acceptable risk and ethical behaviors to improve the governance platform. Questions to consider include:
- Has the organization determined where gaps and vulnerabilities have occurred?
- Has the organization used the results to determine how proactive the governance system has been?
- Have potentially damaging issues been escalated for remediation?
- Have certain categories of adverse behavior decreased?
- Have new controls or training been implemented in significant areas of risk and conduct?
- Has the organization identified geographic areas in which the governance program operates better than others?
- Have the risk issues correlated to those delineated in the organization’s ERM framework?
In assessing the sustainability of a governance framework, internal audit should look for two ingredients: accountability and consequence. Were instances of adverse behavior subject to both personal accountability and appropriate consequence? Employees quickly know when adverse behavior goes unpunished or when responsibility for such behavior is not acknowledged. Adverse behavior for which there is no accountability results in lack of confidence in the integrity of the governance program, and, ultimately, it impairs program sustainability.
Internal audit also should evaluate the reward framework: Does the governance program reinforce appropriate behavior via a reward system? Organizations in which exemplary behaviors are rewarded are characterized by a governance framework that shows strength and sustainability.
Every business has its own culture and goals and, therefore, its own risk comfort levels. All businesses can benefit from a strong governance oversight program, with an assessment led by internal audit. An evaluation of governance effectiveness should address not only structure, but also the alignment among strategy, culture, and measurable behaviors.
Dawnella J. Johnson is a partner at Crowe Horwath LLP and the global leader of its internal audit practice in New York.
Gary E. Peterson is a managing director at Crowe Horwath in New York.