Let's face it, civility is in short supply in the 21st century. Whether in politics, social media, on the highway, or in line at a fast-food restaurant, common courtesy and respect are scarce commodities. One place that civility seems to be alive and well is in the boardroom. However, one has to ask: Is there too much civility in a place where members should bring a healthy dose of skepticism?
Common wisdom is that inspirational leadership is synonymous with great success. Many of the world's most successful companies are associated with iconic leaders such as Bill Gates, Mark Zuckerberg, Steve Jobs, Jack Ma, and others.
However, the list of well-known organizations that suffered scandal in recent years because of management missteps is just as long, including Uber, Wells Fargo, Papa John's, and Tesla. Certainly, the #MeToo movement has shown that successful organizations can suffer rapid and significant reputational damage when the human failings of their leaders are exposed.
My examination of high-profile governance failures in recent years has convinced me that, far too often, ineffective board oversight is at the root of corporate scandals. Too many boards are reluctant to question management. Too often, boards are content to say, "We hired a great CEO. We're going to step back and let him or her do their job."
I often wonder if there may simply be too much civility in the boardroom. I am not suggesting the boardroom equivalent of a "food fight," but board members have an obligation to bring professional skepticism to their roles. They must be willing to ask probing questions, challenge management assumptions, rock the boat if necessary, and frankly, risk their future on the board.
One of the key topics in The IIA Audit Executive Center's 2018 North American Pulse of Internal Audit report is board engagement. In the report, chief audit executives are encouraged to strengthen their relationship with audit committee members to help this important stakeholder group understand that they are the true drivers and enablers of effective assurance over internal control.
While that is vital to the interests of internal audit, internal auditors must do more than just persuade boards and audit committees to support us. We must help boards renew their commitment to understanding and supporting basic risk management. It is amazing to me that some 21st-century corporations still don't get it.
I have often advised my readers to "audit at the speed of risk," but the reality is, no matter how agile and effective an internal audit function becomes, it cannot go it alone. Effective governance, by definition, will always demand enterprisewide effort.
Effective governance requires constant monitoring and the willingness to question whether management's actions will strain or otherwise impair the governance process. For example, companies often fail to anticipate the possibility of an ends-justify-the-means culture developing in response to pressure to meet earnings expectations or other metrics that drive business. I made this point in a recent interview with CNBC Asia's "Squawk Box," where I also noted that board independence is critical to governance success.
Board members must be willing to question management's actions and not be reluctant to speak out because of potential conflicts. This is why I and others have encouraged organizations to separate the joint role of CEO/chairman. From an internal audit perspective, having a CEO who also serves as board chairman effectively negates the dual reporting line that supports an objective and independent internal audit function. The role can have an equally detrimental effect on board independence.
There has been increasing focus on the composition of boards, especially regarding the need to have members who have IT experience, as cybersecurity is a leading risk area. This kind of self-examination is healthy and may lead to improved board performance. But no level of experience or diversity will ensure board effectiveness if the fundamental trait of professional skepticism is missing.
Asking the extra question, requesting additional information, and turning to internal audit to help provide assurance on what the board is hearing from management are all legitimate actions for a board that is independent and committed to maintaining healthy risk management and internal control.
Let me be clear about one thing: I'm not advocating for an adversarial or conflict-driven relationship between the board and senior management. The board–management relationship should never devolve into a food fight, but it also shouldn't always be a picnic, either.
As always, I look forward to your comments.