​​Are Organizations Too Complex to Govern Effectively?

Comments Views

​When you look at many of the organizational disasters of recent years (such as the Deepwater Horizon explosion, fire, and oil spill that embroiled BP, Halliburton, and Transocean in billions of dollars in cost, even before reputational damage and business disruption), people ask where top management and the board were.

Is it reasonable to believe that the CEO of BP should have known about the risks and potential compliance problems on a single oil rig?

Is it reasonable to expect the board to be able to ensure that top management has the processes, people, and systems in place to manage risks at far-flung corners of the enterprise?

A discussion on a National Association of Corporate Directors (NAC​​​D) site on the topic of The Elements of Effective Board Governance between Robert Guido (retired EY vice chairman) and Mary Ann Cloyd (leader of PwC’s Center for Board Governance) starts with Mary Ann asking “Do you think that corporations today have become too complex to be governed effectively?”

I think this is an excellent and insightful question. It’s not only that corporations are increasingly global, with less reliance on revenue and operations in their home country, that these are turbulent times and business conditions and risks are changing all the time, but organizations are increasingly adopting so-called matrix reporting. In this set-up, a manager or senior executive may have multiple bosses; each could be demanding different priorities and execution, and no one person has total responsibility for key areas. For example, while one executive may be responsible for sales and marketing in Europe, different executives may be responsible for each of the various products and services he is charged with selling. I saw this extensively at my former employer, SAP. While it has some advantages, it can lead to individuals being given accountability for an area without the authority and power to obtain results. In the example I described, the executives responsible for each of the products do not have any authority over the executive running Europe. In addition, managers can be left focusing on the goals and objectives they were set at the beginning of the year even though conditions on the ground have changed. Why? Because their compensation is based on those numbers, not necessarily what some of their matrix managers are demanding as they try to adapt today’s environment.

If I continue to think about SAP, a corporation that has been immensely successful and continues to build innovative and disruptive products, its portfolio of software solutions must number in the thousands. Is that too complex for any management team to manage? Are they making the best decisions when it comes to which solutions to invest in, which to divest or close out, and when to move them to cloud/mobile/in-memory? I will let the SAP insiders make their own assessment.

How did Robert Guido reply to Mary Ann? He made some interesting and correct points.

“Large and complex organizations need strong leaders and an organizational structure that is properly aligned. Strong leaders set the proper tone, develop talent, set realistic expectations, and encourage communications and transparency. Therefore, with proper leadership, I don’t believe that organizations have become too big or complex to manage. I believe these organizations can be grouped into business segments to manage. This will assist in building strong leaders, with the proper lines of communication and a clear understanding of reporting relationships among operating and functional leaders.

“I have worked with large, complex companies with various organizational structures, i.e., centralized versus decentralized, and have seen most to be effective. I believe certain core functions, however, need to be linked (dotted or solid-line reporting) among the business segments and the corporate center. Strong leaders develop and implement the proper measurements to manage large, complex organizations.”

While there is some level of validity to Guido’s answer, it strikes me as naïve. Relying on strong leaders, even when there are (as he continues to say), strong core functions like Human Resources, is simply not enough.

Rupert Murdoch is a very strong leader. While his newspaper group has been very successful for a number of years, it still suffered a highly embarrassing disaster and his reply was that he relied on his managers. Was that acceptable?

BP’s former CEO appeared to be a strong leader, but that didn’t prevent the Gulf incident. His response was basically that it was unreasonable to expect the CEO to know about every potential problem and how it was addressed. He relied on the managers responsible for each area. Was that acceptable?

Now I am not saying that Guido is himself naïve. I don’t know him. All I know is that he was a senior partner with EY and never worked as a manager or executive within a corporation (unless you count EY, and I would suggest that a public accounting firm is not the same species). His assertion that you can hire strong people and then you are OK is naïve.

Strong management is simply not enough. You need the right corporate culture — and let’s not forget that a CEO who is too strong can destroy a corporate culture, or create a culture of greed and disregard for risk or compliance.

You need reliable information that provides insight into the entire organization and its critical points, teamwork among the executives, and strong risk management practices and processes.

I also believe you need an effective, independent and objective internal audit function that has the courage to speak up when things are not as they seem or should be — even when the CEO is the root of the problem.

Add an effective board that provides skeptical oversight of management and not only demands of internal audit a formal assessment of governance, risk, and related internal control processes but listens actively to what they have to say.

Are organizations too complex to govern and manage effectively? I think we are getting close, but actions such as I have described limit the risk.

I welcome your comments!

​The opinions expressed by Internal Auditor's bloggers may differ from policies and official statements of The Institute of Internal Auditors and its committees and from opinions endorsed by the bloggers' employers or the editors of Internal Auditor. The magazine is pleased to provide you an opportunity to share your thoughts about these blog posts. Some comments may be reprinted elsewhere, online or offline.



Comment on this article

comments powered by Disqus
  • CIA-June-2021-Blog-1
  • CIA-LS-June-2021-Blog-2
  • Agents-of-Change-June-2021-Blog-3





Can Internal Auditors Assess Both Risk Management and Governance Processes?https://iaonline.theiia.org/can-internal-auditors-assess-both-risk-management-and-governance-processesCan Internal Auditors Assess Both Risk Management and Governance Processes?
Should the Chief Audit Executive Report to the Audit Committee or the Full Board?https://iaonline.theiia.org/should-the-chief-audit-executive-report-to-the-audit-committee-or-the-full-board-(2)Should the Chief Audit Executive Report to the Audit Committee or the Full Board?
A Risk Assessment Tool for Auditors and Risk Officershttps://iaonline.theiia.org/blogs/marks/archive/Pages/A-Risk-Assessment-Tool-for-Auditors-and-Risk-Officers.aspxA Risk Assessment Tool for Auditors and Risk Officers
Audit Committee Priorities Remain Risk, Compliance, and Technologyhttps://iaonline.theiia.org/blogs/marks/archive/Pages/Audit-Committee-Priorities-Remain-Risk,-Compliance,-and-Technology.aspxAudit Committee Priorities Remain Risk, Compliance, and Technology