One of the most predictable consequences of corporate financial failures is the inevitable finger-pointing that follows. There was plenty of finger-pointing following the Enron, WorldCom, and other failures of the early 2000s, and it was sure to happen again following the financial failures of the past two years. Lately, however, I have noticed that the accusations are literally "going global." As important as it is to understand the contributing factors, I believe it's time to move forward with the design and implementation of corrective measures in corporate governance and risk management that will effectively mitigate the risks of calamities of this magnitude in the future.
It seems to me that regulatory bodies and thought leaders are trying to outdo one another in assessing blame for the current global financial crisis. In its publication "Corporate Governance and the Financial Crisis" (PDF), the Organization for Economic Co-operation and Development (OECD) has suggested that perhaps one of the revelations of the financial crisis was the widespread failure of risk management. The report indicates that in many cases, risk wasn't managed on an enterprise basis, nor incorporated into corporate strategy. Risk managers were often kept separate from management and disregarded when implementing company strategy. Moreover, the OECD suggests that many boards were oblivious to the company's risks. Others have been less reflective in assessing blame for the corporate failures, and have merely cited greed, negligence, fraud, corruption, and so on.
During my recent global travels, I learned that the accusations are not merely aimed at the corporate sector. Instead, there was an unsettling consistency of accusations that ineffective corporate governance in the United States was largely to blame. As one noted South African corporate governance expert recently observed, "… it is worth remembering that the U.S. is the primary source of the current financial crisis. SOX — with all of its statutory requirements for rigorous internal controls — has not prevented the collapse of many of the leading names in U.S. banking and finance." Even the U.S.-based National Association of Corporate Directors has acknowledged that the current crisis "has eroded public and investor confidence in corporate governance."
We are almost a year into the worst of the current crisis. As tempting as it is to continue assessing blame, I am not sure there is much value to be gained. Instead, I believe it is time to identify and implement long-term solutions that will strengthen corporate governance and risk management. There are currently a number of regulatory and statutory proposals pending in the United States to advance that objective. I personally prefer principles-based solutions such as those developed over the past 20 years by The Committee of Sponsoring Organizations of the Treadway Commission (COSO). However, whether we subscribe to principles-based solutions, or implement a litany of new laws and rules, there are three key objectives that I believe need to be achieved if we are to strengthen corporate governance and risk management:
- Corporate boards must begin to effectively oversee their organizations' enterprisewide risk management (COSO has just issued some excellent guidance (PDF) on this topic).
- Management must design and implement effective enterprisewide risk management frameworks and engage the board at key steps such as setting the company's risk appetite.
- Internal auditing must develop the capability to assess the effectiveness of risk management and provide related assurance to management and the board.
I recognize that the issues related to this topic are far too complex to adequately address in a single blog post. I look forward to exploring these topics further in the coming weeks. I also welcome your feedback on my views.