IIA–U.K. and Ireland has submitted a first-class response.
These are some of the sections I found interesting, in the order they are contained in the response. I welcome your comments, including how these recommendations might apply around the globe.
- When considering the detail of the Code, it is possible to forget the overriding purpose and principles of governance. There is no universally accepted definition but the usual phrasing in the UK, based on the Cadbury report, talks about the "direction and control of the company" and cites core principles of good governance: accountability, probity and transparency; to which equity is often added. These are the overriding outcomes that we want to see from well governed organisations.
Include in the next version of the Combined Code a restatement of the fundamental purpose — to direct and control the company — and principles — accountability, probity and transparency — of corporate governance and a requirement that, above all else, directors should seek to achieve those outcomes.
- The Code includes requirements for several effectiveness reviews. These include:
The performance evaluation of the Board.
The group's system of internal controls.
The internal audit function.
The external audit process.
The audit committee.
The weakness of the present Code from the point of view of stakeholders is that Annual Reports are required only to confirm that an effectiveness review has been carried out. No information is given as to the results of these reviews. This means there is no transparency and limited accountability.
Include a requirement for the board to include in its directors' report a statement that the system of control is sound and that the audit committee, internal audit and external audit are effective. This is the board's judgment and will no doubt take into account the results of the reviews of effectiveness but it also takes into account other work they have done. Similarly, include a requirement for the Chairman to provide a judgment on the effectiveness of directors and of the board as a whole.
- In the UK and Ireland, we tend to see governance being about the matters that are currently discussed in the Code: selection, management and remuneration of directors, financial reporting and related control elements, and dialogue with shareholders.
However, from international sources it is clear that governance includes other subjects. It is not that we do not include those in our governance regime here but rather that some of the matters that have to be in place for good governance are — and have been for many years — recognised in legislation. This includes shareholders' rights and, more recently, disclosures related to directors' remuneration.
It is possible to read the Code as if it painted a picture of governance being only about conformance with rules of behaviour and not about driving performance. However, the original definition of governance spoke about direction and control and the current preamble is clear that the aim is good performance. However, the content of the Code does not help support that.
In addition to the principles related to accountability, include in the Code principles related to other responsibilities of the board: strategy, performance monitoring and risk management.
It is particularly noticeable, given recent events, that the management of risk is not mentioned in the Code as a core responsibility of the board.
The Institute would like to emphasise that there are three distinct aspects to the management of risk.
Firstly, we believe that risk management is an essential part of management. Everyone in an organisation has a role to play in identifying and responding to risks; and for managers, part of their responsibilities as managers is managing risks, including monitoring how well risk responses are working and reporting on that up the line in some way that enforces their accountability. This is the heart of risk management.
Secondly, there are specialist "risk management functions" who support the line managers with this work. They facilitate risk management activities in general by measuring, monitoring and reporting on the extent to which risk appetite and risk tolerances are met or exceeded and providing a challenge that is independent of those incurring the risk. They assist organisations to be consistent in its risk management activities. However, the activities all form part of the ongoing risk management process and should they cease to function, the organisation would not be able to manage its risks effectively day to day.
Thirdly, internal audit provides assurance activities that are part of the governance process but sit outside of the risk management process. These activities regularly conclude on the effectiveness of each element of the process and of the process overall. Internal audit may (and indeed should) use the outputs of risk management activity in forming its conclusions.
Assurance activity is effective only where it is independent of all elements of the risk management process. Should assurance activity cease, the organisation would be able to continue to manage its risks effectively day to day, but we would question the effectiveness of the organisation's governance.
Therefore, the Institute believes that well governed companies have a board that is responsible for risk management and also, as the next heading demonstrates, has access to independent and objective assurance, We believe that it is important to clarify that these are separate and distinct activities.
Risk management should be identified as a core responsibility of the board, as part of its general responsibilities to direct and control the organisation. Include a principle that the board is responsible for risk management and place it in a separate section from the Accountability and Audit section.
- Importance of independent and objective assurance — internal audit
In undertaking all of their responsibilities, directors are dependent upon receiving information. It is not just the information itself that is necessary but a way of understanding the relevance and reliability of that information. The availability of independent and objective assurance from professional internal auditors can assist directors in understanding these aspects and can help them in formulating their overall views on the effectiveness of the system of internal control.
The Code provides some recognition of the value of internal audit. It does require companies to refer to internal audit in their annual reports — either as part of the work of the audit committee when internal audit exists or as an explicit topic of explanation if it does not. Furthermore, the existence of professional standards and key aspects of the role and independence of internal audit are included in the Guidance for Audit Committees.
However, the Code does not yet include the need for internal audit as a principle of good governance, unlike the need for, say, audit committees and nominations committees.
Furthermore, the need for internal audit is somewhat buried, within the section on Accountability and Audit and subsidiary to the duties of the audit committee.
In contrast, the draft King III includes specific sections on internal audit. However, it would valuable to recognise the importance to the board of having a professional source of independent and objective assurance on all aspects of directing and controlling the company, not just one aspect.
Add a principle that the board should have access to independent and objective assurance from a professional internal audit activity. This principle should be included with the other responsibilities of the board discussed above, not just in the accountability and audit section.
The board's role in relation to risk management
The Institute believes that there is a varied standard of understanding amongst boards of their responsibilities related to risk management and that, frequently, only lip service is paid to this requirement.
The board is responsible for setting the tone for risk management. Part of setting the direction of the company is about deciding how much risk to accept — the risk appetite. Part of controlling the company is establishing an open culture with the right incentives and providing adequate resources so that managers can identify, respond to, monitor and report on risk. The board is responsible for forming a view of the company's management of risk.
The board can do this in a complex organisation only by receiving and reviewing reports from the organisation. To assess these, it needs to understand the business.
The Code obscures the importance of risk management to the strategic health and performance of the company because it fits it into a section on accountability and audit.
Include in the Code a new principle on risk management separate from the accountability and audit section. Consider including supplementary principles and provisions, which capture the board's role in relation to risk management.