Thinking about corporate governance
When we think about corporate governance, most of us think about a large and quite often unwieldy set of organisational structures and processes which keep the organisation aligned and on course towards its explicit objectives. And that is what governance has been portrayed as … An immovable aspect of an organisation, set in concrete, and difficult if not impossible to change.
“[…] the system of structures, rights, duties, and obligations by which corporations are directed and controlled. The governance structure specifies the distribution of rights and responsibilities among different participants in the corporation (such as the board of directors, managers, shareholders, creditors, auditors, regulators, and other stakeholders) and specifies the rules and procedures for making decisions in corporate affairs. Governance provides the structure through which corporations set and pursue their objectives, while reflecting the context of the social, regulatory and market environment. Governance is a mechanism for monitoring the actions, policies and decisions of corporations. Governance involves the alignment of interests among the stakeholders.” (emphasis added by me)
Failing to understand the needs of corporate governance structures
While governance is indeed one of the more stable aspects of current-day business performance, with codes having been published throughout most of the world dictating what at a minimum a good governance structure should look like, I have a feeling a lot of people fail to understand that good governance in an organisation is nothing more nor less than an essential scaffolding for goal-oriented performance of that organisation, within a set of normative boundaries.
We can dive deep into governance, and I want to and will later on this year, when I’m preparing my course material for the classes I will be teaching on that subject matter at the Antwerp Management School, but now I want to make a very specific point on most of those codes and frameworks that have been established … because I believe internal audit’s current interpretation of its role with respect to these frameworks fails to address a key aspect.
Corporate governance is a blueprint … only a blueprint
I’ve referred to governance as a scaffolding, but let’s consider it more like a blueprint of a vessel that will take the organisation towards its goals. A blueprint, or even a set of DNA-coded rules that will provide an organisation, if properly applied, with a stable structural basis to develop from.
There is, however, a problem … we often fail to consider our evolving needs when we build our first house. DNA instructions only kick in under specific circumstances, and not under others. The same goes for organisations. The structures considered relevant at a certain point of maturity of the organisation are often no longer that relevant once an organisation evolves and matures. Just like a small dinghy will do well to sail on a calm lake, it cannot withstand an ocean in gale-force winds. The context has changed, and so the governance needs to change. And herein lies the problem, a problem internal audit is excellently positioned to address if it lets go of its traditional approach to its roles and responsibilities and embraces its strategic role in the organisation.
Resistance to change
Governance structures are often inherently resistant to change. They are built that way. By definition, they are there to avoid the organisation becoming severely dented from multiple impacts of risk events. They have been developed to endure and thus they endure … beyond their relevance. They are, so to speak, the plastic containers of the soft drink. Long after the soft drink is gone, long after we are gone, the plastic container endures. Much like that container, we often find relics of original governance structures deeply embedded in organisations, sometimes even at the core, where their irrelevance to the new reality in which the organisation plays actually impedes that organisation from developing at the required pace to keep up with the competition.
A core task of the internal auditor
The interesting thing is that it is one of internal audit’s core tasks to provide the organisation and its board with timely indications on the continued relevance of its governance processes. It is right there in the definition of internal auditing:
“Internal auditing is an independent, objective assurance and consulting activity designed to add value and improve an organization’s operations. It helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes.” (emphasis added by me)
A quick trip down memory lane
How did we get there? Internal audit started out as the guardian of the internal control systems. If the internal controls were well, all was well. Well, not so much, it turned out. The 1980s clearly showed that that line of thinking was an error. Even with no failures in internal controls, those controls may well have been built in the wrong places given the evolving risk profile of an organisation. Internal controls were clearly not the ultimate solution to organisational issues.
The scope of internal audit activities was extended to cover risk management systems as well. We were no longer just looking at internal controls, but also at the circumstances that required us to build those internal controls in the first place, the risks impacting an organisation on its way from its current position to its intended objectives. Sadly, that still did not prove to be adequate to avoid major problems. Enron and WorldCom showed that even with some measure of risk management systems present in an organisation and internal audit actively monitoring those systems, a structural lack of governance – window dressing, as it were – can lead to significant issues which could not be mitigated by an active second and third line of defense.
Enron and WorldCom were addressed in the US by the passing of the Sarbanes-Oxley Act. Much has been written about that, and we are not going to revisit those discussions. I believe that while intended well, Sarbanes-Oxley may have gone about solving this issue in the wrong way. Internal audit should have gone on to play an even more explicit and important role in signaling governance issues. What happened was the contrary. Internal auditors became process mapping experts and started to tick the boxes on the adequacy of internal control structures. So instead of a step forward, internal audit took a step backward.
Exiting the dark ages of internal auditing
We’re slowly leaving those dark ages (okay, years) of internal auditing. The banking crisis of 2008 emphasized the need for an independent oversight of existing governance structures. Essentially, the questions to be answered are the questions that are invoked in the definition of internal auditing:
- Do these governance structures exist?
- Are the governance structures being used and respected as they should be?
- Are the governance structures still relevant?
However, it is no longer just the governance structures that need to be reviewed and where needed renewed. We will have to train an entirely new generation of internal auditors as well. Internal auditors with the capabilities to not gravitate towards ticking the boxes but with a capability to review and provide assurance and advice on the adequacy of governance structures.
This will prove to be a key challenge, a challenge we will go about addressing in our master classes at the Antwerp Management School. In 2014-2015, they will still be given in Dutch; as of 2015-2016 we’re planning to establish a master class on internal auditing in English as well. I will be developing some of these ideas on these pages. I hope you will take the time to share your ideas as well on the platforms I will be posting these ideas on.