Norman Marks on Governance, Risk Management, and Internal Audit

A few years ago, my friend Dr. Rainer Lenz started talking about the internal auditor as the “gardener of governance”. In an article in EDPACS, Rainer explained (with my emphasis):

Governance has been central to what internal auditing has been aspiring to do for a long time. Governance is by definition “The combination of processes and structures implemented by the board to inform, direct, manage and monitor the activities of the organization toward the achievement of its objectives” … and is the perfect choice for “heartland” of internal audit. Governance is an umbrella term, which we suggest should include the E and S of ESG. We view governance as the core territory of internal audit, helping to avoid overpromising and underdelivering. Governance as the suggested “heartland” of internal audit covers a broad arena, it is not too abstract and does not have too little content, either, just right sized, the recommended focus of internal audit.

I don’t agree 100% with this idea, as while the board has a very significant role to play in providing management oversight and advice, there’s far more to be concerned about in the daily operation of the business.

However, governance does have a very significant role and internal audit needs to be concerned about the effectiveness of the board and its various committees (i.e., not just the audit committee).

If you have an ineffective board, you may have:

• An uncontrolled CEO that takes the wrong risks, mistreats employees and customers, makes poor decisions, damages reputations, and leads the organization to failure.
• The wrong goals and strategies to achieve them.
• A disregard for laws and regulations, and the interests of the community.
• And so on…

With that in mind, it makes sense for CAEs to be familiar with the various governance codes, including understanding the very recent changes in the UK’s code.

But there is a serious problem facing most boards around the world that many of us have overlooked.

Is it getting the information it needs, when it needs it, in a way that it can consume and act on it?

This should be on the radar of risk and audit professionals, but it is rarely mentioned let alone addressed.

A recent article in Board Intelligence informs us: Directors say board packs are worsening. Here’s why and how to fix it.

These “board packs” are how board members receive the materials they rely on for their oversight and decisions.

The latest study tells us:

• …less than half (48%) of board papers add value in the eyes of their readers, with the rest considered as either having no impact (42%) or being an obstacle (10%).
• Overall, 63% of board members and governance professionals continue to score their board packs as “Weak” or “Poor”.
• The average board pack is now 226-pages-long.
• A quarter of board members and governance professionals (24%) think the time taken by management for board reporting is insufficient, with another 19% being unsure.

As the article concludes:

A poor board pack is almost always symptomatic of a lack of critical thinking amongst management more widely, a lack of clear focus and alignment around what matters most, and patchy communication between management and the layers below.

And what does this lead to? It makes boards slow to spot risks and opportunities within the business, slow to make decisions, and slow to execute changes in strategy and direction. And at times of such rapid change and transformation, that’s a risky place to be.

What are we doing about this?

Are we working with management and the board to ensure the board packs are effective? That means they must be:

• Timely
• Focused on the right topics
• Concise, leaving out trivia
• Complete and not omitting information the board should have but management doesn’t want them to see
• Easy to consume and act upon

The risk and internal audit leaders have a role to play here, an important one.

The CRO can ensure the risk resulting from poor information flow to the board is identified and assessed.

The CAE can help draft guidelines or standards for board packs. The CAE can also assess the board packs that are delivered and help management see and fix the problem.

Returning to Rainer’s theme, one of the important tasks of any gardener is removing the weeds by the roots so that they don’t return.

Unnecessary detail and delays are weeds that need to be taken out by the roots, allowing the important information to burst out into the sun.

What do you think?