Norman Marks on Governance, Risk Management, and Internal Audit

Today, I am hosting a Guest Post by Elliot Schreiber, PhD. I have a few comments at the end.

___________________________________________________________________

Boards have responsibility for approving the strategy and risk appetite of the company.  This requires directors to have sufficient information to assure themselves that they can make the best decisions possible at the time the decision is needed.

Those who follow business literature know that there has been an increase in focus on culture, and how to create a “healthy” environment in which employees feel respected and are engaged in creating value for all stakeholders.  This is not a search for “feel good” environments.  Healthy cultures create greater financial success over the long-term.  Conversely, an unhealthy culture, one that is authoritarian, puts the organization at risk.  However, boards have not focused on organizational culture, seeing it as an operational, management responsibility. But before focusing on culture, boards need to work with the CEO to ensure that the right values are embedded in the organization.

What do we do, though, if the CEO is the problem, fostering values and culture that are unhealthy and create unnecessary risks.  This has been the case in more than 70% of the corporate crises in recent years. Wells Fargo, Volkswagen, and Boeing, to name but a few have all had crises caused by a CEO that created an environment in which employees were afraid to disappoint and incentivized to do the wrong things.  The damage to each of these companies has been considerable in terms of market value loss, increased cost of capital, loss of key talent, and greater regulatory scrutiny.

We should question why the boards of these companies did not see the problem in advance.  Some, like Margaret Heffernan believe it has to do with “wilful blindness” and that in every crisis there is someone who know but chooses not to believe it or share it.  And if the crisis is caused by the CEO, there would likely be little information provided to the board.  Yet, how could Wells Fargo open 3.5 million bogus accounts for customers without the board knowing?

While boards do not want to step into operational issues, they need to be able to understand opportunities versus risks, even those caused by the CEO.  However, consider how boards get information on critical issues.  They need to make choices, to call on the heads of environmental affairs, R&D, Compliance, Human Resources, Corporate Strategy, Public Relations, Legal, Investor Affairs, Information Technology, Government Affairs, Internal Audit, and Enterprise Risk Management. Would the information be discussed by the entire board or a committee?  And if a committee, which one?  In either case, directors would likely sit there hearing a debate from the different perspectives of each executive on what to do. And if the board wanted to know if the culture was conducive to averting a potential crisis, where would they go to find out?  Sounds like a joke and maybe a bit of hyperbole, but each of these people would have a different perspective on the issue that should be heard. Not only is this cumbersome for the board, but it also highlights the inefficiencies and risks of organizations that operate in silos.

Silos exist in almost all organizations.  They may have been established as centers of excellence to help the business make and execute decisions.  However, the people within these siloes rarely share information with one another and rarely collaborate.  In fact, they compete with one another for access to the CEO and board and for budgets and influence.  Lack of information flow is a recipe for unnecessary risk.

If silos made sense in an industrial age, they make little sense today.  Since the inception of the Internet, stakeholders have been able to access considerable information, not all of it factual, to determine if the company is meeting their expectations.  When a company fails to meet the expectations of stakeholders, one of its stakeholders might take action that will erode value, either immediately or over time.  Silos also reflect a mechanistic view of a corporation as a value chain rather than a system within a large ecosystem. The value chain envisioned an organization taking in raw materials and moving it through the organization until it can be marketed and sold, thereby creating profits.  Staff organizations were there as support.

In 1971, 85% of the market value of companies in the S&P 500 came from tangible assets.  Today, nearly 90% of market value comes from intangible assets, the primary one being reputation.

We cannot manage a complex system of external stakeholders with a purely mechanistic organization.  We must be able to understand the opportunities versus risks for each stakeholder, so that strategy and risk inform one another and the CEO and board get a comprehensive view of how their decisions will be received within the ecosystem in which they operate.  Silos waste resources, kill productivity and make it more difficult to meet objectives. This is a recipe for increased risk.

Instead of silos, consider if the organization did away with silos and created a cross-functional group of experts focused on strategy, culture, stakeholder value and risk.  This group would have as its remit assessing business opportunities and risks for each stakeholder and would have access to the board in the same way internal audit has access to the Audit Committee.  They would examine information and debate the opportunities versus risks and then would provide the board with a comprehensive view of how each stakeholder would likely respond to a given board action.  Decisions would be more strategic and less reactive or defensive. In addition, the group would provide “group cover” for a whistleblower who might see and want to call attention to a risk early on.  Given the politization of business, it is becoming more critical that companies adopt such cross-functional analysis.

In summary, boards are not currently getting the comprehensive information about complex strategy and risk decisions due to the way information flows or is bottled within the organization.  Instead of having functional silos competing based upon their own sense of value, the emphasis would be shifted to providing their expertise to others and then finding the best way to create and preserve value for the organization.

___________________________________________________________________

Norman’s Comments

1. As said many times on this blog, I am not a fan of the concept of risk appetite. I favor limits and policies, but the idea that there is an “amount of risk” escapes me.
2. I am not sure the board should be expected to know about Wells staff opening millions of bogus accounts. However, they should expect management to know – and for somebody, somewhere, to come forward and blow the whistle.
3. I am not sure about a stakeholder-focused approach. I prefer one that is focused on enterprise objectives. However, when there are activist shareholder groups this is probably wise.