Reducing risks through management governance

Wednesday, 01 May 2013

Sam Butcher

    Sam Butcher believes management governance will be given much more attention in coming years as boards become more proactive in managing their risks.

    In recent years, much has been written about board governance – the governance arrangements for the board, shareholders and the CEO. Far less has been written about the governance arrangements for employees, referred to as "management governance". Management governance will be given much more attention in the years ahead.

    Directors are responsible for ensuring the organisation’s management governance framework is adequate and working properly. Yet many organisations have relatively weak management governance and this poses serious risks to the organisation and its directors. Directors would be well advised to satisfy themselves that the organisation’s management governance framework is sufficient and is working properly. This will reduce directors’ exposure and enhance the organisation’s risk profile. It should also improve performance.


    What is management governance?

    Governance is well described as "the framework of rules, relationships, systems and processes within and by which authority is exercised and controlled". This can be distilled into two core concepts: how authority is exercised and how it is controlled. Good governance requires clarity on both.

    At management level, clarity on how authority is exercised requires:

    • Long- and short-term objectives for the organisation and individuals, underpinned by an overall mission that is well understood and actively pursued. Objectives guide decision-making and are usually tied to at-risk remuneration; and
    • Delegations of authority that identify which roles or committees are authorised to make any material decision.

    Clarity on how authority is controlled requires:

    • Clear boundaries on decision-making, such as policies, procedures, standards and codes of conduct; and
    • Appropriate assurance mechanisms, such as internal controls, systems, reporting, audits and management sign-offs.


    The Usual Suspects

    There are four elements of a good management governance framework:

    • Relevant objectives supported by appropriate incentives.
    • Comprehensive delegated authorities.
    • Clear policies and procedures imposing boundaries on decision-making.
    • Appropriate internal controls and assurance mechanisms.

    Many large organisations do two of these four elements well; they have clear objectives and strong assurance mechanisms. The other two elements – delegated authorities and policies – tend to be weaker. Here, I will focus on these weaker elements that expose directors and organisations to more risk.

    In our experience, delegated authorities rarely cover the spectrum of decision-making (financial and non-financial) and are often out of date, poorly understood and not followed. As a result:

    • It is difficult for directors to gain assurance that the governance framework is adequate and working properly, increasing directors’ exposure if something goes wrong.
    • The organisation faces higher operational risks through employees either making decisions without authority or failing to take accountability for their actions.
    • Decision-making can be slow and inefficient, with employees awaiting direction from above and wasting time working out who has authority to make decisions.

    Most large organisations do have mandatory policies and procedures, including a code of conduct. These are often implemented in response to an event, such as a fraud or new external regulation. It is rare to see a proactive approach where the board actively determines the boundaries on conduct that are important, eliminates all others and makes the policies easy to understand. It is rarer to see links between policies and the decisions they regulate. Without a proactive approach, policies often evolve into a complex morass of information that is impossible to understand and follow in its entirety.


    Weak governance increases risk

    Delegated authorities are a cornerstone of accountability, and policies have never been more important in this increasingly complex and transparent world. All mandatory requirements should strike the right balance between control and freedom to act and should be well understood by all. They are weak if employees do not understand which roles have authority to make a decision and what the mandatory requirements are.

    Effective authorities and policies (including a code of conduct) are the first line of defence against risks of bad decisions. If they are weak, the organisation is forced to rely on the second line of defence: people "doing the right thing". This requires cultural and behavioural outcomes that are difficult to manage and inherently less reliable than a sound process.

    In addition to providing the first line of defence, effective delegated authorities and policies also improve the second line. They do this by promoting a culture of accountability, transparency and conformance.

    An effective framework makes it clear exactly who is authorised to make which decisions and what boundaries on decision-making apply.

    It must be simple yet comprehensive, embedded into everyday activities and have appropriate assurance mechanisms. In that environment, accountabilities are transparent, well understood and easily tested.

    It is likely that employees will take accountability for their decisions and operate within the boundaries. Knowledge that decisions are scrutinised, and that people are held to account for them, inevitably sharpens the mind of the decision-maker.


    Some Examples

    I have heard executives describe their organisation’s delegated authorities and policies as "an accident waiting to happen", "almost unworkable" and "like sailing the Titanic through icy waters. We’re just lucky we haven’t hit any icebergs yet!"

    There are many examples of directors suffering reputational damage due to bad decisions by management. A recent example is the News Corp phone-hacking scandal, where large payments were made to victims to settle potential criminal claims. It appears these payments were not brought to the attention of directors. A strong governance framework would require payments in connection with criminal claims to be approved by directors or reported to them immediately. If the News Corp directors had been informed of the payments, the phone-hacking activities would probably have been stopped much earlier and with far less damage to the reputation of the company and its directors.

    Cultural weaknesses are often identified as causal factors following a corporate scandal. While it is virtually impossible to stop criminal behaviour, an effective governance framework makes it harder for rogue activities to take root and promotes a culture of accountability, transparency and conformance.

    In addition to posing risks for directors, a weak governance framework also increases exposure to operational risk. I have observed the following examples:

    • A fast-moving consumer goods company had difficulty controlling the rebates and discounts offered to customers by sales representatives. The sales reps did not understand the limits on trade spend and frequently offered terms outside of the limits, which cost the company hundreds of thousands of dollars each year. Clarifying and communicating the limits was the first step in eliminating the losses, rather than accepting them as a cost of doing business.
    • A financial services company lost hundreds of thousands of dollars when a call centre worker offered a refund to a customer, without having authority to do so. The company then felt compelled to offer the refund to many other customers. The worker did not understand that he or she had no authority to offer the refund, or that the organisation would suffer the loss. The loss would have been avoided if the matter had been referred to the worker’s manager, as it should have been.
    • An organisation running large, complex projects had very few delegated authorities and it was not clear who was accountable for many decisions. One project lost millions of dollars. A review revealed that several avoidable mistakes had been made, but it was not clear who made them or was accountable for them. People assumed others were attending to things that were either not done or not done properly. These mistakes would probably have been avoided if the organisation had had an effective framework of decision-making and accountability.


    The board’s role in management governance

    It is the board’s responsibility to ensure each of the four elements of the management governance framework is adequate and working properly.

    The board sets the organisation’s mission and long-term objectives, the specific objectives and incentives for the CEO, and the overall remuneration framework. The board also decides what authority to retain and what to delegate to the CEO. Having done this, the board should require the CEO to cascade the objectives, incentives and authorities throughout management, and tell the board how that has been done. This forms the first two elements of the management governance framework.

    For the third element, directors are responsible for ensuring the boundaries on decision-making are appropriate, clearly documented as policies, communicated to employees and enforced. The most critical document is usually the code of conduct. The board should satisfy itself that the policies are adequate, well communicated and enforced.

    Board committees take a leading role with the fourth element by monitoring the effectiveness of internal controls and reviewing audits. Their primary purpose is to monitor particular activities of management, such as safety or financial reporting, and help the board gain assurance that the systems for managing risk are adequate and working properly.

    Leading boards reduce risk for directors and the organisation by ensuring the management governance framework is adequate and working properly. Sound governance reduces risk by decreasing the likelihood of bad decisions and providing a shield if a bad decision is made. Taking the lead on management governance should enable directors to demonstrate they took due care in their oversight of management. It is far better to do this proactively than to sit back and wait for something bad to happen.
