
Nutshell: Holding the balance – why good governance matters

Written by Future Talent Learning | Aug 4, 2022 1:34:14 PM

Good governance is not an optional nice-to-have or a box-ticking exercise but a set of principles and actions that help us keep our purpose and goals on track.

When the metaphysical poet John Donne wrote “No man is an island entire of itself”, he reminded us that none of us exists – let alone thrives – in isolation. Rather, we do best when we feel a sense of belonging to the whole human race, with all that implies – for good and ill.

 

The same is true for organisations.

 

Fast forward a few hundred years and we encounter Sir Adrian Cadbury (yes, the chocolate Cadburys). Late in his career, Sir Adrian made an important contribution to thinking about the role organisations should play in society more generally – and how they can be led and managed with that in mind.

 

In his influential 1992 Report and Code of Best Practice – known ever since as the Cadbury Report – he neatly encapsulated what we mean by the term “corporate governance”. For Cadbury, governance is all about “holding the balance between economic and social goals and between individual and communal goals…The aim is to align as nearly as possible the interests of individuals, corporations and society”.

 

Since then, governance has become a watchword for the laws, frameworks and systems that govern how organisations are controlled and operate and how they – and their people – are held to account by their stakeholders, whether that’s the shareholders of a big multinational company or a small outfit’s customers and staff.

 

The idea of governance is often closely associated with ethics, and with risk management and compliance - hence the acronym GRC, meaning governance, risk and compliance.

 

And while Sir Adrian’s committee was set up in the wake of a string of large-scale financial scandals at big businesses – from Asil Nadir’s Polly Peck consortium to Robert Maxwell’s appropriation of his staff’s pension funds – the core principles of what has become the UK’s Corporate Governance Code have filtered down to even the smallest of organisations, including in the public and not-for-profit sectors.

 

As leaders, we need to understand what we mean by governance, and how we can carry out our activities legally and responsibly – with an eye to those wider obligations. Nor is this just a nice-to-have, or a chore we’d rather not have to contemplate: getting governance right can help drive success; getting it wrong can prove incredibly costly, in everything from fines to reputational damage.

 

So how can we enjoy all the plus points while avoiding all the pitfalls?

 

Understanding governance, risk and compliance

First, some definitions:

 

Governance is the system of rules, practices and standards that guide an organisation towards its goals.

 

For example, a charity will have rules about the composition and conduct of its board of trustees to reinforce its purpose; a code of conduct will set behavioural expectations for everyone associated with an organisation.

 

Risk refers to the processes we put in place to identify, anticipate, monitor and mitigate events (risks) that threaten to blow us off course.

 

For example, maintaining a risk register to keep an eye on likely risks and their probability.

 

Compliance is about making sure we comply with the law, regulation, policies and procedures that set the bounds within which we can act.

 

For example, making sure that we provide a safe working environment for staff, that we deal with customers fairly and that we protect the data we hold about people.

 

They work together to support positive progress, help us to use resources wisely and take into account the needs of our stakeholders. What are known as the four Ps of governance remind us that GRC shouldn’t be an add-on or a box-ticking exercise, but an integral part of how we operate. Governance is about:

 

People: decision-makers and those on the receiving end alike.

Purpose: why the organisation exists.

Process: how that purpose will be achieved.

Performance: the results achieved.

 

It also means setting expectations around not just what we do, but also how we do it – and modelling that behaviour ourselves.

 

The UK’s Seven Principles of Public Life (also known as the Nolan Principles) were specifically developed for people who work in the public sector, but they also offer a useful guide to the standards of behaviour good governance requires in any context:

 

Selflessness: acting in the interests of others rather than ourselves.

Integrity: avoiding conflicts of interest and undue influence.

Objectivity: acting and taking decisions impartially, fairly and on merit, using “the best evidence and without discrimination or bias”.

Accountability: to our stakeholders for our decisions and actions, submitting ourselves to the “scrutiny necessary to achieve this”.

Openness: acting in an open and transparent manner, sharing information wherever possible.

Honesty: being truthful.

Leadership: modelling these principles, treating others with respect and challenging “poor behaviour wherever it occurs”.

 

GRC in action: an example

Let’s consider the governance arrangements we might need to have in place to make sure we’re managing our finances appropriately. GRC frameworks around financial governance are designed to mitigate a range of potential issues, from simple negligence (not keeping the right financial records or failing to pay tax on time) to serious criminal intent (fraud, tax evasion or money laundering, for example).

 

Depending on the size and type of our organisation, some of this might be mandated, for example by legislation around bribery or how shares in big companies are traded. But all organisations will face a mix of internal compliance requirements (those set out in our organisation’s policies and procedures) and requirements laid down by external stakeholders.

 

Internal stakeholders may include:

 

Leaders, who need to know the levels of profit and cash flow to manage the business and plan for the future.

Shareholders, who want to keep an eye on their investment with regular financial and strategic updates.

Employees, who rely on payroll and pension systems.

Internal compliance requirements may include:

  • How sales need to be recorded

  • How often reports must be generated

  • Systems that track income and expenditure, payments and banking activity

  • How to deal with debt and debtors

  • The preparation of quarterly reviews for shareholders

 

External stakeholders may include:

 

Customers: buying and using our products and services.

Banks and other lenders: providing us with business loans.

Regulators: in the UK, for example, that might mean The Charity Commission, regulators of registered charities and their accounts, or Companies House, where registered company accounts and reports are held as public records.

National and local government agencies: responsible for applying finance-related legislation and regulations, including, in the UK, HM Revenue and Customs (HMRC), responsible for VAT, tax and National Insurance, plus money-laundering regulations; the Financial Conduct Authority (FCA), which regulates the financial services industry; and the Pensions Regulator, which regulates workplace pension schemes.

 

External compliance requirements may include:


  • Paying the right tax.

  • Keeping good financial records such as independently audited accounts (where relevant).

  • Making the required contributions to workplace pensions.

  • Paying the correct level of minimum wage.

  • Using, storing and disposing of financial information correctly.

 

Organisations will also want to keep an eye on the financial risks they face. Risk registers generally include a range of potential financial risks, whether that’s the impact of an economic downturn, fluctuations in currency exchange rates or the implications of non-compliance in a key area, like tax or employment law.

 

A framework of rules and practices

The framework we use to support financial governance will depend on the size and type of our organisation.

 

For example, a small company may rely on a single bookkeeper to count the takings, deal with supplier payments, account for VAT, run the payroll, send in tax and national insurance payments, pay into staff pensions, keep and balance banking records and so on.

 

Similar activities take place in all organisations, but often on a larger scale. For example, there are often whole departments to deal with accounts and payroll, supported by external partners and consultants as necessary.

 

Some large organisations outsource their entire administrative, payroll and financial record-keeping to specialist companies who provide a full range of administration support services geared up for compliance. However, it is still our organisation’s responsibility to provide them with the correct information.

 

The specific practices we must adhere to are typically laid down in a range of policies and procedures (the framework), which staff must follow to ensure compliance. It’s important that these are not the sole preserve of any dedicated finance staff. They should be integrated across an organisation to prevent silos and to embed expectations around processes and behaviour more widely.

 

As leaders, we need to ensure that these procedures are not only in place, but up to date and robust enough to identify and deal with any non-compliance. That means keeping up to date with the legislation and regulations that apply to our industry, our environment, the type of organisation we are and changing circumstances.

 

We also need to make our team members aware of their legal obligations, and ensure they are following all of the necessary policies and procedures and keeping their own knowledge up to date. For example, we need to be clear about who can authorise expenditure or sign off on invoices, and about the financial information we need to contribute to regular financial reports.

 

Independent oversight: audit

A key element of governance in any context is being open to independent scrutiny. It’s the governance principle that underpins the role non-executive directors play on big company boards, bringing an external perspective, challenging groupthink and holding executive directors to account. Similarly, internal audit is an independent and objective process of taking stock of an organisation’s internal processes and controls, governance and risk management.

 

It’s a concept that has a more literal meaning in the context of financial governance. Many organisations must have their annual financial reports and statements checked (audited) by external auditors, specialist accountants whose task is to provide stakeholders with the assurance that financial statements are accurate and comply with relevant regulatory requirements.

 

External auditors will not just look at the final reports, but may also look at things such as:

Sales ledgers – to check the level of income received;

Cash books – to see that the income has been banked correctly;

Debtors – to assess the amount of money owed to the company;

Stock – to check that the records are accurate and to value remaining stock as an asset;

Purchase ledgers – to check that costs put through the business are correct, legal and compliant;

Bank reconciliations – to see that payments in and out are all balanced or accounted for;

Creditors – to see how much the company owes;

Payroll records – to make sure that tax, national insurance and pension contributions have been dealt with and paid correctly;

VAT returns – to ensure that the correct amounts have been declared and paid.

 

During the process, the auditor will also check that other regulations are complied with, including in areas such as money laundering and data protection.

 

The aim is to make sure that everything stacks up – and that the organisation concerned has in place the systems and processes to be able to give its stakeholders a true and fair picture of the state of the business.

 

The perils of getting it wrong

Failures in GRC can have serious implications, including loss of income, fines, a drop in share value as investors lose confidence, or customers moving to a more palatable competitor. We might be blindsided by an event we could have anticipated if our risk management processes were more robust.

 

These problems are not just costly and embarrassing. They can also dent staff morale, causing unwelcome churn, and even present a security risk if we don’t have the right procedures and controls in place.

 

There can also be serious implications if government agencies or customers decide to take legal action. These include penalties, hefty compensation payments or even prosecution under a whole raft of legislation from the Data Protection Act to the Bribery Act or Money Laundering regulations.

 

More than anything, failures show that we have lost Adrian Cadbury’s idea of balance, that somewhere along the way, by accident or design, we have failed in the fundamental governance task of aligning the interests of individuals, our organisation and society more generally.

 

With governance, as in so many aspects of our lives, ‘prevention is better than cure’. Being able to avoid and mitigate non-compliance and risk through the art of good governance is an invaluable skill that makes organisations (and reputations) a whole lot stronger – and will prevent us from being marooned on one of John Donne’s islands.

 

 

Test your understanding

  • Outline the 4Ps that make up governance.

  • Explain what the Nolan principles of 'selflessness' and 'honesty' mean.

What does it mean for you?

  • If you don’t already know, ask a colleague about the annual audit process for your organisation’s financial reports and statements. Reflect on how it contributes to good governance.