THE CORPORATE GOVERNANCE AUDIT: All organizations can benefit from strong governance oversight, with an assessment led by internal audit.

Author:Johnson, Dawnella J.
Position:Governance Perspectives

All too often and too easily, corporate governance is evaluated and measured simply by reviewing the structures and processes that an organization implements to achieve lofty ethical principles. However, assessing the effectiveness of governance requires more than reviewing how frequently a board meets, the number of committees an organization may maintain, the language in a code of ethics, or the aspirational pronouncements from the CEO's office. Evaluating the effectiveness of governance is, at its core, a continuous process of reviewing and measuring behaviors. Such an assessment begins with understanding an organization's business strategy and culture.

Ideally, organizations have a business strategy and an aligned business culture. The business culture is a set of risk practices and behaviors that are critical to the success of the business strategy. Accepted risk practices might be driven by the elements of the strategy itself--such as quick decisions, rapid growth, and speed to market--or they might be requested by shareholders concerned with capital preservation and adherence to risk appetite. Third parties, such as regulators interested in compliance, or accepted industry practices, such as fair dealing, also can shape accepted risk practices.

Good governance provides the oversight to ensure behaviors, however sourced, remain within accepted risk parameters. An effective governance program sets boundaries against conduct that might cause undue risk or ethical impairment to the business strategy, and it includes measurable tools to reward conduct within the accepted culture. Just as business strategies vary, so too do governance oversight models.

A good starting point when evaluating the scope and efficacy of a governance program is to review the organization's enterprise risk management (ERM) framework. Ideally, the organization will have already identified significant inherent risks in a variety of disciplines, including market, strategy, reputation, operations, technology, law and compliance, and human resources. This risk analysis provides a solid indicator as to the scope, type, and level of governance oversight required.

The effectiveness of a governance program is best measured in terms of the level of adherence to accepted behaviors. In making this determination, some specific areas to review include: strategy and governance alignment; focused messaging; and measurement, accountability, and consequences.

Strategy and...

To continue reading