Connecting Good Governance With Key Risk

Author: Kevin M. Alvero, CISA, CDPSE, CFE
Date Published: 30 June 2020

During the COVID-19 pandemic, many enterprises have stated that employee health and well-being are their primary concern. The events of 2020 have also led organizations to evaluate their preparedness for and responses to another major risk factor that they considered the most pressing issue just a few months ago: corporate governance.

A recent report encompassing a survey of more than 1,000 respondents examined the top risk concerns currently on the minds of global boards of directors (BoDs) and executives. The risk factors cited in this report cover a variety of topics: the economic climate, technology, human resources (HR), operations, competition and more.1

Despite their diversity, these risk factors share one thing in common: They all relate to corporate governance. Corporate governance encompasses the vision and mission of the enterprise and how the leadership seeks to accomplish that mission by establishing policies and procedures, setting ethical boundaries, delegating authority, ensuring quality and compliance, and meeting the needs and interests of its various stakeholders.

Sound corporate governance, of which sound IT governance is an integral part, can give boards and senior executives the power to ensure that their enterprises are effectively managing the risk conditions about which they are most concerned, in addition to those that are largely unforeseen. The numbers in the following headings reflect the ranking of each risk cited in the survey.

Regulatory Change and Scrutiny of Operational Resilience, Products and Services (Number 1)

During the COVID-19 crisis, organizations have been disrupted by the immediate need to change the way they do business at even the most fundamental levels, and IT has played an integral role. With offices and storefronts closed and vast numbers of employees suddenly transitioned to working from home, the operational resilience of functions such as cybersecurity, communications, transaction processing, auditing and many others has been put to the test. At the same time, organizations are asking their IT teams to think outside the box to leverage existing systems so they can continue to operate. In such an environment, sound IT governance is critical to accomplishing this outside-the-box thinking without exposing the organization to unacceptable levels of risk.

Although good governance is about much more than compliance and quality control, these are certainly fundamental aspects of it. A well-governed enterprise seeks to comply with all relevant laws, regulations and standards, and it has processes in place for doing so, but risk related to regulatory change is broader than a simple gap in compliance. Some regulatory changes have the potential to impact the value proposition of the whole enterprise, and in an enterprise with sound governance, top leadership is scanning the horizon for regulatory changes that could be disruptive at the strategic level, including IT-related requirements involving privacy and cybersecurity.

Defining and ensuring the quality of products and services also fall under the purview of governance. The effective communication of expectations and a healthy culture, along with consistent and repeatable business processes (all governance-related concerns), can help ensure that products and customer experiences meet quality standards and support the enterprise’s mission, values and value proposition.

Economic Conditions Impacting Growth (Number 2)

Changing economic conditions can affect, among other things, enterprises’ access to three key factors related to growth:

  1. Credit
  2. Investment funds
  3. Markets

Organizations may not be able to control the volatility of the economy, but good governance—particularly the demonstration of good governance—can improve an organization’s position with regard to these three key factors.

In the late 1990s, organizations such as RepRisk and RobecoSAM began publishing environmental, sustainability and governance (ESG) ratings and, in 1999, the Dow Jones Sustainability Index became the first global index to track sustainability-driven public enterprises based on RobecoSAM’s ESG analysis. Today, most international and domestic public (and many private) enterprises are being evaluated based on their ESG performance by various third-party providers of reports and ratings.2 Not everyone fully accepts the utility of corporate governance rating systems. For example, some have expressed skepticism that any governance score based on a single set of value judgments about what constitutes good governance practices is a reliable measure of an enterprise’s governance. Indeed, the Society for Corporate Governance’s stated position is that “Many governance practice prescriptions tend to elevate form and appearance over substance.”3 Nevertheless, investment driven by ESG considerations remains high. According to a 2019 survey, 84 percent of investors agreed that corporations and business leaders should commit to balancing the needs of multiple stakeholders including shareholders, customers, employees, suppliers and local communities.4

Investors, lenders and gatekeepers who control access to markets are more likely to provide growth opportunities to enterprises they trust, and good governance is one way enterprises can earn that trust. Those responsible for IT governance should understand that the way an organization leverages technology has an impact on its perceived trustworthiness. According to a 2020 survey, trust in technology is down overall, and more than 60 percent of respondents agreed with the following statements:5

  • The pace of change in technology is too fast.
  • I worry technology will make it impossible to know if what people are seeing or hearing is real.
  • Government does not understand emerging technologies enough to regulate them effectively.

Succession Challenges and Ability to Attract and Retain Top Talent (Number 3)

Where there is an absence of good governance, there is an increased likelihood of fraud, bribery, corruption, waste, abuse, and unfair or unethical practices. Additionally, there may be a lack of clarity about the enterprise’s mission and values. These concerns contribute to unhappy employees, who, in turn, are harder to retain and less productive. In a well-governed environment, the opposite is true, making good governance essential to reduce the risk of being unable to hire the right people, keep them or maximize their potential.

Employees want to be well compensated, but they also want to understand the purpose and significance of their work (and the organization’s mission) and the basis on which their success is evaluated. They also want fair access to opportunities for advancement, education and flexibility. For these reasons, sound governance makes an organization more attractive to employees who want to do good, grow and drive the success of their employer.

Adoption of Digital Technologies That May Require New Skills (Number 10)

It is imperative that business and IT leaders take a holistic view. When implementing new technologies, consideration should be given to how these technologies will enhance employee effectiveness and potential (and thereby job satisfaction), in addition to their inherent features and benefits. Top management should also cultivate a culture in which flexibility, comfort with change and continuous learning are the norm, as this will help current and future IT projects gain acceptance and demonstrate a satisfactory return on investment (ROI).

Ability to Compete With “Born Digital” Enterprises (Number 4) and Resistance to Change (Number 5)

One way governance is defined is “the act or process of providing oversight or authoritative direction or control.”6 Any significant change within an enterprise almost always requires strong top-down leadership. Without it, the most likely outcome is that nothing will change (maintaining the status quo), while everyone looks out for their own responsibilities and no one takes responsibility for the well-being of the whole. Opportunities will be missed, time and resources will be wasted, and change efforts will ultimately fail. Again, when leadership fosters a culture of continuous learning and comfort with change, it can avoid conflict with employee expectations.

On the surface, concern about “born digital” competitors may seem to be driven by external pressure from newcomers entering the market, and it is. But it has just as much to do with an organization’s ability to manage its own digital transformations. A successful digital transformation requires a strategic, coordinated effort. Permitting digital transformation to be managed by the various business areas based on their own needs results in efforts that are divergent, redundant and/or contradictory.7 The board, senior management and IT leadership have the power to ensure that people with the right skills and expertise are tasked with implementing new technologies and processes with the proper authority, support and funding to succeed.

Cyberthreats (Number 6) and Privacy and Identity Management and Information Security (Number 7)

Information security was identified in two of the top 10 places in the survey, reflecting enterprises’ current reality. On the one hand, they must protect the data and information in their possession from malicious parties who seek unauthorized access to it for their own gain. On the other hand, consumers are demanding greater control and transparency with regard to how enterprises use their data for legitimate business purposes and the risk to which this exposes consumers. Technology solutions are an integral part of managing data privacy and security concerns, but most enterprises understand that these are not solely technology issues. The key to managing risk lies in sound governance over both data and IT. Governance establishes the enterprise’s mission and its commitment to its stakeholders. It also establishes who is responsible and accountable for data privacy and security, what policies and procedures are in place to guide the enterprise’s actions, and what types of controls and reporting mechanisms have been implemented to ensure quality, security and compliance.

Organizational Culture Does Not Encourage Timely Identification and Escalation of Risk Issues (Number 8)

IT can play a critical role in ensuring that risk factors are identified and escalated in a timely manner. For example, organizations can use artificial intelligence (AI) to scan social media for potential reputational risk or to monitor supply chains for potential disruptions and failure points. They can leverage automation to perform continuous auditing processes, sampling large populations of data to detect irregularities and quickly escalating issues that require human intervention. These capabilities are most powerful when deployed in a well-governed environment to enhance human stewardship. That is why it is critical that top management foster a culture that supports the timely reporting of risk issues. Regardless of the systems put into place to detect risk, if the culture is such that employees believe it is best to remain silent and follow orders, then technology-enabled detection and escalation systems will be less effective, and top leaders can be virtually certain they are receiving incomplete information with regard to risk factors affecting the enterprise.

Customer Loyalty and Retention (Number 9)

It should be intuitive that commitment to customer loyalty drives profitability, and research provides evidence that this is so.8 Nevertheless, incentive structures and a focus on short-term performance can sometimes motivate employees to make decisions that destroy customer value and loyalty rather than build it up. If board members and senior leaders want to mitigate risk related to customer loyalty and retention, they must empower their employees to do whatever is needed to satisfy (or even delight) customers and reward them for doing so. The organizations that do this best (the “loyalty leaders”) grow revenue roughly 2.5 times faster than their industry peers.9 As more and more interaction between organizations and their customers becomes technology-enabled, greater responsibility for the end-to-end customer experience will fall under the purview of IT governance.

Conclusion

While striving to adapt to the continuously evolving landscape of top-level risk factors, leaders can understandably become focused on tactical solutions and short-term objectives, which are necessary. But it is important to bear in mind that good corporate governance—and, as a microcosm, good IT governance—acts as the compass that directs the enterprise’s perception of, and response to, risk—whatever that risk may be.

Endnotes

1 Enterprise Risk Management Initiative Staff, “Executive Perspectives on Top Risks for 2020,” North Carolina State University, USA, 12 December 2019, https://erm.ncsu.edu/library/article/top-risks-report-2020-executive-perspectives
2 Huber, B. M.; M. Comstock; “ESG Reports and Ratings: What They Are, Why They Matter,” Harvard Law School Forum on Corporate Governance, 27 July 2017, https://corpgov.law.harvard.edu/2017/07/27/esg-reports-and-ratings-what-they-are-why-they-matter/
3 Society for Corporate Governance, “Statement on Governance,” https://www.societycorpgov.org/about76/statementongovernance34
4 Edelman, Edelman Trust Barometer Special Report: Investor Trust, USA, December 2019, https://www.edelman.com/sites/g/files/aatuss191/files/2019-12/2019%20Edelman%20Trust%20Barometer%20Special%20Report%20-%20Investor%20Trust.pdf
5 Edelman, Edelman Trust Barometer: Global Report, USA, 2020, https://cdn2.hubspot.net/hubfs/440941/Trust%20Barometer%202020/2020%20Edelman%20Trust%20Barometer%20Global%20Report.pdf?utm_campaign=Global:%20Trust%20Barometer%202020&utm_source=Website
6 Committee of Sponsoring Organizations of the Treadway Commission (COSO), Improving Organizational Performance and Governance, USA, 10 February 2014
7 Capgemini Consulting, Governance: A Central Component of Successful Digital Transformation, France, 2017, https://www.capgemini.com/wp-content/uploads/2017/07/Governance__A_Central_Component_of_Successful_Digital_Transformation.pdf
8 Markey, R.; “Are You Undervaluing Your Customers?” Harvard Business Review, January–February 2020, https://hbr.org/2020/01/the-loyalty-economy
9 Ibid.

Kevin M. Alvero, CISA, CFE, is senior vice president of internal audit, compliance and governance at Nielsen Company. He leads the internal quality audit program and industry compliance initiatives, spanning Nielsen’s global media products and services.