Corporate governance – how a corporation is controlled and directed, and how it manages its risk profile – is generally contained in a framework of policies, rules, codes of conduct and processes. Despite many corporations having a plethora of documentation to guide and control the behaviour of their employees and executives, internally generated corporate scandals that damage reputation and financial standing, and expose directors to legal proceedings, continue to occur.
This is because good corporate governance is not simply policies, rules and processes – equally important is how delegates apply them. For purposes of efficiency, corporations, through governing boards, need to delegate decision-making. This means that executives and employees who are lower in the chain can have authority and power, increasing an organisation’s risk profile. Delegations, therefore, need to be part of a corporation’s risk management framework.
While outside events can have a significant impact on organisations, many scandals erupting in the corporate world have arisen largely through the behaviour of an organisation’s own employees or executives. The New South Wales Independent Commission Against Corruption has stated that many of the reports it receives involve allegations of corrupt behaviour in the misuse of delegations. Therefore, the governing authority must not only consider delegation risk as part of risk management, and provide a system for monitoring the decisions and actions of delegates, but also provide corporate guidance for those entrusted with decision-making.
Risk management involves adopting a risk forecasting and evaluation system, coupled with a risk appetite matrix setting out the prioritisation of risks and application of resources, to minimise, monitor and control the probability and impact of risk factors.
Where delegates’ behaviour is concerned, corrupt criminal behaviour can, by its nature, result in increased risk, but risk factors can also arise where behaviour results in violations of mandatory internal codes of conduct and policies. An aspect of this is where employees and executives operate outside corporate culture: e.g., where a ‘silo mentality’ exists in defiance of established corporate norms. Again, how individuals behave when carrying out delegated authority is central to corporate operational risk and an essential part of risk management.
Delegations and monitoring
Delegations are necessary – they allow for nimble decision-making, empower employees, can reduce ‘red tape’ and increase organisational efficiency and performance. However, having delegations in place without accountability controls and regular monitoring can allow behavioural issues to go undetected. For successful monitoring, there must be transparency, accountability and an effective flow of information, and an effective board that is prepared to set up the necessary controls.
How can delegation risks be minimised through board governance?
Good governance includes devolution of authority and maintaining control over that process.
The following systems assist in good decision-making and operate as risk management tools:
- a comprehensive, readily accessible, delegations framework, identifying clearly monetary limits, boundaries and accountability structures linked to a policy framework, human resources and risk management systems (i.e., it is not a ‘stand-alone’ document);
- available and readily accessible policies and procedures that articulate clearly the corporate culture, expectations and obligations;
- a framework of regular reporting to the board on specified decision-making, which corresponds to the organisation’s risk matrix and risk appetite;
- a risk management framework that is regularly reviewed and incorporates the organisation’s risk appetite;
- a regularly reviewed table of internal and external audits;
- a comprehensive fraud risk education program, which employees undertake each year; and
- a system of training programs for board members, to ensure they understand fraud management and their legal responsibilities, and are kept up to date with topical issues and case studies.
Apart from these formal systems, there is much that a proactive board can do, on an ongoing basis, to reduce risk associated with delegated behaviour by:
- regularly monitoring the delegations framework;
- regularly revisiting corporate objectives and key performance indicators;
- ensuring board members have the necessary skill sets, which assists in directors being aware of their legal responsibilities and accountabilities, and satisfying ‘duty of care’ requirements under the Corporations Act;
- regularly ensuring and monitoring compliance with legal and regulatory requirements;
- creating an atmosphere where board members are encouraged to ask difficult questions and are engaged in discussion;
- encouraging management to tell ‘bad luck’ stories, as well as ‘good luck’ ones;
- encouraging management to be forthcoming about corporate cultural issues;
- endorsing a ‘talk the talk’ and ‘walk the walk’ approach, to encourage ethical behaviour throughout the organisation;
- creating an atmosphere where employees can raise concerns – i.e., ensuring whistleblowing is not discouraged; and
- ensuring management knows it is responsible for managing risk and disclosing, not hiding, difficult situations.
A well-designed, regularly monitored corporate risk management framework, with an appropriate delegations framework and policy, should result in increased organisational efficiency and performance.