This is an important time for those of us in the governance, risk and compliance market.
Every day, as we see new revelations about alleged phone hacking and bribery in News Corporation and the UK’s Metropolitan Police, we are reminded of the risks that poor governance and control can bring – the exact risks our GRC business is trying to help our customers manage and avoid. Bribery, gifts and gratuities policies, regulatory oversight, the role of audit and compliance – topics that are currently front page news the world over.
As the story progresses, the discussion is turning from specifics about one organisation to an in-depth debate about good corporate governance. One of the most interesting discussions is around the need for companies to not only ensure policies are in place and are being adhered to, but also that process can be clearly audited so that the board has true oversight of what is going on in their firm. It is becoming increasingly clear that it is no longer enough for a chairman to trust people to do the right thing and tell them when things go wrong. The concept of ‘willful blindness’ – which states that if there is knowledge that an executive could or should have had, but chose not to, the executive is still responsible – means that saying you ‘did not know’ is not good enough. You have to show that you have made every effort to know - and demonstrate that the processes and controls are in place to ensure this.
With penalties under the US’s Foreign Corrupt Practices Act (FCPA), and now the UK Bribery Act, holding senior executives and board members to account, there is a clear need for connectivity between the compliance and audit activities and the overall corporate governance of an organisation. And this needs to be managed at all levels. It’s clear that the actions of all areas of a company need to be considered, and that it is often the smaller parts of a company’s operations that present the highest, unknown risks – as Murdoch stated this week, the News of the World was only 1% of the total business for News Corporation.
What recent events have shown us is that now, trust is not enough. All organisations need to have the right processes and controls in place to truly know what is going on in the business. The next generation CEO and Chairmen in front of committees such as these we are seeing this week will need to be able to say: “I knew, because I made it the job of people on my team to know, and we put the processes and controls to know if we did wrong or harm.” Will we see companies making this investment in process, controls and culture? Or will the Board continue to rely on trust alone?
I agree with what you said in theory, but now put that in practice: what control would have gone up the ladder to tell the bosses that a small company (1% of the holdings) is doing something illegal? What they were doing was not financial, so no auditing controls were bypassed. What they were doing did not get reported, so no editing controls were bypassed.
What control could have been put in place to require this kind of knowledge to go up the chain of command? Something that could be audited later to prove that the CEO knew about it?
David,
Fully agree with what you say, and would built that this requires as well insight on the risks which the company / board would want to be controlled. Otherwise one could face the situation of thinking to have controlled everything but missing the big gorilla able to do tremendous harm.
And building on the above comment, reputational harm is not quantifiable, in other words even the smallest company of the group can harm the total organisation.
Marcel
You cannot audit every process and overly control a business (well you could but you would kill any business) however there are steps which would have prevented or at least properly address the issues when they were first reported and criminal charges brought against happened – this is turning out to be not (as was reported) a few actions of a couple of rouge reporters but a more systemic issue of corruption and illegal action, driven by an aggressive and highly competitive culture at News of the World. Also, the original investigation failed to really uncover the extent of the law breaking I would ask this – what was company policy for obtaining illegal information and had the company laid out explicit rules on its editorial standards, methods and principles and tried to create the right culture? Was there an effective whistle blowing line and process for concerned employees to raise issues not just to the management of News of the World but also to the parent company? Were all payments reviewed and authorised by the correct individuals (the first investigation found “blindingly obvious” payments to police in the company records) not just editorial managers but finance and audit? When the issue was first reported was it correctly investigated by people with the desire and support to uncover the true extent of the issue and failure in management not just actions of individuals (when the email evidence was reviewed again it apparently tool “3 minutes” to decide to refer it to the board, why were emails not reviewed in 2006?
The Home Affairs Committee accused News Corp of deliberately trying to thwart the police investigation, surely this alone should have rang the alarm bells of the other board members of News International that something was wrong? There are controls you can put in place for any global company operating ‘small’ businesses in multiple jurisdictions where there whole board is informed of criminal investigations and significant government relations issues – I would argue that some basic information flow and controls imposed by the corporation could have prevented wrong doing, it could have also ensured when it first happened it did not continue and become seemingly acceptable practice for the company
In an age when the world’s faith in institutions – both public and private, church and state – has been sorely tested by rogue traders, corrupt public officials, arrogant (or willfully blind) corporate leaders, even false charitable enterprises, the answer to ‘is trust enough’ is quite simply, “no”.
We (Thomson Reuters) live or die in the marketplace by the integrity or our information, the independence of our news. The Trust Principles embody an important notion in society about the role of news, and one which is evident in the outrage over the News Corporation debacle: the idea that journalists pursue truth, not subvert it.
The Reagan-era quote, ‘trust but verify’ has become ‘verify to trust’ in many arenas. Writ large, good governance (or a commitment to principles married with policy and process) is perhaps the only thing that can restore widespread broken trust.