This post is part of our GRC 101 series, providing an entry-level overview of the business of governance, risk, and compliance. Today we’ll explore the ‘G’ in GRC: governance.
When taken on its own, the word "governance" can have a pretty broad meaning. Democratic nations are governed, for example, by the person or people elected to lead them and the legislation, policy, and direction put in place by those elected bodies.
The governance established by these bodies is guided by a set of principles and vision that, ideally, reflects the ethos of the system and the people who exist in it. The governance in GRC isn't all that different in theory, but usually we're talking about it from the perspective of a business or organization, rather than a nation-state or society.
As we did with the other pillars of GRC - risk management and compliance - we'll use this article to explain what governance means in the context of GRC, its essential components, different types of governance, and, ultimately, what good governance looks like.
What is governance in GRC?
Governance refers to the set of rules, policies, and processes put in place to establish a standard for corporate or organizational behavior. Taken together, it’s the system by which a company operates.
Managers and employees use these guidelines to help them make decisions. It encompasses practically every sphere of management, from action plans and internal controls to performance measurement and corporate disclosure. These guidelines form a framework designed to ensure the company achieves its objectives.
The definition and scope of governance may shift slightly in different contexts. For example, at the corporate level, governance has come to mean business ethics and truthful financial reporting in the wake of the Sarbanes-Oxley Act (itself a result of Enron, WorldCom, and other scandals). In IT circles, it’s commonly understood to mean good management of software resources and investment.
Important Components of Governance in Organizations
Governance covers all the processes that coordinate and control an organization’s resources and actions. These include:
Explicit and implicit contracts between the company and the stakeholders for distribution of responsibilities, rights, and rewards.
Procedures for reconciling the sometimes conflicting interests of stakeholders in accordance with their duties, privileges, and roles.
Procedures for proper supervision, control, and information-flows to serve as a system of checks-and-balances.
If governance sounds rather all-encompassing, that’s because it is: Governance can be highly detailed or intentionally broad, depending on the company and its particular needs.
Some companies have very explicit ways of doing things down to the letter, while some companies limit it to a few core principles intended to guide decision-making.
As companies get larger and more corporate, more external expectations are placed on them. External scrutiny may come from government bodies like the Securities and Exchange Commission, or shareholders themselves.
Main Types of Governance
Corporate governance is the main type of governance we'll be focusing on. It's the system of rules, policies, and practices by which a corporate entity, organization, or firm operates. It covers everything from business strategy, to compensation, to ethical behavior, to management structure and more. It essentially defines the way an organization is run and provides a roadmap to ensuring the business is successful.
Public governance is the counterpart to private, corporate governance. It refers to how governmental entities in the public sector enact rules and policies that direct the populations they oversee.
Public governance differs quite a bit from governance in the corporate sector in that it determines how a governing body provides public services, executes public policies, strives for economic growth and more. There is typically no profit motive involved in this type of governance. It also usually includes some form of public participation, like voting in a democratic system.
Nonprofit governance is, again, simply the set of guidelines, policies, and procedures on how a non-profit organization operates. Governance in this arena is usually established by a board of directors.
Key Principles of Good Governance
Organizations, even those in the same industry with similar scale, can be run quite differently. There's really no set standard for what "good" governance looks like. It's easy to recognize when an organization runs like a well-oiled machine, just as bad governance stands out when a company goes through tough times.
What works for one organization might not work for another. For this reason, it's hard to agree on an exact framework for effective governance. It's easier to find consensus by identifying common principles that reflect a well-governed organization.
Once rules are made, they must be enforced. This depends on a good organizational structure, which defines jobs and lines of reporting so that expectations can be met. Structuring around lines of business establishes individual accountability for results.
As with ethics, personal accountability can be reinforced through culture. An organization’s culture can define the behaviors of empowerment that manage people by results rather than by telling them what to do.
Communicating a firm's corporate governance is a key component of community and investor relations. Board members should create transparent sets of rules and controls to which shareholder, director, and officer incentives are aligned.
This can extend beyond financial performance. Good governance also mandates things like ethical business practices and corporate citizenship, and makes sure those activities are visible to both the organization and the public.
Those who establish organizational governance need to be on the same page when it comes to decision-making. Governance should encompass a wide range of perspectives to arrive at an outcome that is at the very least agreeable to all parties.
Approaching governance this way also helps organizations consider all the needs and perspectives of a company's stakeholders and the present and future impact of these decisions.
Things can change quickly in a corporate environment. There must be systems and processes in place to respond to crucial events, and communicate that response to shareholders.
If an organization experiences a crisis like an environmental disaster that affects operations, what's the response plan and at what point do public communications take place? If it becomes embroiled in a controversy, how will that be handled?
Prepared, responsive organizations tend to fare better in these scenarios because they've thought through the next steps and have the agility to adjust quickly.
Equity, Diversity, and Inclusiveness
In an increasingly complex global business landscape, diversity isn’t only something every organization should strive to improve — it can also become a competitive advantage. According to a recent report, companies with a diverse workforce earn up to 2.5 times higher cash flow per employee and inclusive teams can increase productivity by over 35%.
The numbers aside, there are numerous intangible benefits of attracting and retaining diverse employees for morale, motivation via career advancement, and nuanced understanding of multicultural markets.
From a governance standpoint, inclusivity harkens back to consensus-driven decision-making. Employees may feel more committed and bought into the mission of an organization when their voices carry weight and their perspectives and unique experiences are considered in company policy.
Efficiency and Effectiveness
These principles drive good business outcomes. When an organization creates streamlined processes aimed at execution of strategic goals, it makes governance a whole lot easier. Corporate leaders can clearly explain what is happening, when it’s happening, and why to the board or shareholders when called upon.
Efficient execution of strategic initiatives is the backbone of any successful company. It allows organizations to do more with less, and remove the guesswork around what exactly employees should be working toward. Removing the friction of decision fatigue and clunky processes heightens focus and frees up organizations to do their best work.
Whose responsibility is governance?
The board of directors is the primary stakeholder influencing corporate governance. Directors are elected by shareholders or appointed by other board members, and they represent shareholders of the company. The board is tasked with making important decisions that fall under the governance umbrella, such as corporate officer appointments, executive compensation, and dividend policy. In a nonprofit setting or when a company has obligations that go beyond maximizing shareholder value, governance might also include prioritizing certain social or environmental concerns.
Boards are typically composed of two types of members: inside and independent. Insiders are major shareholders, founders, and executives. Independent directors do not share the ties of the insiders, but they are chosen because of their experience managing or directing other large companies. Independents are considered helpful for governance because they dilute the concentration of power and help align shareholder interests with those of the insiders.
Why is governance important for organizations?
Corporate governance decisions affect many stakeholders—from employees to suppliers to investors. The board’s duty is to balance the interests of each of these constituents, and make sure each is treated fairly.
For their part, each of these stakeholders wants to know the company is in good hands and being run in accordance with a sound set of principles. In publicly traded companies, their right to be informed is mandated by law: Companies whose stock is traded on public exchanges such as NYSE or NASDAQ have extremely rigorous guidelines for making business information available to investors.
What are the consequences of poor governance?
Corporate governance is directly tied to a company’s reputation, financial health, and attractiveness to investors. When governance goes awry it can lead to outcomes like the scandal that rocked Volkswagen in 2015, when it was revealed that the firm had rigged engine emissions inspections—an order that came from the top of the company. Other problems can involve insufficient cooperation with auditors, improper accounting practices, misalignment in executive compensation packages, or poor management structure—any of which can severely hamper the organization’s ability to meet its objectives.
How To Put Effective Corporate Governance in Place
It's easy to pontificate on what constitutes good governance. It's a much harder lift to implement it. Getting governance right comes down to thoughtfully building your governance framework and putting controls in place to ensure your organization is adhering to the policies, direction, and short- and long-term strategy across the board.
Strengthen Institutional Frameworks
In order to strengthen institutional frameworks, you need visibility into the landscape your organization is operating in. You have to know what risks and opportunities face your organization and what actions you can take to mitigate or capitalize on them.
For example, in managing risk governance, you want to make sure you're identifying, assessing, and communicating what the business risks to your organization are and what the action plan is for addressing them should one pass the tolerance threshold of your key risk indicators.
The best way to do this is to start using a reliable, scalable GRC platform that can provide insight into where your risks exist and what you can do about them.
Implement Effective Policy
Impactful policies guide the rules and behaviors of an organization’s operation. They also make sure important laws and regulations, especially in regard to compliance, are upheld. Oversight in these areas is critically important to guide decision-making and inform the risk appetite of an organization.
Corporate policy should be accessible to all employees and tracked meticulously. To that end, using a policy management tool can help an organization identify and correct compliance gaps as they become apparent and remediate policy violations.
Promote Participation and Inclusivity
We touched on the importance of this in the key principles section of this article, but the message bears repeating: Participation and inclusivity are essential to enacting good corporate governance.
Stakeholders at every level of operations — from the board to junior staff — should be able to participate in the direction of corporate governance. Functionally, this can be extremely difficult to do, but keeping good documentation around when and how employees can participate in decision-making and communicating that information to your workforce can be helpful.
Good Governance Starts with The Appropriate Tools
Every organization has rules, policies, and procedures in place that direct how the entity is run, but not every organization has the tools in place to properly steer compliance, risk management, data privacy, and operations in the right direction.
LogicGate Risk Cloud® helps companies collaborate, automate, scale, and adapt risk management as they grow. Request a demo and see how easily all of the essential components of good governance can be managed with Risk Cloud.