BUSN603 CORPORATE GOVERNANCE AND RISK MANAGEMENT ASSESSMENT 3
Semester Two 2019
GOVERNANCE AND RISK MANAGEMENT AUDIT EXERCISE
Introduction and assessment task
Actions are dictated by values. Identifying organisational values – both proclaimed and actual – will assist an organisation to ensure that most, if not all, its actions are commensurate with these values, and enable it to put in place a robust structure to support the ‘operationalisation’ of its values.
Many governance and risk management problems for multinationals and companies trading far from their home base, for example, arise because of differing value systems. A governance and risk management audit helps an organisation to establish clear guidelines about the limits of acceptable behaviour which are consistent world-wide, while recognising where appropriate local social differences. In other words, a governance and risk management audit articulates the core values of an organisation, and assesses the consistency of their internal and external application: internal with respect to what the company or organisation says about itself in its various documents, such as statements about mission and conduct; external with respect to how they act in their host societies and internationally.
A governance and risk management audit always starts internally, with a review of ‘paper’, ‘processes’ and ‘people.’ The findings of the audit are then tested out with stakeholder groups, to ensure that the values base is one which is shared by, or at the least acceptable to, key stakeholders. The results provide important management information and can (and ideally should) be used to report on the organisation’s social and/or governance performance, either as part of the Annual Report or as a supplementary report.
In this assessment, you are asked to conduct a values and risk audit of an organisation with which you have had some association. It could be a large company, a family business, a school, a hospital, a not-for-profit organisation. It could be any organisation that provides a service or conducts any form of social activity that involves:
- Some form of statement about what it does and its commitments. This could be a company or organisational mission statement; or marketing material; or any document in which the organisation defines its commitment to abiding by the law, or certain moral codes, or specific cultural or communal commitments. In other words, anything that articulates what the company/organisation stands for with respect to governance and social responsibility. It might be as generic as saying, as Google does, “do no evil”, or as specific as BHP Billiton’s commitment to observing best practice in land remediation of spent mines;
- Some level of financial management and accountability. This can be at a very high level for a large company, or very modest in a small family business. Either way, there has to be some level of financial or resource accountability, and some level of responsibility for what the organisation does in the conduct of its activities;
- A recognised set of risks to the organisation’s well-being, or to the interest of its stakeholders, that are articulated in some way, whether in the form of an organisational risk management strategy, or some other less formal method of assessing and addressing organisational and/or stakeholder risks.
- A defined set of services or products. That is, the organisation’s outputs – what it offers its client or customers;
- A customer or client base. There must be some customer or client base for the audit to make sense, and this needs to be identified, namely, who the organisations serves or supplies.
- Some level of management structure or identifiable managerial accountabilities responsible for organisational governance and risk assessment and management. For our purposes, an anarchic group of people just doing things for the sake of it to help others, or themselves, but with no formal structure, is not a suitable subject for this exercise. There must be some specific roles and accountabilities, even if poorly defined.
What you are asked to do is to conduct a mini-audit of the organisation that describes the above elements, analyses how well and appropriately the organisation manages its stated governance and risk management commitments and provide a set of recommendations on how the organisation may enhance its governance and risk management performance.
First read the below to give you a better idea of the big picture, so to speak. Note: you are NOT expected to conduct a full governance and risk management audit with detailed interviews and in-depth analyses of organisational documents.
What you are asked to do is a ‘mini-audit’ in which you select an organisation and:
- Give an overview of the organisation – what it does and how it promotes
itself to its shareholder (where relevant) and stakeholders, through official
documents, policies, procedures, and advertising. Provide evidence in the form of attachments, but only important
documents, or selections that make your point. Don’t go overboard with
attachments and evidence; just enough to make your point, and no more.
- Clearly state the ‘advertised’ values of the organisation – what it says it stands for. Where these are unclear, try to tease them out.
- Describe the processes the organisation has in place that promote, monitor, review, action its value commitments. Again, you can’t do everything, so be selective. In your general overview of the organisation’s value commitments, you can state that the organisation is committed to x, y and z, but focus only on z, for example. In other words, don’t be too ambitious. You don’t have much time to complete what could be quite a detailed exercise. So, focus on something that is representative of the company’s values commitment (or otherwise!).
- Review the history of the organisation over the recent past, say, 5 years. You don’t have to be rigid about this. If 10 years is a more appropriate frame of reference, then that’s fine. What you are looking for here is the extent to which the company has been true to its commitments. What evidence can you find one way or another? Remember, corporate governance and/or CSR undertakings are major value commitments of an organisation and are absolutely central to this assessment.
- If possible, interview a few key stakeholders for their views. This is not always
possible, but may be very relevant in some circumstances. This is up to you. You do NOT have to interview anyone. But if you can, and if it is relevant, then this would be a good way to get more data on the organisation’s fulfilment or otherwise of its value commitments.
- Draw some conclusions about the company’s integrity (more on this below).
In other words, discuss what you have found. No need to be definite or
definitive, since this is only a mini-audit. But it can be indicative, and
serve as the preliminary study for a much deeper investigation. In other words,
this is ‘audit lite’, so to speak, in which you do a fairly quick and
succinct review of an organisation to see if there is anything that would lead
you to look more deeply.
- You need to be specific about the things you find that indicate organisational integrity, and those that indicate organisational hypocrisy. You are not asked to solve the problems you find, but once you have identified key issues, discuss them in light of the key issues covered in the unit.
- You do not have to provide heavy academic referencing, but where possible, draw on examples from the readings and unit guide, and any other sources that you believe to be relevant. Again, no need to go overboard. Just cite those sources and references that you have actually used; not a long list for the sake of impressing the marker – the opposite will be the case. You will get good marks for authenticity and sound analysis.
It is important to note that a full-blown governance and risk management audit is a comprehensive and integral approach: integral, because it combines different approaches with different methodologies, and comprehensive, because it takes the entire organisation (including its environment) into consideration with all the different perspectives that prevail in different functional areas. The latter especially finds expression in the values assessment process. The fact that values and policies are discussed ensures that they are looked at from different angles, taking various fields of interest into consideration. In a full-blown audit, it is particularly critical that values are checked for economic viability as well, to balance social and values aspirations, because governance and risk management policies which are not based upon solid business economic grounds will not endure very long. In a full- blown, large scale audit, it is essential that the social mission and the economic mission of a company go hand in hand.
However, remember, you will not be undertaking a full-blown, comprehensive audit.
There is no specific template for the audit, because we wish to see what you come up with as an appropriate format for the sort of organisation you are auditing.
- Governance and risk management Audit
The reasons for examining the state of an organisation’s values are many and various. They include external social pressures, risk management, stakeholder obligations, and identifying a baseline to measure future improvements. In some cases, organisations are driven to it by a gross failure in ethics, which may have resulted in costly legal action or stricter government regulation. More often, however, organisations simply want to know if they are doing the right thing with respect to their governance commitments, the law, their shareholders and their stakeholders.
Governance and risk management auditing is a
process which assesses the internal and external consistency of an
organisation’s values base. The key aspect is that it is value-
linked, and that it incorporates a stakeholder approach. Its objectives are two-fold: it is intended for accountability and transparency towards stakeholders and it is intended for internal control, to meet the governance objectives of the organisation.
The point of such an audit is that it enables an organisation to see itself through a variety of lenses: it captures the organisation’s values profile. Companies recognise the importance of their financial profile for their investors, of their service profile for their customers, and of their profile as an employer for their current and potential employees. A values profile brings together all of the factors which affect an organisation’s reputation, by examining the way in which it does business. By taking a picture of the value system at a given point in time, it can:
- clarify the actual values according to which the
- provide a baseline by which to measure future improvement;
- learn how to meet any social or governance expectations which are not currently being met. Importantly, these are expectations that the organisation has set for itself – not expectations set by others;
- give stakeholders the opportunity to clarify their expectations of the organisation’s behaviour. Importantly, it assists the organisation to better understand who its actual stakeholders are;
- identify specific problem areas within the organisation with respect to its stated social and governance values;
- learn about the issues which motivate employees and managers;
- identify general areas of vulnerability, particularly related to lack of openness.
2. International business
You are not required to select an international or multinational organisation, but if you do select one, you need to be mindful of the following. Multinational companies face special issues in relation to governance and risk management auditing. It is, though, precisely these special issues which can make governance and risk management auditing so important to multinationals. Executives of such companies are well aware of the added complications which operating across a number of cultures brings. But problems tend to multiply when differing value bases are permitted to take hold within different cultures. It may have seemed acceptable for Shell to apply differing environmental standards to their drilling in Ogoniland decades ago to those they applied in Europe or North America – but in an era of acute global consciousness of the interdependence of the world ecosystem the same standards are rightly expected in every continent.
One of the issues which most concerns multinationals is that of corruption: how to do business in countries where backhanders are expected in the common course of events. The United States has brought in legislation – the Foreign Corrupt Practices Act – which forbids US companies to engage in this when dealing with the public sector in other countries. Australian laws are also specific with respect to corruption. This, perhaps, more than any other, is an area where executives might like to set themselves Warren Buffet’s publicity test: how would I feel if my behaviour were headlined in my city’s local newspaper? How would I feel if my family knew about it?
Working practices and human rights are other major areas of concern. Some
make a principled withdrawal from countries where they could otherwise manufacture profitably, because they are not prepared to work within that regime, as Levi Strauss did in China. Some companies withdrew from South Africa because they would not cooperate with apartheid; others believed that they could set an example and give opportunities to black people they would not otherwise have had. Protest from outraged consumers may force companies manufacturing in India or Thailand to sack the underage children they were previously employing as machinists – but what if the 12 and 13 year old girls are then forced into prostitution to survive?
Companies alone cannot right all the evils of society. Many of the decisions they have to take have no ideally right or ideally good answer. What matters is that they should have a clearly thought out framework of governance and risk management, and that these values should be consistent wherever they operate. A multinational company must test its values across all its areas of operation if it wants the findings of its governance and risk management audit to be comprehensive and provide the greatest payback in terms of identifying potential areas of vulnerability to consumer pressure.
3. Stakeholder power
Stakeholder power is increasingly being wielded to affect organisational behaviour. Boycotts are called to protest against specific company actions: Nestle’s sales suffered from the boycott protesting about their policy on selling baby milk in the third world, and Shell were forced to change their plans for disposal of the Brent Spar oil platform when German consumers stopped buying Shell petrol. A 1995 poll of 30,000 consumers in the UK showed that one in three had boycotted stores or products in the previous because of concerns about governance and risk management standards, and six in ten were prepared to boycott in the future. Almost two in three of those surveyed were more concerned about governance and risk management issues at the time of interview than they had been previously.
Pressure groups are growing more professional and more vociferous. Where in the past unethical or hypocritical behaviour by a company might have been kept quiet by skilled public relations people, there is now greater likelihood that someone within a company will alert the relevant pressure group (loyalty to employers being lessened, and concern for the public good being greater) and that the pressure group will succeed in generating significant publicity about the incident. One of the greatest benefits of the governance and risk management audit is that it assists an organisation to scan its environment, to identify the issues that are most likely to provoke action by pressure groups. It also gives the organisation an opportunity to encourage such groups to participate in the decision- making process, or at the very least to inform them fully of the organisation’s position.
In the move to total quality, suppliers become key stakeholders. The quality of components or raw materials used is crucial. Their timely delivery is crucial; their reliability is crucial. The best suppliers want to develop long term relationships with customers whom they can trust to deal fairly with them and to pay on time.
The picture which develops here is of an
organisation/business at the centre of a network of relationships –
relationships with employees, with customers, with shareholders, with society
at large. Each organisation may have other groups of people whom it considers
to be key stakeholders. For example, a company with particular environmental
concerns may consider future generations to be key stakeholders; other
companies may see their retired employees as being important, while still
others may have strong links with pressure
groups and voluntary organisations.
Governance and risk management auditing enables organisations to better comprehend these relationships. All relationships are based on values such as trust and an expectation of fair dealing. Understanding these dynamics and finding out where expectations and perceptions differ give an organisation a head start on maintaining strong and stable relationships.
In contrast to social auditing, which aims primarily at measuring the social impact of a company on its environment, the governance and risk management audit from the outset is value-linked. It measures the ‘governance and risk management climate’, so to speak, of an organisation by analysing the values on which organisational actions are based.
Essentially, it is a kind of integrity or, more cynically, a ‘hypocrisy’ analysis – how faithful is an organisation to its declared governance and/or CSR values?
A governance and risk management audit is organisation-centred. It is not an audit of the values of individual managers or employees, although clearly individual values play an enormous role in determining the values of an organisation and the extent to which it is true to its values. In part these values are connected with public opinion on matters such as respect, justice and responsibility and can, to some extent, be derived from the rights and interests of stakeholders, but the bottom-line is that the organisation ought to adhere to its publicly stated values.
4. Stakeholder perspective
The objectives of the governance and risk management audit are two-fold. On the one hand, the audit is intended for accountability and transparency towards stakeholders; on the other hand, the audit is intended for internal control in order to meet the governance and risk management objectives of the organisation. One of the aims of the governance and risk management audit is to give an organisation the opportunity to track progress through the years and to find out where there is still some work to do with regard to its governance and risk management objectives.
Accountability requires that stakeholders are provided with such information as they have a right to. The right to information is determined by: (a) the social environment within which the relationship between the organisation and the stakeholder is set (thus current legal standards would represent a minimum basis for accountability); plus (b) the organisation’s own decisions about which stakeholders it particularly wishes to recognise and emphasise. Thus, stakeholder groups do not have an absolute claim on businesses to provide them with information, because the extent to which an organisation is accountable to stakeholders depends on the particular social environment of the organisation, on its conception of relevant stakeholders and on the social responsibility the organisation is willing to take for justifying its actions towards a particular stakeholder group. Therefore, stakeholders’ right to information is in a large measure related to a positive duty that the organisation has committed itself to.
It is possible and justified to assign different
weights to the interests of different stakeholder groups. Clearly not all
stakeholders can ever be involved in an auditing process. For most
organisations, the external stakeholders
which are included will be restricted to the minimum of: shareholders,
customers, suppliers and the wider community,
although one could think of many more groups that could be of importance to a
specific organisation. The fact that the number of stakeholder-groups taken
into consideration is limited indicates that certain stakeholders are perceived
as being more important than
Second, stakeholder concerns will differ between groups. It is obvious that more important stakeholders will have greater influence on an organisation’s actions, and that, in the case of conflicting concerns, the interests of the stakeholder group with the most influence will prevail. Dialogue with stakeholders is carried out in the external governance and risk management assessment process and in this process the interests of stakeholders are identified and balanced according to the weight the company assigns to each stakeholder group.
The objective of accountability towards stakeholders requires information about general issues such as product safety, the environment, employee relations, etc. An ethical bookkeeping system collects data systematically about the organisation’s values behaviour, which is relevant for stakeholders. This process is most likely to include ‘hard’ information, including for instance complaints of stakeholders, business accidents or fines for unethical behaviour. A significant quantity of this data will already be present in the organisation’s ‘normal’ accounting and management information systems (e.g. human resources information: number and level of female employees, payment ratios for employees of different ethnic origin, etc.). By collecting this kind of information, a company is in fact keeping some records on the social impact of its actions and policies and therefore we might consider this social accounting.
The term ‘values accounting’ is used to refer to the process in which data is gathered with regard to organisational governance and risk management. This will include looking at the information provided by the bookkeeping system and looking at the ‘paper’ and ethics- related processes in the organisation, in order to lay bare the (explicit and implicit) value system of the organisation through analysis. Value-linked corporate behaviour derived from bookkeeping records, will be tested against current guidelines and opinions on environmental issues, hiring/firing policies, etc. A comprehensive check-list (with regard to lines of communication, reward systems, chain of command, etc.) is used to determine what behaviour the organisation values. This is done by looking at the formal and informal structures and processes in the organisation.
In the internal governance and risk management assessment process the prevailing values of employees are examined through interviews, surveys, questionnaires, etc. The outcomes are then related to the value system of the organisation, revealed by the accounting process. By doing this the values gap (different perceptions on the organisation’s values) is identified, as well as conflicting interests within the organisation and values that are inconsistent with each other. But internal values assessment is not only concerned with uncovering prevailing values, it also looks at what the organisational values should be. Since the purpose of internal auditing is to measure the compliance of facts with norms, these norms – being the values the organisation wants to incorporate – must be clear. This might be the case as a result of an earlier participative process (written down in a values statement or not), but it is important that this is an on-going process in order to make sure that the company perseveres with these values. So, internal values assessment is also concerned with internal audits. This is done by listening to employees (the original meaning of the word audit being derived from the Latin word ‘audire’ means to listen).
Workshops and small group discussions often further raise governance and risk management awareness and can be an important tool for building consensus.
You will have limited time to conduct your
governance and risk management audit, so any interviews you may undertake will
have to be limited in time and scope.
So, the governance and risk management audit will result in the identification of (actual) organisational values on the one hand, and, on the other, the general direction of how the organisation wants to develop its value system. The findings will therefore need to be translated into action planning for the following year. If the governance and risk management audit is performed every year or every other year, an organisation should be able to track its progress based upon the baseline information provided by the different elements of the governance and risk management audit. Hence, the governance and risk management audit provides a snapshot of the integrity of a company.
- The purpose of the audit is to
provide an analysis of the values commitment
of the organisation. You can focus on key issues, or a business unit,
or, if the business is small, the whole organisation.
- Remember to provide relevant contextual overview of the organisation/business unit/issue and information on key personnel/groups/stakeholders.
- Where the organisation has a specific governance or CSR statement, this must be included in your documentation.
- In effect, you are being asked to provide a gap analysis, i.e. the gap between commitments and action. Therefore, you must provide an account of what the commitments are, and what the organisation has done (or not done) to keep those commitments.
- You also need to analyse why you think there is a gap, or no gap between commitments and performance. This is where you can use the theory presented in the unit along with case study examples.
- Indicative length: 3000 words, not including attachments, references or endnotes. Need not be exactly this, but if you fall too far short, by more than a 100 words or so, you may lose marks. If you fall short by a 1000 words, you will definitely lose marks.
- However, brevity will be rewarded over bloat, therefore try to be succinct and to the point. Use appendices for the detail and present in a format appropriate to your organisation’s context and practices.
- Use the Harvard referencing style when citing sources. You will lose marks if you fail to do this.
- You may add links to YouTube clips or other multimedia if appropriate asevidence.
- This is an individual task and not group work.
- This assessment is worth 50% of your total unit mark.
- Due date: End of Week 12.