Corporate governance has long been an area of focus for boards, and recent proposals in the UK have ensured that this remains the case.
The Financial Reporting Council consulted in late 2017 on proposed changes to its Corporate Governance Code for quoted companies. The final text of the changes is expected to be published this summer, for introduction in 2019.
The focus on governance extends beyond the quoted company arena. Legislation laid before Parliament in June 2018 will, amongst other things, require large UK private companies to disclose in their annual directors’ report details of the corporate governance arrangements they have operated during the previous year. At the same time, a consultation has been launched on proposed corporate governance principles for large private companies, which the government hopes will be adopted by those companies as an appropriate framework when complying with the new governance-related reporting requirement.
‘Culture’ as a core governance issue
An interesting feature of the proposed changes to the Corporate Governance Code is the focus on culture being the responsibility of the board. The consultation draft of the new Code included provisions such as:
“Directors should embody and promote the desired culture of the company. The board should monitor and assess the culture to satisfy itself that behaviour throughout the business is aligned with the company’s values.”
It is no surprise, then, that boards are asking themselves how they respond to this responsibility. What can they do? How do they demonstrate that? What are their peers doing? What will best practice look like?
It’s not just a British thing though, of course. This echoes the approach already being taken in the financial services sector across the world, which is bound to filter through to other sectors. These are questions worth asking wherever a business is based, and whatever it does.
- William Dudley, President and CEO of the Federal Reserve Bank of New York, said during a panel discussion in February 2018:
“I think there’s a pretty broad acceptance of the notion that regulation and compliance only takes you so far… You need a good regulatory regime supplemented by various good conduct and culture in the organizations.”
- In March 2018 the UK’s Financial Conduct Authority published a discussion paper on Transforming Culture in Financial Services, stating:
“Given its impact and the role it needs to play in re-building trust in financial services, firms’ culture is a priority for the FCA. We expect firms to foster cultures which support the spirit of regulation in preventing harm to consumers and markets.”
- The Financial Stability Board in April 2018 published its toolkit on Strengthening Governance Frameworks to Mitigate Misconduct Risk. Corporate culture was a core focus of the toolkit, with senior leaders being advised to articulate their desired culture, identify the significant cultural drivers of misconduct and then act to shift behavioural norms to mitigate those cultural drivers.
Designing a risk management framework
What steps do we see companies taking to respond to this focus on culture? It’s complicated, and always bespoke, but one fundamental component is designing a good risk management framework. Prevalent themes of such a framework, and areas that therefore need to be improved, include:
- A strong ‘speak-up’ or ‘see, say’ culture – do employees feel empowered to raise concerns, without fear of retaliation?
- Consideration of conflicts – does decision-making power rest in the right hands, and are there clear rules around when an individual should recuse themselves from the decision-making process?
- Appropriate accountability – where does the buck stop when it comes to taking responsibility for a course of action, and does everyone in the chain of command understand the expectations placed upon them and their contribution to the end result?
- Clear lines of communication – has the tone from the top been cascaded appropriately, have the instructions of managers been clearly conveyed and have the actions and decisions of employees been adequately recorded and communicated to their line managers?
When problems do arise, as they inevitably will, it is important that they are examined and understood and that the learning points from them feed into improving the risk management framework. It should be a loop of continuous improvement.
The ultimate objective of a strong risk management framework is to assist companies in preventing issues from arising in the first place. If that objective fails, however, having the right framework in place can help with early detection of problems and provide companies with the opportunity to then carry out appropriate remediation. Where a problem has attracted the attention of regulators or enforcement agencies, the existence of a good risk management framework can act as a helpful mitigating factor when it comes to sanctions, sending a positive message to show that appropriate steps were taken to seek to prevent problems and learn from them if they happen.
Stakeholders at all levels – whether consumers, shareholders, employees or others – will expect that companies are taking the appropriate steps to manage their exposure to risk. The clear message is that culture and risk management go hand in hand, so no wonder culture has become a core topic for discussion at the boardroom table.
The views, opinions and positions expressed within all posts are those of the author alone and do not represent those of the Program on Corporate Compliance and Enforcement (PCCE) or of New York University School of Law. PCCE makes no representations as to the accuracy, completeness and validity of any statements made on this site and will not be liable for any errors, omissions or representations. The copyright of this content belongs to the author and any liability with regards to infringement of intellectual property rights remains with the author.