The article was published in The Business Times on 23 December 2016.
The Board is responsible for establishing a system of corporate governance that is of a high standard, specific, and relevant to the company. This requires installing certain structures and practices such as board composition, committees with clear terms of reference, and clear and comprehensive risk management policies.
However, even the best of intentions can be undermined if the people required to adopt them in practice do not, themselves, behave correctly. And behaviour is very much influenced by culture – in this case, the culture of the company, the board, and risk management. A clear understanding of the distinction and the interaction of the three cultures is important in cultivating effective governance.
Corporate culture and board culture
A company’s values and beliefs are manifested in “the way things are done around here”. Often, this “way”, or culture, is codified in documents such as the mission, vision and values statements, ethical standards, and a Code of Conduct.
In the same way, board culture – its values and beliefs, really – is often manifested in the way the board behaves and arrives at decisions.
Both board and corporate cultures must be consistent.
The board cannot sit outside the corporate culture and operate inconsistently with the values espoused by the company’s Code of Conduct. It should consistently lead by example and establish the right “tone at the top”. This requires a commitment to define, establish and assess the values and conduct expected of board members, individually and collectively, by using the same yardsticks it applies to the corporate culture.
In fact, many leading companies are establishing formal Codes of Conduct specifically for the board that articulate these requirements, so that there is no uncertainty about the way its members are required to behave.
The board’s role in corporate culture
Leadership is an important element in any culture. The board is thus critical in driving the corporate culture – and in more ways than just ensuring that boardroom practices and decisions reflect the corporate culture it wishes to have.
Proactive behaviour is vital.
For instance, the Code of Corporate Governance recommends that the board sets the company’s values and standards (including ethical standards). However, the 2016 SGX-KPMG study of corporate governance disclosures found that only 46 per cent of boards were responsible for setting values and standards.
In fact, the board’s role should go beyond establishing values and standards. It should continually assess the corporate culture to ensure that the various moving parts are aligned and that corrective measures are implemented.
The board should also regularly evaluate the style of the CEO and management, and how that style influences corporate culture. It can do so by proactively spending more time in the business, incorporating cultural assessments into core processes (such as mergers and acquisitions and overseeing subsidiary operations in multiple jurisdictions), establishing regular board reporting on cultural indicators, and establishing an assurance framework to regularly assess the corporate culture (such as independent reviews conducted by internal audit and culture surveys).
Corporate culture and risk culture
An important component of corporate culture is the risk culture, which addresses the articulation, communication, measurement and management of risks within the company.
The recent ISCA-KPMG study, Driving Value: Risk Transparency and Culture, found that while risk governance disclosures have improved over time – with information about structural elements being particularly strong – those relating to behavioural aspects are less forthcoming.
Companies give robust disclosures on areas that are more structural in nature, such as the board being responsible for risk governance, setting up key risk and whistle-blowing policies, and establishing an internal audit function.
However, when it comes to critical behaviours such as risk tolerance, risk culture, linking remuneration and performance, and fraud risk management, the standard of the disclosures is lacking. There is much room for improvement here.
For their part, stakeholders such as regulators and investors are starting to realise that regardless of how adequate a company’s risk management and internal control framework may be, the processes and controls will not be effective without a robust risk culture.
To address this issue, the board should ensure that the company has in place a programme such as regular risk management training and workshops (incorporating behavioural scenarios), to continuously develop and enhance awareness of the right behaviours, values and ethical standards.
When things go awry
Examples abound of “what can go wrong” when an unhealthy corporate culture prevails in an organisation without a robust risk culture.
Enron is a prime example. Its external profile was one of innovation and ethics. Its corporate slogan was “Respect, Integrity, Community, Excellence”. It won many industry awards including one of the “Best companies to work for”. In reality, the company had a toxic corporate culture without a balanced and effective risk culture. For years, the board and top management encouraged behaviour that pushed moral and legal boundaries in the pursuit of profit maximisation. The outcome – total corporate collapse – is well documented.
In short, boards need to ensure that their companies focus on the behavioural and not just structural elements of risk management. A strong risk culture supports effective risk management; a weak one is a risk in itself.
Irving Low is Head of Risk Consulting, KPMG in Singapore, and a member of the Advocacy and Research Committee of the Singapore Institute of Directors. The views expressed are his own.