In February, the Organisation for Economic Co-operation and Development (OECD) published Corporate Governance Lessons from the Financial Crisis. It can be found at http://www.oecd.org/dataoecd/32/1/42229620.pdf.
Its conclusion was that “the financial crisis can be to an important extent attributed to failures and weaknesses in corporate governance arrangements. When they were put to a test, corporate governance routines did not serve their purpose to safeguard against excessive risk taking in a number of financial services companies.”
The report identified a number of governance weaknesses.
- “The risk management systems have failed in many cases due to corporate governance procedures rather than the inadequacy of computer models alone: information about exposures in a number of cases did not reach the board and even senior levels of management, while risk management was often activity rather than enterprise-based.”
- “In other cases, boards had approved strategy but then did not establish suitable metrics to monitor its implementation.”
- “Company disclosures about foreseeable risk factors and about the systems in place for monitoring and managing risk have also left a lot to be desired even though this is a key element of the Principles. Accounting standards and regulatory requirements have also proved insufficient in some areas leading the relevant standard setters to undertake a review.”
- “Last but not least, remuneration systems have in a number of cases not been closely related to the strategy and risk appetite of the company and its longer term interests.”
The OECD pointed out that these governance weaknesses are not limited to financial organizations. “It is also an essential, but often neglected, governance aspect in large, complex non-financial companies.”
While it is possible to have effective risk management processes without a risk management application, it is certainly much more difficult. With examples of corporate failures to manage risk in the news every day, isn’t now the time to establish a centrally managed (or at least centrally coordinated) risk management office, supported by an effective automated solution?
In the eyes of the OECD (and in most international governance frameworks), governance includes risk management and the controls required to manage risk and achieve objectives. In turn, non-compliance with laws and regulations is one of the risks covered by the risk management process. As a result, governance as used by the OECD and others is the same as the space that analysts, vendors, and consultants call GRC (governance, risk, and compliance).