The term ‘corporate governance’ is used with a wide variety of meanings. It’s taken for granted that ‘good governance’ is a good thing, and intuitively we expect a well-governed organization to perform better. But without agreement on what the term means, it’s hard to make sense of the measures and comparisons, and it’s hard for managers to know what, if anything, they are expected to do.
Here are some of the things people refer to when they write about ‘corporate governance’.
This is the G in ESG (Environmental, Social, and corporate Governance), relating to the information the organization discloses to the rest of the world. Good governance in this sense means that the organization is disclosing everything it should, promptly and truthfully.
This type of governance has two objectives:
For government agencies with responsibility for economic development, and for some of the investment community, ‘corporate governance’ refers to the regulatory framework in which corporate investments are managed.
For government agencies, the purpose of corporate governance is “to make sure that the financial sector can serve the needs of the real economy; that savings are available and effectively channelled to corporations that need capital for innovation, job creation and growth.” (OECD)
For investors, corporate governance can refer to the regulatory framework that ensures the ‘safety’ of a shareholding: Are minority shareholders treated equitably? Is there a risk of asset stripping? Is there sovereign risk affecting the payment of dividends?
Governance in this sense asks the question: Is the board capable of doing its job?
Board competence, on its own, is not sufficient for good governance; but it’s unquestionably an essential element.
Governance in this sense asks the question: Does the board actually do its job?
In other words: Does the board actually govern the organization? As with board competence, this element is not governance in itself. It is part of the method of governance.
Governance in this sense refers to the operational activities carried out by the organization’s managers and personnel to deliver governance outcomes: in particular, to implement policy and to ensure compliance with regulatory and management system requirements.
This is the counterpart of meaning 4. Boards are expected to monitor the organization’s activities and to exercise oversight. This implies that the activities are designed and controlled in such a way that they can be monitored, that oversight can be exercised.
This might be termed the ‘GRC meaning’ of governance. GRC stands for Governance, Risk, and Compliance. In practice, the term has come to refer to a single body of activity: governance as the overarching activity of which risk management and compliance management are elements.
Can any of the meanings of corporate governance be used to measure and compare the standard of corporate governance between organizations? It would certainly be convenient if organizations could be rated on a one-to-ten scale of governance, from lousy to excellent; but convenience is rarely a characteristic of management analysis.
Meaning 1, ESG governance, can be used to assess individual, specific characteristics such as greenhouse gas emissions or IFRS compliance. But an organization’s full set of disclosures, taken as a whole, doesn’t create a measure of the organization’s ‘governance’ in any sense.
“Part of the difficulty is in the fact that ESG is at the same time very broad, touching every company in some manner, but also quite specific in that the ESG issues companies face can vary significantly based on their industry, geographic location and other factors. As such, there is no one set of metrics that properly covers all ESG issues for all companies. Moreover, the landscape is changing rapidly so issues that yesterday were only peripheral today are taking on greater importance.” (John Coates, Corporate Finance Director, SEC)
Assessments based on meaning 2 are predominantly looking at jurisdictions and regulatory frameworks. An assessment of an individual organization is focused more on where it is incorporated, where it is listed, and what industry it is in, rather than consideration of its board or management. This type of assessment can produce useful information for investors and regulators but is not much help for directors and managers working to improve value and performance.
Meanings 3 and 4, together, are the focus of ISO 37000 Governance of Organizations. This standard sets out principles to guide the formation and activities of an organization’s governing body. There have been suggestions that ‘ISO 37000 compliance’ can be used to assess the quality of an organization’s governance, and there are consultancies offering ISO 37000 certification explicitly for this purpose.
This is misguided.
First, ISO 37000 is not intended for certification. It provides guidelines, not requirements.
ISO 37000 is not a management system standard and therefore does not provide requirements for certification or compliance.
Even if it were certifiable, diligent ‘compliance’ would achieve corporate governance only in the abstract. It’s like asking if a person is a ‘good driver’ without specifying what they will be driving. The requirements are very different if they’ll be driving a school bus or a combine harvester or a Formula 1 racing car.
While in general it may be good practice for a board to follow the principles of ISO 37000, whether or not they have done so says nothing whatever about the quality of their governance of their organization at any point in time.
The fifth meaning of corporate governance — the internal control of the organization’s activities — is the most complex and by far the largest in terms of actual time and effort expended. A board is a small number of people who meet periodically; the rest of the organization is a large number of people working continuously. This aspect of governance is also the least studied, perhaps because it’s not obvious how to measure it.
A problem in trying to measure ‘governance’ in this sense is that so many of the performance measures are of things that didn’t happen: the employees who weren’t injured, the fines that weren’t incurred, the incident investigations that weren’t needed, the writs that weren’t received.
When the general public hears ‘governance’, they’re thinking about the organization’s activities and outcomes, not the structure and intentions of the board. If the organization has a lot of accidents, or is frequently incurring fines or getting sued, the public will reasonably infer that the organization is poorly governed. The converse is not so simple, at least in the short term: zero accidents might be the result of excellent governance; or it might just be that the organization was lucky that year.
Attempts to assess the quality of an organization’s internal governance are also hindered by the lack of two key elements: the governance objectives, and the system to achieve those objectives.
It is common on corporate websites to find a page headed “Corporate Governance” containing a list of policies and certificates of compliance with standards like ISO 9001, ISO 14001, and ISO 27001. What is missing is any way to know if the list contains everything it should, or to gauge the relative importance of the items listed.
If the organization were a motor vehicle, the corporate governance page would be an assertion that the vehicle is fit for use. But until you know the intended use, you don’t know what ‘fit’ means. Brakes, yes; steering, yes; what about cabin heating? If the vehicle is a snow-cat in Antarctica, cabin heating is a life-or-death safety requirement; if it’s a limo in winter, heating is a commercial necessity but no-one will die if it fails; if it’s a golf buggy, no-one cares.
So it is with an organization’s governance. Unless the board has actually stated the governance objectives, the organization’s managers are working in the dark. As with all management activities, unless you know where you’re going you don’t know how to get there or if you’ve arrived. The statement of governance objectives is the practical outcome of ISO 37000. The board can meaningfully monitor the organization’s activities only if they’ve articulated what they will monitor and what they expect to see when they do so.
For some organizations, the corporate governance page on their website is an ever-growing list, on the some-is-good, so more-is-better principle. Hey, we must be really well governed, look at all these policies we’ve got! This approach brings to mind Santayana’s description of a fanatic as someone who, having lost sight of their objectives, redoubles their efforts.
The second issue that makes assessment difficult is the lack of an actual system of governance management. Formal definitions of corporate governance often include phrases like “the system of policies, processes, and responsibilities...” In most organizations, describing the set of policies, processes, and responsibilities relating to governance as a ‘system’ would be charitable indeed.
It is common to find managers who will cheerfully admit that their compliance documentation, such as for ISO 9001, is maintained purely for audit purposes, to get the compliance certificate.
It is common to see policy statements, on the website or framed on the foyer wall, that were created purely for PR purposes, without even a pretence of relevance to anything actually happening in the organization: Acme Corporation is committed to [insert good intention here]. Put it on letterhead, get the CEO to sign it, and we’re done.
Apart from being dishonest and dangerous, this approach to governance is so obviously and painfully wasteful: it adds no value to anything. Actual governance — ensuring that the organization’s activities are consistent with its governance objectives — adds actual value. As the safety people love to remind us: if you think safety is expensive, just try having an accident.
The core challenge is that the list of things an organization should be doing for governance purposes is long. Trying to manage the items on the list as a collection of separate management tasks is more total work than is feasible in a live organization. Unless the organization can show that it has a system for managing its governance activities as a whole, it is inevitable that at least some of its governance will be mere lip service or will end up entirely unmanaged.
There are numerous definitions of corporate governance, and correspondingly numerous attempts to measure quality of governance and to quantify the value that governance adds. For the community at large, all that matters is outcomes: the reasonable expectation that the organization will achieve its objectives.
The expectation is reasonable only if we can see that the board has defined the governance objectives in terms that management can achieve; and management has a system in place to prove that it has achieved them.