ESG Compliance | 25 October 2022

What internal audit should know about ESG risks: G is for governance

In this final article of the series, we focus on the third element of ESG, governance risk. This differs from the first two elements – environmental and social – in that several governance risks have long been recognized and included in our audit plans. However, many more have recently gained prominence. Therefore, it is important that internal audit understands these risks and is well positioned to provide assurance.

Governance risks

Some governance risks are broad in nature; others are very narrow. Some have few universal benchmarks, while others have well-established frameworks or regulations. Here are some of the main risks that should be considered:

  • Shareholder rights and engagement – are there any limitations on certain classes of shareholders, and does the business engage effectively on important issues?
  • Board structure and diversity – are there independent directors, and does the board have sufficient diversity of experience, style, and background? Increasingly, neurodiversity is a consideration, and in some countries a workers’ representative is a requirement.
  • Executive compensation – is this structured to be in line with corporate objectives, and is it consistent with peers in comparison to the wages of other staff?
  • Anti-bribery and corruption – many countries have a comprehensive legal framework.
  • Tax transparency and policy – what is the organization’s approach to tax, and particularly the jurisdictions it operates and pays taxes in?
  • Ethics and culture – a broad topic; ethics encompasses all of the above and more. Culture has become a hot topic over the past 15 years, as the link between a strong organization-wide culture and performance has become increasingly apparent.
  • Data protection – often also included as a social risk, good information governance is relevant here as well.

Typical impacts for the organization will be reputational, legal and regulatory, people, financial, and ultimately strategic.

Getting started – Determining the key risks

Compared with environmental and social risk, it is much more difficult to take a holistic approach to governance risk, given the breadth of topics. However, it is likely that many of these activities and risks are already in your audit universe. Your organization may have adopted a governance code, although it may cover only some of the issues described above. Understanding the relevant governance code(s) – mandatory or optional – is a good starting point. Which codes apply will depend on jurisdiction(s), market listings, regulators, and industry practices. Governance codes can be principle-based or more prescriptive, and will typically define some or all of the following, often on a “comply or explain” basis:

  • Clarity of purpose
  • Leadership
  • Integrity
  • Board composition and division of responsibilities
  • Board effectiveness
  • Decision making
  • Risk management, internal controls, and audit
  • Accountability, transparency, and reporting
  • Remuneration

In understanding governance risks, you should also take into account what specific legal or regulatory requirements apply to any of these issues. These may include reporting requirements around diversity or executive pay, or matters which must regularly be reported to and considered by the board. Also consider which other stakeholder expectations are relevant. This is likely to focus on investors, who have become increasingly vocal and prepared to vote against boards that do not adequately address specific issues.

With this background information, along with your consideration of the issues highlighted earlier in this article, you can ensure your risk assessment incorporates relevant governance risks.

How internal audit can make an impact

As always, we should leverage work done by the first and second lines in considering where we can make the biggest impact. We should consider our risk assessment alongside any new information we have about regulatory changes, emerging issues in our sector or jurisdictions, and investor interest.


Kevin Gould
Non Executive Director, Chair of Risk and Audit Committee
Kevin is a Chartered Accountant with a strong background in Internal Audit and a recent focus on ESG. He has 25 years of experience as a consultant, adviser and auditor.