Some governance risks are broad in nature. Others are very narrow. Some have little in terms of universal benchmarks, while others have well-established frameworks or regulations. Here are some of the main risks that should be considered:
- Shareholder rights and engagement – are there any limitations on certain classes of shareholders, and does the business engage effectively on important issues?
- Board structure and diversity – are there independent directors, and does the board have sufficient diversity of experience, style, and background? Increasingly, neurodiversity is a consideration, and in some countries a workers’ representative is a requirement.
- Executive compensation – is this structured to be in line with corporate objectives, and is it consistent with peers in comparison to the wages of other staff?
- Anti-bribery and corruption – many countries have a comprehensive legal framework.
- Tax transparency and policy – what is the organization’s approach to tax, and particularly the jurisdictions it operates and pays taxes in?
- Ethics and culture – a broad topic; ethics encompasses all of the above and more. Culture has become a hot topic over the past 15 years, with the link between a strong organization-wide culture and performance becoming increasingly apparent.
- Data protection – often also included as a social risk, good information governance is relevant here as well.
Typical impacts for the organization will be reputational, legal and regulatory, people, financial, and ultimately strategic.
Getting started – Determining the key risks
Compared with environmental and social risk, it is much more difficult to take a holistic approach to governance risk, given the breadth of topics. However, it is likely that many activities and risks are already in your audit universe. A governance code may have been adopted by your organization, although these may only cover some of the issues described above. Understanding the relevant governance code(s) – mandatory or optional – is a good starting point. This will depend on jurisdiction(s), market listings, regulators, and industry practices. Governance codes can be principle-based or more prescriptive, and will typically define some or all of the following, often on a “comply or explain” basis:
- Clarity of purpose
- Board composition and division of responsibilities
- Board effectiveness
- Decision making
- Risk management, internal controls, and audit
- Accountability, transparency, and reporting
In understanding governance risks, you should also take into account what specific legal or regulatory requirements there are around any of these issues. This may include reporting requirements around diversity or executive pay or matters which must regularly be reported and considered by the board. Also, consider what other stakeholder expectations are relevant. This is likely to focus on investors, as they have been increasingly vocal and prepared to vote against boards that do not adequately address specific issues.
With this background information, along with your consideration of the issues highlighted earlier in this article, you can ensure your risk assessment incorporates relevant governance risks.
How internal audit can make an impact
As always, we should leverage work done by the first and second lines in considering where we can make the biggest impact. We should consider our risk assessment alongside any new information we have about regulatory changes, emerging issues in our sector or jurisdictions, and investor interest.
Governance codes were mentioned earlier in this article. Whether your organization has adopted a code in full or developed its own framework, it will need to produce a regular (typically annual) report of compliance with the code. Assessing the processes supporting this reporting is often a good way to execute broad audit coverage of governance risks. Such reports are expected by regulators, provide assurance to the board, and are sometimes published (at least in part, in the annual report). Therefore, it is important that they give an accurate picture.
Reports may take many forms and will often include qualitative assertions and specific data or examples. It is important that any data reported is accurate, but equally important that narrative assertions or examples are supported by evidence. Internal audit can provide assurance over the processes to collate this evidence, ensuring it is complete and accurate and that the right oversight controls are in place. We can also review the report and verify that the conclusions reached fairly reflect the evidence available. Generally, we take a combined approach to provide comprehensive and broad assurance.
Board composition has been under the spotlight, and while practices have improved there is often still a lack of transparency in recruitment, objective evaluation, and diversity. This is a sensitive audit which needs to be conducted by experienced auditors. When done well, it provides real insight and impact.
It is important not to make this about the individuals currently serving on a board, but about the effectiveness of processes around recruitment, structure, skills-determination, and performance evaluation. Consider some or all of the following:
- Is there an evaluation of the skills required on the board and an up-to-date skills matrix? Is this specific enough to ensure the board members possess the right range of skills and experience but sufficiently flexible to attract a diverse pool of candidates?
- Do recruitment processes include defining an ideal candidate profile, pre-determined selection criteria, and stakeholder involvement in the exercise? Are candidates sourced in a way that ensures a wide pool of candidates, recognizing that there may be a need for confidentiality?
- How are conflicts of interest identified and managed?
- What are the rotation policies/term limits for non-executive board members?
- How is board performance evaluated? Is there a self-assessment process and a periodic independent assessment?
- Is there a training plan for the board and individual board members? Is there an individual appraisal process?
- Does the committee structure support effective delegation but ensure the board maintains its responsibility for strategy and oversight?
- How effective is the relationship between executives and non-executives? Does the structure facilitate both support and challenge?
- Is there an effective process for succession planning?
- Do boards allow time for open discussions and strategic thinking, as well as formal meetings?
Some of this can be done by document review — including board papers and minutes, the skills matrix, recruitment process documents, etc. But much of this will also require interviews with board members and those who support the board, such as the corporate/company secretarial or corporate governance team.
This article concludes the series on what internal audit should know about ESG risks. If you missed the first two articles, be sure to review our suggestions on how internal audit can approach environmental and social risks.