Just a few weeks ago, we hosted a well-attended webinar on the topic ‘Governance: A tool for Growth’ by Alicia Perez Director of IS Audit. With a number of inquiries coming in we decided to sit down with Alicia one more time to bring you this 2 part fireside chat on what makes Governance so important.
What is Governance?
AP: “There is a proper definition for governance that I can’t reel off right now but if you think about it simply, governance is a framework of repeatable steps performed consistently to get us from where we are to a particular target state. So if you use that definition for governance, it is very easy to see why governance becomes important to an organization’s bottom line. Governance is concerned with making sure you have a framework that supports a sustainable output. It speaks to:
- The timely provisioning of resources, both human and financial capital to move forward.
- Capability to measure and manage attendant risks of planned initiatives to tolerable levels.
- As well as, having some kind of mechanism to know whether or not you have arrived at your preferred state. Along the way there must be some form of measuring of the value of initiatives undertaken, done in a timely enough fashion; to ensure you can take corrective actions before you have incurred so much losses that there’s no path to hit your desired goal.
So if you take that definition of governance then it becomes evident that big or small, everybody is in business to achieve a particular end state that is going to create value for somebody else and the tenants of good governance are therefore applicable.”
What have we done wrong traditionally in our approach to Governance?
AP: “Traditionally, we’ve thought of governance as something that we do to get internal audit or other assurance functions off our backs. We write policies and procedures to simply be compliant, but no business is ever in the business of ‘being compliant’ and subsequently those artefacts really do not reflect executive commitment nor do they direct what we do. So our governance structures have failed in a lot of instances because we haven’t truly appreciated the changes that they were supposed to effect in our operational day-to-day lives. A policy document is intended to provide direction on where we’re going, what we must avoid, and what are the things that we must do. This sets the tone of executives in terms of what’s our posture is concerning our objectives and it sets expectations for all stakeholders. It then gives direction to our line managers who are responsible for rolling out procedures, answering questions around: what is my latitude in terms of rolling out a particular framework? What are the lines that I can or cannot cross?”
How do you then operationalize a policy document in 2018?
AP: “Firstly we have to change our mindset on why we are creating the policy and ensure that what is produced is relevant and useful in transitioning/maintaining the targeted business environment. The intent and requirements of the policy must also be understood and importantly, routine operational processes (not internal audit) must alert us to critical policy deviations. The organization’s ability to hold people accountable for violations is critical and also where a lot of organizations that could be great fail miserably. This way the policy is not removed from the operations but drives operations and necessary culture shifts.
You know you have issues with your governance framework if I can do my job which is what really creates value for the business, and then say ‘oh, by the way, let me go and complete these policy forms before I submit.’ The controls required by the governance framework must be built into the process. As a highly respected colleague of mine once said, ‘If no-one is going to consume what you are producing then it begs the question why are we producing it, to begin with.'”
How important is a strategic plan in a Governance framework?
AP: “At the end of the day, a strategy document needs to clearly outline where we want to go, where we see ourselves in the next X number years and it should also give us a high-level overview of the initiatives that we will undertake to get us there. The management team should be able to pick it up and build out a tactical plan to get us to our target state.
I’ve been to clients that have the most fantastic strategy document, it is so beautiful, accompanied by awesome PowerPoint slides; it is really a marvellous output complete with a high-level tactical plan and timelines. However, when you look at what employees are doing on a daily basis there is a significant misalignment essentially ‘I’m building widgets, yet the grand strategy of the organization is to create balloons.’
In essence, a strategic plan is critical, however, if it is not leveraged as a management tool our strategic planning exercise is reduced to an academic experience (usually accompanied with good food).”
It is one thing when strategy and documentation align theoretically but how do we ensure it is executed effectively?
AP: “Although we said ‘we’re creating widgets today, but three years from now we’d like to be making balloons,’ today our widget factory is churning and everybody’s hard at work making widgets. While this is happening, people feel accomplished in making the 100 widgets they are supposed to do per day and they still get assessed on that 100 widgets per day. However, no one has taken into consideration what tactically must be done for us to transition to a balloon factory. So, arrangements are not being made for the necessary physical resources, the research & development is not being done, processes are not re-engineered etc. but in the short term, we’re going to continue performing well operationally because we continue to make that 100 widgets per day. In three years’ time, however, a ‘thriving business’ will begin to decline and typically there is a scramble (at a higher cost) to retain value or catch-up. So although we’re performing great on a year-to-year basis it is not sustainable because we have not put in place the requisite steps to make the transition to where we needed to be.”
Have you seen in your experience any company who actually operates in the way you have defined Governance?
AP: “Yes, I’ve seen aspects, because there are so many facets one organization may not have all 100% but I have definitely seen companies that have put a lot of the pillars of governance in place and do very well. It does take dedicated effort, someone looking on and saying they wish to make large profits is not enough. It takes an executive team that’s committed to making those tough decisions, ‘I’m not going to get the gains this year but I’m committed to making less profit this year because I believe that this is what I need to make lasting profits in the years to come.'”
Are there clear differences between those leaders versus the companies who don’t perform as well?
AP: “Ownership! Ownership and being very deliberate in tracking key performance indicators, doing away with lots of qualitative measures. Of course, it can’t all be quantitative, but we’ve become too easy on ourselves with qualitative assessments. You can easily explain your own qualitative opinion, numbers though are a little harder to tweak. So, ownership is one, the buck stops with me! Being very clear on who owns the results. So there is transparency when the investment decision is being made and the person championing/sponsoring that project also is very clear that they are responsible and will be held accountable for ensuring that promised benefits of the investment are actually realized.
So, let’s take an upgrade of an IT infrastructure for example. The business believes that a revamp of the IT infrastructure is the panacea. If accompanying benefits are not quantified and realization owned, one of two things typically happen:
- We get carried away with shiny technology toys and create capacity/capabilities that the business cannot optimally leverage; or
- The infrastructure is appropriately upgraded but the business is not prepared to leverage that capability to create business value that will give us a reasonable return on the investment.”
Course correction is a must when thinking long-term. How important is the Risk management?
AP: “That is why governance is such an exciting thing because you just don’t know. You must aim for optimum, but you just don’t know. Every day is another opportunity to measure progress which is where your performance management becomes critical to ensuring that you achieve the target and tweak as necessary.
We do this in our personal lives with our own money, we don’t just blow up all of our budget and hope to be okay for the remainder of the month we have specific things that we’re going to spend on and we measure that spend. It’s a similar approach to businesses so you measure as you go along. You should have points at which you check your KPI’s (including risk exposure levels) to ensure that you’re aligned, that this is what I plan to spend, and this is a benefit I was hoping for? Are we on or off track? If I am off track what can I do to recoup some of the gains that I anticipated?”
Stay tuned to our blog for part 2 of this fireside chat about Governance, for more information and insights on how to leverage an effective Governance Framework in our business.
ABOUT THE AUTHOR: Alicia Perez, B.Sc, CISA, CGEIT
Alicia Perez is a Certified Information Systems Auditor with over ten (10) years in the field of business assurance and IT Audit Alicia speaks from a place of technical competence and hands-on experience; she has been integrally involved in a wide range of projects at varying degrees of complexity and has interacted with audit minds in almost every industry throughout the Caribbean.