Says Gary Hinson: "In the context of corporate governance, I propose
the role of Governance Director at executive Board level to act as a senior
focal point for issues relating to management control, risk management and ethics.
Through this paper explaining the rationale for my position, I intend to stimulate
further discussion and development of the concept."
What is “corporate governance”?
In essence, corporate governance is a modern buzzword for old-fashioned management
controls. The core aspects of governance include:
- Appropriate management structures i.e. organizational design, including
the roles of executive and non-executive directors;
- Management control frameworks, with clear accountability and responsibility
(such as financial and other limits on “delegated authority”);
- Ethics in the business context, and social responsibilities;
- Risk management - risks in general including operational, financial, market
and IT risks;
- Management oversight and controls review - making sure that managers
and staff comply with internal and external rules, regulations and laws (e.g.
compliance and audit functions)
Corporate governance committees
During the past decade or so, reports such as Cadbury, Turnbull, Hampel, Combined
Code, Greenbury and Higgs in the UK have stimulated widespread discussion on
the subject of corporate governance. The studies were stimulated by major British
corporate problems that were thought to be symptomatic of failures in the overall
systems of management control.
The reports were written by senior quasi-governmental committees, taking input
from a range of commercial, governmental and academic groups in a form of cross-industry
benchmarking. Interested groups (such as the professional bodies for auditing
and accountancy) were invited to discuss their perspectives on recent management
control failures and propose generic improvements. Each study also built on
The committees’ findings primarily relate to large publicly listed limited
companies although the underlying principles, if not the full details, are more
generally applicable. The recommendations are not formally enshrined in British
law but organizations are well advised to comply. This is a similar situation
to the London Stock Exchange Listing Rules with which limited companies must
comply in order to be listed. Listed companies that break the rules may be de-listed,
and any which bend the rules are likely to have problems finding professional
advisors such as auditors.
In the United States, the Enron and WorldCom scandals further reinforced the
need for widespread governance improvements. America responded by implementing
legislation such as Sarbanes-Oxley and Gramm-Leach-Bliley, imposing new legal
obligations on corporate management. Directors who fail to uphold the principles
of good corporate governance now face imprisonment. Suddenly, corporate governance
is on the agenda, big time.
Who should be responsible for governance?
Governance responsibilities are distributed throughout the organization since
everyone has some part to play in the proper management and control of the organization’s
assets. However, it could be argued that governance is the primary function
of senior managers and directors.
I firmly believe there is a strong case for a new executive management role
of “Governance Director”, supplementing and enhancing the non-executive
and executive directors and senior managers with the greatest influence on corporate
In my personal view, the single step of establishing the role of Governance
Director would solve common organizational design problems such as:
- To whom should [semi-]independent internal control and review functions
- How can discrete governance activities be aligned across the organization?
- Who should take the lead on the subject of ethics?
- How should the executive and non-executive directors interact?
- [Last but not least] Who should be held accountable for corporate governance?
A proposed rôle description for the Governance Director is presented
in Appendix A below. You are very welcome to use this as
the basis for defining the rôle in your organization!
Governance in relation to IT
I consider governance in the broad as an all-encompassing framework of management
controls for an organization. Thinking specifically in terms of IT, for example,
governance includes but extends well beyond management of the IT department.
IT is a major function in many organizations with a significant budget. IT is
used and has impacts throughout the organization and indeed through business
relationships to suppliers, partners and customers. IT governance is therefore
both a business and a technology issue. Given the penetration of IT into the
business, IT governance is also a major part of overall corporate governance
in most modern organizations.
I am surely not the only one who thinks this way. In a letter published in
the September 2003 issue of Director, the Institute of Directors’
journal, Julian Brackley of Niku Corporation UK said that “The updated
Combined Code on corporate governance will force thousands of businesses to
undertake a review of the way IT is managed ... Companies will have to apply
a similar level of governance to IT as they would to the finance function.”
Here are five key aspects of IT governance that I believe would be of direct
concern to the Governance Director:
- Conventional management control within the IT department - the Governance
Director would not have a hands-on executive role (that’s the IT manager’s
job) but would be responsible for sharing best management practices amongst
all departmental managers e.g. budgeting and forecasting and expenditure tracking;
HR management; supply and demand management (capacity planning, service levels
- Project management - technology projects are notoriously risky yet the established
principles of good practice in project management are seldom fully applied.
For instance, we were horrified but not entirely surprised to find that less
than half of IT projects surveyed by Computer Weekly even have a documented
- Change management - most new or changed IT systems and services are presumably
implemented to improve the organization in some way, yet conventional change
management concepts are usually notable by their absence. As a simple example,
project communications, if they are managed at all, are typically internally-focused
within the project team and/or IT: rarely have we seen truly customer-focused
project teams that communicate effectively with the rest of the organization
and make any real effort to smooth the implementation, except perhaps for
a token effort to “train the users”. Is it any surprise then that
system implementations are often resented and sometimes rejected by the very
users whose lives were supposed to be improved by the new systems?! You can’t
treat users like performing dogs!
- Information security management - whilst traditional IT security functions
have tended to focus on technical security controls within the systems and
networks, the remit of modern information security extends throughout the
organization and beyond. Proactive management of information security risks
and controls requires someone to integrate general user and management activities
with those inside IT, and to help coordinate HR, physical security, IT/network
operations, marketing and procurement functions.
- IT risk management - we have already touched on the need to improve management
of risks in projects and information security, but risk management techniques
have broader application. Effective contingency planning, for example, requires
coordinated effort across the organization.
Benefits of Board-level representation
It is often said that the most critical success factor for major strategies,
projects and initiatives is solid senior management support, and with very good
reason. The management hierarchy of a typical organization invests a great deal
of power and influence in senior management, just as a football team looks to
its captain and coach for leadership direction, motivation and support. Something
proposed and/or strongly championed from the top has an uncanny way of coming
to fruition. Conversely, if senior managers do not actively support something,
or worse still if they oppose it, they have many ways to influence the outcome
negatively through what is known colloquially as ‘company politics’.
I feel strongly that the same is true of corporate governance. Senior management
support for governance is an essential component of success. This is the key
reason that I am proposing a Board-level management focus for governance, but
not the only one. Here are some others:
- Of course I believe in the strength of the cost-benefit case for governance
of control frameworks as a whole. Strong controls increase alignment of the
organization’s various parts with its central strategic objectives,
and reduce risks relating to noncompliance with all sorts of policies, rules,
regulations and laws. This is essentially an argument for quality assurance
in relation to management processes. Solid governance controls allow the organization
to go into risky situations with greater confidence;
- Ethical standards of the top team influence the entire organization. Their
tacit or explicit acceptance of unethical policies and working practices can
easily lead junior managers and staff astray. Another way to express this
is ‘cultural leadership’;
- Governance has become a more complex issue of late. Sarbanes-Oxley, for
example, includes specific, narrowly-defined legal requirements that could
easily be missed or misinterpreted through ignorance, yet precious few senior
managers have the time or inclination really to get to grips with their governance
responsibilities. The Institute of Directors, for one, has consistently bemoaned
the lack of management qualifications or training to support senior managers
as they step up to the Board;
- With a clear focal point driving from the top, governance is more likely
to be defined and applied consistently across the corporation. Distributed
piecemeal governance initiatives are unlikely to be as effective, especially
in the face of competing demands for limited resources;
- There are tangible costs involved in designing and operating a sound governance
framework, albeit offset by rather intangible business benefits. In a typical
corporate environment, these costs must be justified relative to other investments
in order to secure sufficient budget;
- Other managers and staff who become aware of governance failures in the
organization will have more confidence in reporting the matter internally
to a senior person for whom governance is their entire raison d’etre;
- Board-level appointments are publicized as a matter of course, presenting
an ideal opportunity to nail the corporation’s colours to the mast.
Appointing a Governance Director sends a clear message to the outside world
as well as to the organization itself about the importance attached to governance.
This is a positive sign for corporate stakeholders who are increasingly concerned
about governance of their investments, in other words it should theoretically
improve the share price.
In summary, I believe there is more than enough governance-related work to
be done in any large organization to justify the full-time leadership position
of Governance Director (or perhaps “The Governor”!), especially
with today’s increased focus on this issue. I recently spotted my first
Governance Director vacancy notice in the UK press, and I feel sure there will
be more to come as the idea gains credibility.
Have your say!
To comment on this paper and contribute to the fascinating debate on corporate
governance, please contact the author by email (firstname.lastname@example.org)
or telephone +44 1306 731 770.
For more information about IsecT’s consultancy services relating to IT
and corporate governance, please read Appendix B below or
This small selection of governance-related papers is listed in reverse chronological
sequence. The European Corporate Governance Institute website (www.ecgi.org)
gives access to scanned or uploaded copies of most of these plus other related
- Combined Code, updated to reflect Higgs, Smith etc. July 2003.
- Recruitment and Development of Non-Executive Directors. At the
invitation of the UK Department of Trade and Industry, Laura D'Andrea Tyson
(Dean of the London Business School) led this study. June 2003.
- Review of the role and effectiveness of non-executive directors.
Committee chaired by Derek Higgs. Department of Trade and Industry (DTI).
- Audit committees - Combined Code guidance. Committee chaired
by Sir Robert Smith. Financial Reporting Council (FRC). January 2003. The
committee report is included within the Revised
- Combined Code: Principles of good governance and code of best practice.
Derived by the Committee on Corporate Governance from the Committee’s
Final Report and from the Cadbury and Greenbury Reports. May 2000. (Updated
in 2003 - see above)
- Internal control: guidance for directors on the Combined Code.
Committee chaired by Nigel Turnbull. Institute of Chartered Accountants in
England and Wales (ICAEW). September 1999.
- Final report of a committee on corporate governance chaired by
Ronnie Hampel. January 1998.
- Study group on directors’ remuneration set up by the Confederation
of British Industry (CBI). July 1995.
- Committee on the financial aspects of corporate governance, chaired
by Adrian Cadbury. December 1992.
Appendix A: Proposed rôle description for the Governance Director
Governance Director role
The Governance Director is an executive board position with overall accountability
for the organization’s corporate governance activities. This role does
not release other directors, managers and staff from their individual governance
responsibilities but acts as a co-ordination, alignment and strategic leadership
The Governance Director’s primary responsibilities are as follows:
- Proactive leadership and strategic direction for all matters relating to
corporate governance, including related policies, implementation or improvement
plans and measurement
- High-level co-ordination of governance, risk management and control activities
throughout the organization, including systematic governance improvements
- Promoting the value-enhancing aspects of sound corporate governance as well
as compliance with the policies, rules, regulations and laws
- Line responsibility for management control functions such as internal audit,
physical site security, information security, risk management
- Liaison with non-executive directors (via the Senior Independent Director
Secondary responsibilities include:
- Being the focal point to lead discussion and make corporate decisions on
serious ethical issues, governance-related policies and other governance matters
- Offering advice to other directors and senior managers on governance and
management control matters
- “Dotted line” responsibilities for managers in charge of important
governance and control activities such as annual financial reporting, due
- Liaison with external regulators etc. on governance and control matters
- Creation of a “whistleblowers’ charter” and the corresponding
mechanism for confidential internal reporting of frauds, impropriety, internal
control failures and similar governance breaches
Appendix B: IsecT Ltd’s consultancy services relating to governance
Our interest in governance stems from our practical experience of information
security controls coupled with an enduring interest in management.
Every modern organization depends critically on high-quality and reliable information,
with virtually all using IT systems to collect, process and disseminate information.
Managers receive huge amounts of information from, and issue reams of decisions
and instructions to, the workforce using computers and various communication
systems. Securing (i.e. ensuring confidentiality, integrity and availability
of) those information systems and data is extremely important, but so too is
the design of appropriate information flows and systems. In many ways, modern
management is as much about systems engineering as it is about traditional direction
Our consultancy services all fall within the scope of governance with a particular
focus on governance within IT. At a broader level, we can also help clients
review and improve governance as a whole, and ensure that governance within
the IT context blends seamlessly with and supports overall corporate governance.
For more information on the issues raised in this paper, or for advice on our
IT governance consultancy services, please visit www.isect.com
or contact Gary Hinson on +44 1306 731 770.