What makes good corporate governance?
The Australian Institute of Company Directors considers governance to be the systems that direct and control (or govern) an organization. Good governance is about the effective way decisions are made and power is exercised within an organization. Ultimately, good governance is the framework that ensures the organization can meet its mission.
Transparency as the key to good corporate governance
There are many principles of good governance, but one that stands out and paves the way for a well-functioning organization is transparency. For a Board to provide good stewardship, to set the right culture and risk tolerance, to act with diligence, and to ensure that the Board and Management are held accountable for their respective roles, transparency is key.
A Board cannot execute its duty and function effectively where transparency is lacking from management. Where risk is concerned, a Board must build a culture of transparency to ensure it is equipped with all the right information to enable compliance and sound judgment about the risk appetite and everything underpinning it.
During uncertain economic times it is even more important that a Board has transparency over the risks the organization is facing, and pressure-tests plans to assess whether all scenarios have been considered, what the potential impacts are, and which mitigating factors can reduce the risk. Boards should question, challenge and drive conversations that provide clarity on existing and impending risks, and ensure the transparency that enables a well-functioning organization.
Data, systems, and cybersecurity
The focus of our times is security, of both data and systems. Cybersecurity and data privacy governance are essential to ensure operational resilience is in place, with the preparedness and rigorous assessment required to ensure tight measures are embedded and tested through well-designed incident simulations.
The new Cross-Industry Prudential Standard (CPS)
The Australian Prudential Regulation Authority (APRA) has introduced CPS 230 (incorporating all requirements into a single prudential standard) to:
- strengthen operational risk management through new requirements to address identified weaknesses in existing practices;
- improve business continuity planning to ensure that regulated entities are ready to respond to severe business disruptions; and
- enhance third-party risk management by extending requirements to all material service providers that regulated entities rely upon for critical operations or that expose them to material operational risk.
APRA expects that senior management would have identified their critical operations and material service providers by mid-2024 and be well positioned to set tolerance levels by the end of 2024.
Cybersecurity disclosures, regulatory change and enhancements, and greater scrutiny in this space will certainly mean security will be paramount for Boards this year and next. Boards will want to receive adequate assurance to execute their duties in this space. This assurance comes from transparency and from the adequacy of risk management.
What organizations should strive for now
Any well-governed organization should strive for governance and transparency of security, supported by a well-functioning engine room of controls that are clear, accurate and efficient, and that are automated as much as possible to strengthen the risk environment while lowering operating costs.
Automated controls
Automated controls are a key aspect of managing internal controls and can substantially reduce the cost of compliance. Automated controls can be articulated in three parts:
- The automation of existing manual controls can be achieved through configuration changes, code changes or the implementation of tools such as identity management systems and GRC systems. These assist organizations to operate the controls automatically, e.g. using SAP GRC or SailPoint to manage identity and access management.
- The automation of control testing can increase efficiency across all three lines of defense. This includes the implementation of automated scripts or Robotic Process Automation (RPA) bots to perform control testing activities, delivering significant accuracy, consistency and efficiency in the control testing process.
- The automation of control monitoring (tracking and reporting of controls against key performance indicators) can be achieved through data and visualisation tools and GRC solutions, providing increased visibility into key controls and enabling timely remediation of control failures or gaps.
By leveraging automation, organizations can transform the traditional processes for control testing by using technology to increase consistency, accuracy, efficiency, and scale in the internal controls process.
With the number and severity of risks seemingly on the rise, a Board will increasingly need to focus on its risk oversight responsibilities in 2024. Some areas of focus will be internal controls, fraud, cybersecurity, and the overall effectiveness of the Enterprise Risk Management (ERM) framework. Past indicators show that environments with significant uncertainty lead to increased fraud risk, meaning that extra vigilance will be required as uncertainty increases. Cybersecurity will also be top of mind, including the experience available on the Board and consideration of the implications for data privacy and security of the growth of artificial intelligence.
New focus areas for the Board of Directors
These are newer areas of focus for a Board, and they highlight even further the importance of a Board receiving transparent reporting of the organization’s risks and being fully informed about new and emerging risks so that it can prepare for future scenarios. This may require re-evaluating the ERM program to assess its currency and efficacy – just because it worked well in the past does not mean it is right for the emerging factors arising from uncertain times and changing digital environments.
Conclusion
In conclusion, a Board needs competency in emerging security, technology and data changes in order to know how to manage the risks associated with them. It needs to be furnished with transparent reports that allow it to manage those risks and plan for future scenarios. These will equip a Board to manage the risks associated with changing and uncertain times. Greater and more efficient assurance can be given to a Board where its controls environment is automated, leaving more time to focus on emerging changes and to prepare the risk environment for them, in addition to reducing the operational costs associated with manual control testing.