Governance: Managing Risk and Creating Legitimacy

Ultimately, for governance to be effective it needs a suite of capabilities embodied by all managers and informal leaders within an organisation. Capabilities which account for the inseparability of risk and strategy and how culture underpins an organisation. In other words, a revision of the conventional model of governance is needed. Enter stage right, the governor-manager.

This is the third article in the current series on governance. If you have not had a chance to read the prior articles, Governance: The Foundation for Strategy and Planning and Governance: Achieving a Healthy Organisational Culture, they help to set the scene for this final piece.

The difficulty faced by many organisations is the attempt, or in some cases assumption, that work happens in discrete silos. Silos which are orchestrated from the top by a cadre of senior leaders. This view is understandable, given that if you want to be highly paid, it generally involves sitting at the top of a hierarchy and controlling the resources under you. To lead at scale, hierarchies are essential — as I argued in Are Hierarchies Healthy for Organisations?

When it comes to the effects of hierarchy on organisational performance, it is all about knowledge sharing. That is, you can have an effective high performing team with deep hierarchies, so long as there is an open model to knowledge access. But when knowledge hiding goes on — think when managers take things offline and "that's above your pay grade" comments abound — hierarchies tend to erode team performance and organisational culture.

However, while hierarchies can be highly powerful structures in the attainment of operational and strategic success, they can also prove insidious. This happens when leaders do not use reasoned deliberation and encourage the vitality that comes from an open model of knowledge access (MBO), and instead institute a system of management by tight control over who gets to deal with what. When this happens, leadership ceases to be authoritative and becomes authoritarian — a process which successive Royal Commissions have shown inevitably leads to malfeasance and malpractice. In less extreme circumstances, the bonds of organisational culture are weakened and the tremendous benefits that accrue from discretionary boundary spanning are lost. In short, there is a complete breakdown of governance.

The good news for leader-managers is that when a sustainable and sensitive approach is taken to an organisation's knowledge model, risk can be more effectively managed and legitimacy created.

The Inseparability of Risk and Strategy

In his book, Directors at Work: A Practical Guide for Boards, Geoffrey Kiel outlined five dimensions of risk:

1. An economic concept — greater risk should equal greater return.
2. A personality characteristic — willingness to take risks.
3. A management system — follow a specific standard as implemented by the Board.
4. Products and services — such as insurance, derivatives, outsourcing.
5. A governance role — a responsibility of an officer or manager.

The importance of seeing risk in these broad dimensions is that it demystifies it from being a highly specialist field only undertaken by a small number of people in an organisation, and instead correctly situates risk as concerning employees at junior and senior levels in the organisational hierarchy.

An example of this is a Board / CEO setting an aggressive risk appetite for the organisation in the pursuit of growth, but where the traits of key personnel are predominantly risk averse. In such a scenario the overarching strategy is likely to flag and fail. Another example is to set aggressive growth targets, employ people who are risk takers, but then bind them with risk management systems which severely restrict the ability of staff to take risks.

Unless risk and strategy are seen as inseparable, and appropriate frameworks, management structures, and culture are in place, an organisation will find itself trying to cook a hot meal in a cold pan. This is because when all the jargon of risk management is stripped away, what we have is a structured way of thinking about opportunities and challenges.

To better understand how and why stakeholders at all levels of an organisation need to be awake and aware of risk and strategy, we first need to look at the three broad categories into which risks can be assigned:

1. Strategic risks: things which impact strategic objectives and affect a significant part of the organisation, department, or program. Examples of strategic risk include changing customer / competitor behaviour, socio-economic changes (e.g., cost of living crisis, COVID), disruptive technology.
2. Financial risks: things which impact an organisation's financial position and growth potential. Examples of this are major budget overruns, unproductive teams, or troubled programs.
3. Operational risks (including legal risks): things which impact BAU activities, specifically defined as 'the risk of loss resulting from inadequate or failed internal processes, people and systems, or from external events'. Examples include loss of key staff, equipment failure or industrial action, data loss via cybersecurity failures, WHS issues, incorrect rates applied to the payroll system, and legal compliance.

In a perfect storm, failure to view risk and strategy as two halves of a corporate whole and manage them at all levels from the CEO down, can see an organisation with aggressive growth targets cutting resources in the very teams that are expected to lead growth initiatives.

Interestingly, the cause for this systemic failure is usually cultural not procedural. While one inexorably leads to the other, I stress this point because when faced with strategic threats, senior leaders usually double down on procedures at the expense of culture. When this happens, an organisation gets deeper into the mire.

Culture is central to the quality of contemporary governance. It is inextricably linked to the questions of right and wrong and re-frames compliance-oriented "can we?" questions into ethically-weighted "should we?" questions. — Governing Organisational Culture.

This was the finding of the Prudential Inquiry into the Commonwealth Bank (CBA.AX) which revealed that cultural factors were the underlying cause of its shortcomings. Specifically:

• A pervasive sense of complacency from the top down.
• A reactive culture—rather than proactive and pre-emptive—in dealing with risks.
• An insular culture that did not reflect on and learn from experiences and mistakes (its own and others'), including at board and senior leadership levels.
• A collegial and collaborative working environment which impeded accountability and the individual ownership of risk issues. Trust was not continually validated through strong metrics, healthy challenge, and oversight.

In other words, the organisation's culture becomes what is termed 'operationally closed'. This means all operations, such as communication and decisions, act to recreate the system (organisation / division / department / team). Self-sustaining — yes. Capable of growth and transformation — no.

Yet, when underlying cultural challenges are addressed, specifically around an environment of cliques and a closed knowledge access model, organisations stand a much better chance of managing risks and meeting long term strategic goals.

The Governor-Manager

In more conventional models, the prevailing thinking is that managers run an organisation and board members oversee or govern the enterprise by ensuring it is run well and moving toward strategic goals. The difficulty with conventional wisdom is that there is overlap with some managers (e.g., the CEO) who already take an active and central role in both management and governance.

Given the inseparability of risk and strategy, the way in which risk needs to be managed at all levels of an organisation, and how culture underpins an organisation, excluding people outside the C-Suite from playing an active role in governance is fraught with problems. Because of this, a revision of the conventional model is needed. Enter stage right the governor-manager.

In many respects this is probably already happening inside the organisation for which you work and can be surfaced with a series of questions. Are you or your manager:

• Responsible for upholding corporate culture?
• Responsible for tracking and reporting on risk?
• Accountable for progress toward strategic goals?

If you answered 'yes' to these questions, then you are a governor-manager and need to ensure that governance is in your BAU playbook. Not put in a locked box, in a tall tower, in a remote castle, in a land far away. If you are a line-manager and answered no, now is the time to take a long hard look at your role because the likelihood is that all of those responsibilities and accountabilities are on your plate — if not in your job description.

Naturally, depending on your seniority within an organisation, the level of responsibility, ownership, and accountability you have for governance will vary.

In a deeply hierarchical organisation, the division between 'senior' and 'junior' is not always clear cut. Therefore, a task should be tackled at the level where it can be done most effectively. However, this can raise challenges when someone of a very high calibre is hired who can do a task better than the nominated line manager. The challenge for these highly capable leaders is in knowing where to draw the line on involvement.

So, how is all this done in practice? In addition to the tools I outlined in Anchoring Teams Through Transformation, there are two additional frameworks which can help governor-managers.

1. Develop and Embed a '5 Skills Framework': the five skills are self-reflection, giving and receiving feedback, constructively challenging and being challenged, trust, and the 'should we' question.
2. Establish Key Risk Indicators (KRIs): Bernard Marr explains the difference between key performance indicators (KPIs) and key risk indicators (KRIs) as follows:
   • KPIs answer the question, "How are we doing against our goals?"
   • While KRIs answer the question, "What is the likelihood that we might not achieve our goals?" or, to put it another way, "What might prevent us from achieving our goals?"

Given the perennial tendency in all organisations for people to 'jump on' problems and demonstrate 'they've got this', a key challenge emerges in the way governance can help to manage risk and create legitimacy. This includes, resisting the pressure to keep the focus on the short-term and instead drive value by letting plans and employees deliver on their accountabilities. Something which brings us full circle to the difficulty faced by many organisations — the attempt, or in some cases assumption, that work happens in discrete silos. Silos which are orchestrated from the top by a cadre of senior leaders.

Ultimately, for governance to be effective it needs a suite of capabilities embodied to a greater or lesser extent by all managers and informal leaders within an organisation:

• Getting culture right;
• A comprehensive understanding of strategic risks;
• Hiring and developing leader-managers;
• An understanding of when hierarchies are providing value and when they are the cause of problems;
• Unlocking the power of discretionary boundary spanning.

Given the high bar this sets for an organisation, it underscores why it is a challenging time for talent management. Therefore, keep your talent close and your great talent closer.

Good night, and good luck.

Further Reading

Basel Committee on Banking Supervision, 2011, Principles for the Sound Management of Operational Risk, Bank for International Settlements, June, www.bis.org/publ/bcbs195.htm.

Kiel, G. C. (2012). Directors at work: A practical guide for boards, Pyrmont, N.S.W.: Thomson Reuters.