The Components of Governance
The IIA has defined governance as providing a mechanism for management and other employees to discharge their responsibilities and carry out their activities for the achievement of the enterprise’s objectives, to plan for sound internal control and risk management activities, to support efficient and effective operations with the required level of monitoring and reporting, and to establish effective independent control and assurance. Governance is basically composed of the following main components:
1 - Objectives and direction
Before a structure for the enterprise can be raised that caters for ordered, efficient and effective operations, a foundation needs to be laid comprising the established mission, vision, values, objectives, and strategies of the enterprise. The identification and formulation of these components are important, not least to motivate and inspire all employees to work in alignment.
Mission
The mission describes the enterprise’s reason for existence as well as delineates the bounds of its operations and activities.
Vision
The enterprise’s vision expresses the idea over the longer term of what the enterprise aims to achieve and forms the basis for objectives and strategies.
Values
The enterprise’s values express the values that the enterprise wishes to uphold and will form the basis for building a cultural identity.
Objectives and strategies
Objectives and strategies support the enterprise’s vision and values. An objective describes a desired future state, and an enterprise will normally have both strategic objectives and operational goals. The strategic objectives, often approved by the board, will reinforce the enterprise’s vision and values, and will often be realised in the longer term. The more short-term operational goals will be approved by management and should support the strategic objectives. They are typically more tangible and concrete, and their achievement will be based on tailor-made action plans. Operational goals will, as a general rule, be defined for the various business areas and at various levels of the enterprise.
2 - Structure
A sound structure, with viable decision-making processes, clear division of responsibility and authority, appropriate information and communication processes as well as remuneration and reward schemes, is key to an enterprise being in a position to achieve its strategies and objectives.
Organisation, responsibility, and authority
The organisational structure with a clear delineation of responsibility and authority is appropriate to the enterprise. An effective organisational structure consists of a system of delegation of responsibility and authority which balances and distributes the roles, responsibility, and authority in the organisation. The relationship between superior and subordinate should be clarified, from owners and out to the individual employee, and rules of impartiality which secure adequate objectivity in decision-making processes should be established. The Board has a supervisory role helping to support value creation and avoid loss of value.
Information and communication
Relevant, reliable, and sufficient information is made available and communicated in a timely manner. Information is a prerequisite for the management and development of an organisation. Information must be made available to those who can make use of it, both within and outside the organisation. This requires the establishment of processes and criteria for identifying who is the recipient of what type of information, and for deciding when and how information is to be sourced or obtained.
Remuneration and reward schemes
Remuneration and reward schemes support the enterprise’s objectives and values. They should include all employees and reinforce the enterprise’s objectives and values. The schemes should reward an employee’s contribution to long-term and ethical value creation as well as contribute to the avoidance of unnecessary conflicts of interest.
3 - Implementation
The enterprise’s objectives and strategies should be rendered into concrete action plans at an operational level. Comprehensive and co-ordinated management of the core processes translates into efficiency and quality in the operational phase, and they are supplemented by support processes, such as financial and risk management. At the same time, laws and regulations must be complied with, and organisational values maintained and protected.
Operational planning
Strategic objectives are rendered into specific goals and action plans. The enterprise’s strategic objectives must be rendered into specific goals and action plans for organising and implementation. The plans should provide clear direction as to how the strategies are to be implemented and the goals achieved, whilst ensuring that organisational values are taken into account and realised in practice. The achievement of goals is monitored in relation to plans made and the desired progress.
Management of core processes
Core processes are defined, managed and documented. Typically, an enterprise’s core processes consist of the production and distribution of goods and services with a given quality in the most efficient way. Processes that normally encompass many different departments and systems in the organisation should be defined, managed, and documented. This will ensure targeted and coordinated processes and activities leading to the best results possible, and will provide a basis for knowledge transfer and quality improvement.
Risk management
Risk management assists in the management of uncertainty in respect of the achievement of the organisation’s objectives. Risk management is a tool to manage and control uncertainty in respect of the enterprise’s ability to create, protect and realise value as well as to achieve its goals. By uncertainty is meant in this context both possible unplanned negative outcomes as well as potential positive outcomes. Risk management should be an integrated part of governance. Established good practice is that risk management should have a holistic perspective (“Enterprise Risk Management”) which is integrated across the organisation and harmonised with other management activities.
Compliance with laws and regulations
The organisation operates in compliance with laws and regulations. The Board has the overall responsibility to ensure that the organisation operates in compliance with external and internal regulations and has an oversight role which contributes to this. Senior management has the operational responsibility to ensure compliance by monitoring their areas of responsibility, identifying any compliance gaps and implementing the necessary measures to close these gaps. The risk of non-compliance is an operational risk, and work with this type of risk should be coordinated with and assessed as a part of the organisation’s operational risks.
Financial management
Financial management supports decision-making and contributes to the organisation’s access to and use of resources. The organisation should consciously manage the inflow and use of resources in order to achieve its objectives. The planning of inflow and use of resources is expressed in the budget and financial forecasts, while the financial statements reflect what has actually happened. The budgets and financial statements are an important support for decision-making by the board, management and other internal and external stakeholders.
The management and protection of other assets, resources, and processes
Other assets, resources and processes are identified, managed and protected. There will normally be other important processes and resources in an organisation; these must also be managed, and their value advanced and protected.
4 - Learning and improvement
An enterprise which has established structures and processes for planning and daily operations will need to supplement this with satisfactory processes for learning and improvement. The external context and internal conditions will be frequently changing, and it is therefore important to have satisfactory processes for continuous learning and improvement so that the organisation will be well prepared and equipped for the future. Learning and improvement takes place at all levels in the organisation.
Monitoring and evaluation
Systematic monitoring and evaluations are established for all key activities so that deviations and undesired trends may be discovered and mitigated.
Control functions independent of line management
Control functions independent of line management contribute to the development and improvement of the enterprise’s governance and operations. In a number of industries and sectors there are official requirements for the establishment of control functions independent of line management, often called second line functions. Even when this is not an imposed requirement, enterprises of a certain size will often find such functions useful. These second line functions should be independent of the operational activities and function as controlling and advisory entities for the enterprise. They should have an open dialogue with the rest of the enterprise and have access to all information of importance to perform their tasks. The control functions can be important contributors to the development of governance and decision-making principles and to the administration of frameworks for governance and control.
Objective assurance
Objective assurance and advice provide the Board and management with a more reliable and sufficient basis for decision-making. It is of critical importance that the Board and management can rely on the fact that the information they build their assessments and decisions on is relevant, reliable, and sufficient.
Continuous learning and improvement
The need for improvement and learning is continually identified and actions are implemented. Errors, unwanted results and the need for improvements to the activities of the enterprise will often be detected and corrected through the internal control measures established, but in that case only those directly involved in the matter will normally be informed and learn from it. Learning should not stop there but also be disseminated to others who might experience similar challenges and to those who have the responsibility and authority to implement necessary changes.
5 - The Three Lines Model
The Institute of Internal Auditors (IIA) published in 2013 a Position Paper with the title The Three Lines of Defense in effective Risk Management and Control. The document described a model which achieved significant recognition and wide usage. However, many people felt that the use of the word defence gave an unfortunate signal that risk management and control is primarily concerned with defending the enterprise against negative incidents and not about taking offensive action and grasping the possibilities that may exist for improving the achievement of objectives. For this reason, the IIA published in 2020 an updated version of the model with the title The Three Lines Model. In this latest document it is emphasised that risk management is as much a matter of identifying and grasping opportunities as of ensuring control and a satisfactory defence, as described in the initial model.
The model illustrates that the Board (the governing body) is the first line and has the overall responsibility for ensuring the establishment, as well as maintaining an oversight, of an enterprise’s risk management and internal control. Senior management has the day-to-day responsibility for activities leading to the achievement of organisational objectives, including risk management, and the first and second lines have key roles to play in discharging this responsibility.
The second line (management and internal process controls) supports the first line by providing advice to the first line in the areas of risk management, compliance and monitoring of activities. The distinction between the first and second line may not necessarily be visible in the organisation chart in small organisations.
The third line is the internal audit function which provides objective and independent assurance and advice to the Board and management in the areas of governance and risk management (including internal control).
While the first and second lines are part of line management and report to them, the internal audit/the third line will in contrast be employed by and report to the Board (the highest level of governance).
The external audit and various supervisory authorities are also included in the model (external assurance providers). (Source: IIA)