As with all of the business models I have written about, organisational governance has been well documented by other authors. And for every author there is a definition.
I define governance as the proactive management of variance, applied equally to compliance and performance. The two halves of governance are equally important, yet it seems that whenever I read articles or hear conversations on the subject, they are always referring to compliance.
Compliance is the activity where the company ensures adherence to its own internal policies and standards; and to the policies, standards, regulation and legislation imposed on it by external industry bodies, local, national and international law.
Performance refers to ensuring operational processes adhere to the internal standards for revenue, cost, quality and service; or put more simply, ensuring that operations are working to budget.
There are two important truths, here:
- You can have process without compliance, but you cannot have compliance without process, and
- You can have process without management, but you cannot have management without process.
It is therefore the business process that binds compliance and performance together.
The role of management is to ensure business processes adhere to budget and to address variances as they arise. This is true for all managers irrespective of their position or role in the organisation. It therefore embraces all functions, including the compliance functions.
The reverse is equally true; just as compliance functions are expected to manage to budget (i.e. performance), operations functions can be expected to manage to the restrictions imposed by compliance frameworks.
This therefore raises the question: why does the term Governance get used so widely and have so much importance placed on it? If managers accept that their role embraces both performance and compliance, then Governance and Management become one and the same thing, and the apparent separation disappears.
Many of my clients have employed managers for compliance specific roles – such as an OH&S manager or a Sustainability manager. There is nothing wrong with these appointments, indeed they are most necessary. These managers are employed as subject matter experts to own a portfolio (such as OH&S) and to be responsible for how that portfolio manifests itself in the business. This includes being responsible for knowledge transfer, awareness, training, etc – and all the other dimensions that a subject matter expert can bring to the business.
They are also accountable for the appropriateness of the framework they use and for managing how well the business adheres to the compliance processes associated with their portfolio. In essence, they are responsible for managing how well the business complies with its own compliance regime.
What they are not responsible for is the active management of compliance in the business. Here the operational process managers are responsible. The operational manager is responsible for not only what gets produced by the process, but also how the output is produced. In this case, the ‘how’ is defined by the restrictions imposed on the production process by any and all of the applicable compliance frameworks. Process managers don’t get to choose which framework they will and won’t adhere to.
The compliance framework
Let us explore the idea of compliance frameworks further.
A framework is a model and a filter, and importantly a model is only an abstraction; an alternative way to see the business. It is not the business itself. Every framework is different and each allows a manager to view specific aspects of the business and to filter out all those aspects of the business that they are not interested in.
Every compliance manager has their preferred framework. Popular frameworks include eTOM for telecommunications, ITIL for IT, APQC for business analysts and Sarbanes-Oxley for finance. These frameworks all manage risk in some way. Then there are the risk frameworks themselves, which get treated as something different again.
While each framework is different, the business is consistent. It doesn’t change no matter which framework you use. Consider the following illustration of a generic enterprise.
In this ‘naked’ view, it does not matter who is looking at the business. Everybody sees the same thing.
If you apply views/filters you get the following. The filters are examples only.
It is the same business, but now seen through the selected view of the manager's choice. These views do not corrupt the message. Rather they focus it to remove 'noise' and other irrelevant data. But it is clear that if a manager is looking at the business through an HR view, then they are not looking at it through an IT view. This tends to create silos, in that managers start to see the business only through one view and forget that it is only a view and not the business. Working in teams helps mitigate this issue.
Frameworks guide the manager as to what should be considered when transacting the business process and which parts of the processes need to be controlled to ensure that the business is adhering to its internal policies and applicable external regulations, legislations etc.
For example, the COSO framework requires a business to define itself in four categories: Finance, Sales and Operations, Corporate and Legal Affairs, and HR.
For each of these categories there are sub-categories, and so on and so forth. The drill-down process stops when it gets to the business process. At this point, specific process steps in the transactional process are identified as control points to ensure that the process will deliver an outcome consistent with the requirements of the framework.
The compliance manager owns the framework, but the business process manager is accountable for ensuring adherence to the control points. Their daily/weekly/monthly process KPIs should include validation that the control points are being managed correctly.
This is fairly straightforward when a manager is dealing with one compliance framework. It gets more complicated when the same process step is the control point for multiple frameworks.
To manage this complexity the risk manager should own and manage a repository of control points. The repository will detail the many to many relationships between Risk, Framework, Process, Process Control Points, Process Managers and Process Owners.
This spectrum tells the process owner what control points they should be managing in each of the processes in their portfolio; and it tells the risk manager who they should be working through to mitigate each of the risks. It highlights which process steps are key control points, in that they are governed by more than one compliance framework. The relevant compliance manager ensures that the responsible managers have the skills and tools to manage the control points.
The organisation model could look like this:
Once the repository model is established and the relationships known, then the process manager should use a scorecard to manage the control points in exactly the same manner as they manage process performance using KPIs, short interval control and analysis of variance.
A simple example scorecard is shown below. The compliance SME will work with the process manager to agree the appropriate frequency of review, the units of measure (UOM) and the target score (budget) for each compliance metric.
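To make the repository and scorecard concrete, here is a small added example (not the author's own tooling; every framework, name, process and figure in it is constructed) that indexes a control-point register, picks out the key control points governed by more than one framework, lists what each process owner must manage and whom the risk manager works through for a given risk, and scores metrics against target with a variance flag, in the same manner as a performance KPI scorecard.

```python
from collections import defaultdict

# Constructed register: (risk, framework, process, control point, process manager, process owner).
# Frameworks and people are illustrative only.
REGISTER = [
    ("Unauthorised access", "ISO 27001", "User onboarding", "Access approval", "J. Chen", "Head of IT"),
    ("Unauthorised access", "SOX", "User onboarding", "Access approval", "J. Chen", "Head of IT"),
    ("Payroll fraud", "SOX", "Payroll run", "Segregation of duties check", "A. Patel", "CFO"),
    ("Workplace injury", "OH&S policy", "Warehouse dispatch", "Forklift licence check", "M. Rossi", "COO"),
    ("Data loss", "ISO 27001", "Offsite backup", "Backup verification", "J. Chen", "Head of IT"),
]


def frameworks_by_control_point(register):
    """Map (process, control point) -> set of frameworks that govern that step."""
    index = defaultdict(set)
    for _risk, framework, process, point, _manager, _owner in register:
        index[(process, point)].add(framework)
    return index


def key_control_points(register):
    """Control points governed by more than one framework: the 'key' ones."""
    index = frameworks_by_control_point(register)
    return sorted(step for step, frameworks in index.items() if len(frameworks) > 1)


def control_points_for_owner(register, owner):
    """Everything a process owner must manage across their portfolio."""
    return sorted({(p, cp) for _, _, p, cp, _, o in register if o == owner})


def managers_for_risk(register, risk):
    """Whom the risk manager works through to mitigate a given risk."""
    return sorted({m for r, _, _, _, m, _ in register if r == risk})


def scorecard(metrics):
    """Score each compliance metric against its target (the 'budget').

    Each metric is a dict with control_point, uom, frequency, target, actual and
    higher_is_better. Variance is actual minus target; the direction that counts
    as a breach depends on whether the metric is a floor or a ceiling.
    """
    rows = []
    for m in metrics:
        variance = m["actual"] - m["target"]
        on_target = variance >= 0 if m["higher_is_better"] else variance <= 0
        rows.append({**m, "variance": variance, "status": "OK" if on_target else "VARIANCE"})
    return rows
```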
For mine, it is not drawing an overly long bow to treat a scorecard as just another framework.
There are many opinions on what’s an appropriate organisation structure to manage the marriage between performance and compliance. Operational performance generally reports through to the COO. Compliance is all about risk and the risk manager should be accountable for the means by which risk is understood by the business. This includes ensuring the use of appropriate frameworks. By extension compliance managers should report to the risk manager and the risk manager should apply a very broad definition to the word ‘risk’.
This raises the question: who should the risk manager report to? The answer is largely determined by the nature and culture of the business and the strength of the need to separate operations from risk. In certain circumstances it will be acceptable for the risk manager to report to the COO; in other cases this would be akin to asking the fox to install the chicken wire. Other reporting lines can be through the CFO or directly to the CEO.
For such a structure to work requires effective matrix management. It also requires operational managers to take the time to fully understand the processes they are responsible for and to embrace their wider responsibility in terms of risk and compliance management.
In closing, it is worth reinforcing the point that effective governance/management requires adherence to multiple frameworks. One framework cannot do it all. Equally, to allow, or cause, a manager to focus predominantly or solely on performance is to undermine the wider role of management in the business.
I welcome your comments on the above. If you disagree with me let’s have the debate as it drives the learning process for both of us.