I am a great Stieg Larsson fan. The latest book in the Millennium Series (ironically not written by Larsson as he is no longer with us) – The Girl in the Spider’s Web – contains the following immortal lines: “What I actually said was that all you needed was a gang of lawyers… Lawyers are the hit men of our times.”
I doubt that, if you asked most Boards of Directors what they looked for in their General Counsel, they would say “We want a hit man! Or hit woman!” But perhaps when it comes to someone who is responsible for Governance, Risk and Compliance (GRC) they should. Really, you say? Well, yes. Hit men are single-minded, with a clear target in mind. And when it comes to being an effective guardian of GRC, this is what the GC must be too. The problem with GRC is that it is so complex, covering areas such as regulation, risk assessment, compliance monitoring and advice, legal structure, internal audit… the list goes on. So what will help the GC in ensuring that he or she can adequately cover GRC and protect the organisation they work for?
If we wrap GRC within the wider concept of “Governance” we really need to be clear what this word means. The UK Corporate Governance Code, published by the Financial Reporting Council, which is regarded by many as the “gold standard” of the governance world, defines corporate governance as “the system by which companies are directed and controlled. Boards of directors are responsible for the governance of their companies… The board’s actions are subject to laws, regulations and the shareholders in general meeting.”
It is no easy task to run a corporate board, as the Code recognises that “governance requires continuing and high quality effort.” Quite so. We all recall the corporate blips of the past – Enron, WorldCom, the banks in 2008 and now even allegedly car companies! And this is where the General Counsel can really help companies and their boards. How should they best achieve this?
First, there is a need to remember that business is about risk and so no system will eradicate all risks. And nor should it, because of course risk can be positive as well as negative. Most boards have a huge number of risks which they assess with various ratings in their risk register. However, this makes risk difficult to understand and assess. The GC can help here by directing the board to focus on those two or three risks which can shut the organisation down and ensuring that comprehensive action plans are in place for these. Other less important risks need targeting, but not to the same degree, so it is very much a case of prioritisation.
Second, while governance has in the past focussed on processes and procedures, whether in the form of legislation, regulation or guidance, there is now much more of a recognition that governance is about people, not just processes. As the Code says, an important role for the board is to establish the culture, values and ethics of the organisation. These all very much depend upon people relationships and here the GC, particularly where they have the role as Company Secretary too, can help guide the board, not least because they will be an employee who knows the company well. While the GC is rarely a board member (and may not even be on the Executive Committee), the work he or she can do here includes looking at team dynamics, assessing the effectiveness of the board and making sure that directors both know the company’s values and live by them. The GC and Company Secretary is often seen as the conscience of the company. This imbues them with authority as an influential trusted adviser and they should leverage this to ensure the board acts with the highest integrity and therefore safeguards GRC.
Third, they should keep governance simple! But why do directors need things to be simple – surely given the position they have reached they should be able to cope with the complexity of GRC? To some extent yes, but we already place a lot of legal and regulatory responsibilities on directors, ranging from the Companies Act to competition regulation to health and safety legislation. Adding governance to this is fine provided it can be communicated in as straightforward a fashion as possible. A good GC should be in the position to make the complex complexless! Or complex free! In this way boards will be able to appreciate and understand GRC issues and deal with them.
Fourth, they must be an exemplar of good governance. Being the conscience of your organisation is not as easy as it sounds. It does mean that if you are advocating values such as transparency, integrity and constructive challenge then you must live these values yourself and ensure your own house is in order if you are to be a credible advocate. Equally, however, if a company is to be a successfully governed one then everyone needs to be the conscience of the company – as GC you may be the trusted advisor but it won’t be an effective organisation if you are the only person with a conscience!
Finally, the GC can get support in this area. For example, there are technology solutions available to support GRC issues such as Wolters Kluwer ELM Solutions Passport, the industry’s most advanced technology platform for Enterprise Legal Management. Passport enables organisations to connect all systems that support legal, risk and compliance activities through a single, secure, collaborative platform. This enables the GC to improve visibility and flag high risk matters, and to use data from across systems and departments to more strategically, holistically, and proactively manage legal, risk, and compliance and, ultimately, to better protect their company. Getting a technology system to co-ordinate many of the complexities of GRC should give the GC time to work with the board and senior management, to focus on the people side of governance knowing that the information coming to directors is accurate, consistent and clear. After all, that is what good governance is all about.
So perhaps for good and effective governance the GC doesn’t need to be a hit man or woman after all! The key is to be able to use a variety of resources and insights to ensure that the board, senior management and company as a whole are fully aware of, and can deal effectively with, GRC issues.