www.pwc.co.uk/riskresilience

Corporate Governance in the Boardroom A practical perspective

A PwC Point-of-View Paper

June 2015

Contents

Governance 2

What is corporate governance? 4

Why corporate governance matters 8

The role of the board 10

Becoming a resilient organisation 16

The moment of truth for corporate governance 20

Building trust and culture 24

So what could tomorrow look like? 30

Contacts 32 Governance The bedrock of any successful business

In an era when trust in business is at a premium, and scrutiny from stakeholders is ever wider and more intense, it has never been more important for organisations to behave in accordance with their core purpose and principles in order to protect reputation and trust. Corporate governance is a vital mechanism through which boards can ensure that the behaviours of their workforce are aligned to the organisation’s purpose and principles – and that corporate goals and values are translated into their people’s decisions and actions.

2 | Corporate Governance in the Boardroom | PwC Our latest thinking is that good Our long-standing view on risk corporate governance can be awareness as the bedrock of good summarised under three main themes. corporate governance is echoed in the Financial Reporting Council (FRC)’s First, effective corporate governance is latest revisions to the UK Corporate grounded in a clear view of what Governance Code, which emphasise the matters most to the business, the full importance of risk appetite and risk range of risks facing the organisation, culture. We welcome this step forward. and how these risks relate to the And we believe it represents a further business and its strategic priorities. Only reinforcement of the importance of risk with an understanding of these areas is leadership – heralding a future in which it possible to say what is or isn’t a risk. more companies appoint a specific Second, it begins and ends with the executive to scan the entire horizon of board, which is responsible for risks across and beyond the organisation crystallising a clear corporate purpose, on behalf of the board. exhibiting the right values, and ensuring these are being acted upon. Third, At root, the best corporate governance behaviour and decisions in the ‘moments creates a clear and visible line of that matter’ represent the ultimate test cause-and-effect from the board’s of good corporate governance – not least mandate, purpose and values all the way when a crisis hits. to the cultural norms and everyday behaviours exhibited at all levels. A When boards succeed in creating and business that can demonstrate this sustaining effective corporate governance, linkage will be well placed to it generates a range of business benefits outperform its competitors and provide that combine to create higher trust, a step further to achieving their goals. stronger resilience and enhanced PwC urges all boards to take this competitive edge. So this is not just an message to heart. Resilience will be built ethical responsibility for the board, but a into the organisation to the ultimate strongly commercial one as well. benefit of the stakeholders.

Drawing on our seminar series for non-executive directors Over the past three years, PwC has run a succession of seminars for non-executive directors focused on governance and risk. This paper summarises some of the themes covered in these seminars, and encourages boards to ensure that their governance, especially when looked at through the lens of reputation and resilience, has adapted – and continues to adapt – to the high-pressure environment in which they operate.

PwC | Corporate Governance in the Boardroom | 3 What is corporate governance?

Corporate governance is one of the most frequently used – some might claim overused – phrases in the business lexicon. But different people often have different perspectives on what it actually means. For some, corporate governance is primarily about legal structures. For others, it’s mainly about business controls, and the check and balances on how people carry out their work. For a third group, it’s a much wider concept encompassing the entire way a business is led and managed.

4 | Corporate Governance in the Boardroom | PwC Crucially, risk occupies a position at the heart of the five pillars, and is the unifying element linking them all.

The five pillars of corporate governance

Our view is that effective governance is founded on five pillars, all of which are interrelated, and each of which must be in place and functioning well for governance to do its job (see Figure 1). The pillars are:

Figure 1: The five pillars of effective corporate governance

Key Leadership Structure and Risk Management Transparency framework strategy and performance information and and reporting elements culture oversight controls Code Leadership Effectiveness Accountability Remuneration Relations with ‘Principles’ shareholders

Framework • Tone at the top • Board • Risk appetite • Execute • Stakeholder sub- • Conduct composition • Risk and control compensation engagement components and and benefits • Chairman & culture • Stewardship commitment CEO • Principal risks • Performance Code • Appointment related • Decision and going • Annual General succession and remuneration making concern Meeting (AGM) re-election • Incentive • Strategy setting • Risk • Financial and • Board management schemes (Share non-financial • Reserved committees framework schemes/ reporting matters and • Board pension) delegations • Risk and control • Regulator(s) evaluation monitoring • Remuneration • Board meetings balance • Induction and • Policy • Relationships training framework • Risk adjusted with • Management reward management • Assessment of information effectiveness • Balanced and advice scorecard • Entity • Non-financial governance performance • Auditor relationships

PwC | Corporate Governance in the Boardroom | 5 Leadership strategy Structure and Risk and culture performance oversight Risk is the pillar which lies at the heart of corporate governance, The way a business’s leaders The tone from the top must be underpinning and conduct themselves and infused and embedded at all interconnecting the other four. communicate on a daily basis – levels of the organisation, All components of an and the ethics and values they through structures that ensure it organisation’s governance exhibit in doing so – are is translated into everyday framework need to be designed instrumental in setting the ‘tone behaviours. Mechanisms for and managed in the context of its from the top’. This tone shapes achieving this include overall risk appetite, reflecting every action, decision and monitoring by the board and its the fact that managing risk – and relationship across the various sub-committees, being accountable for doing this organisation. As a result, the assurance through functions effectively – are central to the right leadership tone is the such as Internal Audit and board’s role. The right focus on starting-point and bedrock not Compliance, and contingency identifying and owning risk just for corporate governance, plans for crisis management. equips the board to understand, but also for the effective overall analyse, prioritise and manage management of any business. risks of all types, supported by the Risk & Compliance Officer.

1 2 3

Much has been written about the changing risk landscape – with contributions ranging from PwC’s own thought leadership on the global megatrends, to the World Economic Forum’s annual Global Risks report, to the UK Institute of Directors’ ‘Responding to Global Risks’ publication (see information panel). Whatever shifts occur in the risk landscape, an approach based around the five pillars of our corporate governance framework – with risk awareness at its core – will both ensure appropriate focus on risk by the board, and also enable an organisation to reflect the increased focus on risk appetite and risk culture promoted by the FRC in its recent revisions to the UK Corporate Governance Code (see information panel).

6 | Corporate Governance in the Boardroom | PwC Management Transparency and ‘Responding to Global Risks: A practical guide information and reporting for business leaders, controls One of the benefits of a well- developed structure and 2014’ – The Institute of Clear and open reporting effectiveness is that they enable Directors (IoD) requires a solid underpinning of the business to communicate in timely and accurate This publication – with contributions an open, accurate and timely management information, so from the IoD itself, PwC, Airmic, way with all its stakeholders. both financial and non-financial Marsh and Zurich – builds on the This means interested parties impacts and performance across World Economic Forum’s ‘Global ranging from shareholders to the business can be monitored, Risks’ report, to examine how regulators, from employees to measured and benchmarked organisations, boards and individual regulators, and from suppliers to against relevant key leaders can better understand the environmental NGOs can gain a performance indicators (KPIs) impacts of global risks, and build clear understanding of the using a balanced scorecard resilience to them at both a strategic business’s unifying purpose or approach. This pillar and operational level. As the IoD ‘board mandate’, how its chosen encompasses the information highlights in the foreword to its strategy aligns with this systems for collecting, analysing report: ‘This is by no means negative purpose, and how it’s pursuing and reporting the information, thinking. Improved resilience breeds this strategy. and reward and recognition increased confidence, greater processes that encourage the enterprise and other benefits. behaviours that the board wants Equally positive is the reality that a to see across the business. threat to one organisation can be an opportunity for another… Businesses can achieve competitive advantage through an effective 4 5 response to global risks.’ The FRC Corporate Governance Code: raising the bar for risk management – the role of the Board In September 2014, the Financial Reporting Council (FRC) issued an updated version of the UK Corporate Governance Code for UK-listed companies. Announcing the new Code, the FRC said it aimed to significantly improve the quality of information investors receive about companies’ long-term health and strategy, and to raise the bar for risk management.

The FRC also highlighted the importance of the board’s role in establishing the company’s ‘tone from the top’ in terms of its culture 1 Sour ce: ‘Five Megatrends and possible implications’, PwC, April 2014: and values. It stressed that the http://www.pwc.com/en_US/us/corporate-governance/publications/assets/pwc-corporate- directors should lead by example, in goverance-directors-megatrends.pdf order to encourage good behaviours 2 Sour ce: ‘Global Risks 2015’, World Economic Forum,: throughout the organisation. http://www.weforum.org/reports/global-risks-report-2015 3 Sour ce: ‘Responding to Global Risks: A practical guide for business leaders, 2014.’: http://www.director.co.uk/Content/PDFs/Responding-to-global-risks-web-edition.pdf PwC | Corporate Governance in the Boardroom | 7 Why corporate governance matters

The reason corporate governance matters comes down to the benefits that better governance delivers, as illustrated in Figure 2.

8 | Corporate Governance in the Boardroom | PwC Figure 2: The context for corporate governance – drivers and benefits

Drivers for better Benefits of better governance Governance governance • Stakeholder • Enhanced oversight and performance and performance decision making Risk & expectations control Compliance Assurance • Strategic/ • A critical need to continuum competitive manage business advantage complexity, • All stakeholder volatility and confidence and trust change Culture, behaviour and change • Cost efficiency and • Increased global improved ROI risk Landscape and environment • Market value and Knowledge and data protectionValue and creation • Cost of GRC reputation • Corporate • Increased governance code Business maturity, relevance, integration and convergence enterprise and regulations resilience • Need to secure • Compliance and investment transparency Leadership, accountability and assurance

As the chart shows, there are several And, in our opinion the most effective drivers for better governance. These drivers are those that focus on the desire range from stakeholder performance ‘to do the right thing’ rather than those expectations to the need to manage that are forced on an organisation as a increased complexity and risk, and from result of regulation. various regulatory requirements to the desire to secure capital at an affordable The benefits of better governance cost. But what’s interesting is that not all reinforce this, and underline the drivers are of equal importance in business case for investing in effective achieving effective corporate governance. They include strategic governance. advantage, greater resilience both to sudden shocks and long-term change, These diverse drivers feed into – and and higher confidence among all help to shape – the business’s corporate stakeholders in the business’s ability to governance structures, processes and generate value in the future. Ultimately, cultures as applied and maintained by all these benefits come together in a the board. Many boards have single, invaluable asset: higher trust. historically focused on legal structures An organisation that is demonstrably and internal business controls as the and visibly well-governed will generate core of their corporate governance. stronger trust both internally and However, as the FRC has highlighted, externally – and will enjoy an inherent elements such as management of competitive advantage over its less external risks, setting the right ‘tone trusted counterparts, in the ongoing from the top’, and embedding a culture battle for better relationships, revenues, of ethical values and behaviour are talent and investment. equally as important – if not more so – in governing today’s businesses.

PwC | Corporate Governance in the Boardroom | 9 The role of the board

From setting the right ‘tone from the top’ to maintaining and monitoring business controls – and from rewarding the right behaviours to communicating openly and transparently with all stakeholders – the board plays a pivotal role in all aspects of corporate governance. These activities can sometimes be disconnected, so it’s the board’s role to apply the right risk lens to every decision and action. For this to be a success, organisations need to have the right people on the board – challenging, experienced, inquisitive and with the time to understand both the risk landscape and their legal and ethical responsibilities.

10 | Corporate Governance in the Boardroom | PwC Adapting to the four types of risk in today’s risk landscape

The board is best placed to enable and ensure effective corporate governance. As Figure 3 shows, today’s risk landscape includes four broad categories of risk that the board must monitor, manage and mitigate: financial, operational, hazard, and strategic risks.

Figure 3: The role of the Board – from mandate, via risk lens, to culture & behaviours

The board mandate

ERM Risk register

Risk is linked to Behaviours Strategic strategy Financial Risk appetite • Risk awareness • The Board Mandate • Working practices Risk • Reward and talent contagion • Values and Consequence lens: standards Hazard • Reverse stress testing Operational System risk • Collaboration Culture

Reputation

Resilience

1. Financial risks are usually a 3. Hazard risks tend to stem from regular focus of board risk major factors that affect the discussions, with strong impetus environment in which the coming from today’s increased organisation operates. While regulatory, accounting and financial contingency planning is often used to audit focus. Financial information is help address them, there is a danger clearly a key element of stakeholder that the difficulty of controlling these communications, performance risks means boards may not take measurement and strategic delivery. them into account when formulating strategy. 2. Operational risks are typically managed from within the business, 4. Strategic risks arise when the and often focus on market, quality, strategy gets out of line with what the compliance and health and safety business needs to do to create value issues where industry regulations and sustainably, typically because of standards require. These risks may external change. In cases where a affect an organisation’s ability to board get too ‘bought in’ to a deliver on its strategic objectives. particular strategy, these risks may be missed out from its risk register.

PwC | Corporate Governance in the Boardroom | 11 The starting-point: the board mandate… Tomorrow’s Company: So, how can a board ensure its risk lens To appreciate how vital this is, consider defining the ‘board captures all types of risk, and thereby the impact on a business if its Board contributes to robust and holistic lacks a clear and agreed idea of its mandate’ corporate governance? PwC’s view is mandate. Without an understanding of ‘A mandate captures the ‘essence’ that the journey to more comprehensive the organisation’s overall purpose, the of the ‘character’ and and joined-up governance begins from directors will inevitably struggle to distinctiveness of the company, in the business’s overarching purpose or create the right strategic plan and the terms of: its essential purpose; its ‘board mandate’ – a term defined in the appropriate risk appetite to support its aspirations; the values by which it accompanying information panel drawn execution. They will also find it hard to intends to operate; its attitude to from Tomorrow’s Company. As this build trust both internally and integrity, risk, safety and the definition makes clear, the mandate externally, since stakeholders within environment; its culture; its value encapsulates what the company stands and beyond the business will be unclear proposition to investors; and plans for, and what it wants to be known for, what it is really trying to achieve, for development. It is a living across everything it says and does and in and how. statement about what the company all its relationships. stands for and how it wishes to be It follows that strategy, risk and the known to all of its stakeholders.’ With this in mind, a board looking to board mandate are all integrally linked enhance the quality and scope of its – and impacts in the strategic risk Source: Tomorrow’s Company: corporate governance should first step category can be felt across all types of ‘Tomorrow’s Corporate back and agree a clear and explicit risk through rapid contagion. Imagine a Governance: The case for the purpose and raison d’être for the situation in which the emergence of ‘Board Mandate’ organisation as a whole. It should then previously unforeseen risks around the use this purpose as the starting-point for strategy of an industrial company cause its risk discussions. Finally it needs to key component suppliers to demand ensure that it has the right balance of payment up front, simultaneously people and skill sets around the triggering financial and operational boardroom table. risks as well.

12 | Corporate Governance in the Boardroom | PwC …and controlling the risk levers

Given the potential for this type of We’re not suggesting that ERM contagion, it’s crucial that the Board approaches are misguided – but rather does everything in its power to address that today’s more dynamic and all four types of risk, in line with its interconnected risk landscape means agreed board mandate and risk appetite. ERM alone is not enough. With its In general day-to-day, financial and financial and operational risks ‘nailed operational risks are controlled through down’ using ERM, the board can the established structures including maintain a wider view of evolving Enterprise Risk Management (ERM) strategic risks through techniques such processes, risk register, Audit and Risk as ongoing horizon scanning and Committees, and so on. orthodox scenario planning: ‘What if 30% of our customers switch to digital However, a factor to bear in mind is that alternatives? How about if our two risk registers created under ERM biggest competitors merge?’ approaches have traditionally focused primarily on financial and operational risks, and less on strategic and hazard risks. There has been a tendency for risks to be evaluated on a ‘bottom up’ basis rather than focusing on major risks affecting the achievement of strategy. This consequently creates the danger of a ‘blind spot’ around these potentially catastrophic risk types. Another factor is that, especially with today’s constant global scrutiny via social media, risk contagion between the various categorises can occur at breath-taking speed. For example, a strategic or operational risk event may create an immediate financial risk by undermining confidence among major customers and/or providers of capital. So some risks may cross into or out of the boundaries of ERM.

PwC | Corporate Governance in the Boardroom | 13 Preparing for the consequences of unforeseen risk… Reverse stress-testing: But however well prepared a business strikes, terrorist action or major preparing for may be, things can still go wrong. transport disruption due to extreme Hazard – systemic risk – is ever-present. weather. Organisations can plan and consequences – not By its nature, hazard is unforeseen, test their own readiness to deal with predicting causes unpredictable and emerges from left such consequences without needing to ‘With the growing uncertainty in field. So, in an increasingly uncertain identify the specific scenario that’s the risk landscape, a technique and interconnected world, how can created them. that is being used increasingly in companies prepare for the impacts of both the public and private sectors unforeseeable risk events? In other words, a lack of clarity over the cause does not prevent a business is ‘reverse stress-testing’. This The answer is to apply a ‘consequence preparing for the outcome. So boards approach effectively accepts that it lens’, by identifying the potential should take pains to pinpoint the critical is no longer possible to forecast outcomes of an as-yet unknown event, events and exposure points that could events themselves, and instead without getting distracted by all the effectively bring the business to a focuses on managing their knock- possible causes, and then creating standstill, and work out how they will on effects or consequences. contingency plans to deal with those navigate through disruptions in these ‘To pick recent examples, an airline outcomes if they arise. This approach, areas. might test out the impact of most of often termed ‘reverse stress-testing’, was Europe’s airspace being closed down described in a 2012 PwC paper entitled While such exposures to hazard vary (as occurred with the volcanic ‘Black swans turn grey: The between industries, every sector has eruption in Iceland), or a bank might transformation of risk ‘ (see information them: think how the tragic earthquake model the effect of a major panel). and tsunami in Japan in 2011 triggered a collapse in supplies of key components counterparty collapsing (Lehman By way of example, take the impacts on to automotive companies worldwide. Brothers) or a Euro member country businesses of an epidemic such as Ebola, Irrespective of the root cause, what defaulting. Reverse stress-testing is Swine Flu or SARS – the consequences mattered at that moment was the plans proving to be a very effective way of of which can be access to specific and alternative sourcing arrangements focusing on extreme events and markets, and possibly the loss of many that carmakers had in place to ride out protecting organisations against staff. Similar consequences could result this type of supply chain disruption. ‘unknown’ risks.’ from other scenarios where staff and Source: ‘Black swans turn mobility are lost for a period, such as grey: The transformation of risk’, PwC, 2012

14 | Corporate Governance in the Boardroom | PwC …while keeping a close eye on behaviours

While it is vital for boards to establish as Appreciating the culture of the much visibility and control as possible organisation and indeed the differing over each of the four key types of risk – cultures within different parts of the financial, operational, strategic and business is critical. For example a ‘good hazard – its role does not end there. The news’ culture may be a warning sign single biggest risk to any organisation – that problems will be hidden, whereas a overarching and impacting all the business that embraces bad news and others – is the embedded culture and deals with it effectively provides behaviours of its workforce. confidence to the board.

As we highlighted earlier, it is crucial This imperative raises many questions. that the board sets the right tone from Are our people risk-aware? Do they feel the top, aligned with the board able to raise concerns and whistle-blow mandate, through its ethics, values and if necessary? Are working practices behaviours. But this tone will come to aligned with our values and standards? nothing if it is not reflected at the Do our rewards and management bottom of the organisation and every structures encourage the right level in between. behaviour and visibly penalise wrongdoing? If at any point our culture and behaviours deviate from our values, are we equipped to find out why and ensure it doesn’t happen again?

PwC | Corporate Governance in the Boardroom | 15 Becoming a resilient organisation

Becoming a resilient organisation

If you’re getting these components right, ‘organisational resilience’ embraces the and transforming to be stronger than then you’re on the journey towards definition that’s now guiding the bodies before. This dual nature of surviving being a ‘resilient’ organisation. But – including the BSI and the ISO – whom and bouncing back has been staying on track requires a clear PwC thought leaders have been helping investigated in a previous PwC paper, understanding of what is meant by develop standards for: ‘Resilience is an ‘Prospering in an era of uncertainty: The resilience, what it looks like, what levers organisation’s capacity to anticipate and case for resilience ’. contribute to it, and what benefits it react to change, not only to survive, but generates. All of this is both desirable also to evolve.’ It’s clear that change in today’s business and achievable: in PwC’s view, environment is faster and more organisational resilience is now the most The key word is ‘change’. To be resilient, profound than ever before – thus important discipline in business, and is it’s true that you need to be able to reinforcing the need for resilience. But becoming better understood to a point manage through an earthquake’s resilience to change has always been where it can be measured – and disruption of a supplier factory. But you vital. What’s different today is the managed. also need to manage through long-term necessity to take greater risk in a shifts in consumer purchasing rapidly-changing and unpredictable The first step is to accept the difference behaviour. So resilience isn’t just about environment – and to pinpoint and act between risk management and surviving shocks: it’s also about on emerging opportunities at pace, resilience. Our use of the term bouncing back from profound changes before competitors do so.

16 | Corporate Governance in the Boardroom | PwC Isolating underlying risk factors… ‘Roads to Ruin’: the Roads to Ruin is a research study • Boards fail to identify and guard produced by Cass Business School on against threats to the organisation’s perils of unrecognised behalf of the Association of Insurance reputation and licence to operate. and unmanaged risks and Risk Managers (Airmic) examining • Boards fail to question the Airmic commissioned Cass a decade’s worth of major corporate foundations of success. Business School to analyse crises (see information panel). • Boards are influenced by a 18 high-profile corporate crises The researchers’ analysis revealed a set dominant CEO. that had occurred during the of six common factors in the behaviour • Boards fail to set and control risk previous decade. Seven of these exhibited by the boards of the crisis-hit appetite. had resulted in the company involved facing bankruptcy, with companies: • Boards fail to recognise a change three eventually being ‘rescued’ by in the risk environment. government. In 11 of these crises • Boards do not plan for a crisis. the Chairman and/or CEO lost their jobs, and in four cases … and then advancing the focus to resilience executives received prison sentences. All of the companies Airmic built on the insights in Roads to The study concluded that resilient were damaged. Ruin by commissioning Cranfield School companies generally: The report found that these crises of Management to research a further all involved deep-seated – and valuable report, Roads to Resilience: • Have exceptional risk radar. often unforeseen – ‘underlying Building dynamic approaches to risk to • Build effective internal and external risks’, which were dangerous in achieve future success. Sponsored and networks. four ways: supported by PwC, this study involved • Review and adapt based on excellent • Many posed a potentially lethal interviews with executives, communications. management and staff with risk threat to the continued • Have the ability to respond rapidly management responsibilities, including existence. and flexibly. CEOs, at eight selected organisations. • When they materialised, the • Have diversified resources. risks often caused serious, The researchers on Roads to Resilience sometimes devastating and found overwhelmingly that the key to almost always uninsurable achieving resilience is to focus on losses to the business, its ensuring the right behaviour and reputation and its owners, while culture – a step that may involve also putting the positions of the fundamentally re-thinking and CEO and/or Chairman under challenging prevailing attitudes towards threat. risk. They added that traditional risk • Many of these risk events helped management techniques – while making to transform serious – but an essential contribution – do not in potentially manageable – crises themselves create a culture of resilience. into catastrophes that destroyed reputations and licences to operate. • Most of these risks are both beyond the reach of current risk analysis techniques, and also beyond the remit and expertise of typical risk managers. Unidentified and therefore unmanaged, these risks remain unnecessarily dangerous.

PwC | Corporate Governance in the Boardroom | 17 Understanding what resilience looks and feels like

So, what does a resilient organisation decision-making, adaptive capacity, and look like? PwC’s answer is summarised agility – reflect primarily internal in the Enterprise Resilience Framework capabilities. These traits are clearly vital in Figure 4. In our view, organisations in responding to a crisis, but they’re also demonstrate resilience by exhibiting six hallmarks of a company that can exploit traits. Three of these – coherence in change.

Figure 4: PwC’s Enterprise Resilience Framework

6 traits – and 5 levers to mange them Identity

Adaptive capacity Context and environment

Coherence Agility

Leadership

Trust Relevance

Reliability Value protection

Capability and capacity

The three remaining traits – relevance, For example, relevance is particularly reliability, and trust – reflect the important when organisations are organisation’s external relationships innovating. Whilst product with customers, business partners and improvements might be delivering other stakeholders. These may sound against an immediate customer need like soft traits, but quite the reverse is true. they can often miss a wider opportunity to open up new markets. The use of smaller disk drives in products such as the Apple iPod was a great example.

18 | Corporate Governance in the Boardroom | PwC Levers and benefits of resilience

In combination, these six traits effectively make up the business immune system, enabling it to shrug off illness, bounce back and enable adaption to change. To develop and sustain them, companies need to pull the right levers. We’ve identified five broad groups of levers for resilience, shown on the right-hand side of Figure 4. They are:

Identity Context and environment Leadership The elements that describe the These elements include the The quality of the organisation’s alignment of the organisation’s horizon-scanning, situational management and governance purpose, vision and values with awareness and anticipation that processes, along with the the culture and behaviours of its enable an organisation to be discipline they apply to stress- employees. An organisation that responsive to change, and the testing strategy and driving says one thing and does another connectedness of its relationships, innovation. will not be resilient. including internal networks that link strategy with operations.

Value protection Capability and Capacity The traditional elements related These elements provide the to operational risk management. underpinning resources required Whilst these are important, an to support an organisation today over emphasis on these elements, with the flexibility and agility to or lack of alignment between them support future aspirations. will harm an organisation’s overall resilience.

Each organisation will need a different need to change minimising the cost and balance between these factors to make it disruption caused by knee-jerk resilient. However, the benefits of striking transformation, and where it is required, the right balance are remarkably ensuring change is delivered smoothly consistent. Those that achieve this will and in a way that supports the be positioned to build resilience in the organisation’s long-term aspirations. long term, by spotting the weak signals Getting this right will protect their that indicate a future problem or reputation and ultimately generate opportunity, being quick to identify the higher returns on investment.

PwC | Corporate Governance in the Boardroom | 19 The moment of truth for corporate governance

While resilience is a desirable quality, it’s questionable whether an organisation that has never had to ride out a crisis can truly claim to be resilient. That said, there can be very few long-standing businesses that have never encountered a crisis that could fundamentally endanger their reputation and licence to operate.

The fact is that boards can put in place all the components of corporate governance needed to achieve resilience – the right tone, culture, risk appetite, controls, and more – and crises will still happen. Being resilient will help them to bounce back and, if necessary, transform themselves in response.

20 | Corporate Governance in the Boardroom | PwC Four types of crisis

The Roads to Ruin and Roads to However, it’s also vital for boards to PwC’s experience and thinking have Resilence studies provide valuable recognise that all crises are not the found that there are essentially four guidance for boards seeking to create same. This means a ‘one-size-fits-all’ types of crisis. As Figure 5 shows, these corporate governance environments approach to preparing for – and are all different – not just in terms of that foster and embed resilience into responding to – crisis situations will their causes, but also in the speed with their organisations. An especially inevitably fail to address the full array of which their full impact emerges. So as important point is the emphasis on causes, consequences and twists and well as remaining vigilant for sudden culture and behaviour as the principal turns that can emerge. unexpected events, the board also needs source of resilience. to stay alert to slow-burn situations that could suddenly explode into disruptive risk events.

Figure 5: Time/severity profile of four types of crisis

Scale of impact (severity)

Hidden crises Operational disruption

Classic rapid Strategic disruption onset event

1. The first type of crisis is the classic 3. The third category is hidden crises So faced with these four types of rapid-onset crisis, such as a that can suddenly explode into view, potential crises, what can boards do? physical disaster or business such as serious frauds or ongoing In summary, one area of focus for each continuity breakdown. In many ways, ethical breaches. These take a similar type of crisis: these are the easiest to identify and path to the major physical events, but • Business recovery plans, which have tackle: something big has happened, their onset is concealed until they been rehearsed, tested and and a senior response is imperative spring up. communicated, are essential to – and urgent. 4. Finally, there’s the long-term mitigate the classic rapid onset event. 2. The second type of crisis is more strategic crisis that builds up • Horizon scanning, scenario planning challenging: operational slowly over time, to the point where and linking risk and strategy together disruptions – such as supply-chain the organisation’s very operating will provide a lens on potential failures, IT outages, or health and model is challenged and sometimes strategic disrupters. safety failings – that can rumble tipped over the edge. Think Kodak’s • Maintaining discipline, a strong along quietly while building up camera film business or Blockbuster’s compliance culture and a joined up catastrophic event risks in the video rental stores. view of the overall organisation will background. Think rail maintenance: help prevent operational issues one of a series of apparently low-level becoming operational disrupters. issues suddenly ticks upwards to trigger a full-blown crisis, apparently • Keeping a focus on the relevance of with little warning – although the the value and behaviours of the signs were actually there all along. organisation and ensuring they are consistent with the values expected by society today, will help to avoid hidden crises.

PwC | Corporate Governance in the Boardroom | 21 Ultimately, people matter most

While these types of crisis differ in leadership comes to the fore, providing a improvements in these areas, the place nature, origin and time profile, the clear and explicit purpose, vision and to focus initially is behaviour, since – board that has implemented effective values – all demonstrated and reinforced unlike an embedded culture – it can be corporate governance will be better by the right behaviour and culture, changed virtually overnight. placed to respond in the best way to defined as ‘the way we do things around each. This is where the true value of here consistently’. In trying to drive

Figure 6: The drivers of behaviour in an organisation

Purpose How they act Results

Vision Intrinsic motivators Values

Behaviours

Behaviours and Leadership actions decisions in the Performance moments that Communication matter

Structure Reinforcers Performance measures

Reward, training and talent

Competitive context

Figure 6 shows the levers at the board’s If these four intrinsic motivators – Reinforcers disposal to help ensure the purpose, vision, values and behaviours organisation’s people behave how it – are in place and aligned in the right In our view, six components play a role in wants them to. direction, experience suggests that most helping to reinforce and embed the right people in an organisation will behave in behavioural norms across a workforce. In order of importance, they are: Intrinsic Motivators the way we want. As the positive behaviours become increasingly 1. Tone from the top – how To establish and use these levers, the embedded, the result can be a virtuous leadership conducts itself and what board should start by looking at the circle where doing the right thing it says. Intrinsic Motivators and applying its becomes the accepted cultural and board mandate to clearly articulate the behavioural norm rather than 2. Consistent communication organisation’s purpose and vision; then something imposed from above. – both internal and external, verbal convert the purpose and vision into and written, and behavioural. explicit values; and finally use these 3. Organisational structure – free values to define the behaviours it wants of silos that could make people people to enact across the business. prioritise their own sectional interests over those of the business as a whole.

22 | Corporate Governance in the Boardroom | PwC 4. Performance measures – The results monitoring and recognising the right Tomorrow’s Company: behaviour as well as the right The litmus test for people’s behaviour is financial outcomes. the decisions they take at the moments The importance of that matter, when they have a choice 5. Rewards – incentivising and board conversations between doing the right thing or not, rewarding the right behaviour as well and when there is probably nobody ‘The fundamental precept of the as the right financial outcomes. watching to compel them to do it. In board as a governance tool, 6. Competitive pressures – resisting other words, don’t wait for a problem to whether unitary or supervisory, the temptation to behave arise – look to encourage proactive is the belief that the best way to inappropriately even if competitors rather than reactive behaviours. lead an enterprise is in the are doing so. Provided the intrinsic motivators and interchange and sharing of facts, In combination, these six components reinforcers are encouraging the desired ideas and perspectives between shape behaviour at the moments that behaviour, the odds are that the decision the managers of the business, who matter – and the board that succeeds in they take will be the right one for the know its nooks and crannies, and aligning them can achieve both higher organisation as a whole. outsiders, who know less but have performance and better behaviour. For more detachment and objectivity. the board to generate these outcomes, it The medium for making that is vital that it gains ready and ongoing interchange happen can only be access to the broadest possible range of conversation. There is no perspectives and views on the business. alternative. The options are This means encouraging and facilitating restricted to whether or not a frank, open and two way conversations subject gets suitable airtime, with and between the full array of and whether the quality of the internal and external stakeholders – a conversation about it is good point stressed by Tomorrow’s Company or bad.’ (see information panel). Only through Tomorrow’s Company: such conversations can the board hope ‘Tomorrow’s Corporate to gain a comprehensive all-round view Governance: Improving the of its business’s risks and opportunities quality of boardroom with the ultimate outcome of conversations’ heightened resilience and trust across all stakeholders.

PwC | Corporate Governance in the Boardroom | 23 Building trust and culture

24 | Corporate Governance in the Boardroom | PwC The right culture & behaviours

While the right culture and behaviour This measurement can take place in Aligning these three aspects of are vital for corporate governance to be three dimensions: behaviour is the key to successful effective, any effort to drive 1. What we want – the behaviours the culture change. Even when values are improvement in these areas across an organisation expects in order for its clearly articulated, they don’t organisation raises an obvious question: vision and values to be achieved. necessarily generate the right behaviour how do we know whether it’s working? at moments that matter. If there is a 2. How we set ourselves up – One way for the board to find out could mismatch between the intended, the processes, policies and controls be to wait and see if a crisis blows up (or espoused and actual behaviours, the that the organisation creates to not) caused by poor behaviour. But a far organisation will underperform influence people’s behaviours, better and less risky approach is to commercially and lose trust among including reward policies and measure culture on an ongoing basis. stakeholders. If they’re aligned, both leadership communications. performance and trust can – and Before it can measure culture, the board 3. What we get – what are people probably will – grow. has to start by defining it. PwC generally doing? What decisions are they defines culture as ‘the assumptions or making? What are they prioritising? beliefs common in an organisation that Focusing on scenarios involving predict how its people will behave and trade-offs that impact outcomes and what it will achieve’. It clearly isn’t culture will make the measurement possible to measure assumptions or more meaningful. beliefs. But the behaviours and outcomes they produce can be measured.

Investing in your trust asset… The shifting parameters This brings us back to the core purpose The trust engendered by good corporate of corporate governance: managing and governance is also instrumental in of trust explaining the business in a way that is achieving resilience, because when a ‘As well as managing the different aligned with its core purpose and builds crisis hits an organisation they trust, levers to nurture the right trust among all stakeholders. And trust stakeholders will give it the benefit of behaviours and build organisational is not an asset to be taken lightly. PwC’s the doubt, and more time and leeway to resilience, boards must also take Trust Insight research looks at the value sort its problems out. However, as we account of a further critical of being a trustworthy organisation and pointed out in a 2013 paper entitled dimension – which is the constant measuring the drivers that influence ‘Integrity, business ethics and the evolution in the criteria against trust with different stakeholder groups. resilient organisation ‘, the drivers of which society judges companies’ The findings indicate strongly that trust are constantly changing (see trustworthiness.’ investing in trust as an organisational information panel). Boards should asset can drive performance for any strive to keep pace with this evolution “Integrity, business ethics business and can help organisations through stakeholder conversations and and the resilient achieve their strategic goals. horizon-scanning. organisation”, PwC

PwC | Corporate Governance in the Boardroom | 25 …and ensuring compliance

However, while the drivers of trust may The scope and nature of compliance has The accumulation of such compliance change over time, a consistent evolved from a series of rules-based teams – all performing similar imperative for trust to develop and grow regulations to a much broader, greyer compliance activities and processes – is regulatory and ethical compliance. So, area that now includes operational, can result in bureaucracy, to ensure that corporate governance customer and third party risks which inconsistencies and compliance fatigue does its job, boards must be continually have become more complex and among front-line management subjected aware of the level of compliance entwined – areas that are more difficult to repeated intervention and disruption. for companies to monitor and control. throughout their organisation. By So are organisations doing too much or applying a compliance lens to the right Compliance risk also touches many are they doing too little? This is not a information, they can be assured that functions and over time multiple question on the volume of compliance the governance framework is effectively compliance initiatives and structures are activities, instead it’s the efficacy of such translating the board’s mandate, created across operational, financial, activities, how they are structured, purpose and values into people’s regulatory, ethical and legal organised, deployed and more everyday behaviour on the ground – and departments. This is understandable importantly how they are integrated also that this behaviour is compliant. given the significant changes to the into business as usual. regulatory and ethical compliance landscape, from the Sarbanes-Oxley Act to the rise in anti-bribery legislation and the renewed focus on Data Privacy.

Eight tips for successful compliance

Be proactive Make best practice for Don’t lose sight of the big Take a proactive approach to purpose picture compliance that addresses present An integrated compliance framework It can be tempting to focus on and future compliance needs. This is founded on fundamental individual components – such as frees up leadership time to invest in components that collectively deliver policy or training – to deal with a the business and confidently exploit an effective and efficient compliance specific compliance incident or new market opportunities. It also organisation and culture. These situation. But only by embracing an helps to bring an ethical reputation, components vary in complexity and integrated compliance programme not only with regulators but also with depth to reflect each organisation’s will you pinpoint root causes and customers, suppliers and wider risk exposure – but they remain embed a true compliance culture. stakeholders. integral to effective compliance capabilities.

Align with business Make it sustainable Don’t just assume it’s objectives More often than not, the focus on working An effective compliance programme achieving compliance targets is A well-balanced monitoring and aligns its activities and focus with the sustained for a year or two, but then assurance structure is critical to any business’s objectives and strategy. drops off. Sustainability is a vital compliance programme. It enables Focusing on compliance with characteristic of a compliance issues to be detected and remediated competition law during an programme, as it ensures that early, facilitates the continuous acquisition trail, or on data protection compliance investments continue to improvement of the programme, and as the business grows its offshore benefit the organisation and pay off – more importantly – embeds data centres, will position the over the long term. compliance accountability across the compliance programme as a trusted business. adviser to strategic decision-making.

26 | Corporate Governance in the Boardroom | PwC Compliance can feel like an unwieldy burden: executives and non-executives are overwhelmed by compliance information from multiple sources; the front line is overwhelmed by compliance tasks, risk assessments, audits and reporting requirements placed upon them by the different compliance teams; and the sustained focus on cost efficiency is putting pressure on the ethical and regulatory compliance teams to find synergies, adapt and take a more consistent approach. In response, many organisations are reassessing the effectiveness of their compliance capabilities and are looking for the most successful approach.

Eight tips for successful compliance

Keep it simple With the constant increase in laws and regulations, businesses can adapt a reactive and siloed approach to compliance, resulting in duplication and ‘compliance fatigue’. A leaner and simpler programme leads to more efficient processes, and is recognised by the business as an enabler not a distractor.

Communicate, Communicate, Communicate Progressive compliance programmes have long recognised the importance of consistent and clear communication around their objectives. Some programmes have their own branding and corporate communication skills, while others use third-parties to source them.

PwC | Corporate Governance in the Boardroom | 27 New approaches emerge Now the tide is changing. Driven assurance activities. We are also seeing mainly by Boards and non-executives, strong signs that the recent focus on we are seeing an increasing number corporate culture as evidenced by the of organisations striving and investing updated UK Corporate Governance Code to develop and integrate their is here to stay – defining, shaping and compliance capabilities to manage monitoring the culture and behaviours ‘business as usual’ compliance risk, across organisations. It’s no longer a while also identifying and improving ‘nice-to-have’ but a ‘must-have’. the more overarching and fundamental ethical levers. Strong and continuously reinforced ethical cultures breed acceptance of We believe that the future for many ethical standards rather than resistance ethics and compliance functions will be to them, as long as they are clearly building a simpler, universal and aligned to the reputation of the integrated framework that spans all company. They also breed ‘loyalty’ – an compliance areas supported by one emotional bond to the organisation’s common tool to capture compliance brand which is the strongest compliance requirements; risks, policies, tool possible; people are far less likely to procedures, controls, monitoring and intentionally damage a brand they hold an affection towards.

28 | Corporate Governance in the Boardroom | PwC PwC | Corporate Governance in the Boardroom | 29 So what could tomorrow look like?

30 | Corporate Governance in the Boardroom | PwC The rise of ‘risk leadership’ Tomorrow’s Company: If boards are able to create, embed and consider the value of a dedicated defining tomorrow’s sustain the type of corporate governance executive risk leadership role, taking that we’ve described in this paper, then into account how risk is structured in dedicated executive risk we think this opens the way to a new the organisation and its risk maturity. leadership and different future: one in which organisations – and their people at all This type of role is described in the ‘Having in place an executive voice levels – truly understand both the accompanying excerpt from the report. of risk in the organisation that leads critical role of effective risk Crucially, Tomorrow’s Company stresses the risk agenda helps deliver the management in a turbulent and that the purpose of risk leadership is not business model and drive business uncertain world, and also the about ‘removing the responsibility for performance. risk from members of the board. It is to opportunities for their businesses to This leadership is achieved through help support them in managing today’s adapt and build capacity for survival. being both a voice of challenge and a and tomorrow’s risk agenda.’ An business educator and enabler, fully This future could be one where there is a important effect would be to help boards empowered to help the business common understanding of risk get an overall perspective on what is gain a deeper appreciation of the throughout the organisation, where risk happening in the wider risk space, relationship between risk, reward becomes the natural vocabulary used by ensuring better-informed and more and strategy to enable better and everyone when thinking, assessing and holistic decisions. acting upon decisions – ensuring that more informed decisions to be risk is taken seriously, acted upon and In PwC’s view, this compelling vision taken. marks a logical next step in the evolution addressed – resulting in a partnership It involves embedding a risk culture of corporate governance. The attitude of mind and behaviour that is to help the organisation proactively foundation and ultimate proof of embedded in the DNA of the deal with risk issues and inherent effective corporate governance is organisation. dilemmas, across and beyond the behaviour – a fact that underlines the enterprise. A vital enabler for this future is the need for effective executive risk emergence of a new form of risk leadership. The best-governed and most To be successful they must be able to leadership across all industries. This resilient businesses of the future will be see, and integrate the whole risk concept is explored in a recently- those where senior management takes a agenda for the business, aligned to published paper from Tomorrow’s firm lead in forging a risk strategy that its business model, and navigate this Company entitled: ‘Tomorrow’s Risk harnesses knowledge and ideas across agenda over immediate and longer Leadership: delivering risk resilience and beyond the organisation, both to term horizons, with independence and business performance.’ In line with support the board and also to keep it and assuredness. This involves the changes in corporate governance set fully informed about emerging risks. having a strong forward looking and out by the FRC, the publication puts The risk leadership proposed by external focus, scanning the forward the case for all organisations to Tomorrow’s Company delivers on business environment for risks and rethink their risk leadership, and every count. opportunities that can impact business performance.’

‘Tomorrow’s Corporate Governance: Tomorrow’s Risk Leadership: delivering risk resilience and business performance’

At PwC, we’re continually engaging with boards and leadership teams on these issues, aiming to help them align their organisation’s board mandate, strategy, risk appetite and behavioural culture in a way that enhances governance and supports their journey to resilience. Throughout this journey, the key to tomorrow’s successful, well-governed company is robust leadership of the risk agenda. In a world of ever-more diverse and unpredictable risks, that’s the one vital factor that will increasingly define and differentiate the best corporate governance.

PwC | Corporate Governance in the Boardroom | 31 Contacts

32 | Corporate Governance in the Boardroom | PwC Boardroom Engagement Risk Ethics

Richard Sykes Simon Perry Tracey Groves Author and Governance Risk and Enterprise Resilience Partner Business Ethics and Integrity Risk Partner Compliance Leader T: +44 (0) 7740 024957 T: +44 (0) 7803 853425 T: +44 (0) 7841 011300 E: [email protected] E: [email protected] E: [email protected]

Behaviours Compliance

Nicola Shield David Andersen Risk and Controls Partner Governance Risk and Compliance Partner T: +44 (0) 7931 388648 T: +44 (0) 7850 516437 E: [email protected] E: [email protected]

Risk and Governance Resilience Crisis

David Taylor Martin Caddick Dr Paul Robertson Risk and Regulation Partner Director of Enterprise Resilience Director of Crisis Leadership T: +44 (0) 7973 227781 T: +44 (0) 7590 354320 T: +44 (0) 7850 907527 E: [email protected] E: [email protected] E: [email protected]

Simon Evans James Crask Director Senior Manager Enterprise Resilience T: +44 (0) 7771 657600 T: +44 (0) 7715 484258 E: [email protected] E: [email protected]

For more on governance, risk and compliance visit www.pwc.co.uk/riskresilience

PwC | Corporate Governance in the Boardroom | 33 This publication has been prepared for general guidance on matters of interest only, and does not constitute professional advice. You should not act upon the information contained in this publication without obtaining specific professional advice. No representation or warranty (express or implied) is given as to the accuracy or completeness of the information contained in this publication, and, to the extent permitted by law, PricewaterhouseCoopers LLP, its members, employees and agents do not accept or assume any liability, responsibility or duty of care for any consequences of you or anyone else acting, or refraining to act, in reliance on the information contained in this publication or for any decision based on it.

© 2015 PricewaterhouseCoopers LLP. All rights reserved. In this document, “PwC” refers to the UK member firm, and may sometimes refer to the PwC network. Each member firm is a separate legal entity. Please see www.pwc.com/structure for further details.

150429-133019-GR-OS