Growing boldly and safely

Some organisations see governance as something imposed on them externally, an obligation to tick a number of boxes, rather than an opportunity for the company to grow. But whether you’re a start-up or a more mature company, your governance, risk and compliance practices need to be regularly reviewed. This is especially important during times of disruption and increased scrutiny.

Today more and more companies are considering their governance frameworks anew: there’s no point in having layers of governance for governance’s sake. They’re setting themselves up to avoid risk, which gives stakeholders confidence and ensures everyone is following the same strategic direction.

Start-ups need to be agile and nimble in their governance as they are early in their life cycle, but often their biggest barrier is knowing where to start. Governance here might be as simple as putting regulatory and legal frameworks in place, seeking advice from independent advisors or directors when required, and having appropriate segregation of duties or delegations of authority. It’s also important to consider what kind of organisation the start-up wants to be: is it heading towards IPO listing, or a sale to a potential investor, and what would be necessary from a governance perspective to bring this about?

More mature organisations are revisiting their governance to ensure they can stand up to scrutiny, and also to make sure they can deal with disruption and maximise opportunities for growth. They’re looking at whether their frameworks are fit for purpose both now and into the future. Still, the pendulum shouldn’t swing too far: increased scrutiny may bring tighter governance, but that mustn’t muzzle and disempower the organisation.

So compliance doesn’t mean stasis. Although some organisations have been traditionally risk averse, there is also a need for calculated risk in order to prosper. It may be time to look again at new product development, capital investment and M&A activity and go back to first principles of governance. Business cases for change are usually lengthy and cumbersome. But revisiting these requirements and looking at them afresh, including the timings within which the business case is put forward for approval, can significantly increase the speed at which opportunities are pursued.

However, for this to occur, there needs to be a clear articulation of risk appetite from the Board. We live in an increasingly digitised world, and many mid-market organisations are still not prepared for data leaks and breaches of privacy, and have a way to go before considering themselves cyber ready. As Boards negotiate complex regulatory environments, they need to consider the “Crown Jewels” of the business: the most important elements that must be protected. That could be customer data, in-house IP, or financials. Controls to protect these can then be designed. This is not just an IT issue but one where everyone in the organisation needs to understand the high price of risk.

For governance success, organisations should ask the following questions:

  • What is your risk appetite? What do you want to achieve? Is this clearly understood by everyone in the organisation?
  • What are your compliance and regulatory obligations and what are the structures you need to put in place?
  • How much are you prepared to invest? Do you need internal or external resources?
  • Talk to your people – how are you going to get everyone aligned?

The answers to these questions will provide a great starting point for considering governance in a new light.

Sarah Cain and Heather Hicks, Partners, KPMG Enterprise Audit