Effective corporate governance is not a one-size-fits-all approach, as recognised by regulators and self-regulatory organisations around the world. Principles propounded by local advisory and governing bodies provide guidance on how to effectively and transparently manage an organization and ensure it is meeting its obligations to all stakeholders. We will examine how corporate governance principles can be enhanced and improved by the explicit integration of information governance into companies’ corporate governance schema.
Corporate governance is, in its most general terms, how a business is controlled, governed, and operated. Principles of good corporate governance include fairness, accountability, responsibility, and transparency. A company’s system of governance is its framework of rules, relationships, controls, and processes.
Company management and boards have myriad responsibilities. These include planning for pandemics, natural disasters, and other major events that can affect a company’s basic ability to conduct business and disrupt operations; managing the company’s workforce and supply chain; ensuring compliance with data privacy and security regulations; and staying on top of constantly evolving regulatory and reporting requirements in the different locations in which they operate.
Recent hot topics in corporate governance range from proper compensation and remuneration, to environmental and social concerns, to effective financial and operational reporting, to disaster (actual and virtual) planning. In the remuneration sphere, questions include what kind of actions executives are being incentivized to take and how to address gender, racial, and seniority pay disparities. On the environmental front, relevant considerations include preparing for natural disasters such as the wildfires that ravaged Australia and California in 2019, protecting the company against climate-related litigation, and measuring and disclosing climate-related risks. The ongoing COVID-19 global pandemic is certainly the most pressing recent global example of an unforeseen risk that organizations must manage. As countries work to bring their economies out of recession, lawmakers are identifying enhanced reporting and governance as key to recovery. For example, the EU’s reconfigured Green Deal to revitalize the bloc’s economies includes additional financial and business operations reporting for companies that receive assistance in recovering from the economic impact of the pandemic.
Each of these areas of focus requires a well-conceived and -executed schema to manage the information assets of the organization, which can be achieved by creating a framework for an evolutionary information governance (IG) program.
Rules and Guidelines
Most countries have specific corporate governance rules for companies that are listed on that country’s exchange or are regulated by that country. For example, the Australian Exchange (“ASX”) Corporate Governance Council has laid out eight guiding principles for effective corporate governance of listed companies. In the Philippines, the Securities and Exchange Commission has enacted the Code of Corporate Governance for Publicly Listed Companies with 16 guiding principles and related direction for listed companies, and the Monetary Authority of Singapore (“MAS”) requires listed companies to “comply or explain” with its Code of Corporate Governance and the 13 principles and multiple provisions listed therein. These codes and guidances are consistent with the corporate governance rules and guidelines of other organizations across the world, such as the US Business Roundtable, the US Council of Institutional Investors, the UK Financial Reporting Council, and the European Corporate Governance Institute.
In addition to guidelines styled as corporate governance, other national and international institutions have offered guidance on enhancing governance to ensure robust risk mitigation. For example, in response to widespread misconduct in the Australian financial system, the Royal Commission into Misconduct in the Banking, Superannuation and Financial Services Industry found that a strong corporate governance culture is key to “encourage [the] sound management of non-financial risks, and to reduce the risk of misconduct.” Other organisations have explicitly called out other areas required for effective governance. An example is the 2012 Report of the Basel Committee on Banking Supervision. In response to the 2008 financial crisis which had at its core bad data (improperly valued loan assets), the Basel Committee issued a standard (BCBS 239) for Global Systemically Important Banks. The standard consists of “principles for effective risk data aggregation and risk reporting,” and recommends creating formal data, IT, and information governance frameworks.
With the exception of BCBS 239, many of these guidelines do not explicitly include information governance as part of corporate governance. As we explain below, information governance can support effective corporate governance, and its omission from formal inclusion should be addressed.
IG, in general terms, is the strategy and framework for managing information effectively in an organization, reducing risk and enhancing value and efficiency of operations. The key elements of effective IG are creating the processes and utilizing the appropriate technology and controls to ensure the integrity and reliability of the information, the accessibility and availability of that information, and its security over its lifecycle, from creation through storage and use, to disposition or archiving.
For many corporate stakeholders, IG is a foreign concept that may often be confused with data governance (which is an element of IG), relegated to the task list of the company’s IT operations or parked in its under-funded, under-resourced records management programs. It is much more than that: a well-conceived IG program sits astride an organization’s business operations, ensuring that the organisation’s lifeblood -- information -- has integrity and is responsive to the business’s needs. A reliable, available, and usable corpus of information derived from good data is an essential element for any modern organization to tackle corporate governance issues. In the early days of Big Data that contributed to the definition of IG, Robert Smallwood specifically called out IG as a “super discipline,” encompassing a variety of areas ranging from data management and regulatory frameworks, to privacy and security considerations, and characterized IG as a “subset” of corporate governance. This characterization has evolved over time, as the need for an integrated framework has been recognised.
Good information governance can ensure that your managers and directors have timely access to accurate production, financial, and sales information on which to base decisions for the company. Good information governance can help your company securely transition to remote work and then maintain that as an enduring operational reality, enabling effective service for your customers’ needs through numerous disasters and ensuring business continuity. Good information governance means that your company’s information and data will be secure, available, and dependable.
The framework for an IG program should always evolve to reflect the changing nature of business conditions and corporate priorities. A great example of this will be the challenge faced by companies and municipalities in the EU as, in response to the COVID-19 related stimulus programs, they attempt to incorporate and accelerate the Green Deal principles and precepts in their highly regulated environments. Given the new economic realities as countries attempt to jumpstart their economic recoveries post-COVID, it will be interesting to watch how governments deal with privacy regulations and enforcement, and whether focus will shift to financial outcomes over enforcement of individual rights, particularly in the EU.
Convergence of Governance
As companies, boards, investors, and other stakeholders expand their corporate governance focus from financial performance to other important factors that affect the long-term sustainability of companies, information governance should also be a focus. Good information governance underpins good corporate governance in many areas. Some of the key issues that are top of mind for boards and management today that will benefit from strong information governance include cybersecurity, regulatory changes, global and local economic uncertainty, business continuity, and enhanced financial reporting, among others. For more on these, see the recent article published by Susan Bennett and Professor Michael Adams entitled Information Governance Key to Good Corporate Governance.
To meaningfully address these and other concerns in the corporate governance sphere, companies must have a solid information governance foundation. A strong IG framework will ensure management access to accurate, reliable, and timely information, support audit responsibilities, and provide replicable processes upon which managers and boards can rely. By making IG concepts explicit in existing corporate governance codes and guidelines, companies, managers, boards, and investors are better positioned to understand how IG supports good corporate governance by improving information access, and enabling companies to become more resilient. In this section, we propose changes to existing corporate governance rules and guidelines by subject area, with detailed language proposals (by jurisdiction) in the Appendix, and in the following section, we lay out steps that companies, boards, and managers can take now -- because you don’t have to wait to embrace the convergence of governance.
Corporate Reports and Disclosures
Key to regulators, investors, markets, and the public’s understanding of what a company is doing and how it is operating are company reports and disclosures. While required or permitted disclosures vary from market to market, the common ground is that reports and disclosures must be timely, accurate, and responsive. These public-facing documents include financial reports, annual disclosures, corporate governance disclosures, and material event disclosures. For example, the UK Corporate Governance Code explains in its first provision that the board must assess the basis on which the company generates and preserves value over the long-term and describe in the annual report the “opportunities and risks to the future success of the business,” the “sustainability of the company’s business model,” and specifically “how its governance contributes to the delivery of [the company’s] strategy.” 2018 UK Code Provision 1. Annual reports are often the main source of information about the company for shareholders and other stakeholders, and the veracity and completeness of what is disclosed therein matters. In fact, the ASEAN Corporate Governance Scorecard has more than ten specific questions concerning the quality of companies’ annual reports. The ASX CGC directs companies to make fulsome, detailed corporate governance disclosures that explain not only the company’s “governance arrangements it has in place” but also “how they are being implemented in practice.” Corporate Governance Principles and Recommendations, 4th ed. (Feb. 2019) at p. 4. Such disclosures are meant to promote transparency, improve investor confidence, and assist other companies that may be facing similar challenges.
Given these goals and requirements, a well-conceived and effectuated IG program will enable management to have appropriate access to the corpus of information to be disclosed and confidence in the procedures that the company has in place to store and retrieve important information as a result of that framework. For example, a requirement to annually review risk, as found in the ASX CGC at 7.2, should include the explanation of how the board conducted its risk review (discussed more in detail below), what material insights were gained from that review, and what steps the board is taking as a result of that review. An IG framework enables these disclosures and provides a repeatable, auditable process that can promote market confidence.
Explicitly recommending a comprehensive, appropriate IG framework in order to improve corporate reports and disclosures would be a logical step by exchanges, regulators, and advisory bodies. This could be added to the ASX CGC Code under principles 4 and 5, to the New Zealand FMA under 4.3, and to the UK FRC’s Corporate Governance Code as a provision under F, Transparency and External Reporting. Appendix A sets out other countries’ and organisations’ codes and guidelines that could be improved by the addition of an IG framework to corporate disclosures and reporting.
Shareholder or Securityholder Engagement and Rights
Engagement with a corporation’s shareholders or securityholders is crucial to effective management and governance today across the world. Stakeholders in Europe and Asia have long understood this, and American businesses have been trending in this direction. In the United States, the SEC reported a ten-fold increase in shareholder engagement over the past decade. In Europe, the European Union Shareholder Rights Directive (SRD II) promotes effective stewardship and long-term investment objectives by focusing on the responsibilities of the investment community, not just shareholders. Engaging with shareholders and securityholders allows management and directors to hear directly from them and build a relationship of trust. Shareholder engagement includes efforts on topics such as executive compensation, strategy, diversity and inclusion, risk management, and corporate governance, in addition to the usual financial and strategic conversations. These complex discussions can build strong relationships, ensuring that management and stakeholders are on the same page with respect to company strategy, long-term value, and effective stewardship. This is particularly important if so-called “activist” investors arrive who are looking for short-term gains instead of long-term results. Part of the relationship of trust requires management and the board to ensure timely access by the shareholder or securityholder to accurate information.
The corporate governance guidelines and rules of many organisations recognise that companies need to provide information to ensure this trust relationship is established and nurtured. What they haven’t done is to explicitly incorporate, in this context, the complementary IG principles: veracity of information, availability of information, and dependable and repeatable reporting of information. The guidelines and rules can be enhanced to incorporate these principles in order for shareholders to be able to participate meaningfully with company management. See the chart at Appendix A for more detail on suggested enhancements and clarifications.
Risk Identification and Management
Another key area for incorporating IG is in addressing management’s responsibilities to identify or recognise risk, manage risk, and set and monitor the company’s risk profile. Countries and exchanges differ on the roles that board members and management take with respect to risk recognition and management, but all agree that risk identification, assessment, control, and management are critical to a company’s success. The positive effect of a thoughtful IG program on an organization’s ability to plan for and respond to risk is evidenced by having good, clean, available and timely data upon which to base decisions during turbulent times. Organisations and jurisdictions are aligned in stating that boards and management should pay close attention to potentially disruptive risks, which could have a significant, severe, and often sudden effect on a company's revenue, operations, profitability, competitive position, and reputation. See, e.g., National Association of Corporate Directors, The Report of the NACD Blue Ribbon Commission On Adaptive Governance: Board Oversight of Disruptive Risks (2018). Disruptive risks include near-term political challenges; market deterioration/industry disruption; natural disasters/man-made emergencies; and strategic/business model failure.
Incorporating IG into corporate governance codes for risk matters can be achieved by explicitly adding IG frameworks and systems to the risk responsibilities of boards and management. For example, the Singapore Code of Corporate Governance Principle 9 can be amended to include information governance systems as a type of internal control that must be reviewed and assessed. By including IG in that and similar principles, boards and management will better understand how that framework can help them better assess the types and extents of risks that their corporations face.
Business resiliency includes risk, supply chain, insurance and legal, technology and information security, government relations and public policy, financial and investor, customers and branding, talent and workforce, and employee health and wellbeing. These are all areas well serviced by a strong IG strategy that, again, provides timely, accurate information to management so that they can plan for and react efficiently to business threats.
Among the internal control systems that boards should work with management to oversee and regularly assess is how the company manages its information resources and the processes governed by the company’s IG framework. These will include development, documentation, and ongoing maintenance of company-wide information system architecture; documenting, conforming, and maintaining key data and information processes; and development and maintenance of a master data management program. Understanding that the IG framework straddles all areas of a business’s operations can assist management and the board in assessing the adequacy of other internal control systems. Similarly, the repeatability of IG processes and auditability of the IG framework can help management and the board strengthen other internal controls.
Why Boards Should Act Now to Incorporate IG
Companies can realise the benefits of information governance, as laid out above, before information governance is explicitly incorporated into their respective jurisdictional corporate governance codes and guidelines. All regulatory and advisory bodies -- both those that require companies to comply (like the Singapore MAS requirement for listed companies to “comply or explain”) and those that issue advisory guidance (like the US Business Roundtable and OECD) -- explicitly recognize that corporate governance is not a mandated “check-the-box” system, but rather depends on the specifics of each company. Inherent in that understanding is that companies can adopt best practices before the relevant local advisory group or regulator requires those practices. Adopting best practices before they are explicitly required is an example of strong, competent leadership, uniformly recognised as fundamental in effective corporate governance and risk management. As Peter Seah, the chairman of DBS Bank (Singapore), recently wrote, a “corporate governance framework [is] anchored on competent leadership, effective internal controls, a strong risk culture, and accountability to stakeholders.”
The benefits from acting now, and being an “early adopter” to integrate IG into your company’s corporate governance schema, are profound. Information governance integration will obviously benefit your company’s risk identification and management, reducing the cost of risks associated with crises and unplanned events. What is not so obvious is how it can add value to areas other than risk mitigation and guideline adherence.
We focus on two areas where a strong information governance component to your corporate governance framework will provide immediate and measurable impact. One is M&A and financing. Good corporate governance can help a company attract outside investors and capital and reduce the costs of capital for the company (in terms of debt and equity financing). The due diligence processes conducted for these transactional functions are heavily dependent on the corporation being able to accurately report on its business functions and on the flow of information underlying these functions. A well-defined information governance program can clearly facilitate this process and inject a greater degree of transparency in the due diligence process for both M&A and capital markets activities.
In addition, only in recent years has valuation of information assets started to gain traction as an integral part of M&A due diligence, beyond the standard valuation of the target company’s intellectual property. The valuation of information assets is being realised due to the improved insight afforded by having a sound, evolutionary IG strategy and well-documented, auditable, repeatable business processes around information management, leading to greater opportunity to leverage business information that was previously not available.
A second area where information governance can provide measurable impact is companies’ reputations, through, for example, growing forays into data ethics and corporate social responsibility activities. As part of their commitment to corporate social responsibility, some US companies across a range of verticals are finding ways to employ their data assets to more directly service their communities. Their effectiveness in deploying successful initiatives depends largely on their ability to harness the internal corpus of responsive information and conduct sophisticated (advanced algorithmic) analysis, sometimes in concert with external IoT and sentiment analysis data. None of this is possible without a well-developed IG framework, which can provide the basis for meaningful analysis on underlying data assets with integrity.
Effective corporate governance needs strong information governance. Numerous areas of focus for corporate governance depend on or require the type of transparency, measurability, and repeatability that comes from a robust information governance framework. These include shareholder and stakeholder engagement, appropriate and fulsome disclosures, business resiliency, and risk identification and management. As championed in this article, local regulatory and advisory bodies should explicitly incorporate information governance into their corporate governance rules and guidances. Even with the myriad characterizations of corporate governance principles across jurisdictions, and differing degrees of requirement, a developed information governance framework will enhance corporate governance in organisations regardless of their location.
While explicit guidance will hopefully be forthcoming along the lines proposed herein, companies and boards should seize the initiative to bring information governance into their corporate governance systems. Companies should turbocharge an integrated information governance program as part of their efforts to enhance and improve their corporate governance. As laid out above, the upsides include mitigating risk, improving management of data and information, unlocking and leveraging information assets for business growth, and enhancing the ability to demonstrate good corporate citizenship.
Bryn Bowen is a Principal Consultant at Greenheart Consulting Partners, a Governance Risk & Compliance information consulting practice and a Board Director of MCCG Guyana, a management consulting company based in Guyana.
| JURISDICTION | SECTION/PRINCIPLE | PROPOSED INSERTION/ADDITION |
|---|---|---|
| Australia | 4.2 | Corporate Reports; add to Commentary paragraph 1: The company should have in place an appropriate information governance framework that will allow the CEO and CFO to declare that the financial records are properly maintained and give a fair and true representation of the financial position of the company. |
| | 4.3 | Add to the beginning of the last paragraph: This disclosure should include a description of the company’s information governance structure. |
| | 5.1 | Disclosures; add to Box 5.1: Document the information governance framework that governs the management of the underlying information being disclosed. |
| | 6.2 | Rights of security holders; add to the end of second paragraph: The best way to facilitate this is through a strong information governance framework established at the outset. |
| | 7.1 | Risk management and recognition; add to the risk committee roles: Ensure that an information governance framework exists and is responsive to the company’s risk concerns. |
| New Zealand | 2.1 | Add to Board Composition & Performance, Board Responsibilities: Overseeing the governance of the organization’s information assets and processes perhaps as an adjunct to the audit function |
| | 3.1 | Add to the Board Committee, financial reporting processes: ensuring financial and information processes are in place and monitored…. |
| | 4.3 | Add to Reporting & Disclosure, Non financial reporting: ...include other non-financial disclosure such as compliance with its information governance framework... |
| | 6.3 | Add a new section to Risk Management: An issuer should disclose how it is managing its information and data assets through an information governance program, and should report on its level of risk, performance, and management. |
| US Business Roundtable | II | Add to Key Responsibilities of the Board: Reviewing the company’s information governance structure. The board annually reviews the company’s information governance structure to ensure that it is adequate and responsive to the company’s risk profile and audit and disclosure needs, and is aware of changes in information profiles that may affect the company. Add to Key Responsibilities of the CEO and Management: Creating, implementing, and updating the company’s information governance structure. The CEO and management create the company’s information governance structure, implement it, and regularly assess it to ensure that it is adequate and responsive to the company’s risk profile and audit and disclosure needs. Management keeps abreast of changes in information profiles that may affect the company. |
| | IV | Board Committees; Audit Committee. Add: “Information Oversight. To ensure that the audit function is encompassing, oversight of the company’s IG program should be an explicit part of the committee’s responsibilities.” |
| UK FRC Corporate Governance Code | 1(C) | Under Board Leadership; add new provision: The board should ensure that the company has put in place an information governance structure that is appropriate for its size, industry, and risk profile, monitor implementation of the information governance structure to ensure that it is effective, and review it periodically. |
| | 4(O) | Add to Audit, risk, and internal controls, provision 29: The board should monitor the company’s risk management, and internal control systems, and information governance structure, and, at least annually, carry out a review of their effectiveness and report on that review in the annual report. The monitoring and review should cover all material controls, including financial, operational and compliance controls. |
| Germany | Rec. A.2 | Add to recommendation A.2: The Management Board shall institute an appropriate compliance management system and information governance system reflecting the enterprise’s risk situation, and disclose the main features of this system. |
| | Rec. D.3 | Add to recommendation D.3: The Supervisory Board shall establish an Audit Committee that – provided no other committee or the plenary meeting of the Supervisory Board has been entrusted with this work – addresses in particular the review of the accounting, the monitoring of the accounting process, the effectiveness of the internal control system, the information governance system, the risk management system, the internal audit system, the audit of the financial statements and compliance. The accounting particularly comprises the consolidated financial statements and the group management report (including CSR reporting), interim financial information and the single-entity financial statements in accordance with the German Commercial Code (Handelsgesetzbuch – “HGB”). |
| | Principle 15 | Add recommendation: The Supervisory Board must have knowledge of the enterprise's information governance system and ensure that they can access and obtain sufficient information. |
| | F | Transparency and external reporting; add recommendation: The company shall have an effective and robust information governance system in place that will ensure accurate timely access to all required information. |
| Singapore | 9 | Add to Principle 9: The Board is responsible for the governance of risk and ensures that Management maintains a sound system of risk management and internal controls, including information governance, to safeguard the interests of the company and its shareholders. |
| | 10.1(b) | Add to the Audit Committee’s responsibilities: reviewing at least annually the adequacy and effectiveness of the company's internal controls, information governance, and risk management systems; |
| | 12.2 | Add to guidance: The company has in place an investor relations policy which allows for an ongoing exchange of views so as to actively engage and promote regular, effective and fair communication with shareholders. This policy is incorporated into the company’s information governance framework. |
| | 13.1 | Add to guidance: The company has arrangements in place to identify and engage with its material stakeholder groups and to manage its relationships with such groups. These arrangements are incorporated into the company’s information governance framework. |
| Philippines | 11.2 | Add a new recommendation 11.2 as follows: Companies should ensure an effective system of information governance is in place, appropriate to the size and complexity of the business, that will, amongst other capabilities, enable the company to simply and cost effectively disseminate information to shareholders. |
| | 12.5 | Add to recommendation 12.5: The Chief Risk Officer (“CRO”) must have a fulsome understanding of information governance and incorporate information governance into the company’s ERM. |