Cascading good governance through the organization.

* Companies need to be sensitive to employee attitudes to corporate ethics

* UK survey reveals misconceptions underlying boardroom mindsets

* Good governance programs underpinned by a combination of enforcement, surveillance and advocacy

Since Enron and other subsequent

corporate failures, governance has become the number one issue for all stakeholders in business organisations. Just as Six Sigma (quality), Y2K (the end-of-millennium computer crisis) and Customer Relationship Management (CRM) were watershed developments at the end of the 20th century, launching a thousand corporate change programs, so governance is now top of boardroom agendas worldwide.

With the spotlight firmly on boardroom behaviour, companies in Europe, Australia and the US have begun to implement the recommendations of their various national reports (Higgs in the UK, Aldama in Spain, Tabaksblatt committee in The Netherlands, for example) and, where they are affected, the strictures of the US Sarbanes-Oxley Act, drawing up and implementing their own new corporate codes of practice.

But this is merely the tip of the iceberg. The real challenge is not the redrafting of corporate codes of conduct as such, but the effectiveness with which companies can cascade good governance down through the rank and file of the organisation. To perform their function, codes of governance must be embedded at every level of the business, front-line and back office, and in every business unit and subsidiary. Never has this been more important than now, when regulators routinely find companies in breach of ethical standards from misrepresentation to misselling.

Properly implemented, the process of clarifying responsibilities and increasing the transparency of decision making can be genuinely transforming. But poorly implemented and ill-conceived governance change programs will do more harm than good. Employee attitudes toward, and respect for, ethical standards are of critical importance when tackling these issues. No governance change program will succeed unless companies take the time to understand the ethical mindset of the organisation. Only then can a change program be implemented that meshes with the hard realities of day-to-day business.

The seven deadly myths of good governance

In practice, corporate governance comes down to relationships. People interacting with other people. People interacting with products and technology and people interacting with systems. Governance, at heart, is about human nature.

In order to find out what employees think PricewaterhouseCoopers (PwC) commissioned Market and Opinion Research International (MORI) to conduct a UK survey in January 2004. To encourage open, unbiased responses from a random cross-section of nearly 950 respondents (almost half of whom worked for large organisations of 250 or more employees), the interviews were conducted in respondents' homes (see Methodology Box).

The PwC survey set out to understand what employees feel about the way they work, what they are asked to do and how their colleagues and bosses behave. The responses were unequivocal. Perceived unethical behaviour (and fear of speaking out against it) is not uncommon within large UK companies (public and private sector alike). Organisational relationships are in need of serious counselling. Most important of all, the responses unearthed some misconceptions underlying boardroom mindsets. When asked to justify their actions around the governance issue, management resorts to a series of Pavlovian stock responses. These have been distilled in this article into Seven Myths of Good Governance, using the survey results to pinpoint the principal ways in which management is attempting to reassure itself (and the company's stakeholders) about its ability to deal with the governance imperative.

Myth 1: We have an effective code of governance

Too many companies tout their governance codes as evidence that they are taking action, without attempting to measure either how well they are understood, or how effectively they have been implemented. To an extent, these attitudes are reinforced by external commentators. Indices such as FTSE4Good, which measure companies' sustainability practices, continue to be challenged to check that codes are actually being put into operation. All this suggests we have yet to learn from recent history. It has often been reported that Enron had one of the most admired governance codes in the world. The PwC survey shows:

* 40 per cent of respondents do not believe that large companies behave in an ethical and honest manner

* employees in large companies believe that up to 20 per cent of their superiors, and 17 per cent of their colleagues, fail to follow the company's code of conduct

* 35 per cent of employees believe that they are asked to perform duties at work that conflict with their own sense of fairness or ethics

* 36 per cent of employees believe that financial or performance information is deliberately misrepresented in their organisations, at least some of the time

* 33 per cent of employees, at least sometimes, believe that their companies are misleading customers over products or services.

Myth 2: We have an effective process of internal challenge

Many companies believe that a good governance system must be constructed around an appropriate level of challenge throughout the organisation. Indeed, this 'due process' is often relied upon for effective risk management.

However, the PwC survey shows that companies should not be relying too heavily on this process as an enabler of good governance. In fact, many of those that do so are dangerously mistaken.

* 42 per cent of employees believe that speaking up on issues where they disagree with their superiors is likely to damage their career prospects (see Figure 1).

* These findings were broadly the same for employees of large companies in the public sector (41 per cent) and in the private sector (43 per cent).

* Employees in the transport sector feel most under pressure when it comes to disagreeing with their superiors (54 per cent believe that speaking up is likely to damage their career prospects).

The extent to which these employee attitudes undermine the effectiveness of existing or planned codes of conduct is likely to be significant. The findings suggest that, in a high proportion of large UK companies, existing systems of self-verification on their own may well be ineffective. By assuming that everyone feels able to speak out, management is labouring under a dangerous misconception.

Myth 3: Anyone breaking our code of conduct is soon identified and dealt with

Many companies rely heavily on internal surveillance systems to identify wrongdoers, whether via the monitoring of emails, Internet usage and sales techniques, or through a rigidly applied internal audit. Monitoring and enforcement account for by far the greatest proportion of rules and controls applied in respondents' companies (45 per cent and 24 per cent respectively).

* The bad news for management is that some incidents are probably unreported. After all, 35 per cent of employees in large companies believe that bullying and/or harassment occurs to some extent within their organisations.

* These findings have repercussions for the effectiveness of whistleblowing processes. How many employees will be willing to speak out about unethical behaviour if they are already concerned about the level of harassment (while fearing that speaking out will damage their career prospects)?

Myth 4: The majority plays by the rules

Notwithstanding the succession of high-profile examples to the contrary, companies still attempt to reassure themselves (and their stakeholders) with this fundamental belief in human nature. Touching as it may be, it ignores certain basic issues. How many companies have taken the time to investigate employee attitudes within the organisation? Where does one draw the line between ethical and unethical behaviour? And how institutionalised is wrongdoing--how many companies market their capabilities more liberally than they should and how many managers impose one rule on employees and another on themselves?

* Only 27 per cent of employees in large companies believe that all their senior managers are very honest.

* 63 per cent of employees believe that people in their organisations are exaggerating their skills or capabilities to get a job or promotion.

* 33 per cent of employees believe that people in their organisations incur personal expenses and charge them to the company.

* 32 per cent of employees believe that people are taking bribes or financial inducements at least some of the time.

The prognosis is clear--companies need to be much more rigorous about policing behaviour within their organisations (and make sure that they are being seen to do so).

Myth 5: Lax ethical standards are prevalent in other business sectors, not ours

Companies have a habit of pointing the finger elsewhere, claiming that, if problems do exist, they are unlikely to be in their own industry sector. Governance failures to date, however, have spanned a range of industries, from power to telecoms, and from financial services to foodstuffs. The PwC survey underlines just how widespread these attitudes really are.

* Sensitivity to, and awareness of, unethical behaviour is equally pronounced in the private and public sectors (with, respectively, 39 per cent and 40 per cent of employees believing that large companies fail to act in an ethical and honest manner).

* Only 14 per cent of employees in the manufacturing sector believe that their colleagues are all honest.

* 42 per cent of retail sector employees sometimes find themselves being asked to do something that compromises their own sense of fair play (see Figure 2).

* In both the manufacturing (43 per cent) and financial sectors (46 per cent), a high proportion of employees believe that people deliberately misrepresent financial or performance information.

* Seven per cent of manufacturing employees believe that people in their organisations are taking bribes or financial inducements.

Myth 6: Compliance with the law equals job done

If company boardrooms are happy with their efforts, it appears that their employees are not. Ensuring that the code of conduct complies with mandatory and recommended regulation is important, but our research shows that employees expect more than that.

* 30 per cent of employees in private sector companies would like codes of conduct to be tightened up.

* 26 per cent of employees across all large companies would like to see corporate rules and controls tightened up. Only six per cent consider them to be too tight already.

* 34 per cent of employees in manufacturing-sector companies, and 33 per cent in financial sector companies would like tighter rules and controls.

Myth 7: We understand what governance means

Companies risk confusing compliance with good governance, and good governance with ethical behaviour. To set boundaries for the organisation, management has to understand what employees are comfortable (and uncomfortable) with in the course of their day-to-day duties.

As already mentioned, around 35 per cent of all employees sometimes find themselves in situations at work where they are expected to carry out duties that conflict with their sense of fair play. If this is happening in one-third of large UK companies (or if employees think this is happening), it follows that management still has much to learn about governance.

Three key mechanisms

Effective corporate governance programs are generally underpinned by a combination of three mechanisms (although the precise balance and operation of these mechanisms may vary from company to company). They are enforcement, surveillance and advocacy.

Enforcement involves the application of stringent and enforceable controls, enabling the organisation to ensure that employees' behaviour remains within chosen governance parameters. The controls work by stopping people from breaking the codes, such as blocking access to webmail services or premium phone lines, or implementing passwords so only certain employees can carry out particular activities. A number of major companies have at some point banned their employees completely from using the Internet, arguing that this helps both security and productivity.

Enforcement is the 'big stick' of governance. It is often backed up by a culture of zero tolerance with heavy penalties for non-compliance. It is no coincidence that under regulations such as the Sarbanes-Oxley Act or the Foreign Corrupt Practices Act, external regulators use enforcement to compel companies to report the right information by the right deadline.

If enforcement is the big stick, it also has a big downside. When taken to extremes it can impose such a high degree of risk aversion that creativity and entrepreneurialism are killed. Even in today's market place, there are commercial banks whose business account managers still have no access to office email, to the intense irritation of customers. When a business gets that balance of enforcement wrong, it is the business itself that suffers.

Surveillance is closely related to enforcement; without effective surveillance, such as an accounts payable department monitoring every key stroke to record all the accounts to which a clerk is directing money, the company has no way of knowing whether the right behaviours are being enforced. Being watched may act as a deterrent, but to be truly effective surveillance must be underpinned by effective enforcement.

Other common forms of surveillance include checking the veracity of financial data and monitoring staff telephone calls, emails and Internet usage. Internal audit is a further manifestation of surveillance, checking that targets are really being met and that internal codes are being observed. In each case, the level of surveillance exercised will depend on the type of organisation, and the sensitivity or value of the data and transactions being handled.

It is interesting to note that employees in the PwC survey said they would actually welcome more surveillance, not less. They appear receptive to more monitoring of common areas of abuse such as email, Internet usage and expenses. If people know they are being monitored, they respect their organisation and any codes of conduct it espouses, more fully than if they are given free rein.

Advocacy involves management convincing employees of the underlying business benefits that spring from adherence to the organisation's chosen governance framework. It means communicating shared values and universally beneficial behaviours across the organisation, and encouraging people to challenge one another and, where necessary, to blow the whistle on wrongdoing.

The critical issue here is behaviour. If a member of management behaves in a way that is contrary to the code that he or she is waving around, people will follow the behaviour, not the code. The same principle applies across an entire business, as has been clearly demonstrated in recent corporate governance scandals. Corruption has to begin somewhere, and an organisation will take its lead from the way in which senior managers behave. If people do not trust the management, then advocacy will not work. So advocacy has an implied element of transparency within it--while other mechanisms are based on penalties, it rewards and recognises people for doing a good job. In essence, it is about rewarding good behaviour, as opposed to penalising bad behaviour.

The Governance Framework

To enable companies to take a behavioural snapshot of where they are now, as well as identifying where they need to move to and what mechanisms they must apply to get there, we have developed a Governance Framework (see Figure 3).

Using this, companies can pinpoint their existing ethical mindset (whether organisation-wide, in individual business units, or in overseas subsidiaries), as well as identify an appropriate balance between the three governance mechanisms: enforcement, surveillance and advocacy. It is also an aspirational roadmap--setting out the route that the organisation needs to follow if it is to move to the optimum mindset.

It is essential that a company understands the degree of propriety in its own organisation before it begins to implement any kind of governance change program. A one-size-fits-all formula will not work. Programs need to be drafted and honed specifically for the needs of the organisation: the areas of its operations, its past history and the attitudes of its employees.

By categorising corporate behaviour as one of three essential types, Institutionalised Impropriety, Isolated Roguishness and Consistently Principled, the framework forces companies to analyse their own cultures (or those of their individual business units/subsidiaries/front- or back-office functions).

At one end of the spectrum, cultures are characterised by Institutionalised Impropriety, with unethical behaviour endemic in material areas of the organisation. These organisations (Enron, for instance) demand constraining and punishment-based governance mechanisms.

The middle ground is occupied by organisations where Isolated Roguishness threatens to undermine the common good. These organisations tend to have their moral codes set by autocratic leaders who only accept advice from those they regard as 'virtuous'.

And at the far end, Consistently Principled organisations tend to replace over-reliance on control regulations with a greater reliance upon self-regulation. Good corporate governance is fostered by the adoption of 'inclusive procedures'.

Where your organisation fits into the Framework will not only define where you are now, but what actions you need to take to embed effective governance throughout the business. Whereas one might have expected to see most UK companies nestled at the Consistently Principled end of the scale, our UK survey data appears to suggest that they are clustered more towards the centre (with an approach geared mainly toward the risk of Isolated Roguishness). Our evidence suggests that large UK companies are suffering from a degree of 'governance drift' which could be corrected through increased surveillance and the appropriate use of the resulting information.

For governance to be effective, a company needs to be sensitive to employee attitudes to corporate ethics. Above all, it needs to encourage an environment in which employees are not afraid to question and challenge instances of corporate impropriety. And it needs to ensure that employees understand the implications of their code of governance on expected behaviour. Increased clarity as to how the enterprise works will improve reputation and minimise the likelihood of any largescale meltdowns of the type which have dominated recent headlines.

Glen Peters, who oversaw the research described in this article, is a partner of PricewaterhouseCoopers and leads the Reputation Trust, a coalition of companies interested in pursuing best practice in upholding corporate reputation. This article was originally published in European Business Forum (EBF), www.ebfonline.com, Issue 17, Spring 2004 and is reprinted with permission.

How Goldman Sachs reinforced its code of governance

A consistent ethical culture has always been very important at Goldman Sachs. The investment bank has 14 business principles that refer, among other things, to 'integrity and honesty' which are at the heart of their business. Its founder Marcus Goldman initially fostered these principles and in the 1970s they were codified in precise language by John Whitehead and John Weinberg. These seemed to serve the firm well for nearly three decades until Goldman Sachs went public in 1999. At this stage the company expanded rapidly from around 11 000 employees to nearly 25 000. The firm had to find another way to ensure that these principles were understood and observed by the thousands of new employees that joined the firm in a short space of time.

A Compliance and Reputational Judgment program is in the process of being rolled out to all its employees. Small groups of 10 or 20 people, usually led by a business unit leader, consider the principles and use them to resolve business dilemmas.

Whistleblowing at Rio Tinto

Rio Tinto, a company that operates in a high-risk industry, seeks to create a 'pervasive culture of safety'. Besides investing heavily in embedding core business principles throughout the organisation, the company also provides a whistleblowing procedure that allows its employees to report anonymously on non-compliance (via a third-party source). This is a courageous statement of intent by the management--it recognises that, for whatever reason, some employees will feel intimidated by having to report non-compliance through company channels.

This is in sharp contrast to the many reported governance failures over the last few years in organisations where the lack of appropriate whistleblowing procedures have destroyed corporate reputations.

Strengthening the framework inside BP

A prime example is BP, where group chief executive Lord Browne has taken a firm stance on governance, by stressing the hard business benefits that result from applying ethical values and behaviour across everything it does. The company takes the view that the board divests the responsibility for governance to the CEO. He in turn needs to cascade that responsibility clearly through the organisation.

In 2003, BP launched a program to strengthen and reinforce its internal governance framework for three reasons:

* there was a perceived global phenomenon of an erosion of public trust in large corporations

* the increased regulatory burden, particularly in the form of Sarbanes Oxley and Higgs, required companies to be sure that their controls were adequate

* there was a need to consolidate the nine companies that BP had acquired or merged with, in order to leverage the combined human capital.

While the legendary performance culture was to stay in place unchanged, the company sought to strengthen its process of internal challenge, give more voice to the functions, and create a one-enterprise culture. The first phase of the program involved a series of workshops around the world with the top 600 managers in the firm's leadership. The workshops sought to introduce the governance framework and to discuss the change in behaviours and the impact on the everyday operations of the company. Lord Browne and members of his top executive appeared and facilitated many of these workshops to get the message across and to hear views from the leadership.

Based on the experience of the first leadership phase, the program has now proceeded to the next tranche of several thousand employees worldwide. By this process of engagement, the revised governance framework will be communicated to all employees.

A strong example of advocacy at work.

Figure 1: Employees' fear of challenge

Question:

'Where you work, speaking up on issues where you disagree with
the senior management is likely to damage your career prospects?'

                 Agree   Disagree

         Total    42%       43%
 Public sector    41%       45%
Private sector    43%       43%
 Manufacturing    48%       42%
     Transport    54%       35%

Base: 439 working in large companies

Note: Table made from bar graph.

Figure 2: Conflicts with personal ethics are evenly spread

Question:
'How often, if at all, do you find yourself in situations at work
where you are asked to do something that conflicts with your
own sense of fairness or ethics?'

                 Rarely/Never   Sometimes   Very/Fairly often

         Total        63%          23%            12%
 Public sector        61%          26%            10%
Private sector        64%          21%            13%
        Retail        56%          26%            16%
     Financial        73%          19%             7%

Base: 439 working in large companies

Note: Table made from bar graph.

Figure 3: The Governance Framework

DEGREES OF IMPROPRIETY

GOVERNANCE    Institutionalised            Isolated
MECHANISMS    Impropriety                  Roguishness

Advocacy      * Encourage whistleblowers   * Public hangings
                                             for transgression
                                           * Reward good behavior

Monitoring    * Monitor non-compliance     * Review deep-dive forensic
              * Review controls              investigation
                                           * Monitor critical process

Enforcement   * Penalise non-compliance    * Zero tolerance
              * Rigorous control           * Independent auditing
              * Segregation of duties

GOVERNANCE    Consistently
MECHANISMS    Principled

Advocacy      * Clarify business case
              * Communicate values
              * Promote behaviors

Monitoring    * Measurement
              * Process improvement

Enforcement   * Self-verification
              * Emphasise accountability

Glen Petes, Partner, PricewaterhouseCoopers

RELATED ARTICLE: Methodology.

This article is based on the findings of the Operational Aspects of Corporate Governance Survey carried out by MORI on behalf of PwC in January 2004. Interviews were conducted face-to-face using the CAPI (Computer-Aided Personal Interview) technique. Data was weighted to reflect the profile of the national population of Great Britain aged 15-plus. The predicted accuracy for this sample is +/- 5 per cent. The survey details were as follows:

* number of respondents in full- or part-time employment: 933

* number of respondents in large organisations upon which our analysis is based: 439

* public sector: 206

* private sector: 233

* services: 163

* manufacturing: 66

* transport: 27

* retail: 60

* financial: 23

* other services: 57

* others: 15.