Sean Lyons – Principal at R.I.S.C. International – Ireland
In the minds of many stakeholders, an organisation has a corporate responsibility to defend its stakeholders’ interests. This responsibility includes safeguarding, protecting and valuing the interests of all of its stakeholders, with a view to ensuring the long-term sustainability of stakeholder value. This responsibility begins with the board.
The financial crisis of 2008 and the subsequent economic recession highlighted serious weaknesses in corporate business models and exposed a mindset of excessive risk taking in search of short-term rewards at the expense of achieving longer-term sustainability. Such recklessness has severely tarnished the reputation of the corporate world in the eyes of many of its stakeholders.
Consequently there has been increased stakeholder focus on, and scrutiny of, boardroom affairs, with many stakeholders now demanding higher standards of board oversight in order to provide them with better protection and greater assurance going forward.
An old sporting aphorism states that “offence wins games, defence wins championships”. In business, the ability to deliver sustainable value to stakeholders requires a subtle blending of both value creation (offence) and value preservation (defence) efforts. This requires an understanding of these two antagonistic yet complementary principles, which are inherently intertwined and mutually interdependent within a dynamic environment. It requires an appreciation that these two principles represent two sides of the same coin and therefore cannot and should not be addressed in isolation from one another. Now more than ever, 21st century business requires a balanced integration of both value creation and value preservation at all levels of the business.
At a strategic level this should begin with a healthy corporate strategy that reflects a balanced focus on both value creation and value preservation. Unfortunately the financial crisis clearly highlighted the existence of an unhealthy imbalance in this regard. It is now apparent that in the build-up to the financial crisis too many boards were preoccupied with focusing on short-term value creation at the expense of long-term value preservation.
Value Preservation Imperative
Value preservation is widely associated with the notions of guardianship and protection. In its broadest sense it encompasses an organisation’s collective efforts at self-defence. The concept of the value preservation imperative refers to the necessity to defend the organisation itself and the interests of its stakeholders. This requires safeguarding against a multitude of potential hazards (risks, threats and vulnerabilities), the occurrence of which could be detrimental to the achievement of the organisation’s objectives and consequently to its long-term sustainability. This includes the board being able to successfully demonstrate that it has taken all reasonable steps to ensure that there is a robust corporate defence programme in place to help achieve its stakeholder obligations.
Every day in the media we see scandals whereby organisations have found themselves in difficulties entirely of their own making. These are often the result of an event or series of events that in retrospect the organisation could have and should have better anticipated, prevented, detected or reacted to. Typically these scandals have exposed deficiencies and weaknesses in their corporate defence programmes that have led to unnecessary large-scale losses, significant reputation damage and a negative impact on stakeholder value. Clearly from a stakeholder perspective corporate defence represents a very important challenge that needs to be adequately addressed by the board. In fact some stakeholders would argue that the board’s true valuation of their stakeholders is most clearly reflected in the organisation’s corporate defence efforts.
A truly comprehensive defence programme represents an umbrella approach used to address an organisation’s collective programme for self-defence and reflects how it is organised to safeguard its stakeholder interests. In practice, defence programmes can typically vary from being a formal structured programme that is strategically aligned, to an informal unstructured programme relying on ad-hoc efforts. They can vary from structures where all defence-related activities (see Figure 1) operate as integrated functions, to structures where they operate as standalone silo-type functions in isolation. They can vary from proactive programmes requiring discipline, diligence and vigilance, to reactive programmes that are based on day-to-day fire fighting, troubleshooting, emergency operations and continuous crisis management.
Prudence would suggest that effective defence requires a formal defence programme. A formal systematic approach can help an organisation to ensure that all defence-related activities are cross-functionally co-ordinated. Such a structured programme can help to better defend the organisation by creating a hardened system of “checks and balances” thereby enabling the organisation to better safeguard stakeholder interests and better protect stakeholder value.
Designing a Formal Defence Programme
A formal defence programme should begin with a formal corporate defence strategy which is approved by the board. This will help to ensure that all defence-related activities are in alignment with one another, and perhaps more importantly are in alignment with the organisation’s business strategy. In essence corporate defence requires a strategic focus as the “tone at the top” filters down the chain of command and sets the defence culture for the organisation.
Designing a defence programme requires a holistic perspective. It should be structured to provide an appropriate system of checks and balances to help ensure that an organisation’s defence-related activities are strategically aligned, tactically integrated and operating in unison towards common objectives. This should include an assessment of the alignment and integration of the related tactical planning, organisational infrastructure and technological architecture.
The Critical Corporate Defence Components
The board in particular needs to be aware of, understand, and appreciate each of the critical components of a corporate defence programme and the purposes they serve. A corporate defence programme involves the collective management of all these components in order to help maximise their potential added value. Their collective management is required as recent developments in each of these disciplines have meant that the boundaries between these activities have become somewhat blurred, and therefore it is now increasingly difficult to determine where one component ends and another begins, as each includes elements of the others.
Effective corporate defence requires an appreciation of the continuous interaction, interconnections, and critical interdependencies which exist between these disciplines and the potential cascade of consequences which can result. It requires an understanding that these complementary components, and the way they are managed, continuously impact on one another in this increasingly complex corporate ecosystem. In fact the symbiotic nature of their relationships means that each contributes to, and receives from, each of the other disciplines.
The Five Lines of Defence Approach to Corporate Oversight
Success in corporate defence requires vigilance and oversight in order to manage these multi-dimensional activities across the entire organisation, both vertically (top-down bottom-up) and horizontally (cross-functionally). A corporate oversight framework needs to provide a clear structure of accountability and a solid foundation from which to both safeguard stakeholder interests and optimise stakeholder value.
In order to gain a measure of comfort that the critical components are being appropriately addressed within the organisation, stakeholders increasingly rely on various lines of defence (LOD) (see Figure 2) to be in place and to operate as effective oversight layers within the organisation. A LOD oversight approach is intended to operate on the principle of providing transparency in the assignment of oversight responsibilities and in holding individuals (or groups) to account for these responsibilities. The logic of a LOD approach is that each LOD has “skin in the game” and has the capability to provide separate and additional levels of comfort which can be relied upon in the event that a subordinate LOD fails to operate effectively.
Operational Line Management has responsibility for overseeing the daily operations of staff, services, practices, mechanisms, processes, and systems.
Tactical Oversight Functions monitor, facilitate and coordinate the consistent, competent, adequate, and effective operation of defence activities established by operational line management. Examples include the compliance, risk management and internal control functions.
Independent Internal Assurance provides the board with a level of independent assurance in relation to the effectiveness of the activities of the other lines of defence. Examples include the audit committee, risk committee and the internal audit function.
Executive Management provides assurance to the board that the objectives of the organisation are being achieved by providing adequate oversight of those they manage and by ensuring that the organisation’s activities are consistent with business strategy and policies approved by the board.
The Board is responsible for overseeing the activities of the organisation and is accountable to the shareholders for the organisation’s strategy and performance. This includes overseeing the activities of its standing committees and executive management.
It is essential that each LOD recognises that it has specific responsibilities in relation to each of the critical corporate defence components. These responsibilities begin at the boardroom but run right through the organisation all the way to the front line, the 1st LOD. Corporate defence is ultimately a team sport in which each LOD is accountable for helping to safeguard the diverse interests of the multiple stakeholders. To operate effectively each LOD must play its part both individually and collectively (the chain is only as strong as its weakest link) thereby fulfilling their oversight duties within a holistic framework.
The Corporate Defence Management (CDM) Framework
A truly holistic perspective requires a conceptual understanding and practical appreciation of how to successfully integrate the critical defence components at each LOD. The CDM framework represents a multi-dimensional model which can help an organisation to visualise this integration while also helping to understand their continuous interactions, interconnections and critical interdependencies (see Figure 3). The implementation of the CDM framework can help to better manage the critical defence components by unifying, aligning and integrating them at strategic, tactical and operational levels. Such a framework enables the board to provide appropriate oversight to address the organisational challenge of transparency over corporate defence responsibilities and accountabilities.
The introduction of such a systematic defence programme can help an organisation arrive at balanced, informed decisions and help to support the achievement of business objectives. Collectively the individual defence components, working together in unison within an LOD framework, can help provide the organisation with both defence-in-depth and defence-in-breadth, thereby helping to create a more robust and resilient organisation.
Ultimately the robustness of an organisation’s corporate defence programme will be influenced by the programme’s level of formality and maturity. Functioning properly however, the CDM framework can help to ensure that the organisation is fulfilling its fiduciary duties, legal obligations, and moral responsibilities, while at the same time helping to create durable value and sustainable economic performance. The existence of a formal corporate defence programme can therefore be regarded as a proactive statement of intent by the board to address existing stakeholder concerns.
About the author
Sean Lyons (R.I.S.C. International Ireland) is globally recognised as a corporate defence pioneer and thought leader. He is published internationally, and has lectured and spoken as a subject matter expert at seminars and conferences in Europe, North America and Asia. As the architect of the cross-functional discipline of corporate defence management (CDM) he is widely regarded as the foremost authority in this emerging field. With more than 20 years’ experience in corporate defence activities he is a firm advocate of the requirement for corporate defence to play a more prominent role in corporate strategy. In 2013 Sean was the invited keynote speaker at the Asian Confederation of Institute of Internal Auditors (ACIIA) Chief Audit Executive Leadership Forum in Mumbai. In 2011 he was an invited member of the International Corporate Governance Network (ICGN)’s taskforce on promoting the “ICGN Corporate Risk Oversight Guidelines”. In 2010 Sean was shortlisted as a finalist in the GRC MVP 2009 Awards run by the US based GRC Group (SOX Institute) which was co-chaired by Senator Paul Sarbanes and Congressman Michael Oxley. These awards recognised individual achievements and professional contributions in governance, risk management, and compliance, and honoured professionals who demonstrated excellence in this field. Contact author at firstname.lastname@example.org