June 22, 2017
As many banks and other companies have painfully experienced over the years, exercising due oversight and control over subsidiary companies can be difficult. Firms with foreign subsidiaries face extra control challenges due to a lack of global harmonisation around legislation and regulation as well as cultural barriers. Companies cannot rely solely on legal and regulatory norms applied at the parent level and need to be cognisant of local regulation and customs.
If you are a board member of the parent company, how can you ensure that your business controls are adequate throughout the organisation?
Establishing effective control of integrity risks
Whilst not a substitute for proper systems, checks & balances and limits, the importance of the corporate integrity risk culture as a critical element of the control framework cannot be overstated. This has several aspects worth visiting. Firstly, and at the risk of stating the obvious, to benefit from a strong corporate integrity risk culture you must first have one. The observation that few companies can boast a genuinely robust risk culture, let alone one that addresses integrity challenges, is testimony that building one is a painstaking, long-term and strategic endeavour. The rewards are manifold but the journey is fraught with pitfalls.
As usual, it all starts at the top. At the parent company level, the board must consider it one of their key responsibilities to take fiduciary guardianship of the integrity risk culture as a corporate heirloom that needs their continued attention. The board also needs to accept being both beacon and lightning rod in adapting the risk culture to changing environments and in ensuring it is future-proof. Further, a governance structure should be in place that supports oversight and strategic leadership around integrity risk awareness.
The board should build a picture of desirable behaviours and continuously assess what management is doing to embed the right behaviours throughout the organisation. But making behaviours an integral part of decision-making throughout the company is easier said than done, especially when cultural differences come into play. What seems evident or culturally acceptable in one language or country might not necessarily make sense or be acceptable in another. The board must also provide leadership in this area. This means:
- Providing clarity on what constitutes desirable and undesirable behaviour.
- Being a role model (the ‘tone at the top’). The better and more consistent the examples given in an organisation, the more likely desired behaviour will be replicated.
- Encouraging openness and transparency. If people feel secure to talk about moral issues, they are more likely to learn from each other.
- Showing commitment. When people are treated with respect and are engaged, it is more likely they will serve the organisation’s interests.
- Rewarding desirable behaviour and sanctioning undesirable behaviour – consistently.
Returning to subsidiary governance, it is essential that corporate integrity risk culture at the subsidiary level is assessed when considering an acquisition to ensure it is, or can become, compatible with the desired company culture. Once the acquisition has been completed, the corporate culture and desired behaviour must be cascaded to the new subsidiary in a deliberate and resolute manner.
In addition to embedding a strong, credible integrity risk culture, the board needs to ensure it has a comprehensive picture of the risks at a subsidiary level to provide effective oversight. Active, multi-disciplinary engagement, open communication and transparency are key requirements. This also means the board should be gathering information from a range of sources, such as HR, Internal Audit, Compliance, Risk and the most valuable of all: first-hand experience – site visits.
Whilst there is no single solution to subsidiary governance, the practice at successful firms may provide some useful pointers:
- Make subsidiary governance part of the parent board agenda;
- Ensure that corporate governance is an integral part of the risk management framework;
- Closely monitor the level of compliance at the subsidiary level and address any areas of weakness diligently;
- Prioritise which subsidiaries require most attention;
- Consider appointing a chief governance officer with responsibility for subsidiary governance.
* Adapted from “Subsidiary Governance: The Elephant in the Room”, Peter Swabey, Risk & Compliance Magazine Apr-Jun 2017