Executive salary caps are a red herring

Posted in Governing Programmes and Projects, News and Features on October 15th, 2009 by Raymond Young

Reflections on AICD seminar: ‘Directing Tomorrow Today’

The Australian Institute of Company Directors (AICD) has over 23,000 members, but fewer than 140 CEOs earn more than 10 times the average salary according to the Productivity Commission. Why should the other 22,860 members support AICD efforts to oppose government legislation on salary caps for executive pay? Does the AICD only represent the top 150 ASX companies or are directors simply out of touch? (and I am one of them!)

You cannot blame the government for trying to curb the excesses that led us into the GFC. It was inevitable new legislation would be introduced. The public are angry and now that the economy is starting to recover, they expect something to be done.

Since the beginning of this year I have been urging boards and their management teams to be proactive and not wait for knee-jerk legislation (Preparing directors for the governance backlash). Anyone can make a mistake and we needed to restore confidence. We needed to show the public we can be trusted to self regulate and effectively govern the things that really matter. Recent AICD seminars on ‘Directing Tomorrow Today’ raised the question for me of whether we have the stomach to do the job.

Two statistics highlight the issue: (a) 60-75% of business failures are due to managerial incompetence[i], (b) 50-67% of all project investments deliver no business benefits whatsoever[ii]. Projects matter because they are the primary way of delivering strategy. I haven’t met anyone [yet] who deliberately sets out to fail yet these statistics are endemic. The problem relates to managerial over-optimism [iii] and surely it is the board that has to take overall responsibility to see it is addressed.

The AICD oppose legislation on remuneration because it is a primary role of the board to ensure risk is aligned to reward (and their implication is that additional legislation is unnecessary). However, the problem is a lot older than the GFC, and there has been no shortage of advice pointing in the right direction (How much governance is enough?). During the AICD seminar the discussion focused on the appointment of the CEO and how they would be remunerated, but failed to recognise the problem needs to be dealt with at more than the CEO level. Boards need to implement workable solutions to ensure risk is matched to reward for all strategic initiatives and intercede often enough to ensure their managerial team deliver what they promise. There is even an Australian Standard providing guidance on how to do this: AS8016, HB280.

So the new legislation on executive remuneration, in my opinion, is a red herring. Our inaction has forced the government’s hand to do something. Are we our own worst enemy in not being able to self regulate on the things that actually matter?

Let me repeat some advice offered at the beginning of this year:

  • Following the GFC – governance practices will almost certainly be questioned
  • New governance requirements are likely to be introduced
    • Historically new requirements are introduced reactively
    • There is a risk new requirements will not add value
  • We should anticipate these developments
    • It takes longer for management to respond than for the board to ask
    • We should identify the key areas that need to be governed
    • We should check we have effective systems to monitor the key areas, and introduce new mechanisms where necessary
    • Governing major projects is one area worthy of attention
    • New Standards AS8016, HB280 have much to offer.

[i] M Van Vugt, “Follow me,” New Scientist 198 (2008): 42-45

[ii] R. Young, “What is the ROI for IT Project Governance? Engaging the board and top management.,” in 2006 IT Governance International Conference (Auckland, New Zealand, 2006)

[iii] D Lovallo and D Kahneman, “Delusions of success: how optimism undermines executive’s decisions,” Harvard Business Review 81, no. 7 (2003)

Risk, control and trust in Enterprise 2.0

Posted in Communicate / Collaborate on September 28th, 2009 by Leanne Fry

Risk, control and trust. Add any of these words to a business proposal, as issues to be addressed, and you can guarantee someone is going to be nervous.

Dion Hinchcliffe recently highlighted how these three issues were starting to push their way through the excitement of Enterprise 2.0 to become potential show-stoppers. For many organisations they may be already.

He was responding to blogs by Andrew McAfee and Dennis Howlett on what, precisely, Enterprise 2.0 was trying to solve.

In the context of products, customers, services, processes and governance, those three elements – risk, control and trust – are fundamental to a successful business.

And Enterprise 2.0 proponents should also keep in mind that for certain organisations, the penalties for failing to manage risk, to control what needs to be controlled or for breaching trust are significant and substantial. For some organisations operating in a highly regulated environment, brand or reputation damage from a YouTube video or Facebook group may be just the start of the problem.

Risk, control and trust in business aren’t bad. In fact, when you think about it, they are assumptions that underpin a customer’s willingness to engage with you. Aren’t they?

As McAfee observes, it is unhelpful and wrong to ‘… portray hierarchy, standardization, and management as enemies of innovation, creativity, and value creation.’ I’ve worked in organisations where a finely tuned balance of all of those elements made for a rich, rewarding and successful business.

As I see it, the challenge for Enterprise 2.0 is that the way it achieves things – the process, the interaction, the players and the speed – is so different to an organisation’s current risk/control/trust paradigm. And that happens at both the corporate level, where Ent 2.0 slams up against process, sign-off, hierarchy, and regulation, and at the personal level, where workers function every day using control, knowledge, and well trodden paths of interaction.

There are now numerous examples of Enterprise 2.0 tools facilitating the core business of an organisation, and McAfee lists many in his post.

So the objectives, and rationale, and expected outcomes must be clearly defined, at both corporate and personal levels. And all the enablers (people, process, culture, organisational) must be understood and either in place, or able to be dealt with. Which probably means that Enterprise 2.0 initiatives in many organisations should start as discrete, self-contained, well thought out pieces of work. The degree of change required to fully leverage them is broad, and touches on so many important aspects of an organisation. Given that the ROI of Enterprise 2.0 is arguably still in its infancy, for many organisations the risks will continue to outweigh the benefits.

How much governance is enough?

Posted in Governing Programmes and Projects, Practice Areas on August 19th, 2009 by Raymond Young

Governing IT and project risk

Boards have been looking for credible advice for some time now on how to deal with IT risk [i]. The jury is still out – deliberating how much time should be spent governing IT and IT projects. Research released today may have tipped the balance towards more rather than less [ii].

Evidence gathered over a 10 year period has shown that IT project failures result in a 2% average drop in the share price. The fall is somewhat greater if it is a failure of a new project and less if it is an operating failure with a current system. Investors were shown to be quite well informed with larger falls when the failure was more severe and more again when there has been a history of failures.

So how much time should be spent governing IT projects? Today’s research suggests it is the amount justified to minimise the likelihood of a 2% fall in the share price, with particular focus on new projects and avoiding repeated failures. It is clearly not the minimal amount of time that Deloitte have identified as the practice with many boards, that in their words is “tantamount to negligence” [iii].

Boards approve around 40% of all projects [iv] and the minimum standard must be (a) at the time of funding to ask four of the six key questions recommended by Standards Australia [v] and (b) to address the remaining two questions by having mechanisms in place to monitor performance.

The guidelines (tabled below) are clearly more to do with good governance than rocket science. However, the statistics reported in the table also show that not one of the guidelines is addressed adequately more than 40% of the time[vi]. The best interpretation of these statistics is that less than 0.2% of projects are governed effectively. Surely we can do better.

Key governance criteria | % time effective
(1) clarify what success looks like |
(2) understand the scale of change required to realise the benefits |
(3) confirm the sponsor is personally motivated to drive through the necessary change and accountable for the business benefits |
(4) determine how to measure and reward success |
(5) have a culture to listen and resolve unexpected problems |
(6) monitor benefits realisation and intercede as necessary | 0 – 13%

Note: The HB280 guidelines are usually a good starting point for most organisations. There will be times when more detailed help might be required and we have developed the 6Q Governance™ toolset to help institutionalise better practice. However, our approach is focused on the transfer of skills/competencies and not dependent on any tools.

[i] R.C. Young and E. Jordan, “Lifting the Game: Board views on e-commerce risk,” in IFIP TG8.6 the adoption and diffusion of IT in an environment of critical change, (Sydney: Pearson Publishing Service, 2002), pp. 102-113

[ii] Anandhi Bharadwaj, Mark Keil, and Magnus Mähring, “Effects of information technology failures on the market value of firms,” The Journal of Strategic Information Systems,  18 (2009), 66 – 79

[iii] Deloitte, What the Board Needs to Know About IT: Phase II Findings: Maximizing performance through IT strategy (Deloitte LLP,  2007)

[iv] KPMG, “Global IT Project Management Survey: How committed are you?.” 2005

[v] R. Young, HB 280-2006 Case Studies – How Boards and Senior Management Have Governed ICT Projects to Succeed (or Fail) (Sydney: Standards Australia,  2006)

[vi] References are available but not included to manage word length. Academic references have been cited over industry sources to increase rigour. Please contact the author for details.

A brief history of corporate governance

Posted in Governing Programmes and Projects on July 27th, 2009 by Raymond Young

Governance legislation since the Great Crash of 1929 has largely been enacted in response to corporate excess. Arguably, the objective of the legislation has had more to do with reassuring the public than reducing risk.

Most authorities point to the UK Cadbury report (1992) as the source of our modern ideas of corporate governance. The Cadbury report was a reaction to the collapse of BCCI, Polly Peck and Maxwell Communications. Like much of the corporate governance legislation to follow, the resultant Cadbury Code was responding to executive excess.

Australia’s Bosch Report (1995) followed the collapse of Rothwells, Elders, Bond Corporation, Tricontinental, Pyramid and Qintex. The unfettered actions of mavericks such as Laurie Connell, John Elliott, Alan Bond and Christopher Skase are now part of corporate legend.

Governance responses to corporate disasters

Corporate Disaster | Response | Main Details
Maxwell (1991), BCCI (1991), Polly Peck (1991) | Cadbury (1992) | Directors’ responsibilities include safeguarding the assets of the company and preventing and detecting fraud and other irregularities
Rothwells (1986), Elders (1986), Bond (1987), Tricontinental (1989), Pyramid Building Society (1990), Qintex (1990), State Bank of VIC (1991), State Bank of SA (1992), AWA (1992) | Bosch (1995); ASIC (1989) | tough penalties against directors who breach their duties of care, diligence or do not comply with the legislation, especially so in relation to insolvent trading
Zeebrugge Ferry (1987), Kings Cross Fire, Lockerbie air disaster (1988) | Hampel (1998), | Directors should have responsibility for all aspects of control and a duty to establish a robust system of risk management
Barings (1995), Allied Irish Bank (2002), NAB (2004) | Basel |
HIH (2001), One.Tel (2001), Harris Scarfe (2001), Ansett (2001) | CLERP9 |
Enron (2001), WorldCom (2001), Tyco (2001), Adelphia (2001), Qwest (2001), Parmalat | Sarbanes-Oxley (2002) |
AWB (2004), James Hardie (2004) | |

Cadbury in the UK, COSO in the US, COCO in Canada, King in South Africa and Bosch in Australia, marked an end to the old boys club. Directors were made firmly accountable for preventing and detecting fraud. The 1992 AWA case in Australia lifted the stakes further in the Commonwealth countries. The ruling established that the law does not differentiate between executive and non-executive directors with all being equally liable.

Sarbanes-Oxley represents the most recent knee-jerk reaction to the collapse of Enron, WorldCom, Tyco, and so on. Many feel this legislation is deeply flawed and at least one major Australian organisation has delisted from the US stock exchange rather than comply with unnecessary requirements.

The Commonwealth countries have followed a different path with ‘comply or explain’ regimes of corporate governance. The UK’s Combined Code is probably the best example, and represents the maturing of the Cadbury Code following the Hampel, Turnbull and Higgs reviews.

Australia followed a parallel path with the CLERP9 reforms to the Corporations Act (2001) following the collapse of HIH and One.Tel. However, reforms have not been uniform and the resulting regulatory landscape is considered by the Australian Institute of Company Directors (AICD) to be one of the most complex in the world.

There are the ASX guidelines for listed companies, the generic Australian standard AS8000 for all companies, and applied industry guidelines relating to issues such as doing business on the internet (security, privacy and spam). There is also competing and sometimes conflicting legislation at both state and federal levels. This includes the Tax Act and related accounting standards, the Trade Practices Act which is prosecuted vigorously by the Australian Competition and Consumer Commission (ACCC), environmental legislation at state and federal levels that is also prosecuted to make an example of any transgressions, the Anti-money Laundering and Counter Terrorism Act and various conflicting state legislations around occupational health and safety, bullying and anti-discrimination, and so on. The most severe jurisdiction is arguably in the ACT where directors can be imprisoned for up to 20 years for industrial manslaughter.

The legislative line is very punitive with directors and officers assumed to be guilty and needing to prove they have taken every reasonable precaution. A culture of compliance is advocated by the AICD as the best defence.

Impact of the financial crisis on governance

Posted in Governing Programmes and Projects on July 27th, 2009 by Raymond Young

The financial crisis has regulators, governments, and the media focused on economic stimulus. However tough questions will soon be asked about what went wrong. Ineffective governance will be one of the first targets, and it won’t be just the financial sector that faces increased scrutiny[1].

Few doubt that effective governance has value, but to paraphrase Warren Buffett “the tide has gone out, and Sarbanes-Oxley for example, looks like it was swimming naked”. Investor confidence has not increased, management accountability is being called into question and the tens of billions spent by boards for compliance has not stopped or prevented the crisis.

For years, as an academic and as a director, I along with many others have been pointing out the flaws of governance only for the sake of compliance. Most governance prescriptions are a response to corporate excesses and enacted to reassure the public, and few prescriptions actually improve performance or reduce risk[2].

Now the tide is out, higher levels of scrutiny must be expected. What will it expose? I believe the corporate governance of major projects will stand out as one of the highest priorities for attention.

Management of large-scale expenditures is a fiduciary duty requiring careful oversight. However a Deloitte survey of boardroom directors revealed oversight of IT projects was either “blind” (29% with inadequate information) or non-existent (16%)[3]. They warned in 2007 that the results were “tantamount to negligence” and the AICD have long reported statistics suggesting the problem is more widespread[4] (Figure 1). My own research suggests that as many as two out of three projects fail to deliver the expected benefits[5]. Increased scrutiny could reveal the real failure rate. However what might be worse in the current financial environment is to have two out of three strategic initiatives fail to increase revenue, enhance customer service or reduce cost and threaten survival.

To survive, thrive and also to minimise the governance backlash, the first step must be to get the right information needed to govern effectively. The board bears the responsibility to set clear guidelines and expectations about the kinds of information they want to see filter up. What benefits are being targeted? [how is this consistent with our strategic priorities?] Do we have the organisational capacity to realise these benefits and what other risks are involved? How will we measure success? Do we have the right person driving the change? Are there any warning signs that the project is going off track? Are the benefits being realised? These questions seem simple but none of the directors I have spoken to had an effective process to terminate failing projects. Benefits are usually quantified (66%), but they are often overstated (27%)[6], change is not always considered (40%)[7], individuals are not held accountable (5-23%) and few organisations track benefits through to realisation (10%)[8]. Organisations do not focus on the true determinants of success.

In the absence of guidance, management has turned to so-called ‘best practice’ and focused on efficiency measures such as on-time and on-budget. Unfortunately on-time on-budget reporting was never the most appropriate focus for governance. It is certainly not enough in this new world. Only effectiveness will count because average or below-average performance will not guarantee survival. Above-average performance gained through acceptable levels of risk is the true objective of governance[9], the standard to which the board must aspire and the standard to which management must be accountable. Governance effort for compliance only, even if it is with a so-called ‘best practice’ framework, is a governance luxury we can no longer afford.

[1] 2009 Corporate Governance Conference: New Risk, Accountability and Leadership Challenges. Toronto 6-7 May
[2] See related article providing A brief history of corporate governance 15 July 2009
[3] What the Board Needs to Know About IT: Phase II Findings (Deloitte, 2007)
[4] D. Lovallo and D. Kahneman, “Delusions of success: how optimism undermines executive’s decisions,” Harvard Business Review July (2003): 58
[5] R. Young, “What is the ROI for IT Project Governance? Establishing a benchmark.,” in 2006 IT Governance International Conference (Auckland, New Zealand, 2006)
[6] Chad Lin, Graham Pervan, and Donald McDermid, “IS/IT investment evaluation and benefits realization issues in Australia,” Journal of Research and Practice in Information Technology 37, no. 3 (2005): 235-251
[7] KPMG, “Global IT Project Management Survey: How committed are you?,” 2005
[8] John Thorp, “Unlocking Value – Delivering on the Promise of Information Technology,” in Delivering Value, 2008
[9] F.G. Hilmer, Strictly Boardroom: improving governance to enhance company performance (Melbourne: The Business Library, 1993)