Eliminating Bureaucracy – Modernizing Public and Internal Control
Yesterday I had a light-bulb moment as I was listening to Humanocracy, written by Gary Hamel and Michele Zanini (of the London Business School and the Management Lab). As a developer of standards and internal control my career may, to many, be perceived as a promoter of bureaucracy. Hamel and Zanini present bureaucracy as a killer of human capability and innovation. Yet, I have never seen what I do as bureaucracy, especially not the way they refer to it. Rather I have viewed it as protecting value. Since my days as an accounting student at BYU, I have been interested in value creation and value preservation.
I think the interest began in 1996 in (a prior Marriott Executive) Professor Stone’s Government class. He was speaking about the Government role in ensuring fairness on Wall Street. He noted, “financial statements do not equal the true picture of the value an organization has, but they are the best public information available.” That statement stuck with me. When I joined PricewaterhouseCoopers Los Angeles office in 1998 I was hungry to make a difference. I applied and was accepted into a fast track PwC training program. Over two years I gained extensive training and hands on experience in financial statement audit, internal audit, technology audit and mergers and acquisition due diligence. I found the work interesting but was most fascinated by what led to an error or fraud and how it could be efficiently controlled.
Now entering my 23rd year as a professional internal auditor, I can sit back with a clear picture of the history of governance, risk and internal control. In 2017 my position on an international committee for the Institute of Internal Auditors, put me in a place to guide the redevelopment of one of our core books for the profession, Sawyers. Two years later we presented a brand new book to the world, “Sawyers 7th Edition, enhancing and protecting organizational value.” Internal Audit is one of the few professions that sets international standard for most of the world. As such our book was able to draw 10 authors from 7 countries. Most importantly it articulates five distinct evolutionary periods in internal audit products and services. This evolution illustrates directly the latest ideas on how an organization can best protect the value it seeks to create through wise governing structures, smart internal controls and minimal risk mitigating programs. More importantly, it hints at good management practices for the creation of value.
When Control Leads to Bureaucracy
A clear understanding of the value protection ideals can also illustrate what leads to bureaucracy. In short the potential for bureaucracy begins as a desire for control and the authority to mandate it, including many different internal and external parties. These parties can set rules that impact an organization. When these rules focused on control are prescriptive, like “fill out the 9 boxes on our form”, and not principle based, like “create an effective compliance program,” they accelerate bureaucracy. Unfortunately, the more independent non-government entities are, the less likely they are to collaborate with government on public focused control. This puts professionals less aware of internal control leading practices, like lawyers in a position to write the rules and they are almost always prescriptive. The United States is particularly vulnerable to prescriptive regulation. Both the US healthcare and banking industries can brag more than one million pages of rules and regulations they must follow. This is value killing external bureaucracy. However, internal bureaucracy can also destroy value in the name of preserving it.
Many departments within a mid to large sized entity have responsibilities for value protections. These departments may include Compliance, Quality, Information Security, Intellectual Property, Risk Management, Safety, Business Continuity, and more. When leadership within these departments gets overzealous, they also can create prescriptive requirements to mitigate perceived risks that cross the line into bureaucracy. Finally, the value creation or performance management process can also be part of the bureaucratic problem. Stephen M. R. Covey’s book, “The Speed of Trust” illustrates that in an environment of broken trust it is human nature to create complex work arounds to avoid encountering people we do not trust. In nearly every audit I have performed I have found some element of redundancy due to mistrust. It can be minor because staff competence is in question or it can be Board Members directing redundant monitoring of part of the organization because they do not trust an Executive.
We in the internal audit profession who as of 2015 have the mission to “enhance and protect organizational value,” have elevated our services to not only focus on the existence of risk mitigating control, but to focus on the value produced. This focus has enabled us to better identify ideals in both value creations (Strategic Planning Controls, Governance Design Controls) and value preservation (Operational Capability Development Control, Risk Mitigation Program Controls).
Why the Bureaucracy Problem to Solve is tied up in… Value Creation and Value Preservation Standards
Like my BYU Professor Stone noted in 1996, today’s public financial information does not match the actual value of the organization. This difference between available public reporting and actual value has only accelerated over the last 24 years. This, in part, is due to ever increasing complexities making once stand-alone entities part of larger market systems with interdependencies. Larger market interdependent systems attract more vested stakeholder groups, multiple government entities, shareholders, social interest parties, unions and professional associations. This creates an explosive potential for Bureaucracy. The only answer to battling value killing bureaucracy, is creating a new common standard that all accept. This standard can only be Value.
Total value is in short, the maximum shareholder and social benefit that can be derived from resources leveraged. Setting the financial standard aside to focus on a value standard is not a new idea. It has been around for more than 20 years, possibly longer. This means that we have much to work with already. Any organization seeking to realize total value will recognize the risk trade off between value creation activities and the preservation of value. Run too fast and the value created can be destroyed.
The task of creating new value focused standards as complex and true as financial reporting standards is not small. After all accounting is more than 500 years old. But it is needed and we have a lot to start with.
Value Creation Standards – where to begin
I will not pretend to have an MBA or to have done extensive leading practices research on modern business management practices. However, I have been a Director of Strategy, know how standards are created, and have collected good examples that I believe could contribute to value creation standards. These are typically related to my experience in governance, risk, and internal control. This is far from a complete list, but it implies the opportunities.
1. Decision Science – The Strategic Decision Group, more than 40 years in business has a model based on aiding Executives in quantifying all that can be quantified so that decision choices are clear, free from cognitive bias and sitting on the absolute best information available.
2. The King Code – South Africa in the early 1990’s was struggling in the post-apartheid world and anxious to grab onto all leading practices that could ensure public transparency and trust moving forward. The King Code in my opinion is the best “principle” based governance guidance in the world as a result. Since they were starting from scratch, they like the post-WWII Japanese Auto industry were able to borrow the best ideas with no allegiance to past bureaucracy.
3. Aligned Influence – is a small Colorado based company, created by a University of Colorado Executive and Professor, Ken Schuetz. About 12 years ago, Ken was asked to aid an effort to reduce bureaucracy and improve governance. As a result, Ken created a simple six-word model showing Boards need to Direct, Protect and Enable and Management must Leads, Manage and Accomplishes. Ken’s model has effectively become the simplest way to define the purpose of good governance execution, which can aid in policies that are internal and principle based and not written by lawyers who typically default to external standard compliance losing the connection to value creation.
4. Operational Capability Maturity – As the internal audit profession has evolved its definition of internal control from a transaction focused activity to higher levels some realities about the creation of value have become clear. For example, formality matters. The more formal or mature the definition of operational objectives and how they cascade down a chain of authority are – the more likely they are to be achieved. The principle of formality then flows into the metrics, monitoring and policy development. Finally it can also be applied to the effective alignment of people with skill, efficient processes and enabling technology. Capability maturity models are a good way to measure formality.
For the potential future of value preservation standards, I have much more research and international understanding.
1. Public Financial Reporting – It has now been more than a decade since “principle” based International Financial Reporting Standards have been in practice around the world; however the United States SEC determined in 2012 that these standards were not prescriptive enough for the US, so the US continues to follow their own GAAP standards.
2. Non-Financial Public Reporting – for more than 30 years the discussion of the evolution of public reporting to better reflect the value of an organization has led to much discussion and modeling as noted below. Lessons and examples are available.
· In the United Stated starting in the late 1990’s was an effort to demonstrate social impact of an organization for public marketing purposes. This was largely called Social Responsibility Reporting. However, this has largely been replaced by ESG reporting defined below.
· About the same time that the United States was focused on Social Responsibility Reporting, the European Union and African Nations were focused on Sustainability. The main difference was a greater emphasis on the use of natural resources.
· The International Integrated Reporting Council is the largest non-financial reporting standard setting entity throughout the EU, Africa and the US. It’s Integrated Reporting Framework lists 5 non-financial capitals (Manufactured, Human, Intellectual, Social/Relationship, Natural). Redefine from South Africa has a good example of an Integrated Reporting public report. This is widely used today.
· In 2014 EU directives followed by World Bank standards in 2018 now mandate what are called ESG reports. These reports (example available on the Redefine link above) are intended to illustrate the Environmental, Social and Governance non-financial aspects of an entity. They are a combination of all the elements above but only focus on 2 of the 5 Integrated Reporting Non-financial capital areas (Natural and Social/Relationship).
· Other significant non-financial public reporting efforts include the Workforce Disclosure Initiative, focused on the human transformation aspects.
3. Internal Reporting – since the beginning of time leaders have developed ways to manage risks and preserve value. They have purchased insurance, taken only sure bets, or they have hired internal auditors to watch what is happening outside the normal chain of command. Today this internal monitoring of risk is defined by The three lines model. Management is the first line, responsible for value creation. The second line (internal value preservation) is composed of functions with risk mitigating duties; the Compliance department, information security, business continuity, insurable risk management, quality, facility safety, etc. The third line is internal audit, with a direct role in providing independent information to the Audit Committee of the Board to enable its risk oversight duties. A couple significant evolutions have happened related to this set up. They are noted below:
· Enterprise Risk Management – In the early 2000’s with the failure of Enron in the United States increasing pressure fell on Boards. Meeting simply fiduciary duties was no longer enough, Boards needed to understand the risks within the organizations – risks taken and exposures. The idea of Enterprise Risk Management is the creation of Transparency around value creation and preservation across the three lines. Two primary models guide this effort. COSO ERM in the United States and ISO 31000 Risk Management in the EU.
· Integrated Risk Management or GRC – About the same time that ERM was envisioned the same goals were tackled from an application perspective. How, for example does all that is being done in the second line, get made known to the first line as they make decisions needing better information? The GRC theory driven by the Open Compliance and Ethics Group framework (OCEG.org) spawned a GRC application development craze in the 2010’s, creating a market with sells in the 20 billion per year. However, since the applications largely preceded the innovation in sharing risk data across functions, they were largely unsuccessful at their border goals. This has led to a renewal of the need for integration of risk information for management under the name “Integrated Risk Management”.
Conclusion – Bureaucracy is Misapplied Internal Control
In summary, the existing bureaucracy today is illustrating two needs: 1. To realign internal and public reporting around value creation and value preservation to promote better decisions, and 2. To recognize that various shareholders and stakeholders will have different values that will need to be carefully considered by internal control experts so that they do not result in prescriptive and redundant controls leading to bureaucracy.
The future is available, including the bright future than maximizes human innovation and skill illustrated in Humanocracy. However, it requires setting new internal and public standards around value creation and value preservation. The better we get at internal control the more enabling of value will happen and the easier it will be to avoid bureaucracy.