You may have noticed that regulations and standards have played a frequent role in our discussions of “E is for Environment” and “S is for Social.” In truth, E, S, and G are not mutually-exclusive categories but more like convenient, often-overlapping labels. Though G is the last letter in the ESG acronym, governance metrics are the most established and well-known, typically focusing on an organization’s board, executives, controls, certifications, self-regulatory organization membership, and political lobbying.
It is worth noting that even without any extrinsic motivation, companies typically benefit from strong governance, starting with the board of directors and executive contracts. Long before researchers began to investigate diversity and social capital, economists and management researchers had documented the positive benefits of strong, independent boards. In fact, the presence of an independent chairperson and competent board has been a critical factor for decades among US investors. More recently, research has shown that diverse boards can help break the cycle of “groupthink” and can help organizations adapt in the face of changing environments.
Likewise, the contractual terms and incentives that an organization negotiates with its executives can also have a strong impact on the perception of an organization, not just its performance. Organizations that align executive compensation with sustainable equity growth instead of base salary or other benefits are typically viewed more favorably by investors. Furthermore, organizations with well-rounded executive teams are often better positioned to build and maintain relationships with the wide variety of internal and external stakeholders.
Much like a “real” government, the rules and processes that an organization lives by are often more important than the leaders who come and go. These “organizational laws” most often take the form of controls, policies, and procedures (P&Ps). Strong controls and well-designed P&Ps can help organizations reduce the risk of fraud, information security issues, or other misuse of company assets or opportunities. These concerns are typically addressed through strong compliance programs, and many software or data organizations could benefit from a technology-focused compliance maturity assessment.
Just as countries sign treaties or agree to international standards, so too do organizations when they interact with self-regulatory organizations (SROs) or obtain audited certifications. SROs may exert authority in addition to or in place of direct government regulation, like in the case of Financial Industry Regulatory Authority (FINRA). In other cases, popular standards like the Committee of Sponsoring Organizations of the Treadway Commission (COSO) Enterprise Risk Framework, the Control Objectives for Information and Related Technology (COBIT) Framework, and Diversity, Equity, and Inclusion (DEI) Frameworks guide businesses in their internal controls, policies, procedures, and decision making. In cases where organizations want a stronger signal for their partners, they often obtain certifications like SOC 2 or ISO 27001. We’ll delve deeper into the differences between SOC 2 and ISO 27001 in a future post, but at a high level, both address information security and how the company’s internal controls mitigate the risks. The resulting deliverable for SOC 2 is an attestation report from a service auditor, while under ISO 27001 it is a certificate that states that the company’s information security management system (ISMS) meets the ISO/IEC 27001 standards.
Regardless of whether a business is technology-focused, employees, customers, and investors want to know that an organization is committed to good governance. Luckily, the benefits of easier access to capital, reduced risk, increased management performance, and happier employees add up to more than the costs.
Now that we’ve covered E, S, and G, you might be wondering what the best steps are to begin your journey. In our experience, the lowest-hanging fruit is often aligned with other value-creating or risk-minimizing projects that an organization can pursue.