

The life cycle of any company evolves over time by defining and updating its goals and periodically monitoring their achievement.

Prominent among these are always those that relate to economic performance, compliance with all current regulations to which the company is subject based on the location and markets (country and sector) in which it operates, the management and growth of human resources, environmental sustainability, the evolution of the technology used, and many other issues more specific to its business.

These objectives are then translated into corporate policies and guidelines that determine the ways to achieve them. These are in turn detailed, together with the methods used to apply them in day-to-day operational activities, in procedures and, in the best of cases, in instructions.

Obviously, all of the above is subject to periodic (audit) spot or sample checks and global and regulatory risk assessment activities, actions implemented by the functions of the Internal Control System (ICS).

All these activities are what can be described as the main "actions" that are carried out for corporate governance.

Over time, there is a tendency to create one's own customized internal model with cues from others' experiences and various best practices, or by relying on proprietary models proposed by GRC solution producers (if such a supporting tool is used), tying oneself to a specific approach that, although valid, does not necessarily correspond to the best solution.

Proprietary governance models have now been superseded by ISO standards. Adoption of the ISO model for governance enables integrated operation of all functions, according to an internationally recognized and certifiable standard.

Among the main ISO normative references for control functions that have been updated very recently, manifesting the great sensitivity of even regulators to these issues, are:

  • ISO 37000:2021 for Governance
  • ISO 37001:2016 for Anti-Bribery
  • ISO 37301:2021 for Compliance
  • ISO 37002:2021 for Whistleblowing
  • ISO 19011 for Audit
  • ISO 31000 for Risk Management
  • ISO 26000 for SDG

All these standards are also united by having the same structure, also defined by ISO and called the High Level Structure (HLS). This translates into the possibility of having a single integrated management system, rather than several separate single-issue systems that need to be integrated, that can be directly used to obtain the various certifications.

In almost all cases, companies manage all of this with traditional document- and file-based tools. The main practical effect of managing rules with information in traditional format (being in an electronic document is not enough for it to be considered digital) is felt both in maintenance and in the lack of control over the actual application of the rules, other than through spot checks and a posteriori controls on which to base the evaluation of the effectiveness of the rules themselves.


The digitization of governance makes it possible to change this scenario. The principles and activities of defining corporate governance remain the same, but their implementation and application change completely. So imagine defining all elements directly in a tool that guides you in compiling organized and structured information and allows you to link together regulations, processes, organizational structures, assets, IT tools, policies, procedures, instructions, controls, standards, stakeholders.

This allows you to monitor any aspect at any time and to understand, with every single change in one element, the impact on all the others. For example, if a regulation changes, you can know immediately which processes, roles, IT systems, procedures, etc. are affected and need to be managed. And if there are operating instructions, changing the rules based on these changes will provide immediate assurance that the new rules are being followed.

Similarly, for example, if a vulnerability is detected on an IT system, one will be able to know immediately on which business processes (possibly with alerts in the case of priorities) it impacts, which vendors to contact, which activities it involves etc.

In short, you can thus have real-time control over your business.

The best approach to digitizing governance is to implement digitization in small steps and on complete processes, and to provide for the definition of all aspects and the satisfaction and involvement of affected users on the three organizational macro-levels right from the start:

  • board
  • management
  • operations

The incremental approach allows for a number of benefits, including the achievement of concrete results in a short time and thus a short-term ROI, the gradual natural promotion of a digitization culture based on internal successes achieved and user satisfaction, and the gradual adaptation of users to new ways of working.

Every company and entity, including public ones, is continually subject to evolutionary pushes both internally (reorganizations, business evolution, technological changes) and from outside (e.g., regulations, customer demands, supplier evolution) that require ever-increasing adaptation efforts.

With digitized corporate governance, these efforts are significantly reduced and reaction times significantly compressed, making the company more adaptive, competitive and resilient.

Getting to full governance digitization is not an immediate process, but a progressive one; however, benefits can be reaped from the very first practical implementations.

Some illustrative use cases to consider in one's own context are those operations performed internally that could instead be performed by stakeholders (customers, suppliers, agents) in self-service mode. A classic example is the evaluation of suppliers, which is increasingly done by requesting the upload of documents and data directly to special portals, avoiding manual internal management and the exchange of unstructured e-mails and information. This model can of course be applied in many other contexts as well, provided one has the appropriate application tools to quickly and fully implement the functionality required for the specific management and to make it securely accessible to the external stakeholders involved.

Pieralberto Nati - CEO & Founder Advanced CGS Group SA

with support from the editorial staff of itSMF Switzerland

This article is a reproduction of the article that appeared on itsmf.ch, dated 04/04/2022 visible at the link https://www.itsmf.ch/blogs/post/corporate-governance-in-action
