Sibenco Legal & Advisory

Information Governance Key to Good Corporate Governance

Corporate Governance

by

Information governance reflections on 2020 and insights for 2021

Information governance, data protection and security, privacy, cybersecurity and artificial intelligence (AI) have all become critical topics for boards and government bodies to consider. Historically, the issues tended to be dealt with under either ‘IT’ issues or records and information compliance issues.  In recent years, the importance of cybersecurity, AI and data analytics together with changing privacy regulations have brought new governance challenges to the forefront of the minds of directors.

Top issues for Directors

There are common themes in the surveys of top issues confronting Boards of Directors, which have been carried out in recent years.  These include the opportunities and challenges arising from technology innovation and disruption, the overriding concern of cybersecurity and data breach, which is highlighting the importance of information security, and regulatory compliance including changing privacy regulations.

The Akin Gump Lawyers group in the USA report an annual “Top 10 topics for Directors” each year, which is published in the Harvard Law School Forum on Corporate Governance and Financial Regulation website.[1] The 2020 report, that came out in January 2020, placed cybersecurity at number 7 (the 2019 report had it as the number 8 issue). Similarly the EY Centre for Board Matters ranked “prioritizing cybersecurity and data privacy” as their number 4 key issue for boards.[2]

To add further evidence to the importance of this topic, Diligent, in its  2020 Foresight: year ahead in corporate governance report sets out that, “[t]echnology, processes and insights are the foundation  of modern governance, enabling boards to effectively navigate this changing landscape.”

The top law firm, King & Wood Mallesons, in its 2016 Directions report had listed digital disruption at number 3. By the release of its 2019 Directions: navigating a new order[3] report, the issue of managing IT and cybersecurity had moved to the number 2 spot as a priority for boards.  Adams wrote “The Top 2018 governance concerns”[4] with the acronym SEMTEX[5], of which the “T” was for technology and still is valid for all directors in 2020.

In 2019, the Governance Institute of Australia released its own paper, entitled “The Future of the Governance Professional”[6] and had three major themes – technological disruption was the third highest priority for governance changes into the future (2025). Over 75% of the respondents agreed that the issue was vital or very important due to “the use of new technology and its effects on the workforce, and also because the rate of change and implementation of these technologies is accelerating”.[7] The other themes of complexity and regulatory change are top of mind for many directors and governance professionals. However, it is the impact of technological disruption that is having far-reaching consequences.  This is seen by the growing use of AI and its earlier incarnation, machine learning, in business to change the role of the governance and compliance professional.  There is a role for humans and that is perceived to oversee machines and to make qualitative judgments.

There is acceptance that machines will be better than humans at some tasks, including taking minutes, gathering vast amounts of information and highlighting what is relevant for directors. But there will still be a need for emotional intelligence and creativity, which humans bring to the table (with bias and other unconscious attitudes). As well as AI, the developments in real-time information flows, big data analysis, increased automation and improved regtech with blockchain and voice recognition to all affect the governance role. The 2019 report notes that 39% of respondents thought it would make the governance professional role more interesting and high level, as well as 25% thought it would improve the quality of information that the board receives in its papers.

It is worth hypothesising whether the devastating impact on CBA for the AUSTRAC action for money-laundering in 2018[8] and the Westpac litigation for money-laundering and facilitating child-exploitation,[9] would have been avoided if the board had better digital disruption skills and knowledge. Hindsight is a wonderful attribute, but boards need to balance the fine detail with enough information to make informed decisions and to ask the right questions of management.

Corporate governance in the digital economy

Previously in 2018, the authors examined the link between corporate governance and the digital economy in Governance Directions.[10] The definition of information governance has generally been accepted as “the activities and technologies that organisations employ to maximise the value of information while minimising associated risks and costs”. This definition has been affirmed by 90% of the Information Governance ANZ (InfoGovANZ) survey report, published in 2019.[11] This survey built on the 2017 edition[12] and reinforced that information governance is an umbrella concept that describes all information management activities.

Over half of all respondents said that their organisations, both private and government, had information governance framework with policies and procedures in place.

Traditional governance processes are lagging behind digital innovations and so no longer meet the expectations of governments, regulators, owners and employees. There is a distinction between governance practices in the digital age and a framework for contemporary governance.

Information governance core to good business management

The 2019 InfoGovANZ survey report had 340 industry participants and highlights the importance of an information governance framework. Implementing such a framework was seen by 46% of industry professionals as the most important issue. The survey derived that the three main drivers for information governance projects were:

  • Good business management practices – 75% respondents in 2019, which reflected a 16% increase from the 2017 survey;
  • External regulatory, compliance or legal obligations – 75% respondents in 2019, which was 5% lower than the 2017 survey; and
  • Internal technology restructuring or transition – 55% respondents in 2019, which was a massive 21% increase from the 2017 survey.

Three main drivers for information governance projects graph

Over half of all respondents said that their organisations, both private and government, had information governance framework with policies and procedures in place.  74% had identified specific information governance projects to be underway or planned for 2020.

Information governance programs in organisations are now maturing, 54% of respondents indicated their programs were intermediate of advanced.

Impact of Privacy Regulations

42% of the respondents stated that recent changes to privacy regulations had been a driver for their current projects in information governance. This could be identified by two significant changes that occurred in 2018.  The first was the European Union’s General Data Protection Regulation (GDPR), which came into force on 25 May 2018, imposing a significant change to privacy laws in Europe. Organisation that fail to comply with GDPR requirements (including non-EU country organisations) can face fines of up to 20 million Euros or 4% of global turnover. The other factor in Australia, was the implementation of the Notifiable Data Breaches Scheme (NDB Scheme) that came into force on 22 February 2018. The NDB Scheme requires organisations to notify the Australian Information Commissioner and individuals whose personal information is involved in a data breach that is likely to result in serious harm.

An interesting aspect is that those industry professionals that worked in the private sector (55%) were more driven by these changes to privacy laws than the government employed professionals (36%).  This may be due to a greater number of corporates handing personal information of EU data subjects and dealing with cross-border transfers of personal data as a result of the GDPR.

Information Governance Framework

Implementing an information governance framework was identified as the key area of importance by 46% of respondents.  Compliance with privacy regulations, data loss prevention and updating of policies and procedures rounded out the top four key areas of importance – 16.2% were driven by compliance with privacy regulations, 10.4% were driven by data loss prevention and 9% for updating policies and procedures.

Most participants believed that a chief information governance officer (CIGO) was essential to the information governance frameworks success within an organisation. The words “information governance” or “data governance” only appeared in about 12% or 11% respectively title for those with the accountability for the organisation.  But in 2017 survey report, the term information governance was only in 5% of job titles. More significantly, 41% of respondents who were accountable for information governance were part of the senior executive (C-Suite) team within the organisation.

Information Governance Maturity

Information governance programs in organisations appear to be maturing with 54% indicating their programs were intermediate or advanced.

Responses indicated a fairly even split between proactive and reactive approaches to information governance.  This was most in line with the previous survey results, however, participants appeared to have better clarity of their programs, with only 7% indicating they didn’t know compared to 16% in the previous survey.

This data can be compared to the USA, where ARMA International has published survey results in the Information Governance Maturity Index Report – 2020.[13] This survey had over 1,200 responses, which were subject to a gateway question (of qualifications and skills) and checks for duplications and incomplete answers to establish 912 full responses. The scale applied for all the domains were from level 1 (a non-existent framework) to level 5 (transformational). The middle level 3 was stated to be essential (which equates to a basic requirement in information governance to do the job).

Across all domains measured, including infrastructures, supports, processes, capabilities and a steering committee, 66.2% stated that their organisations were essential (level 3) or higher.  Within particular domains or attributes, ARMA found that having a Steering Committee, with information governance leadership, and links to information management and business unit applications, scored a maturity index of 62.7%. In the area of Authorities, meaning authoritative frameworks, privacy requirements and best practices, 72.1% scored essential level 3 or higher.  Finally for the attribute Supports, including change management and project management, the maturity score was 67.7% for level 3 and above.  The ARMA report highlights that a clear majority of respondents reported that their organisations have the essentials in place or better with respect to each of the domains and for their overall information governance programs.  All this data indicates the growing maturity of information governance within organisations and allows information governance professionals to assess how their organisation is tracking against the survey results of the InfoGovANZ and ARMA reports.

Alignment key to information governance

The key to good information governance is to align data and information governance with overall strategic objectives.  This requires organisations to identify and coordinate different IG areas and activities and activities.  The Elements of Information Governance diagram illustrates the various areas, which can be adjusted as necessary, to provide a clearer understanding of how the overarching information governance framework enables alignment of policies, procedures, people and technologies.[14]

The elements link to the icons and the IG centre in a continuous chain. All of the elements must combine and connect to provide an effective information governance system.  The elements on the top and middle rows to the left reflect people-focused activities, while those to the right are data-focused activities. The elements on the bottom row are information-focused and reflect foundation services.

The icons surrounding the IG centre represent information governance and the elements to be aligned:

  • innovation and technology initiatives (lightbulb);
  • optimising the value of data and minimising costs by reducing risk (dollar sign);
  • technologies, systems and people across organisational silos (cog/gear);
  • data and information security (lock);
  • people skills and collaborative culture with supporting structures (the information governance committee or equivalent) across organisational silos to meet information governance and organisational objectives, and an external focus on customers and citizens and the handling of their personal information and transparency (people);
  • policies and procedures (house).

The house icon services as a reminder that robust information governance requires a top-down strategic approach building on a strong foundation of clear policies and procedures.  The information governance framework enables Directors and senior executives to achieve organisational objectives and to optimise the value of data and information while minimising risks and costs by:

  • identifying all the areas and technologies– that is, the information governance elements in your organisation;
  • putting strategic objectives and priorities in place for managing, controlling and securing the data and information your organisation collects, uses and stores;
  • optimising the opportunities of new technologies and innovations to harness value and insights from data;
  • implementing appropriate risk management to minimise costs, such as those associated with a data breach and eDiscovery in litigation and legal proceedings.
  • implementing measures to protect the organisation’s intellectual property;
  • complying with regulatory and legal obligations including, record keeping obligations and, in particular, changing privacy regulations.

Conclusion

The key to good corporate governance is a strong information governance framework aligned to achieve organisational objectives with top-down leadership.   Effective information governance is when policies, technologies and people all align and work together to enable data and information to be optimised and regulatory compliance of privacy, record keeping and other information regulations to increase the overall performance of the organisation.  The key issues for directors confronting both opportunities from technology innovations, AI and data analytics and challenges arising from cybersecurity, data breach, privacy and other regulatory drivers can be met with strong information governance.

Authors

Professor Michael A Adams FGIA(Life) FCIS, Professor of Corporate Law & Governance, School of Law, University of New England and
Susan Bennett, FGIA, CIPP/E, Principal, Sibenco Legal & Advisory, Co-founder and Director of Information Governance ANZ

This article was published in Governance Directions, May 2020, Vol 72, Issue 4.

References

[1] Akin Gump, Top 10 Topics for Directors in 2020 – https://www.akingump.com/en/experience/practices/corporate/ag-deal-diary/top-10-topics-for-directors-in-2020-executive-summary.html

[2] EY Center for Board Matters, Eight Priorities for Boards in 2020 – Harvard Law School Forum on Corporate Governance : https://corpgov.law.harvard.edu/2020/01/14/eight-priorities-for-boards-in-2020/

[3] King & Wood Mallesons, Directions 2019: Navigating a new order – https://www.kwm.com/en/au/knowledge/hubs/directions-non-executive-directors

[4] Adams, M; “Top 2018 governance concerns: #SEMTEX” Governance Directions 2018 September

[5] SEMTEX stands for Strategy; Evaluation of risks; Multi-generational; Technology; Environment/CSR; toxic.

[6] GIA, The Future of the governance professional, August 2019 – https://www.governanceinstitute.com.au/media/884166/govinst_the-future-of-the-governance-professional_august-2019.pdf

[7] Op cit fn 8 at page 9

[8] AUSTRAC v CBA [2018] FCA 930 http://www.austlii.edu.au/cgi-bin/viewdoc/au/cases/cth/FCA//2018/930.html and AUSTRAC media release – https://www.austrac.gov.au/austrac-and-cba-agree-700m-penalty

[9] AUSTRAC media release https://www.austrac.gov.au/about-us/media-release/civil-penalty-orders-against-westpac

[10] Adams, M & Bennett, S, 2018, “Corporate governance in the digital economy: The critical importance of information governance” 70(10 Governance Directions

[11] Information Governance ANZ, IG Industry Survey, July 2019 https://www.infogovanz.com/wp-content/uploads/2020/01/IGANZ2019ReportFinal.pdf

[12] Information Governance ANZ, IG Industry Survey, August 2017 https://www.infogovanz.com/wp-content/uploads/2020/01/IGANZ_Industry_Survey_AUGUST_2017.pdf

[13] ARMA International, Information Governance Maturity Index Report 2020 – https://www.arma.org/page/ig-report

[14] Information Governance ANZ – https://www.infogovanz.com/information-governance/information-governance-optimising-the-lifeblood-of-organisations/

by

  • Corporate governance in the digital economyInformation is critical to decision-making and plays an essential role across all three pillars of governance.
  • The emerging driver of good information governance globally is compliance with regulatory obligations, particularly with the growth in global privacy laws.
  • Effective information governance requires top-down board and senior executive leadership.

Good corporate governance in the data driven and digital economy poses significant challenges for Boards and seniors executives.  This article highlights the importance of information governance to ensure there is a unified strategy and framework to govern information effectively.  Good information governance enables organisations to maximise the value of information as a business asset while minimising risks and costs, particularly those associated with data breach.

Over the last 25 years there has a lot been written about corporate governance.  There have been debates about the value it adds to an organisation and even the share price on the Australian Securities Exchange (ASX). One fact that is not disputed is that the companies and organisations still fail, in a corporate governance sense.  This has been illustrated through the media in September 2018, with the Australian Broadcasting Corporation (ABC) public dismissal of its managing director and then the forced resignation of the chair of the board, a few days later. Similarly, the scathing criticisms of the four major banks and other financial services providers through the Interim Report[1]of the  Royal Commission into Misconduct in the Banking, Superannuation and Financial Services Industry (Hayne royal commission) in respect of their culture and corporate governance.

Previously, it has been noted, that there is a “three pillar”[2]approach to good corporate governance and sometimes, both management and boards, get a little confused as to the distinction between the specific pillars of corporate governance, due diligence and compliance. Before briefly explaining the importance of each of the three pillars of governance, it is essential to note that the role of technology in every organisation has changed how and why things are done and recorded. It is critically important that the board and by entension the whole organisation, understand information governance is key to good corporate governance. Unfortunately, research by the Information Governance ANZ[3]shows that there is confusion as to what this concept means and who should be responsible for it.

It is possible to express information governance as a component or one aspect of corporate governance, but this misses the point, that information is critical to decision-making and plays an essential role across all three pillars of governance from corporate governance to due diligence to compliance.  The importance of technology was explained in the 2018 directors’ top concerns, under the title #SEMTEX.[4]This will be explained in more detail below.

Corporate governance

The amorphous nature of corporate governance is what makes it simultaneously defies definition, but many commentators have attempted to definitively account for corporate governance.

In 1992, the now world famous Cadbury Report took a simple approach, proposing that corporate governance is ‘the system by which companies are directed and controlled’. In Australia, the ASX Corporate Governance Council’s Corporate Governance Principles and Recommendations, third edition adopted the following definition,

‘The phrase “corporate governance” describes “the framework of rules, relationships, systems and processes within and by which authority is exercised and controlled within corporations. It encompasses the mechanisms by which companies, and those in control, are held to account.” Good corporate governance promotes investor confidence, which is crucial to the ability of entities listed on the ASX to compete for capital.’

The fourth edition is currently under consultation and flagged to publish in 2019.

Our preferred academic definition is found in Cochran and Wartick’s 1988 publication Corporate Governance: A Review of the Literature, which suggest that corporate governance is “an umbrella term that includes specific issues arising from interactions amount senior management, shareholders, boards of directors and other corporate stakeholders”. There are numerous studies[5]as to the benefits of corporate governance for global entities, whether they be the transnational corporations or the more traditional multinational companies. Around the globe, by far the majority of business entities are privately owned, with a small percentage being quoted on a local stock exchange, in a single legal jurisdiction.

Corporate governance has many elements, including risk management, due diligence and compliance. They are not terms of art, but certainly three distinct, yet inextricably fused elements of corporate governance. With an overlay of information governance, it is easy to see how confusion can arise.

Internal Due diligence

Due diligence, in the corporate governance context has evolved beyond its original role as a defence for transactions (buying and selling businesses or fundraising prospectuses). Due diligence is now seen as within a corporation’s internal operations that the link governance (at the board level) to the operational compliance programs. The use of the expression ‘due diligence’ to describe the system implemented within a corporation of checking day-to-day legal statutory compliance. These risks and duties can cover a range of issues, but often are linked to legal risks, such as consumer laws, property rights, (including physical and intellectual property), employment relations, environmental, corporate and privacy law). Due diligence and compliance are related but not to be treated as one and the same.

A simplified internal due diligence risk model, would normally have six steps, commencing with a legal risk audit. This is followed by a compliance plan for the whole entity or particular operating divisions.  The next step normally involves the implementation of the compliance plan and at some stage (set time period) a review of the established compliance program. It is important that the compliance programs, through the due diligence process are formally reported to the board of directors. Finally, after a couple of years, any due diligence and compliance system should be re-evaluated and another audit of risk be commenced.

Compliance programs

All commercial environment have become increasingly regulated in recent years. The 2018 Hayne royal commission is illustrating that even Australia’s largest corporations are failing to have good governance and compliance systems, which have led to misconduct in the financial services sector. Compliance is demanded with a greater number of statutes, regulations, industry standards and principles than ever before. What is more, society is becoming more litigious, and regulators are having their arsenal bolstered by greater powers and a greater range of penalties. Although, there has been criticism of the lack of enforcement by ASIC and APRA, many other regulators regularly enforce their, criminal, civil and civil- penalty provisions.  Out of the Hayne royal commission, it is reasonable to assume that ASIC and APRA will be conducting much more enforcements of the law than in the previous decade. It can be presumed that shareholder class actions will continue where there have been corporate governance failures and breaches of the law.

Information governance

What has become apparent over the last decade is the importance of information relating to the organisation. There are many different priorities, but the impact of e-discovery in litigation and the traditional requirements of archiving records for future management, together with increasing numbers of data breach have led to an explosion of laws and compliance issues. The EU impact of the General Data Protection Regulation (GDPR) and the introduction of the Notifiable Data Breach Scheme (NDB Scheme) in Australia this year, are two examples of how boards have a much greater responsibility to have a systematic approach to information governance.

What is Information Governance

Information governance is the framework, policies, technology and roles for controlling and securing information throughout an organisation to optimise the value of information, meet regulatory and legal obligations, manage risk and support business objectives.[6]

The goal of effective information governance is to maximise the value of information, recognising the potential value of data as the ‘new oil’ and to minimise the risks and costs of holding information.  The risks and costs include: those resulting from data breach, eDiscovery (the production of documents in litigation and in regulatory inquiries), ROT – the storing of redundant, outdated and trivial data that increases data storage costs, the costs of eDiscovery, and the costs of additional internal resources to manage data.

Drivers of IG: Litigation, inquiries and royal commissions

The growth of information governance in the United States over the past decade was driven largely by the enormous costs of eDiscovery and document production in litigation and regulatory investigations.  The Hayne royal commission provides a current Australian example of the substantial resources and costs involved in document production. The Hayne royal commission which was established in December 2017, has now issued over fourteen hundred Notices to Produce to institutions, requiring them to produce documents within tight deadlines.  The notices have required production of documents in some instances covering a 10-year period.  The Australian Financial Reviewreported on 28 September 2018, that CBA had responded to 106 Notices to Produce to 30 June 2018.

The Hayne royal commission and large litigation matters involving significant and ongoing document production or large eDiscovery result in teams of people, including lawyers and internal resources, to assist in identifying, reviewing and producing documents, the extensive use of specialised eDiscovery technology, and substantial costs in the millions, and even tens of millions, of dollars.   These costs are minimised when there is good information governance, because ROT is disposed of and there is ongoing defensible disposition of data in accordance with records and information record retention policies.  This enables relevant documents to be more easily and cheaply identified and retrieved from the vast volumes of data being stored by organisations.

Drivers of IG: Growth in privacy laws and data breach

The emerging driver of good information governance globally is compliance with regulatory obligations, particularly with the growth in global privacy laws.   Good data governance and privacy compliance starts with knowing where your data is and mapping it, so appropriate steps can then be taken to secure and control it – for most organisations this is a significant challenge.

The GDPR includes expanded accountability and governance requirements including record keeping, privacy by design and privacy by default, and a requirement for data protection impact assessments to be carried out where high risk data processing is being undertaken.  Australian Privacy Principle  (APP)  1.2 requires that organisationsmust take reasonable steps to implement practices, procedures and systems that will ensure it complies with the APPs.  The Australian Government Agencies Privacy Code issued in July 2018 sets out requirements of APP 1.2 for privacy management and governance, including that agencies are required to carry out privacy impact assessments in relation to all high privacy risk projects.

Boards and senior executives need to be aware that under the GDPR and APP11.2, organisations are not permitted to retain personal information for longer than the lawful purpose for which the data was collected.  It means that organisations must either destroy or de-identify data.  The touting of data analytics and data as the ‘new oil’  means that many organisations are storing vast quantities of data, including data of customers and employees both past and present.   The protection of personal information under privacy regulations requires organisations to understand and properly govern the personal information they hold, including disposing of personal information.

Drivers of IG: Requirement for government agencie

Australia’s Digital Continuity 2020 Policy, sets out as its first principle that information is valued.  It requires agencies by 2020 to manage their information as an asset, ensuring that it is created, stored and managed for as long as it is required, taking into account business requirements and other needs and risks. This recognises that information is a key strategic asset and economic resource, and that digital information management enables efficiencies in service delivery, increases opportunities for information sharing and can improve business decisions and accountability. As part of the first principle, agencies are required to implement an information governance framework and annual survey reporting on information governance.

Top-down leadership

Effective information governance requires top-down leadership from the Board to set the strategic objectives and priorities for managing information assets.  The objectives will vary according to the nature of the industry, size of the organisation, and where a particular organisation sits in relation to cybersecurity threats, the types of data collected and opportunities to extract value from data, and use of new technologies.

Effective information governance enables Boards and senior executives to be proactive in respect of the opportunities that can be derived from data and technology, and proactive in respect to potential threats.  Preventing misuse or data breach of customer personal information is key in industries such as banking and health.  For organisations in these industries that collect and store vast quantities of customer personal data there are increasing regulatory requirements, including the need to be able to quickly respond to data breaches of personal information both to comply with the requirements of the NDB Scheme as well as to manage reputation in the public domain and retain the trust of customers.

For other industries, such as mining and pharmaceutical, the primary concern may be to protect valuable intellectual property from cyberattack and theft.   Where intellectual property theft is a key concern, then in addition to cybersecurity investments to protect the IT network perimeter of the organisation there will need to be increased information security within the organisation to prevent rogue employees from accessing and/or misusing information. Information security measures will include stricter control of ‘shadow IT’ such as employees using their own devices or apps, through appropriate BYOD policies and IT auditing and surveillance, and human resource risk management.   The broad range of issues necessitate a coherent and strategic plan across organisational silos to minimise risks and costs.

A robust information governance framework that is led from the top-down and effectively implemented throughout an organisation will enable this. The Information Governance ANZ Survey 2017 found that 98% of respondents said that defining and implementing an IG framework for their organisation was important, and that should they have the budget and authority to do so, half of all respondents said they would do so as a priority.

Information governance framework

The first step to building an information governance framework is to clearly understand where information is being managed throughout the organisation and the positions of those across the silos responsible for managing the information and/or technology systems.  The next step is building an information governance framework and system to facilitate the effective interaction between the stakeholders to ensure the policies and activities undertaken for each of the information areas are aligned with each other, the overarching information governance policy and with the overall strategic goals of the organisations.

The framework includes the overarching information governance policy which:

  • sets out an overarching description of how information is governed including leadership and planning;
  • describes the factors and business drivers which determine or influence the creation, management and use of information, including legislation, regulations, compliance, risk, and business needs; and
  • documents the organisation’s commitment to information governance and provides senior management endorsement.

The Information Governance ANZ Survey 2017 found that 55% of respondents said their organisation governs IG with a formal framework with policies and procedures.

The information governance framework above demonstrates the various areas within an organisation where information is typically managed, although in some organisations there will be more areas.   It is the co-ordinating of these areas to efficiently and coherently safeguard that the organisation will deliver on its information governance objectives and support overall achievement of organisational objectives.

Information governance committee

In large organisations, an information governance steering committee is the best mechanism to ensure that the overarching information governance objectives are implemented in a consistent and systematic way.   It may take different forms, to suit the needs and structure of the organisation including:  board, committee, working group, or as part of an existing governance committee.

It is important that the committee comprise all key information stakeholders to encourage collaboration and effectiveness of information governance activities.  The committee members may include – General Counsel (GC), Chief Information Security Officer (CISO), Chief Privacy Officer (CPO), Chief Data Officer (CDO), Chief Marketing Officer (CMO), Chief Data Scientist (CDS), Records & Information Manager (RIM) and others appropriate to the needs and priorities of the organisation.

The information governance steering committee should have a suitable Chair to ensure the committee:

–      is collaborative to ensure that those members of the committee lead their respective areas to break down information silos with a culture of information and data collaboration;

–      is well-structured, meets regularly, and has a clear agenda that is implemented and achieved.

Senior executive responsible for information governance

Best practice information governance includes the appointment of a dedicated senior executive responsible for leading information governance and accountable for enterprise wide information governance. This may be the included in the responsibilities of an existing senior executive, but best practice is the creation of a dedicated position – the Chief Information Governance Officer (CIGO).  The Information Governance Initiative (IGI), a US IG think-tank describes the CIGO’s role as ‘to balance the stakeholder interests from each facet of IG and develop the right operational model for the organization.’

As part of the Digital Continuity 2020 Policy, the creation of the CIGO role for Australian government agencies‘is critical for digital innovation and capability, and for championing the importance of effective information management’.   The CIGO role is also important for establishing and maintaining a culture for a more accountable and business-focused information management environment.

Information governance reporting

There should be regular information governance reporting of progress on initiatives, programs as well as evaluation and auditing.  The reporting should be to the designated C-level executive responsible for information governance, such as the CIGO and/or the information governance steering committee.

The senior executive responsible for information governance, such as the CIGO, and/or the information governance steering committee then report to the relevant Board committee.  The relevant board committee may be the audit and risk committee  or another relevant board committee.  It is critical that there is at least or more one member of the committee (and on the Board) that understand the requirements of good information governance, including privacy regulatory obligations, the role of technology and cybersecurity.

Conclusion

The growth of data breaches and privacy regulatory requirements, together with the costs and burden on institutions involved in responding to the current Hayne royal commission, should be prompting boards to review and assess whether their current information governance is adequate to manage information risks and meet legal and business requirements.

Good corporate governance requires a robust information governance framework. This will include an information governance steering committee and/or dedicated senior level executive with the responsibility and accountability for information governance.  Importantly, information governance reporting needs to feed into relevant Board committees, so that the board has appropriate oversight.

Effective information governance requires top-down board and senior executive leadership to enable the organisation to deliver continual strategic and proactive governance as digital disruption impacts the organisation and digital transformation continues.

With good leadership, a properly executed information governance framework and program should deliver effective security and control of data and information by minimising risks and reducing costs of holding information and maximising the value of information held by the organisation.

 

Professor Michael A Adams FGIA(Life) FCIS, Professor of Corporate Law & Governance, School of Law, Western Sydney University and
Susan Bennett, FGIA, CIPP/E, Principal, Sibenco Legal & Advisory, Co-founder and Director of Information Governance ANZ

 

This article was published in Governance Directions, November 2018, Vol 70, Issue 10

[1]https://financialservices.royalcommission.gov.au/Pages/interim-report.aspx

[2]Adams, M. (2018) “Three Pillars of Corporate Governance” 70(6) Governance Directions, p 302.

[3]http://www.infogovanz.com/featured-articles#iganzsurveyreport-anchor

[4]Adams, M. (2018) “Top 2018 governance concerns: #SEMTEX” 70(8) Governance Directions,p 477.

[5]Adams, M. (2012) ‘Global Trends in Corporate Governance’ 64(9) Keeping Good Companies516, 518.

[6]  See also – What is Information Governance and how does it differ from Data Governance?– Governance Directions, September 2017, Vol 69, Issue 8

by

Corporate governance – how a corporation is controlled and directed, and how it manages its risk profile – is generally contained in a framework of policies, rules, codes of conduct and processes.  Despite many corporations having a plethora of documentation to guide and control the behaviour of their employees and executives, internally generated corporate scandals that damage reputation and financial standing, and expose directors to legal proceedings, continue to occur.

This is because good corporate governance is not simply policies, rules and processes – equally important is how delegates apply them. For purposes of efficiency, corporations, through governing boards, need to delegate decision-making.  This means that executives and employees who are lower in the chain can have authority and power, increasing an organisation’s risk profile.  Delegations, therefore, need to be part of a corporation’s risk management framework.

Delegate behaviour

While outside events can have a significant impact on organisations, many scandals erupting in the corporate world have arisen largely through the behaviour of an organisation’s own employees or executives. The New South Wales Independent Commission Against Corruption has stated that many of the reports it receives involve allegations of corrupt behaviour in the misuse of delegations.[i]  Therefore, the governing authority must not only consider delegation risk as part of risk management, and provide a system for monitoring the decisions and actions of delegates, but provide corporate guidance for those entrusted with decision-making.

Risk management

Risk management involves adopting a risk forecasting and evaluation system, coupled with a risk appetite matrix setting out the prioritisation of risks and application of resources, to minimise, monitor and control the probability and impact of risk factors.

Where delegates’ behaviour is concerned, corrupt criminal behaviour can, by its nature, result in increased risk, but risk factors can also arise where behaviour results in violations of mandatory internal codes of conduct and policies. An aspect of this is where employees and executives operate outside corporate culture: e.g., where a ‘silo mentality’ exists in defiance of established corporate norms. Again, how individuals behave when carrying out delegated authority is central to corporate operational risk and an essential part of risk management.

Delegations and monitoring

Delegations are necessary – they allow for nimble decision-making, empower employees, can reduce ‘red tape’ and increase organisational efficiency and performance. However, having delegations in place without accountability controls and regular monitoring can allow behavioural issues to go undetected. For successful monitoring, there must be transparency, accountability and an effective flow of information, and an effective board that is prepared to set up the necessary controls.

How can delegation risks be minimised through board governance?

Good governance includes devolution of authority and maintaining control over that process.

The following systems assist in good decision-making and operate as risk management tools:

  • a comprehensive, readily accessible, delegations framework, identifying clearly monetary limits, boundaries and accountability structures linked to a policy framework, human resources and risk management systems (i.e., it is not a ‘stand-alone’ document);
  • available and readily accessible policies and procedures that articulate clearly the corporate culture, expectations and obligations;
  • a framework of regular reporting to the board on specified decision-making, which corresponds to the organisation’s risk matrix and risk appetite;
  • a risk management framework that is regularly reviewed and incorporates the organisation’s risk appetite;
  • a regularly reviewed table of internal and external audits;
  • a comprehensive fraud risk education program, which employees undertake each year; and
  • a system of training programs for board members, to ensure board members understand fraud management, legal responsibilities and are kept up to date with topical issues and case studies.

Apart from these formal systems, there is much that a proactive board can do, on an ongoing basis, to reduce risk associated with delegated behavior by:

  • regularly monitoring the delegations framework;
  • regularly revisiting corporate objectives and key performance indicators;
  • ensuring board members have the necessary skill sets, which assists in directors being aware of their legal responsibilities and accountabilities, and satisfying ‘duty of care’ requirements under the Corporations Act;
  • regularly ensuring and monitoring compliance with legal and regulatory requirements;
  • creating an atmosphere where board members are encouraged to ask difficult questions and are engaged in discussion;
  • encouraging management to tell ‘bad luck’ stories, as well as ‘good luck’ ones;
  • encouraging management to be forthcoming about corporate cultural issues;
  • endorsing a ‘talk the talk’ and ‘walk the walk’ approach, to encourage ethical behaviour throughout the organisation;
  • creating an atmosphere where employees can raise concerns – i.e., ensuring whistleblowing is not discouraged; and
  • ensuring management knows it is responsible for managing risk and disclosing, not hiding, difficult situations.

A well-designed, regularly monitored corporate risk management framework with an appropriate delegations framework and policy, should result in increased organisational efficiency and performance.

Pamela Steele LLB, MSoc.Sci, Consultant & Susan Bennett LLM, MBA, Principal

 

If you would like assistance with your delegations framework, please contact us – +61 2 8226 8682 or email info@sibenco.com.

Click here for the pdf version of this article

 

__________________
Follow us to receive updates on LinkedIn


__________________

This article is for reference purposes only and does not constitute legal advice.

__________________

i Independent Commission Against Corruption (NSW), ‘Knowing Your Risks’

by

How well an organisation deals with its delegations is fundamental to its efficiency to maximise opportunities and minimise risk.  From a practical management perspective it is necessary in every organisation to devolve decision-making from the central source of authority downwards. This enables decisions to be made at the coal-face, by employees or committees with the required specialised knowledge, and in a timely way.  However, decisions made without proper legal authority can put your organisation at financial and legal risk.

What is a Delegation?

Delegations empower employees and committees with the authority to make legally binding decisions on behalf of their organisation. Delegations are a function of administrative law expressed, in ordinary terms, as ‘who can legally do what’.

Delegations are the formal authority:

  • given from a legally authorised source of power;
  • to an individual or committee by the source of power;
  • to make enforceable decisions that commit and/or incur organisational liabilities; and
  • for which the specific individual or committee will be held accountable.

Source of authority

The source of authority depends on the type of organisation:

  • companies – Corporations Act 2001 (C’th) and its Constitution;
  • government departments and agencies – the relevant enabling Act; and
  • statutory corporations – the relevant enabling Act and Constitution;
  • universities – the relevant enabling Act, or its Constitution if not created by legislation.

An organisation must act within the boundaries of its Act and/or Constitution. Understanding the source of authority is important – for example, in the University of Western Australia v Grayi the Full Federal Court held the University exceeded its source of authority when it purported under its Act to make regulations affecting the property of others (intellectual property of academics), when its Act gave authority only to manage and control its own property.

How is authority delegated?

The authority to delegate is contained either in the enabling Acts or the Constitution which contain specific provisions authorising the governing body (e.g Board of Directors, Senate or Council) to delegate to employees and committees.

Many organisations have Delegation Frameworks at varying levels of sophistication that consolidate and list delegations, enabling employees and the outside world to identify decision-makers and the extent of authority.

For government organisations and statutory corporations there are provisions in the State and Commonwealth Interpretation Actsii, which provide for delegations.  It is important to note in these cases, a delegation cannot be sub-delegated unless there is an express statutory power to delegate, there is an express statutory power to appoint an authorised officer or there is an implied power to authorise.iii

Delegation Principlesiv

  • Delegates must exercise their own discretion – a specific direction authority source that a decision must be made in a particular way is not a delegation.
  • Delegations can be general or specific but must be in writing.
  • Delegations cannot be sub-delegated unless the enabling legislation specifically states otherwise.
  • The exercise of a delegation is deemed to be the act of the body granting the delegation.
  • Delegations are hierarchical and can always be exercised ‘upwards’ in the chain of command.
  • Delegations can always be revoked.
  • Delegations are generally conferred on positions and not individuals.
  • Delegations can be to future positions.
  • A delegation needs to identify the delegate with sufficient certainty.

AUTHORISATIONS (in the public sector)

Authorisations in the public sector concern the power of a Minister to devolve decision-making power downwards within their department.

What is an Authorisation?

An authorisation in the public sector, is a legal mechanism developed by the courts permitting a delegate under a statutory delegation of authority conferring a right on a subordinate to exercise specific powers given to that delegate – it is referred to as the Carltona principlev and operates on the basis that a delegate can appoint an agent to perform his/her functions under certain specific situations.

An authorisation is nota delegation. This is because ultimate accountability for the exercise of the decision-making rests with delegate not the person authorised. Authorisations need not be in writing although it is advisable to do so.

A delegate cannot ‘authorise’ an individual to exercise all powers of the delegate. An authorisation should not be made where:

  • significant rights of an individual would be affected; or
  • the delegation instrument clearly anticipates a personal decision from the delegate.

It is important to note from court decisions, that the boundaries of what can be legally authorised is unclear and that all legal decisions relating to authorisations are to-date in the government sector.

Benefits of Delegations and Authorisations

  • They decentralise decision-making and reduce red-tape.
  • They relieve senior officers from routine decision-making.
  • They encourage personal initiative and promote a wider skills base.
  • They can promote a better risk appetite.
  • They allow staff to know at all times ‘who can do what’.
  • Decision-making can be done more quickly and with less formality.
  • Decision-making can be done by those with specialised knowledge.

Pitfalls to avoid

  • Devolution without care and supervision can result in misuse of power creating risks.
  • Too complex a system can promote a red-tape culture.
  • They may fail if there is no institutional culture of accountability.
  • Lack of regular training can mean misalignment of decision-making especially where temporary positions are involved.
  • Failure to update can result in invalid decision-making.
  • The inherent nature of particular organisational environments may mean delegations and authorisations are difficult to manage.

To maximise effective decision making, organisations must develop a strategic context for decision-making, ensuring that policies and decision-making processes are up-to-date, transparent and readily accessible to all. A well-constructed set of policies and delegations framework together with an appropriate system to oversee and monitor are all necessary.  It is also important that all employees understand who can make decisions within their organisation and that the decision-makers are well trained in the principles governing delegated powers.

 

Pamela SteeleLLB, MSoc.Sci, Consultant & Susan Bennett LLM, MBA, Principal

For further information or training on governance frameworks or delegations for your organisation phone 02 8226 8682 or email info@sibenco.com

__________________

Follow us to receive updates on LinkedIn


__________________

This article is for reference purposes only and does not constitute legal advice.

__________________

i [2009] FCAFC 116

ii Acts Interpretation Act 1901 (C’th) and Acts Interpretation Act (NSW)

iii  Acts Interpretation Act 1901 (C’th) ss 34AA and 34AB

ivNote 2 ss34AB(Cth) and s49 (NSW)

v [1983] 153 CLR 1