In recent articles, I talked about the role and attributes of leaders, managing security through metrics and leaders’ self-awareness. It is time to talk about governance – accountability, responsibility, delegation – from the board and chief executive officer down.
Every leader is responsible for the provision of good governance. “The concept of governance is not new. It is as old as human civilization. Simply put, governance means the process of decision making and the process by which decisions are implemented (or not implemented). Governance can be used in several contexts such as corporate governance, international governance, national governance and local governance” (United Nations Economic and Social Commission for Asia and the Pacific, 2007 What is good governance?).
This definition covers a lot of ground but, most importantly, it is about making decisions and getting things done or, in the case of security risks, getting things done to stop other unpleasant things being done!
Good governance has eight major characteristics, as follows:
- anticipatory
- consensus oriented
- accountable
- transparent
- responsive
- effective and efficient
- equitable
- inclusive
- follows the rule of law
Although not an exhaustive list, it is good governance for any organisation to establish a framework which provides for the following to meet organisational and community expectations. There must also be a clear definition of roles and accountabilities for all decision makers and decision-making bodies, such as committees. This is especially true for the roles and accountabilities of leaders, particularly at an executive management level, which should be articulated and documented.
A board exists to provide strategic oversight of its operations, while the executive management is responsible for the day-to-day operations of the business. Managers should be assisted in their work through the establishment of key committees, such as an audit and risk management which may address a range of issues from financial to security risks and compliance. Such committees should have appropriate terms of reference or charters (not just activity statements) and be geared towards achievement of business objectives. Such objectives and structures should be regularly reviewed.
It is interesting to note that many commentators suggest that the global financial crisis (GFC) resulted from systemic failures of governance in the financial institutions. Ironically, in 2004, three years before the GFC, the Basel Committee on Banking Supervision published International Convergence of Capital Measurement and Capital Standards – A Revised Framework (known as Basel II). The governance arrangements and metrics suggested in the paper would, if not prevented, have greatly mitigated the spread of the GFC.
I have taken the liberty to take out the reference to banking and finance measures and substituted ‘security’ in the governance section of the report. It makes a useful structure for thinking about security governance.
Corporate governance (paraphrased from Basel II, p90)
All material aspects of the security rating and estimation processes must be approved by the organisation’s board of directors or a designated committee thereof and senior management. These parties must possess a general understanding of the security risk rating system and detailed comprehension of its associated management reports. Senior management must provide notice to the board of directors or a designated committee thereof of material changes or exceptions from established policies that will materially impact the operations of the security system.
Senior management also must have a good understanding of the security rating system’s design and operation, and must approve material differences between established procedure and actual practice. Management must also ensure, on an ongoing basis, that the rating system is operating properly. Management and staff in the security control function must meet regularly to discuss the performance of the rating process, areas needing improvement, and the status of efforts to improve previously identified deficiencies.
Internal ratings must be an essential part of the reporting to these parties. Reporting must include risk profile against expectations. Reporting frequencies may vary with the significance and type of information and the level of the recipient.
In summary, security is a core component of good governance and should have appropriate attention from the board through to the operational level. It is the job of leaders at all levels to ensure good governance to achieve organisational goals.