We are often asked about the operational responsibilities of directors. There is a large degree of subjectivity associated with the answer, and therefore no short, definitive answer that applies to all. The importance of getting it right, however, cannot be overestimated. Ask any executive about the frustrations and inefficiencies of a director getting it wrong towards the heavy end; and then ask any shareholder about the disappointments in a well-paid director being on the barely asleep side of involvement. So how do some get it right, and what constitutes “right”?
Like most things practical, the question is best answered by going back to the basics.
Let us assume then that, as is the case in most organisations, the shareholder is removed from management, i.e. the shareholder is not involved in the business. In effect, the shareholder gives his/her money to a (remote) organisation, which then utilises this money in its chosen field of business (e.g. making chairs). In time, through the activities of the business, the shareholder hopefully gets more money back from the organisation than the amount which he/she initially provided.
Most shareholders, in return for their money, require some sort of input into the strategic direction of the organisation into which they invest (i.e. to ensure that the chair-makers do not suddenly decide to make video recorders, for example, or sell the chair-making equipment to fund a fleet of Ferraris for the executives). The legislation therefore allows that these shareholders can appoint directors to the organisation who are then, in effect, the bosses of the company. These directors are not chair-makers, and they represent the shareholders in a non-executive capacity. They are therefore also removed from the organisation, although not quite as far as the shareholder.
The director’s first and most important job is to appoint the CEO, or chief chair-maker, if you will. The CEO’s job is to give effect to the strategic decisions of the directors on an operational level, be their person on the ground. He or she would therefore start by appointing other operational managers, who in turn would appoint other operational staff, etc.
So, is the director’s only job to make strategic decisions, i.e. to provide strategic direction to the CEO?
No, surely not. Our contention is that the directors can strategise as much as they want and generate perfect strategies, but if the organisation is not invoicing every chair that it sells, or ensuring somehow that it is making quality chairs, all that strategising is for nought. The shareholder will lose his/her money, and the part of his/her funds that went towards paying the directors to represent and grow his/her interest, is therefore wasted.
The directors, therefore, must also have an operational responsibility which they have to somehow discharge before spending time on strategy. How, then, do they fulfil this mandate?
They can ask the CEO whether, operationally, everything is in hand, and take his or her word for it. If they appointed the perfect CEO and have worked with him or her for the last 20 years, this may be appropriate. (They are, after all, appointed to exercise judgement on behalf of the shareholders.) Alternatively, to form an opinion and ensure that all operational risks are appropriately managed, they can spend six months shadowing the CEO, then six months shadowing the Head of Chair-making, then six months shadowing the Head of Procurement, etc…
Clearly, under normal circumstances, the answer to the directors forming a view on the operational landscape is somewhere in the middle. Enter the assurance provider, who can be defined as any person removed from the person that is managing a risk directly, and who is willing to provide assurance on the appropriate management of that risk. An assurance provider can be an external auditor, an internal auditor, an electrician, a handyman, an in-house lawyer, a plumber, a pest control company, an investment committee, a health and safety expert, an IT technician, etc. The further removed from the function managing the risk, presumably the stronger the assurance provided.
The objective or value of the assurance provider is in providing additional assurance to the directors that the key risks of an organisation are being managed appropriately. The word “additional” is key in this definition, as the first level of assurance that the directors must obtain is surely from the person who is being paid by the shareholders to manage that risk, i.e. management. If management admits that a key risk is not being managed appropriately, why would the directors want to have that confirmed by someone independent from the function? Perhaps it is to assist management in fixing the management of that key risk, but it is our view that the directors then need to ask serious questions about the capabilities of the manager being paid to manage that specific key risk.
The weapons in the director’s arsenal in getting assurance that all the operational issues are in hand is in the first instance management, and the second instance the assurance providers.
So how do the directors decide which areas or risks they want the assurance providers to look at? Obviously, in the first instance, only those areas that management have indicated are in fact being managed appropriately. If resources were unlimited, and the cost of the assurance providers are less than R100, the answer is easy – all of them. This is obviously not the case, and it now becomes (like any decision in business) a cost-benefit exercise. Once again, how do the directors make this decision? Is it by working at the operational level of the business for two years to obtain an appropriate level of operational knowledge of the business, to enable them to prioritise different areas? This is clearly impractical. In addition, how do they keep track of all the different assurance providers, and the specific assurance they are obtaining, to holistically guard against over- and underlap (and the commensurate exposure or waste of money)?
They need a mechanism or some sort of management tool, that provides a simple, concise view of the organisation. This mechanism needs to clearly show the objectives of the organisation, to ensure that the starting point, or foundation, is commonly accepted and understood. From the objectives now flow the risks. And let’s prioritise those risks using a commonly accepted rating. The level of detail within this process is fundamental to its success. It must be deeper than “everything is in hand operationally” but less detail than “we haven’t signed every single purchase order this month”.
What is also fundamental to the success of this management tool is that it must now become the focal point of all assurance activities. Management, as well as assurance providers, must provide their assurance against the stated risks in the tool, in the form of a simple “yes” or “no” answer. Is the organisation currently managing the risk appropriately? If the answer is “no”, what do they need to do to for the answer to become “yes”?
This mechanism or tool now provides a foundation to allow meaningful, constructive discussions on the prioritisation of efforts (not just of assurance providers, but also of company resources). Every director can now form and voice an informed, contextualised opinion, and yes, there will be differences. There is a reason why a typical board has a range of diverse skills. A finance person would not necessarily agree with an IT person, who would differ from an operational person with regards to key risks. A degree of healthy debate and differences on an oversight function is very healthy, and necessary. What is unhealthy, however, and very destructive, is if those disagreements are not based on a set of commonly accepted assumptions or principles. Discussions and decisions can go too deep, affecting the delicate operational balance. Or alternatively, decisions can be made based upon incomplete or erroneous assumptions.
What is this wonderful mechanism or tool? It is called a Risk Management Process. It needs to be simple, practical, understood by all, but most importantly, actually used by all as a management tool.
Getting a Risk Management Process in place takes a bit of time, and could be seen as relatively expensive. But, much like implementing an IT system, doing it properly and extensively first time is definitely worthwhile, because the long term benefits to all levels within an organisation can be staggering.
Without a proper Risk Management Process that includes a contextualised feedback process on an oversight level, it is our contention that it is virtually impossible for directors to discharge their full responsibilities towards the shareholder.