Corporate Governance Risks: Learning from shared experiences

15 July 2020

How many times when you were growing up did your parents caution you, or indeed, have you said to your own children ‘don’t make the same mistakes that I did, learn from my experience’?

It’s the same with governance. The experience of organisations in both the private and public space has contributed to the development of corporate governance in the UK. Incidents of corporate malfeasance relating to Maxwell, Arthur Andersen, Enron and, more recently, Carillion, BHS and Sports Direct have helped to shape our domestic corporate governance landscape.

But do the organisations that we run and work with make use of such events to critique their activities and values and challenge the way that they do things? Perhaps not. How effectively do they include lessons learnt and benchmarking data (where available) from outside their organisations in their risk analysis? Do they proactively ask themselves ‘how do we know this couldn’t happen here?’ Or do they just hold a post-mortem when things go wrong?

The Charity Commission has recently published its adjudication following its regulatory investigation of The Royal National Institute of Blind People (RNIB). The issues raised by the investigation are numerous. On the back of this, The Commission has written to hundreds of charities to warn them of the risks of weak governance. The full report is worthy of a read and can be accessed here.

Simply put, it is a call not to make the mistakes that many other charities have made. Whilst the guidance is aimed at large service delivery charities, there are lessons to be learnt for all organisations, irrespective of scale, structure, maturity and sector. There are so many benefits of good governance – corporate longevity, achievement of objectives, happy stakeholders, financial viability and a good reputation amongst them.

As internal auditors, the issues in the RNIB adjudication come as no surprise to us. We come across them in our work every day. On this basis, why is it that we seem to be unable to influence proactive change amongst the organisations that we work with? The truth is, there is no singular answer to that. Competing priorities of resources, time, focus and a whole host of structural and cultural factors conspire to create a perfect storm and can easily lead to a full blown crisis. Though Internal Audit can help, this is contingent on having the necessary access, being seen and used as a trusted adviser and having a seat at the table where the decisions are made. We have a contribution to make far beyond the audit plan.

However, delivering assurance through the annual internal audit plan continues to have value. A common thread amongst corporate governance failures is sanitised management information. Unsurprisingly, there can be a reluctance to willingly share bad news! Including consideration of the quality and veracity of data used for decision making, either as a standalone review or within the scope of another audit review, can send a message that the assurance framework is taken seriously within the organisation. It also enables the Internal Audit function to lead trustees to the gaps so that they can be addressed before a crisis emerges. We have distilled below what we see as some of the headline corporate governance themes arising from the RNIB adjudication, which are appropriate for organisations with both singular and group structures to work through in considering the risks associated with weak governance.

The themes below offer some questions you might want to use to stimulate conversations amongst your senior management teams, audit committees and boards around corporate governance risks, to challenge yourselves and to ensure you are benefiting ‘from the experience of others’.

Appropriate Leadership

  • When was the last board effectiveness evaluation/ governance review - either internally or externally facilitated? Have the results been actioned?
  • Does the governance framework enable the board to discharge its responsibilities? Do the members understand those responsibilities?
  • Are governance arrangements (such as meeting frequency, board size etc.) adequate given the complexity of the organisation and scale of activities?
  • Is the organisational structure overly complex or unwieldy?
  • Does the Board have adequate oversight over subsidiaries, the highest risks and regulated activity?
  • How does the Board receive assurance? Is the coverage of that assurance adequate in relation to the complexity and structure of the organisation?


  • Is there a clear and unambiguous scheme of delegation in place? Does the scheme of delegation ensure that the Board has visibility of and accountability for the most pressing and risky areas of activity?
  • Are important risk areas delegated to second tier governance committees?
  • Is the work of the Group aligned, with consistency as far as niche activities allow, or is there a great deal of autonomy over which there is little visibility or oversight in governance terms?
  • Is the Board responsive and able to take decisions swiftly where needed?
  • Is there a rolling governance action plan in place to capture and monitor governance issues as they arise until resolution?
  • Is there a coherent strategy and business plan in place?
  • Has sufficient foresight been exercised in developing strategy, including change management and the necessary resourcing?
  • Is sufficient time set aside in governance meetings to cover strategy?
  • Is the Board easily distracted by operational matters/ caught up in detail?
  • Is the strategy periodically reviewed and sufficiently agile?

Risk Management

  • Is the organisation appropriately sighted on risk with regular identification, assessment and monitoring across the governance structure and subsidiary organisations?
  • How does the Board engage with risk? Has the Board considered its appetite in relation to its risks?
  • Does the risk register cover all the relevant activities, particularly where there is a group structure in place?
  • Is there a silo approach to risk where there is a group structure?
  • Does our risk horizon scanning take account of lessons learnt in the PESTLE environment?


  • Is staff recruitment and induction robust and fit for purpose in terms of communicating organisational expectations? Are staff qualified to do their role?
  • What is the ratio of employed vs agency staff?
  • Do staff receive job-specific training which is periodically re-run?
  • Has there been a recent staff survey?
  • Are there effective systems for complaints management and the raising of concerns? Does the Board receive management information on this? Are there effective data management systems in place?
  • How are records maintained? Are there detective controls in place to ensure compliance?
  • Do the procedures in place provide adequate management and oversight of staff management in all parts of the structure?


  • Is the organisation clear on its organisational culture and values?
  • Is there a consistent Code of Conduct in place, and are the values set out therein promoted and championed across the organisation/ group structure? Is there ‘no tolerance’ where poor behaviours/ practice are exhibited?
  • Is there a culture of trust and honesty throughout the organisation?
  • How are culture and values disseminated throughout the organisation?

Reporting & Monitoring

  • Is there centralised collection of management information relating to high risk/ regulatory activities? Is it meaningful and has its veracity been tested?
  • Does the Board have SMART management information available to it, covering the full range of organisational activity, particularly high risk and regulated activities, to support its decision making?
  • How do subsidiary entities report into the governance structure, most particularly the Board?

Financial Management

  • Has the organisation defined its financial strategy through a long term financial plan and forecast? Is there a process in place for reforecasting?
  • What is the strategy around reserves? Is it sufficient to meet the costs associated with any creditors, staff and closure? Is the organisation operating with a deficit year on year?
  • How robust is financial reporting? Does it flag financial risks? Are reports both quantitative and narrative?
  • Are there members with financial expertise on the Board? Has the Board received any financial training so that members understand what they are looking at?
  • Is there a Finance Committee in the governance structure which has adequate time to properly consider the organisational finances?
  • Is financial control sufficiently robust?

Regulation & Inspection

  • What assurance is there over regulatory activity and compliance outside of external inspection?
  • Is there an over-reliance on the inspection regime/ is it taken seriously? Or is external criticism dismissed?
  • Is the organisation an honest broker in terms of proactive transparency with regulators where there are emerging and serious issues?

Audit & Internal Control

  • Is there an internal audit/ inspection regime, and is it respected/ does it have the appropriate profile within the organisation?
  • Is there a risk, assurance and compliance function within the organisation?
  • Is the audit regime independent with the autonomy to undertake work in all parts of the organisation (including subsidiary bodies)?
  • Does Internal Audit have freedom of access to the CEO and Audit Committee?
  • Are recommendations arising from Internal Audit taken seriously with responsibility for action allocated at senior management level and implementation within agreed timelines?