First published Oct 6th 2011
Our recent past is littered with large scale systemic failures, each of which has led to probing reviews, a myriad reports and the inevitable rewriting of regulation, each time marking a new dawning of governance and protection for innocent casualties. Maxwell! Enron! Clapham! Barings! Baby P! Bristol! Alder Hey! MidStafford!
In some ways the review findings are predictable. Technology has enabled practice to outstrip and outsmart the regulator. The regulator caught napping! Regulators essentially caught colluding with the deceit – Enron was the first of these to reach my consciousness.
When you peel the layers away, every one of these is a failure of risk management process. Inadequate consideration of, and planning for, the risk that things might not work out as we want them to. Insufficient integrity in those controls which should have been starting to glow red as the likelihood of impending failure rose. Insufficient emphasis on assurance – that triangulation process which seeks independent confidence that all is well.
But then, risk management is too easily relegated to the “process nerds” who interfere with innovation and shun entrepreneurial flair, demand that proper time is allocated to consider complex issues in depth.
An opportune moment perhaps to rewrite that perception?
In 2009, Sir David Walker’s report on the failure of banking recorded some of the most memorable words from a governance review:
“……improvement in corporate governance will require behavioural change in an array of closely related areas in which prescribed standards and processes play a necessary but insufficient part. Board conformity with laid down procedures such as those for enhanced risk oversight will not alone provide better corporate governance overall if the chairman is weak, if the composition and dynamic of the board is inadequate and if there is unsatisfactory or no engagement with major owners. The behavioural changes that may be needed are unlikely to be fostered by regulatory fiat, which in any event risks provoking unintended consequences. Behavioural improvement is more likely to be achieved through clearer identification of best practice and more effective but, in most areas, non-statutory routes to implementation so that boards and their major owners feel “ownership” of good corporate governance.”
Earlier this year, Professor Eileen Munro reported on the circumstances of the Baby P tragedy, concluding that the child protection system had been built up of layer after layer of so-called assurance, which ultimately diverted attention away from the very purpose for which the processes existed, recommending that energy in safeguarding needed to be brought back to its core aims:
“These forces have come together to create a defensive system that puts so much emphasis on procedures and recording that insufficient attention is given to developing and supporting the expertise to work effectively with children, young people and families”; and:
“instead of ‘doing things right’ (i.e. following procedures) the system needed to be focused on doing the right thing (i.e. checking whether children and young people are being helped)”
Can the combination of Walker and Munro mark a sea change in thinking about risk management and governance? Yes, process is an important part of the story, but it can never be seen as more than just a part.
I have a few simple mantras which, if applied in a few more places could improve effectiveness. One of these applies here. Information rarely gives you answers – it simply helps you understand and formulate the important questions to ask!
Put simply, it is the duty of management to use the best available information and evidence, combine it with experience and professional judgement, and subject it to peer review from as wide a cross section of perspectives as practical. That for me is a statement of good governance and the duty of both individual managers and whole boards.
So, when we read the litany of misfortune and the apparent disarray within CQC, we have to be worried, even after stripping out the undoubted misreporting, exaggeration and sensationalising of the telling.
Easy to make a transcription error that puts the wrong number down for the number of inspections carried out last year, but impossible to misjudge your core business by a factor of two! Valuable for board members to be setting aspirational plans for how they want to see processes becoming more consistent and controls being tightened, but unacceptable to then misjudge the gap between today’s reality and that future goal. Commendable to see an internal review conducted when staff properly raise concerns about process quality, and easy to understand why sharing such a review publicly would need careful handling, but impossible to see how an organisation whose very raison’d etre is to provide public assurance, could misjudge the importance of transparency and consider disciplinary action as a first resort.
And the biggest question of all! What can be done to enable the CQC board to achieve Walker’s sense of “ownership of good governance”, to generate an effective balance between process and culture, when the government imposes increasing demands, expands the scope and reduces resources at the drop of a hat? Where is the meaningful consideration of risks, the integrity of the controls and the confident, independent assurance and exercise of professional judgement. Surely, at the very heart of this governance minefield, it is ironic indeed to see the Department of Health acting almost in the role of Shadow Directors of CQC, removing the very ownership the board should have in determining how to square this shrinking circle!
This feels to me to be the very antithesis of the assurance process for which CQC exists.