Actions are dictated by values. Identifying organisational values – both proclaimed and
actual – will assist an organisation to ensure that most, if not all, of its actions are
commensurate with these values, and enable it to put in place a robust structure to support
the ‘operationalisation’ of its values.
Many governance and risk management problems for multinationals and companies trading
far from their home base, for example, arise because of differing value systems. A
governance and risk management audit helps an organisation to establish clear guidelines
about the limits of acceptable behaviour which are consistent world-wide, while recognising,
where appropriate, local social differences. In other words, a governance and risk
management audit articulates the core values of an organisation, and assesses the
consistency of their internal and external application: internal with respect to what the
company or organisation says about itself in its various documents, such as statements
about mission and conduct; external with respect to how they act in their host societies and
internationally.
A governance and risk management audit always begins internally, with a review of ‘paper’,
‘processes’ and ‘people.’ The findings of the audit are then tested out with stakeholder
groups, to ensure that the values base is one which is shared by, or at the least acceptable
to, key stakeholders. The results provide important management information, and can (and
ideally should) be used to report on the organisation’s social and/or governance
performance, either as part of the Annual Report or as a supplementary report.
In this assessment, you are asked to conduct a governance and risk management audit of
an organisation with which you have had some association. It could be a large company, a
family business, a school, a hospital, a not-for-profit organisation. It could be any
organisation that provides a service or conducts any form of social activity that involves:
1. Some form of statement about what it does and its commitments. This could be a company
or organisational mission statement; or marketing material; or any document in which the
organisation defines its commitment to abiding by the law, or certain moral codes, or
specific cultural or communal commitments. In other words, anything that articulates what
the company/organisation stands for with respect to governance and social responsibility. It
might be as generic as saying, as Google does, “do no evil”, or as specific as BHP Billiton’s
commitment to observing best practice in land remediation of spent mines;
2. Some level of financial management and accountability. This can be at a very high level for
a large company, or very modest in a small family business. Either way, there has to be
some level of financial or resource accountability, and some level of responsibility for what
the organisation does in the conduct of its activities;
3. A recognised set of risks to the organisation’s well-being, or to the interest of its
stakeholders, that are articulated in some way, whether in the form of an organisational risk
management strategy, or some other less formal method of assessing and addressing
organisational and/or stakeholder risks.
4. A defined set of services or products. That is, the organisation’s outputs – what it offers its
clients or customers;
5. A customer or client base. There must be some customer or client base for the audit to
make sense, and this needs to be identified, namely, whom the organisation serves or
supplies.
6. Some level of management structure or identifiable managerial accountabilities
responsible for organisational governance and risk assessment and management.
For our purposes, an anarchic group of people just doing things for the sake of it to
help others, or themselves, but with no formal structure, is not a suitable subject for
this exercise. There must be some specific roles and accountabilities, even if poorly
defined.