Have you visited ABC Place on Waiyaki Way? If you happen to be driving there you first arrive at a poorly designed ticketing booth, maneuvering your car to an impossible angle that will enable the driver’s window to align with the knob you need to press in order for a parking ticket to emerge. Having just missed scraping the ticketing booth with the front bumper, you lurch forward and find polite but firm security guards who do a car search. These astute and fairly discerning gentlemen request you to open your door, open all the passenger doors, throw a bleary eye into the glove compartment and subject the boot of your car to a physical search. Once done, they will cheerily wave you off. Wait. If you have a handbag, or any other bag in your car, they will not subject it to an internal search since handbags in cars purportedly do not present clear and present danger. So the other day I take a taxi to ABC Place and as we are approaching the vehicular entrance via the deceleration lane, the taxi driver politely asks if I can disembark before he drives in. Why, I ask? He says that if he drives me inside he will have to pay for parking even for the 2 minutes it would take for me to haul myself out. Being of reasonable extraction, I obliged him and stepped out and watched him fishtail out of there in relief. I walked in as if to enter and those usually polite-because-I’m-in-a-car security guards stopped short of baring their teeth at me. I was informed in no uncertain terms that pedestrians have their own entrance, round the back towards the parking exit. I tottered all the way back towards said entrance and had to go through a turnstile, handbag search and security black magic wand over my body. I learnt a valuable lesson that day. Security threats via individuals are to be found more from pedestrians with handbags than occupants of motor vehicles.
Why do I narrate this long and unnecessary soliloquy? Boards of Directors are often managed in a similar manner. I have avoided commenting on the Imperial Bank saga largely because it is difficult to fathom and erroneous to paint a broad brush of culpability on the entire board of directors. It is always an enormous reputational risk that individuals assume when agreeing to join any governance board as they are lending their name to the purported governance mechanisms that the organization subscribes to. To the outsider, a board denotes oversight and accountability and a safe pair of hands that stakeholders have entrusted to protect the organization from unfettered management excesses. But the directors as a collective are in exactly the same position as the security guards at ABC Place. They open doors and check the boot and glove compartment, seeing as much as is physically possible with the naked eye.
The pedestrian body search is done at board committee meetings. Greater detail is discussed and more time is spent with management in understanding the scope of financial and operational issues that the organization encounters. But it is critical to note that the operating system of any institution, just like the engine of a car, can be compromised and it would take a forensic investigation or Oketch your car mechanic to open it up and figure out why that catalytic converter light keeps coming on when your driving at 87 km/h. The management of any organization is the actual owner of the business while shareholders are just owners of capital. The management can deliver or destroy value. Management can aim to execute with integrity but still have a few bad apples that sing from a fraudulent hymn sheet against which tight internal controls and compliance should ideally act as a gatekeeper.
Board directors see what the owners (read management) of the car want them to see. A clean boot, an empty glove compartment and a sparkling interior. The engine may be compromised but the car is running smoothly, or so they think. No smoking gun, no grenades. As a director, you only see what management wants you to see. You can ask questions – very hard questions- but if a (manipulated) system generates legitimate reports that are used to guide board oversight then raking directors over hot coals for poor oversight is placing them in a difficult position. Directors spend less than 3 days a quarter providing oversight on a company’s operations. They do not have access to any of the operating systems, nor should they have. They do not have signing powers over any of the bank accounts, nor should they have. But they do carry a heavy responsibility to ask the right questions and demand audits or deeper external investigation where they get a sense that something is not right.
Now if those that are charged with undertaking those external audits are themselves compromised, then the board’s goose is collectively cooked. I have had the pleasure to professionally engage with audit firms during various board assignments. The role of the auditor is to review the processes with which the financial accounts have been generated, to test the assumptions being made by management as well as to interrogate the inputs into the system and the outputs therefrom. If that system has been compromised at the highest level, you’d need the x-ray vision that our security guards are purported to have to assess handbags in cars. A lot of responsibility is placed on audit firms to be all seeing and all knowing. Collectively heaping blame on auditors whose mandate cannot cover running end-to-end tests of all transactions passed is a flawed abrogation of duty. Whose duty is it then? Is it the board, which only comes in four times a year to provide oversight? Is it the shareholders, who have delegated oversight authority to the board and only come together during the annual general meeting? Or is it management who, in actual truth, are the true owners of the business?