Governance ensures your company operates effectively in alignment to your objectives.
In the earlier stages of a company, your culture holds it together. You hire passionate people, that align to your vision and goals, and the smaller team size gives you greater influence and oversight of your people.
Company culture continues to be important from a startup through to a public global enterprise. But that culture gets diluted and harder to manage as the company grows.
If you’re not familiar with culture, it’s the concept of shared beliefs, attitudes, and the standard practices or customs of your employees. It’s hard to identify and measure, and therefore hard to manage.
It’s widely believed the most important factor in culture is the “tone-at-the-top” (ie. the leadership). That’s epitomised when you see an impressive leader at the helm of an impressive high growth unicorn. They manage to scale at light speed while keeping employees aligned and performing to the best of their abilities. There’s various components that support culture like well-aligned incentives, good leadership at all levels of the organisation, clarity of goals, responsibilities and operating practices and ensuring there’s ownership and accountability. The purpose of this post is not to explain all things culture; but to highlight the importance of governance that nurtures and manages your culture in a formal way.
So what is governance?
Basically, all those things just mentioned. It’s the systems and processes that gets your employees aligned to your business goals, and monitors and corrects diversions before it becomes a new cultural norm of the wider organisation.
The basic elements of people management are having a clearly defined and articulated organisation chart with teams and reporting lines and defined job responsibilities so everyone knows where they fit. The boundaries and expectations of their role are important to understand to work effectively in the broader team(s).
The communicated company objectives and performance measures set out the bigger picture goals that they are in some way supporting. And the defined policies and procedures including the Code of Conduct and Disciplinary Policies clarify the boundaries and expectations of employees within their roles and more broadly.
Employee performance reviews are a practice for review and feedback on the individual behaviours and activities of employees to encourage the right behaviours and correct those that don’t fit the culture or goals of the business.
There's other elements related to how to source the right people in the first place, the Hiring and Onboarding Policy, Onboarding checklists, and sign offs on the Code of Conduct and Acceptable Use Policy. Then there's training plans, security awareness training and other ongoing skillset development practices for your people. These are covered in more depth in the Best Practices: Attracting, Developing and Retaining Talent.
Operational management meetings can happen at an individual team level, senior management meetings across all teams, and Board of Director meetings at an independent oversight level. They each apply the same principle of employee performance reviews, but at a higher level looking at teams and the organisation as a whole. Company-wide meetings are also a great opportunity to nurture culture; often less about correcting diversion and more about proactively keeping everyone aligned to the goals and culture of the organisation. See our Best Practices: Management Meetings where we explore these meetings in more depth.
The SOC 2 perspective
The control practices discussed in this post, fall within the Control Environment criteria, with some overlap to the Information and Communication internal comma criteria. The bolded text above are control practices often included in SOC 2 reports to support these criteria.
COSO Principle 1: The entity demonstrates a commitment to integrity and ethical values.
COSO Principle 2: The board of directors demonstrates independence from management and exercises oversight of the development and performance of internal control.
COSO Principle 3: Management establishes, with board oversight, structures, reporting lines, and appropriate authorities and responsibilities in the pursuit of objectives.
COSO Principle 4: The entity demonstrates a commitment to attract, develop, and retain competent individuals in alignment with objectives.
COSO Principle 5: The entity holds individuals accountable for their internal control responsibilities in the pursuit of objectives.
COSO Principle 14: The entity internally communicates information, including objectives and responsibilities for internal control, necessary to support the functioning of internal control.
AssuranceLab's Best Practices Series
AssuranceLab's best practices series, is about highlighting the "real operational benefits" that comes from effective control practices. At best, they support your company culture, provide structure and clarity, and enable scalable growth. At worst, they tick the box of what your customers expect, reduce the reactive "firefighting" and time-wasting, and help you demonstrate your compliance with leading standards like SOC 1, SOC 2 and ISO 27001.