Governance lighthouse
2015
Contents

About the Governance Lighthouse

The Governance Lighthouse is a strategic early warning system. This guide provides practical advice and resources to implement successful governance in the public sector. It covers eight principles and 17 key governance components. This guide, produced by the Audit Office, has been produced specifically for State and local government entities in New South Wales. 

This guide provides practical advice and resources on implementing successful governance in the public sector. It covers eight principles and 17 key governance components.

Terminology and references to legislation and directions relate to NSW Government agencies.

The principles and components are based on the ASX ‘Corporate Governance Principles and Recommendations’ and draw from other publications such as the Australian National Audit Office ‘Public Sector Governance – Strengthening  Risk Management Policy for the NSW Public Sector.

The guide also takes into account the 3rd edition of the ASX ‘Corporate Governance Principles and Recommendations’, and the Australian National Audit Office ‘Public Sector Governance – Strengthening Performance through Good Governance, Better Practice Guide. 

Local Government

Local government councils should adapt the best practice principles in this guide to their governance arrangements. 
As part of the NSW Government’s local government reform agenda, amendments to the Local Government Act 1993 (the LGA) have been passed with changes aimed at improving council governance and strategic business planning. The amended LGA also gave the Auditor-General the mandate to audit NSW local councils to support the reforms specifically aimed at strengthening governance and financial oversight in the sector and improve performance, financial management and public accountability. 

The importance of a good governance framework

Good governance promotes public confidence in government and its agencies. The better agencies are governed, the better they will perform and the more satisfied the public will be. Sound governance is paramount to service delivery and the economic and efficient use of public  money. 

Good governance is those high-level processes and behaviours that ensure an organisation performs by achieving its intended purpose, and conforms by complying with all relevant laws, codes and directions while meeting community expectations of probity, accountability and transparency. 

Governance should be enduring, not just something done from time to time. It is important to recognise that implementing a set of processes and procedures will not deliver good governance unless they are accompanied by a good governance culture. The attitudes, values, beliefs, and behaviours of leaders must support good governance. 

Governance Lighthouse - a strategic early warning signal

Public sector governance is about shining a light on what agencies and government are doing and leads to agencies better meeting their obligations to taxpayers and the public. 

Good governance sets a clear direction, a way to get there and tracks progress. It provides independent assurance that management is achieving this direction in an ethical and legal way. Risks and opportunities are recognised and addressed. The rights of stakeholders including the public are respected with open and transparent information on organisational activities and performance. And importantly, the organisation and its leaders embrace a governance culture that focuses on achievement, accountability and ethical behaviour. 

Eight principles and 17 components of public sector governance

Governance Lighthouse

Key stakeholder rights 17 - Key stakeholder management program
Risk management

16 - CEO and management sign-off on internal controls

15 - Risk management program

Remuneration 14 - Remuneration is fair and responsible
Disclosure

13 - Continuous disclosure

12 - Annual report

Corporate reporting

11 - CEO and CFO sign-off

10 - Internal and external audit

9 - Audit and risk committee

Ethics

8 - Compliance framework

7 - Fraud and corruption control framework

6 - Ethical framework 

Structure 5 - Key governance committees
Management and oversight

4 - Diversity policy

3 - Clear accountability and delegations

2 - Regular reporting against plans

1 - Leadership and strategic and business plans

 

Issues

Governance structures need to be independent

Strong governance requires a well-defined set of governance committees responsible for high-level direction and control. Ideally, the structure and purpose of these committees should collectively set organisational direction and provide independent assurance on the performance and conformance of management. This assurance is part of an organisation’s overall internal control framework. 

Many agencies have an audit and risk committee, some also have a board and others have remuneration committees. These committees would usually have a majority of or all independent members. 

Many public sector agencies do not have a board with the agency head taking on many of the roles of a 'board' and being accountable to a minster/s and/or parliament. In these cases, independent assurance functions should report directly to the agency head. When considering independence, agencies should look beyond the position a person holds and consider whether a member has an interest, association or relationship that might materially interfere,  or reasonably be seen to interfere, with the member’s capacity to bring an independent judgement. 

In organisations with no board, management often form executive management committees to oversee strategic and key operational activities and to provide advice to the agency head and minister. In some cases, these committees may appear to take on 'board like' functions such as overseeing the activities of the audit and risk committee and internal audit. This should be avoided as executive management should not be controlling activities designed to hold them  to account for their performance and conformance. The role of the executive management committee should be restricted to achieving organisational outcomes and providing advice to the agency head. 

Governance arrangements in cluster agencies should be clear

Organisational structures and legislation should facilitate the proper governance of public sector organisations. This is particularly important when public sector organisations are clustered with other like organisations. A departmental Secretary usually leads the cluster on behalf of a Minister or Ministers with a chief financial officer (CFO) looking after financial management and reporting. For cluster governance to work properly, the authority, autonomy and accountability for the Secretary and CFO should be clear. 

For example, there may be statutory bodies and State Owned Corporations that report to different cluster ministers, making it difficult for the Secretary and CFO to exercise the expected oversight/control. 

These challenges require government, ministers, boards, departmental Secretaries, head of the organisations, CFOs and management to work together to clarify governance arrangements in clusters to remove ambiguity and ensure the necessary direction and control. 

Risk management should be clearly linked to strategic and business planning

Too often, organisations treat their risk management and strategic planning as separate processes. Strategic risks and opportunities should be a fundamental input to strategic planning.  

However a strategy itself doesn’t manage risks. An enterprise management approach is needed. Leadership, effort by all levels of management and staff, and careful monitoring  by the governing committees are needed to make the strategy a success and properly manage risk. 

Transparency and performance reporting can be improved

The public sector is accountable and should have a culture of establishing and publicly reporting on their performance across the full service delivery chain – inputs, outputs, processes and outcomes. Benchmarks should also be published to show how well organisations are performing against similar jurisdictions and service providers. 

Often public sector organisations publish limited and inconsistent information on their performance. Performance reporting is often internally focussed on processes and tasks, which reduces transparency and excludes the information needs of some key stakeholders. 

Compliance management, internal audit and audit and risk committees

Compliance management continues to be an area needing attention. The Audit Office October 2012 report on internal audit and risk management for the NSW public sector identified that some agencies do not have a formal, documented regulatory compliance management framework. A framework is important as it: 

•    promotes a culture of compliance
•    fosters continuous improvement in compliance processes
•    ensures obligations are met and helps the organisation demonstrate its corporate and social responsibilities.

The absence of a formal regulatory compliance framework was evident in the limited compliance reporting to audit and risk committees. Some committees see very little information on: 

•    key legislation affecting an organisation
•    how management addresses and monitors legal and compliance risks
•    how management identifies breaches and implications.

Agencies were also not promptly acting on internal audit recommendations they agreed to implement nor properly reviewing the performance of their audit and risk committees. 

Audit and risk committees were not meeting with the external and/or internal auditors at least once during the year without management being present. 

Fraud control requires an ongoing commitment

Fraud control requires an ongoing commitment that goes well beyond setting up policies and procedures. The Audit Office November 2012 survey of fraud control identified that some agencies simply ‘tick the box‘ and are not committed to fraud control. To illustrate this, the survey indicated that: 

  • not enough agencies are revising fraud risk assessments when there is a major change to their role or function
  • while a high proportion of agencies have a code of conduct, a much lower proportion require staff to regularly attest they know and understand it
  • weaknesses in fraud awareness and training exist.

Agencies should refer to the 2015 Audit Office Fraud Control Improvement Kit, which consolidates previously issued Audit Office resources into one document and places additional focus on the cultural elements that need to be present to implement an effective fraud control framework. 

Governance lighthouse checklist

Organisations may not need to implement all 17 components of the lighthouse and the level of sophistication required for each component will vary between organisations. Where a public sector organisation decides not to have a particular component, it should satisfy itself that the component is not necessary or develop alternative compensating measures. The reasons for not using a particular component and any compensating measures should be documented. 

How to use the governance lighthouse checklist

Public sector organisations  and universities should: 

  • review their governance frameworks against the governance lighthouse checklist
  • pay particular attention to ensuring:

- governance committees are independent

- fraud and corruption control is part of the culture and not just an exercise.

- there is a formal regulatory compliance framework to ensure legal obligations and central agency policy directions are followed

- performance information on key metrics, inputs, outputs, processes and outcomes is regularly disclosed and benchmarked

- an ethical framework exists that supports all people acting ethically and in the public interest

- risk management is clearly linked to strategic and business planning and an enterprise risk management approach is taken

- governance arrangements in cluster agencies are clear

Lay solid foundations for management and oversight - accountability and service

1. Leadership and strategic business plans

  • Do strategic and business plans or equivalents exist?
  • Are they signed-off by the head of the organisation where relevant?
  • Are they signed-off by the board or executive management committee?
  • Has it been provided to the relevant Minister/s?
  • Do senior executives actively connect staff with the organisation’s purpose (e.g. through forums, attendance at meetings, walking the floor, performance agreements and connecting day-to-day work with purpose)?
     

2. Regular reporting against plans

  • Are written quarterly status reports based on the strategic and business plans or equivalent provided to the head of the organisation?
  • Are reports presented to the board, executive management committee, the relevant Minister/s , staff and other applicable stakeholders?
  • Are results against plans disclosed in the annual report?

3. Clear accountability and delegations

  • Do all staff know what they are to do, for whom, when and to what level of performance – including their obligations under the Ethical Framework for the NSW Government sector?
  • Are delegations documented, regularly reviewed and available to all staff?
  • Are the responsibilities between Ministers, governance committees and management clear and understood?

For agencies with boards :

  • Is there a clear division of responsibilities between Ministers, boards and management?
  • Is the performance of the board periodically evaluated?
  • Is the performance of the board disclosed in the annual report?
  • Are there written terms of appointment for all board members and senior executives?

4. Diversity policy

  • Is there a policy outlining measurable objectives concerning diversity?
  • Is there an annual assessment on how diversity goals are being achieved?
  • Are results against diversity targets published in the annual report?

Structure to add value - accountability

5. Key governance committees

  • Is there a set of well-defined key governance committees responsible for high-level direction and control?
  • An effective governance committee structure for general government agencies will consist of a board, internal audit, an audit and risk committee, and where relevant a remuneration committee to provide independent assurance.
  • Are these governance committees independent of management?
  • If there is an executive management committee, is its role restricted to achieving and reporting on organisational outcomes and advising the head of the organisation?
  • Are the responsibilities and reporting lines for these governance committees clearly understood and documented in a charter?
  • Does each of these governance committees have a chair who is independent of management and a majority of independent members?
  • Do the key governance committees collectively have the required level of experience, capability, independence of mind and diversity to meet the needs of the business and legislative requirements?

For agencies with boards: 

  • Are the chair and a majority of members independent of management?
    A chair or member is independent of management if they do not have an interest, position, association or relationship that might materially interfere, or reasonably be seen to interfere, with the member’s capacity to provide independent judgement. For example, a member would not been considered independent if they:

- are an employee or have a material or recent relationship with the organisation

- had held a senior management position at the organisation in the last three years

- had a material business relationship with the organisation in the last three years.

  • Are the interests, positions, associations or relationships that do or may compromise the independence of the members disclosed, in particular during committee meetings?
  • Are the names, skills and length of service of each member disclosed?
  • Are members inducted and provided with appropriate development?

Act ethically and responsibly - integrity, service and trust

6. Ethical framework

  • Does the organisation follow an ethical framework? For further guidance refer to the Ethical Framework for the NSW Government
  • Is the code of conduct endorsed by the head of the organisation and Board?
  • Is the code of conduct signed annually by all staff?
  • Does the code of conduct cover conflicts of interest, gifts and benefits and secondary employment?
  • Is the code of conduct publically available – e.g. on the internet?
  • Is there a statement of business ethics?
  • Do senior management ‘walk the talk’ on ethical behaviour:

- Is the code of conduct current - has it been reviewed in the past two years or when there is a significant change to the nature of the organisation’s business or its key processes?

- Are staff surveyed on whether:

> senior management ‘walks the talk’ on integrity and ethics issues?

> ethical breaches are dealt with properly and promptly?

  • Do senior management have an open door policy where staff feel safe and comfortable to openly raise questions, concerns or state their views?
  • Do senior management regularly review ethical breaches?

7. Fraud and corruption control framework

  • Is there a documented fraud control framework?
  • Does the framework cover the prevention, detection and response to fraud? For guidance, refer to the 2015 Audit Office Fraud Control Improvement Kit.
     

8. Compliance framework

  • Is there a documented approach or plan that covers how compliance is identified, monitored and reported?
  • Have all key compliance obligations (relevant laws, regulations and government directions) been identified along with their risk ratings and appropriate mitigation?
  • Is there regular reporting to the audit and risk committee on an organisation’s compliance with key laws, regulations and central directions?
  • Are breaches of compliance obligations addressed adequately and promptly?
  • Are all key policies clear, available, regularly updated and monitored for compliance?

Safeguard integrity in corporate reporting - accountability and service

9. Audit and risk committee

  • Is there an audit and risk committee that meets the requirements of Internal Audit and Risk Management Policy for the NSW Public Sector including its establishment, role and responsibilities and processes for the selecting, appointing and rotating independent members?
  • Does the committee examine the adequacy of corporate as well as financial reporting?
  • Is the internal and external auditor invited to attend all audit and risk committee meetings?
  • Do executive management appreciate the independence and role of the audit and risk committee?

- Does the audit and risk committee have full access to all relevant information, staff, internal and external reviewers?

- Is executive management’s role restricted to achieving organisational outcomes and providing advice to the organisational head?

Executive management should not take on 'board like' functions such as overseeing the activities of the audit and risk committee and internal audit, as these activities are designed to hold them to account for their performance and conformance.

10. Internal and external audit

  • Is there an internal audit function that meets the requirements of Internal Audit and Risk Management Policy for the NSW Public Sector including the role, responsibilities, authorisation, activities and reporting relationships? 

    Internal audit should provide assurance to the head of the organisation and the audit and risk committee that financial and operational controls properly manage risks and achieve objectives and are operating in an efficient, effective and ethical manner. 
  • Is the internal audit plan publically available, e.g. on the website?
  • Are internal audits completed in accordance with the plan?
  • Does executive management facilitate and respond constructively to reviews, findings and their recommendations?

- Are recommendations or corrective action implemented on a timely basis?

- Are key review findings and agreed recommendations available to the public?

- Is internal audit able to access sufficient skills and experience?

11. CEO and CFO sign-off of financial report

  • Has the CFO and head of the organisation certified that the financial records of the entity have been properly maintained and that the financial statements comply with the appropriate accounting standards and give a true and fair view of the financial performance and position?
  • Have the head of the organisation and CFO signed the management representation letter and forwarded it to the external auditor?
  • Where a board exists, has the head of the organisation and CFO provided a similar representation?

Make timely and balanced disclosure - integrity and accountability

12. Annual report

  • Has the annual report been forwarded to the relevant Minister on time?
  • Has the annual report been tabled in Parliament on time?
  • Is the annual report published on the organisation’s website?
  • Does the annual report include performance information on key metrics, inputs, outputs, processes (i.e. quality control etc.) and outcomes?

Make timely and balanced disclosure - integrity and accountability

13. Continuous disclosure

  • Is there a documented continuous disclosure policy that is endorsed by the head of the organisation and board?
  • Does the policy provide for regular disclosure of performance information on key metrics, inputs, outputs, processes (i.e. quality control etc.) and outcomes, in addition to the annual report? E.g. regular publication on the internet.
  • Does the policy promote the disclosure of positive and negative information?
  • Has the policy been reviewed in the past two years or when there is a significant change to the nature of the organisation’s business or its key processes?
  • Is the policy published on the organisation’s website?

Remunerated fairly and responsibly - accountability

14. Remuneration is fair and responsible

  • Is the head of the organisation’s remuneration linked to achieving the strategic and business plans or equivalent?
  • Are the head of the organisation’s direct reports’ and staff’s remuneration linked to achieving the strategic and business plans or equivalent?
  • Is there a remuneration committee with independent members?
  • Does the remuneration committee have a charter? Ideally, the committee should oversee whether remuneration policies are fair and responsible.
  • Is the policy for remunerating senior executives publically disclosed along with the remuneration and performance of senior executives (e.g. in the annual report)?

Recognise and manage risk - accountability

15. Risk management program

  • Is there a documented risk management policy and has it been endorsed by the head of the organisation and board (where one exists)?
  • Is the risk management framework appropriate and consistent with the Risk Management Toolkit for the NSW Public Sector?
  • Has the organisation adopted an enterprise risk management approach?
  • Is there a strong risk management culture:

- Is the risk management framework reviewed at least annually or when there is a significant change to the nature of the organisation’s business or its key processes?

- Is the risk management framework clearly linked to strategic and business planning?

- Does the organisation document and have a shared understanding of its risk appetite?

- Do individual staff members accept personal responsibility for identifying and managing risks in their area?

- Are risks actively monitored and mitigating controls implemented?

  • Do risks include any material exposure to economic, environmental and social responsibility risks?

Recognise and manage risk - accountability

16. CEO and management sign-off on adequacy of internal controls

  • Have senior management provided the head of the organisation with a sign-offs on the operation of internal controls to support the head of the organisation’s sign-off?
  • Has a signed statement on the adequacy of an organisation’s internal controls been published in the organisation’s annual report?

Respect the rights of key stakeholders - accountability

17. Key stakeholder management program

  • Is there a documented program to facilitate two-way interaction with key stakeholders and the public?
  • Is the program reviewed annually, or when there is a significant change to the nature of the organisation’s business or its key processes?
  • Is information about an entity’s functions, key policies and practices, and governance structure freely available? – e.g. published on the web – additional to the annual report
  • Is there a complaints handling policy and procedure and are these publicly accessible and easily understood?
  • Are there prompt responses and actions towards complaints and grievances?

Footnotes

1 Audit Office of New South Wales, October 2012,Compliance Review Report – Internal Audit and Risk Management for the NSW Public Sector, Auditor-General’s Report to Parliament, Volume Three. 
2 Audit Office of New South Wales, November 2012, Fraud Survey for the NSW Public Sector, Auditor-General’s Report to Parliament, Volume Seven. 
3 Brown, R. and Gorgens, T. March 2009, Corporate Governance and Financial Performance in an Australian Context, Australian Government Treasury Working Paper 2009-02.