Governance is critical to every company and operation. Whether we are talking IT, accounting, manufacturing, or especially sales, assuring that employees’ behavior and company assets aren’t being misused, and employees aren’t being abused, is critical to the successful operation of the entity.
Having been in internal audit teams and often failing to fix known problems because calling out the problem is career limiting (even for someone in the relatively well-protected audit department), watching Facebook’s board struggle with Facebook behavior has been painful. And, in this instance, it isn’t that Facebook’s Oversight Board lacks competence or the will to make a difference; it’s that they lack the authority to make that difference, mainly due to Facebook’s internal structure, and they are redundant to Facebook’s equally crippled Board of Directors.
This week, let’s talk about the problems associated with a mismatch of responsibility and authority related to oversight.
Why it is Important to have oversight
We are watching several whistleblowers in the US and UK eviscerate Facebook for practices the company should have eliminated. This behavior isn’t unusual. Managers and employees act out because they are human, after all. You have internal controls and oversight to ensure this behavior is caught before it does damage, and to create a clear and present disincentive to bad behavior. For instance, people who know the police are watching don’t speed, but if they think no police are around, roads become racetracks, and things can get dangerous. In large companies, when employees or executives believe they can act with impunity, things can get way out of hand, as we have seen on Facebook.
An oversight board, if properly provisioned and supported, gives you two defenses. It shows you take eliminating bad behavior seriously, likely forming a protection against a charge of negligence. In addition, you are more likely to find and fix problems before a whistleblower or regulator calls them out and makes your problem public. (Even if you get a whistleblower, you are more likely to be aware of and already working to fix the problem, which can significantly reduce the damage a whistleblower can do to your brand and reputation)
Setting up oversight
When setting up an oversight board or any group, like internal audit, that identifies and eliminates destructive behavior, you need three things.
First, the people on that board need to be qualified to do the job. When IBM set up my team, it handpicked CPAs and MBAs who had experience as investigators and managers.
Second, the board or group must have the authority to act in management as internal consultants. In my team’s case, we dotted line reported to both the CFO and board, which backs us up. This reporting structure means that when a problem is discovered, the board can act to mitigate the problem even if that problem was the CEO. When we caused an employee to be terminated at IBM, we replaced that employee initially out of our ranks. This replacement policy ensured we weren’t frivolous with our power because we tended to own the fixes we proposed.
Third, and finally, you need complete access to pursue an investigation wherever it goes. If there is enough information flowing in, you can identify potential problems before those problems become public knowledge.
If any of these elements are left out, the oversight board, or whatever you call them (in our case, we were called a Tiger Team, but our function was the same), is essentially useless. Ideally, and this is something we didn’t do that we should have done, the team should be made up of people at the end of their careers because you don’t want team members having to choose between doing what’s right and losing their jobs.
I recall one instance where I was investigating a rather significant theft. I was told I could pursue the investigation and would likely win but would sacrifice any future in the company I might have by doing so. That threat came from my boss. He wasn’t trying to cover up anything so much as he was concerned that I was likely committing career suicide. His concern wasn’t about the theft; it was about the fact that another more senior executive should have caught it and, being vindictive, that executive would likely want to have me fired.
Where Facebook’s board is broken
Facebook’s oversight board is well staffed by experienced executives and people who don’t appear to have a career at Facebook outside of that board. However, they don’t have good access to information and seem to be dark about Facebook’s harmful practices. They also don’t have sufficient authority to act; they can only recommend.
Finally, Facebook’s ownership structure makes Zuckerberg more of a sole proprietor than a CEO. Most voting shares in perpetuity belong to him. This ownership structure makes it impossible to rein him in, and CEOs often misbehave if they believe they can’t be touched. While most of them can be fired, Zuckerberg can not, which creates a significant governance problem for Facebook’s board and shareholders. (Even Zuckerberg has effectively gone on record pointing out this problem).
This situation is similar to the problem we had earlier with risk managers responsible for mitigating company risks but had no authority to execute that responsibility, leaving them unable to protect the financial companies they reported to from the sub-prime mortgage catastrophe of a few years back.
This deficiency highlights the Facebook’s board’s real danger: making it look like Facebook’s board lacks both the authority to act and timely access to information, rendering their controls ineffective.
Every large company must have active internal oversight to prevent problems and abuses that commonly occur from becoming catastrophic. But to function, that board or team must be staffed by experienced people who don’t have a career path back into the company and have near-total access to company information to identify and then research potential problems. They must have the authority to act against ANY employee, including the CEO if that employee misbehaves.
Here’s a final thing I’ve observed from my own experience. As a team at IBM, we were exceedingly effective, so much of our time was spent investigating the executives’ problems. More times than not, our investigations began with a call from the executive that ran the unit we were investigating. But we were disbanded and replaced because some executives felt that if we went away, they’d look better.
I’ve seen many compliance teams end this way, and the result has always been awful for the company, suggesting that those performing the role of oversight also need to be grandfathered into unbreakable policy. Otherwise, they’ll eventually be eliminated to stop the appearance of problems, even though that will only ensure those problems will never be addressed.