Monthly Features: What's New? | Guest Speaker | Real-Time Chronicles
|Featured Guest Speaker
Posted: January 28, 2005
William L. Livingston, PE
aka Bete Noire Engineering
William Livingston is author of Friends in High Places, New Plague, and Have Fun At Work; with a book in process tentatively called Amicus Rex, about the engineering/law relationship. He is a Professional Engineer with more than 100 patents to his name, and has extensive background in the Energy and Utility sector.
From: William Livingston
Sent: Thursday, January 27, 2005 8:05 PM
Subject: Commentary on your "Draft OECD Guidelines on the Corporate Governance of State-Owned Enterprises."
The following responds to the request for comment on your “Draft OECD Guidelines on the Corporate Governance of State-Owned Enterprises.” As a registered professional engineer and member of the Institute of Internal Auditors, I am a scarred veteran in the design of internal control systems for contemporaneous compliance. Comments were previously supplied in response to your corresponding 2004 project concerning the “OECD Principles of Corporate Governance.” As your draft articulates, governance distinctions among institutional types appear only at the second remove. From an architectural and functional standpoint, all institutions are the same – equally at the mercy of their culture.
Comments are restricted to the control strategy of the guidelines and assumed that the compelling purpose of the guidelines is stakeholder protection paramount, as stated. Since the approach taken by the OECD toward this end is conventional regulatory agency practice and thoroughly proven to fail, commentary on pieces and parts of the guidelines, many excellently constructed, would be senseless.
As you have defined, “A crucial condition for protecting minority and other shareholders is to guarantee a high degree of transparency.” The transparent attribute for corporate governance and institutional management, through internal control, is peppered throughout your guidelines. “As in large public companies, it is necessary for large SOEs to put in place an internal audit system that will bring a systematic and disciplined approach to improve risk management, financial control and governance processes.” The improvement sought is, exactly, transparency. It acts as a solvent of the clots of intellectual confusion, prejudice and misrepresentation.
To an engineering professional seasoned in control science and mechanics, a transparent internal control system for contemporaneous compliance has a completely objective technical specification. Genuine transparency begins only when all illusions end. Such a system incessantly audits itself, which is how the contemporaneous requisite is attained. There is nothing subjective or ambiguous about any system of control (governance). There is no degree to the transparency attribute in a compliance control system. “Translucent” controls don’t regulate part way: they don’t work at all. There is only one standard of transparency, not low or high, and it is yes or no. Non-transparency amounts to a borrowing of trouble.
To the professional practitioner engaged in data-driven contemporaneous compliance, transparency is not a tally of transpired transactional consequences. It is not a tour of the factory to see how things eventually get to the loading dock. Transparency is the complete institutional control system strategy for dealing with the future. Pragmatic transparency, readily attained, is an idiosyncratic amalgam of 1) institutional objectives 2) the institutional problem-solving strategy 3) the value system used to choose among the alternatives of control action 4) the associated risks of future disturbances. All else is obstruction.
For the practitioner of pragmatic transparency, there is a psychological price. What could be more threatening to false institutional distinctions than a transparent process that makes no cultural distinctions? What is more institutionally alien than an impersonal mode of cognition which has a logic and independent reality apart from the user?
The limits of rules of action
To attain the goal of stakeholder protection, as it is defined through contemporary litigation, two dissimilar sets of “critical success factors” are involved. The first familiar category, expressed in regulations, contracts and statutes, is hindsight-driven rules of action. Your guidelines are filled with them. Rule-based operations (internal control) form the core of institutional process where regulating rules appear as just another item in the rule spectrum for selecting what action is to take place for the next work cycle. Regulatory process and institutional process is one and the same thing – seamlessly interchangeable. Rule-based conduct is always based on the wreckage of history with a large time lag between events and salvaging efforts on event consequences. The residuum of damage response always cycles back in the form of more rules.
In codes of professional conduct, “protection” is defined as damage avoidance or proactive damage attenuation to the extent damage is considered incidental by the stakeholder. Stakeholders are very difficult clients. Comprising a gullible public living in a culture that welcomes engineering virtuosity while resisting social change, they certainly need an advocate.
Hindsight driven rules of action are restricted in utility for stakeholder damage control, of course, to events that replicate previous experience. To account for the novelty intrinsic to every future, the second category of law, tort, covers the requisite competency of “pragmatic foresight.” This critical success factor mandates forward looking procedures that examine possible events in the future and evaluate control means to deflect the possibility of negative stakeholder consequences. Attaining the intended goal of protection, as enjoyed by the stakeholders, must comprise both hindsight and foresight practice. The OECD guidelines, bloated with brute force rules of action, indirectly reference the essential future dimension by frequent use of the outlook code word “transparency.”
The challenge of the stakeholder protection objective
The basic assumption that an institution is capable of doing anything it desires to do is patently fallacious. As for any viable system, the institution can only do those tasks compatible with its identity as an economic system than runs on noneconomic motives. It is as misleading to assume the institution rules by the law of value as it is ruled by the value of law. There are absolute limits to the problem-solving capabilities of hierarchical formations operating by a chain of command. No law of man can change those limits. To require an institution to do what it cannot, will remain the pursuit of the impossible.
The OECD cannot lock means and ends together. No entity can. As all hierarchies are captive hindsight affairs, the institution cannot attain goals which can only derive from foresight. The illusion that more rule trees and aggressive enforcement will “make” the institution do what it cannot stands on the myth that more hindsight is a viable substitute for foresight.
The legal protection requirement, spanning both time perspectives, presents a monumental regulatory dilemma. Rule based operations and the competency of foreseeability are institutionally incompatible activities. To preserve institutional identity, no expense is spared in portraying and defending rules of action as the necessary and sufficient benchmark for all compliance.
There is an absolute limit, set by the laws of nature - the second law of thermodynamics in particular, to the effectiveness of rule-based methods and crisis response capability to safeguard the future of stakeholders from damage. This limit is defined fresh for specific cases through tort litigation. Tort demonstrates to the defendant that obedience to rules of action has zero relationship to foreseeability – a technological competency delegated exclusively to engineering. The tort process illustrates to a computer-savvy public that the OECD notion of “transparency,” tort’s “foreseeability,” and the process of engineering are one and the same methodology.
The OECD cannot have transparency paramount and regulate exclusively through rules of action at the same time. The guidelines reveal the choice already made – one made by various regulators many times before. The regulated institution, functionally incapable of foreseeability, has no choice but to translate the guidelines into a checklist of rules of action to be taken by blind obedience and cover up the untranslatable remainder with make believe. However, reality has the capacity to resist false interpretations. Obedience to rules of action represents man’s loss of freedom over his means of freedom.
Fortunately for the OECD, the same path taken by the OECD in these guidelines has a precedent so reliable there is no need to feel curious about the impact your guidelines will have towards your purpose. This precedent was set by the SEC and has, since the OECD principles were issued in 2004, been thoroughly analyzed and quantified. What has developed during the interval between your principles of corporate governance and the SOE initiatives is that SOX 404 took effect. Since the OECD initiative is functionally equivalent to the SEC regulatory framework before 404 kicked in, contrast between the before and after of 404 provided an unprecedented opportunity to obtain an accurate fix on corporate compliance with the intent of regulations via a rules-based system.
As you know, SOX 404 is the first regulatory initiative putting teeth on the mandate for institutional transparency. SOX 404 addresses the transparency (of compliance) attribute obliquely but, for enforcement purposes, rather effectively. Step one requires management to assert the effectiveness of its internal control system design – and that’s right where I work. Step two involves an independent attestation that, sure enough, management’s internal control system achieves its control goals truly as management asserts. [Dove - Apogen could verify this] Nowhere is there an explicit requirement that the goal of internal control is to help management steer the institution towards its stated objectives. Such control goals of internal control are universally assumed – erroneously. Management always builds the internal control competency it wants.
Numerous and extensive surveys of the efforts of listed institutions to comply with SOX 404 showed the national status of internal control, pre 404, in considerable detail. Many of these surveys are available for inspection on the web. In the majority of institutions, we now know, the problem of determining the effectiveness of internal control was exacerbated by the fact no description of the internal control system in use even existed. Whatever management was using to formulate operating decisions, dependable business performance data from internal control, commensurate with corporate objectives, was not included.
If institutional performance data is not used to navigate, transparency is impossible. When results of institutional activity are omitted in directing the future of the institution, the entire matter of regulatory compliance via internal control implodes. Recent surveys confirm the implosion. Many institutions and the attesting community have preemptively warned stakeholders that compliance with 404 will not be achieved in 2005 and will be reported as such to the regulators as a material deficiency in internal control. An example issued by venerable Kodak in January 2005 shows the form.
“Company officials determined that an internal-control deficiency exists at the company that constitutes a ‘material weakness‘ as defined by the Public Company Accounting Oversight Board’s auditing standards. Consequently, management will be unable to confirm that the company's internal controls over financial reporting were effective as of Dec. 31, 2004.”
Material deficiencies in internal control are not a regulatory violation. It remains to be seen how the markets will react. As professional internal auditors and experts on control design, we cannot isolate financial reporting, from business operations, from legal compliance. The SEC can’t either, but that’s not how Congress constructed SOX.
It is important to recognize that the foreseeability competence is not something the institution refuses to engage because management is manifestly unethical. Pragmatic foresight is a competency so alien to the institutional framework, the corporation has no place to begin. The licensed engineer engaged in objective foresight is so maladapted to institutional norms, he must choose between deliberate obscurity and finding another occupation. He cannot escape the fact that the three goal-seeking procedures - for design, for tort, for accountability - are one and the same.
The inescapable OECD dilemma
What the OECD will do in these regards, of course, is to issue the guidelines as a set of rules of action and orphan transparency as an option wrapped in ethics. It means that the pragmatic foresight requisite of law will be left unaddressed, as usual. This choice will be widely applauded by tort lawyers in the OECD realm as their full employment act. What is different about this choice today, as compared to the same choice a decade ago, is that the technology of pragmatic foresight is advancing at tsunami rates. It is how, exactly, you now have a cell phone.
The increase in the pragmatic foresight competency is so large and abrupt, stakeholders are increasingly aware that most of the damage they suffer, legally, should have been prevented. Obedience to the rules is no longer an excuse to a damaged stakeholder. As anticipating stakeholder damage is standard engineering design practice, it is only a matter of time before regulators will be punished, once again, for failing the responsibility entrusted to them by society. The shift in stakeholder perception is not that regulations failed to prevent the damage. The cognitive swing is that the damage suffered could have been foreseen by ordinary engineering care and that regulators are, accordingly, willfully derelict in their primary, paramount duty.
What regulators have reluctantly begun to realize is that the quantitative offense of the regulated, cost wise, has relocated to a realm over which the arsenal given to their agencies has minor influence (table below). There has been no revolt of the regulated to disobey the promulgated rules of action. On the contrary, the record shows the regulated have increased the level of obedience to the regulatory agency rulebooks. The amount fined for a given violation may have gone up, but the rate of violations relative to the proliferation of rules is markedly down. Every institution is diligent in compliance to the rules of action. Every institution has a formal process by which regulatory compliance by rules is subsumed as an operational norm.
The OECD is encouraged to note how the new Federal agency to regulate the accounting profession, established by SOX, addressed this significant risk exposure created by pragmatic foresight - as a top priority. In its first year of operations, in a brilliant move, the PCAOB clearly and dramatically transferred the responsibility for transparency compliance to internal audit of internal control. After designating internal audit as the principal gatekeeper, the explicit onus on internal audit was reinforced by mandating that transparency compliance be maintained on a contemporaneous basis. The PCAOB then validates uninterrupted compliance through an annual audit of the accountancy. In this way, the PCAOB can detect a violation of tort law before stakeholder damage occurs.
By punishing the offense against requisite transparency before stakeholder damage takes place, the PCAOB has shielded itself against culpability in any institutional scandal during its watch. Since transparency can be attained on a fully objective basis, the personal equation is eliminated as a contributing factor and the issues of ethics disappear from consideration. For example, before the PCAOB acted, fraud prevention was everyone’s job and no profession’s responsibility. The PCAOB correctly made internal audit solely responsible for preventing fraud – an offense that cannot be prevented by hindsight and investigative techniques. It can only be prevented by the rigor of transparency.
By avoiding the foreseeability conundrum in the short term, the OECD retains full exposure to tort culpability. It will take years for the rebound to take place, but not as many as you might prefer. Take the size of the litigation explosion as a direct measure of the gap engendered by the exclusive regulatory focus on rules of action. The larger the gap gets, the less transparency can be ignored with impunity.
The bind the OECD cannot escape is that, unlike regulation by rules, tort has no remedial feedback loop. For several profound reasons, lessons learned from one tort case never get incorporated by those in a position to avoid the next. Because of the enormous sums of money transferred in tort litigation, the more litigation grows the more litigation is encouraged by the community it so richly rewards. In control engineering terms, it is an open loop system.
No institution of the Establishment can attenuate the expanding scope, depth and range of pragmatic foresight. The use of objective foresight, risk-informed decision making, will increasingly displace the subjective methods employed by the chain of command. No institution can escape the growing, relentless legal consequences of rule-based governance. While the institution is being run by one standard, obedience to rules, business as usual is being evaluated on another, completely different legal basis. Since pragmatic foresight has gone fully objective, incontrovertibly so, subjectivity has been rapidly displaced as a legitimate means for managing the future. This displacement can be measured by the increasing frequency the business judgment rule is being suspended.
Due diligence and willful blindness
As an institution, the OECD can self validate the hostility towards pragmatic foresight by witnessing your own reaction to the commentary provided. You will choose to do what you must. To stand at the crossroads of transparency and obedience to the authority of rules takes more strength than you possess. Fortunately, the conditions of my professional license limit my legal obligation to the inform/consent milestone, as discharged here. It is my duty as an officer of the court to inform without advocacy and it ends there. You get to choose. What this disclosure achieves through the legal principle of deliberate ignorance, by informing you of the consequences of your choice in this vehicle, is substantial escalation of the severity associated with your selection. Henceforth the law views your informed choice to be ineffective, as intentional. This elevated status of culpability has some interesting applications in future litigations.
Attached below for your reference, is a home grown table of salient features of the landscape of contemporary compliance. The table is regularly used in our work. It is an idiosyncratic engineering view from the operational reality of internal control and audit and close enough to the full truth for PCAOB gatekeeper purposes. The constantly changing emphases triggered by cycles of regulation and litigation requires frequent updating of the table.
The OECD is commended for providing the opportunity for comment.
Contemporaneous Compliance Framework (Time/means and ends) January 2005
|Would you like to offer some advice or add to the dialog?
Your sending of a comment automatically grants us permission to edit and
post at our discretion. Comments will be forwarded to the author. Send your
========= Reply =========================
Monthly Features: What's New? | Guest Speaker | Real-Time Chronicles
Send mail to
with questions or comments about this web site.