On the difference between governance and bureaucracy

Most governance failures I have seen up close were not failures of governance. They were failures of a governance structure that had quietly become bureaucracy. The two look the same from a distance and behave differently up close, and one of the more useful working questions a board can ask itself is which one it has built.

Governance is the design of decisions. It answers four questions. Who decides. On what evidence. With what accountability. To whom the answer goes. A board that knows the answer to those four questions about every material decision in the group has good governance. The four questions can be answered briefly. They can also be answered without a hundred-page manual.

Bureaucracy is the proliferation of processes that do not change the answers to the four questions. A new committee that reviews a decision already governed by an existing committee is bureaucracy. A new policy that restates an existing policy in slightly different language is bureaucracy. A new approval step that adds a signature without adding scrutiny is bureaucracy. None of it is malicious. It is the by-product of a group of people responding to past mistakes by adding controls without removing the controls that did not work.

The clearest test I know is to ask, for any given control, what changes when the control is operating well. If the answer is 'nothing visible to the business,' the control may still be useful, but it should be questioned. If the answer is 'nothing visible to anyone,' the control is bureaucracy. If the answer is 'a regulator would be unhappy,' that is a reason to keep it but also a reason to write it down honestly as a compliance control rather than as governance.

There is a related test for the governance map. A regulated group should be able to draw, on one page, the chain of decisions for any material risk category. Credit risk runs from the underwriting decision to the credit committee to the executive committee to the risk committee to the board. Five steps. If the on-paper chain has eleven steps, the chain has either grown organically without being pruned or has been written for an audience that does not exist. The map will tell you which one. So will a conversation with the underwriter.

Good governance is usually quieter than bureaucracy. The committee that meets when it needs to and does not meet when it does not is doing better work than the committee that meets monthly because the calendar says so. The policy that lives in operational practice and is updated only when the practice changes is doing better work than the policy that is reviewed annually because the calendar says so. The annual review is sometimes the right answer. It is not the same as good governance.

My working test for whether a regulated group has good governance is to ask three people at three different levels of the group the same question about a recent decision. If the answers agree about who decided and why, the governance is working. If the answers disagree, or one person does not know who decided, the governance has either failed or has been replaced by bureaucracy that nobody trusts and everyone has worked around.