The four principles of good governance

Author: Jochen Werne | First published in German on September 6, 2019 in the BANK—BLOG

Author Jochen Werne

How banks create stability to survive in change

The “cobra effect” is a prime example of failed incentive structures. Good governance in banks and savings banks must serve stability and flexibility at the same time. Compliance with four principles is indispensable.

Well-intentioned is not well done yet. Science calls this the cobra effect. It goes back to an event when India was still a British colony. In order to control a cobra plague, a British governor placed a bounty on every snake that he killed. With the result that enterprising Indians began to breed cobras to collect the bounty. When the governor learned of this practice, he had the program stopped and the breeders released the snakes. Result: The problem had multiplied.

The Kobra effect is regarded as a prime example of failed incentive structures – and thus of failed governance. This word, derived from the French “governance” for government, is often used today, and with its almost inflationary mention, the blur surrounding it is also growing.

So let us recall: governance refers to the structures and forms of governance that exist in a society. This refers to the interaction between the state, the private sector and interest groups. The aim is to improve the management of an organisation or a political or social unit in order to achieve better results.

Stability as an objective of governance

However, it has become common practice to use governance primarily when it is not a question of state structures. For example, the term plays an important role in practically all companies that deal with the public in the form of customers or stakeholders. As a result of the blurred use of the term, case studies from politics are often used today to explain economic frameworks.

Undoubtedly, there are many parallels between the governance of states and the governance of private companies, in their structure and processes and thus also in their form of governance. The decisive factor for both is first and foremost stability and thus the ability to cope with major crises. For states, the core of stability is the constitution, which enables leadership during the crisis and at the same time serves as the basis for a way out of the crisis. A current example of this is the national crisis in Austria. The government has failed; until the next elections a transitional government of experts will lead the country and thus guarantee stability. Around this core, however, a state structure must also have a certain flexibility in order to be able to react to developments.

Stability plus flexibility

And this is where the differences to the private sector begin. States are not in competition with the private sector and generally continue to exist even after crises, even if in extreme cases the political system and its fundamental form of governance may change. The situation is different for companies. Of course, they also need a stable core. But they must be extremely flexible and adapt to market situations in order to survive in the long term. Their stability is based on the flexibility of the process organisation. When it comes to flexibility, smaller companies often have an advantage over large, difficult-to-maneuver corporations. We see this in the financial services industry with the example of FinTechs and InsurTechs. However, these relatively small companies often lack the stability they need to survive when consolidating.

Let’s take the example of the banking industry: It faces clear challenges – digitization, new competing business models, exponential technology leaps and ever shorter product cycles with lower margins and increasing regulation. Sustainable answers and the resulting strategies will only be found by those houses that are stable in themselves on the one hand, but are also capable of a degree of flexibility that has never been demanded of them in history on the other.

Four principles of good governance

But how does a company obtain the necessary stability? There are four principles for good, i.e. successful, governance, which must always be present:

Accountability: There must be an organization that is controllable and controlled.
Accountability: The company as a whole and each individual employee are accountable for their actions.
Openness: Only when employees, customers and stakeholders understand what is happening is transparency actually lived out.
Fairness: Ethical conduct is one of the foundations for long-term value creation.

Governance must be lived

In order to achieve a satisfactory situation for both sides, the four principles of governance are indispensable. However, it is not enough to lay them down in statutes; they must also be lived by each individual.

In addition, the current major transformation issues, which not only the banks but also the entire economy have seized, should be seen as an opportunity for companies with a consolidated governance structure and remind us of a statement by the Roman philosopher Seneca, who said: “Only the tree that has been constantly exposed to gusts of wind is firm and strong, because in battle its roots are consolidated and strengthened”.

The Cultural Dimension of Cyber Threats

Country-specific aspects of cybercrime.

The number of cyber attacks on businesses, governments and individuals is increasing worldwide. The human being in his cultural environment is an important element. Different cultures seem to be associated with different susceptibilities.

by JOCHEN WERNE – Original published in German on January 18, 2019 at Der Bank-Blog – Translation with DeepL.com



In its annual management report “The Situation of IT Security in Germany 2018”, the Federal Office for Information Security records a threatening scenario: The number of cyber attacks on the federal government, German industry and private individuals is increasing at an alarming rate. Germany, in particular, is being massively targeted by criminal hackers.

One thing is certain: almost 90 percent of all cyber attacks have a criminal background. Approximately ten percent of all cyber attacks are caused by state cyber warriors. The goal of criminals is either personal data (account connections, credit card numbers, passwords, etc.) or capturing the computer for new attacks via bot network or to extort ransom money for the renewed release of the computer. The ransomware “Wannacry” is an equally prominent and frightening example of this. If state systems become the target of hackers, this usually results in sabotage, espionage and the spying out of trade secrets. The BSI discovered 800 million malicious programs for computer systems last year. In the previous year, the figure was 600 million – around 400,000 malware variants are added daily.

Cyber Security and the Human-Cultural Factor

The view must be directed to an important dimension of the human factor: The influence of different cultures on the handling of technology and in particular on the behaviour of individuals in the context of cyber security. Cultural peculiarities influence preferences, prejudices and behaviours. In his renowned book “The Culture Code”, anthropologist and marketing expert Dr. Clotaire Rapaille explores how members of different nationalities have developed very different codes for the image of products, companies or countries.

These findings come from client assignments in which Dr Rapaille conducted extensive interviews with focus groups to identify cultural preferences, prejudices, idiosyncrasies and behaviors. In more in-depth analyses, a piece of generalized psycho-cultural characteristics is then derived from representatives of the countries studied.

Country-specific aspects of cybercrime

Questions arise as to what protective concepts and guidelines might look like that take this background into account appropriately? And what role do cultural and country-specific aspects play here, such as the famous “German Angst” and corporate cultural aspects, such as the comparison of a classical hierarchical system versus Holacracy models, which have become increasingly en vogue in times of digital transformation?

Some concise examples from the findings of Dr. Rapaille: Americans define themselves strongly through their work. In this culture, professional activity largely determines the image of one’s own identity. The importance of money in this culture is proof of diligence and success.

The author sees completely different meanings in European countries. In France, for example, work and money are regarded more as “necessary means to an end” – those who can afford it expect at least a certain amount of entertainment and comfort from their job there. According to Dr. Rapaille, quality and technical perfection play an important and in some cases even absolute role in Germany or Japan, while US-Americans, according to his analyses, in many cases content themselves with “It just works” and are even sceptical about excessive perfection.

The author recognizes the Germans’ tendency towards perfectionism, which is partly exaggerated from a foreign point of view, as decisive for the quality of “German Engineering” and the global economic success of the Germans in this field. Dr. Rapaille is convinced that US culture, on the other hand, is characterized by a widespread refusal to grow up, which in turn leads to a great competitive advantage in the field of innovation.

Conclusions for more cyber security

This raises the question what are the appropriate protection concepts in an increasingly complex threat situation. A classic approach is the definition and enforcement of policies, both on a technical and organizational level, which are intended to guarantee compliance with security measures. The more hierarchically and authoritatively a corporate culture is aligned, the more restrictive the corresponding guidelines usually become.

However, the approach of establishing security primarily through bans and restrictions on user freedoms has proven to be double-edged in practice. The more the possibilities of an individual user are restricted, the more this encourages the tendency to escape the corset of safety-related rules.

A typical consequence is the “Bring Your Own Device” (BYOD) problem with which many company IT departments have been confronted for years – if the functions and authorizations of their work equipment are too limited, users bring private end devices with them to the workplace. These are then often not integrated at all into the protection and security concepts of the company. If the BYOD escape route is also suppressed, such measures often result in a refusal attitude à la “The desired is not possible with the means available – if the IT department wants it that way, then this task cannot be solved”.

Flat hierarchies and personal responsibility as a solution?

Is the better way, then, in holacracy models, in flat hierarchies, or in “loose reins” in terms of security and a strengthening of employees’ personal responsibility?

For the reasons derived in the preceding sections, this approach is by no means a guarantee for higher IT and information security. A healthy middle course could lie in adequate risk management. Technical and organisational security measures take into account the hazard level of specific data and applications. Sensitive areas and particularly sensitive data are subject to more stringent security measures, business areas or processes with less sensitivity are also protected, but assign employees a higher degree of personal responsibility. All protective measures take into account the above-mentioned psychological and cultural-historical findings.