THE recent scandal surrounding the UK’s postal service may not have made the headlines in Singapore, but the incident – which must rank as one of the worst-ever lapses in corporate governance – holds many useful lessons for listed companies everywhere, particularly their boards of directors.
It also offers valuable insights into how the Singapore Code of Corporate Governance might be tweaked or sharpened in future to ensure that companies here avoid a similar debacle.
The scandal
The crux of the problem was that for almost two decades, the UK’s Post Office Limited (POL) insisted that its electronic point of sale system, Horizon, was fit for purpose when it was in fact defective.
POL then mistakenly pursued hundreds of criminal and civil prosecutions against subpostmasters (SPMs) on the basis of alleged financial shortfalls identified by Horizon. SPMs are independent business operators approved by POL to run post office branches.
In 2019 after a lengthy investigation was completed, the High Court determined that Horizon was riddled with “bugs, errors and defects”, and potentially vulnerable to external manipulation by the Fujitsu staff who ran the software.
Unfortunately, between 1999 and 2015, more than 900 SPMs and others were wrongly prosecuted on charges including false accounting and theft. Several thousand more had their contracts terminated or were ordered to hand over money they had not taken.
Many were ostracised by the communities they had served. At least five took their own lives. Hundreds died before they could be exonerated or receive compensation.
In short, the lives of thousands of innocent people were catastrophically ruined because top management and the board assumed the computer system couldn’t be faulty and that human wrongdoing had to be behind the debacle.
Subsequent investigation findings
In October this year, the UK’s Institute of Directors (IoD) released its report on the scandal, stating that although ostensibly an IT issue, the root causes were failures in human decision-making, organisational culture and business ethics.
“Post Office governance – and specifically the board of directors – proved unequal to the task of addressing these issues,” said the IoD.
Lessons for Singapore directors and framers of the Code
1. A curious nature is needed to overcome complacency: The single overriding reason why the scandal progressed as far as it did was clearly complacency in the top echelons of POL. Everyone assumed that the system was working fine and accepted, without question, management’s belief that the culprits must have been the SPMs. Nobody questioned the status quo or possessed sufficient professional curiosity to ask the right questions.
One possible example of this in Singapore was the case of Hyflux, where the board most likely failed to challenge a decision made by a strong and charismatic CEO to diversify from water purification to power generation, a decision that ultimately led to Hyflux’s demise.
Did Hyflux’s board exercise sufficient independent judgement when approving the ill-fated diversification? Was a proper risk assessment performed or did everyone simply assume the CEO knew best?
Of equal relevance is: Was there an adequate independent element within the board, or was the board comprised mainly of long-serving, rubber-stamping compliant personnel who only appeared to be independent?
2. Corporate culture is crucial: Clearly, the POL’s corporate culture was toxic, which in turn bred mistrust of the SPMs and contributed significantly to the scandal.
There is no doubt that proper culture is one of the most important cornerstones of good governance. It should be obvious that developing and maintaining the right culture is the responsibility of the board and top management, both of whom failed in POL’s case.
The latest Singapore Code has been criticised for a lack of sufficient focus on corporate culture: Critics argue that the Code could do more to emphasise the alignment of corporate culture with the organisation’s purpose and values.
While the Code mentions the need for a “desired organisational culture”, it lacks specific provisions to ensure this alignment.
More can therefore be done to codify greater specifics into the Code with regard to having the right corporate culture that would encourage ethical behaviour and value creation.
3. Have at least some directors who are IT and AI-savvy: The UK IoD found that most POL directors were ill-equipped to provide proper oversight of major IT projects or legal risks. There was also the suggestion that they suffered from “groupthink”.
The Singapore Code states that the board “as a group should provide the appropriate balance and mix of skills, knowledge, experience, and other aspects of diversity such as gender and age, to avoid groupthink and foster constructive debate”.
However, the local Code does not directly address emerging issues such as digitalisation, artificial intelligence (AI), and cybersecurity. Navigating the AI transition and managing cybersecurity threats will become ever more important issues for directors.
Consideration should thus be given towards explicit requirements in the Code that some directors be IT-savvy or IT-literate to mitigate risks posed by the rise of AI and other forms of technology.
4. Assessing board performance: The UK Corporate Governance Code recommends that boards conduct an internal review every year, bolstered by an external review – done by an independent body, such as the IoD – every three years.
However, the only board review of POL was an internal one from 2013, which was undertaken by Alice Perkins, the former chair.
One panellist said: “The 2013 review… was ineffectual. There is little evidence of rigour in terms of process, and it’s an annoying tale of directors marking their own homework.” (In Singaporean parlance: “Ownself checking ownself.”)
That is one reason why independent external reviews were introduced in the first place, and became part of the Code.
Singapore’s Code requires that the board undertakes a formal annual assessment of its effectiveness as a whole, and that of each of its board committees and individual directors. However, there is no requirement for an external party to be involved.
Rather than “ownself checking ownself”, consideration should be given to whether board assessments should be done by external parties and the findings published in annual reports.
5. SID membership should be mandatory: Among the recommendations made by the UK IoD was that the government should require the directors of all publicly owned entities to sign up to the IoD’s Code of Conduct for Directors.
This would provide individual directors and stakeholders with a widely accepted benchmark from which to challenge toxic attitudes and behaviour that may have become entrenched in the culture of certain organisations.
Currently the requirements for individuals to serve as Singapore company directors, as laid out in the Companies Act, are simply too broad.
All first-time directors in Singapore with no experience serving on listed boards should be accredited by the Singapore Institute of Directors (SID) and also be subject to periodic assessments by it.
A final word
All told, even though the UK’s postal service episode must rank as one of the saddest chapters in the history of corporate governance anywhere in the world, valuable lessons can be learned.
Company directors must understand the importance of exercising true independence and question all existing assumptions. Selection committees should ensure their boards are manned by directors with a diverse skill set, particularly in IT and AI.
Last but not least, regulators can consider tweaking the Code and rules to make membership in SID mandatory. In addition, boards should be subject to periodic assessment, preferably by independent parties, and the results disclosed.
The writer is founder, president and CEO of the Securities Investors Association (Singapore)