What’s the Most Direct Path to Good Corporate Governance?

Last week’s oil spill has me thinking about how – and when – government regulation is the ideal path to mandate corporate governance. Specifically in the IdM space, I’ve watched government regulations evolve to address transparency, privacy and consumer data protection. As I look back at what’s happened, it’s apparent that most of these data protection regulations were put in place to deal with the fact that, left to their own devices, most enterprises do not invest adequately to protect privacy, prevent fraud, or effectively manage risk. (It’s interesting to note that the negligence of a small group of companies has had a significant impact on the market as a whole.) This appears to be what happened in the case of such well-known regulatory efforts as SOX, HIPAA, MAR, PCI, NERC CIP, Basel II, etc. The foundational belief is that government, or in some cases, industry, must mandate action in order to motivate the right behavior from companies.

But, do these approaches work? Even with the alphabet soup of regulations around the globe, we still see “compliant” companies reporting major breaches. Why? I believe many companies lost sight of the original intent of the regulation (risk management, security, data protection) because they were so focused on following the letter of the law to pass the IT audits. As a result, it’s pretty common to see companies investing significant resources into achieving literal compliance, but sometimes, in their zeal to be “compliant,” these firms push security (and common sense) to the side. The goal of proving compliance becomes the main focus of many companies, at the expense of holistically assessing, preventing, and mitigating risks.

The flip side of the debate about regulation is to let the free markets drive good corporate governance. The theory is that companies who “allow” security breaches will lose brand value and customers, and therefore will approach security and privacy protections as good business strategy. However, as a number of analysts and industry watchers have pointed out, breach disclosures don’t always affect revenue or stock prices. The TJX data breach was one of the biggest, costliest and most publicized breaches ever – yet customer and investor confidence in TJX remained largely unshaken in the aftermath. TJX’s stock was worth about $30 per share when the breach was disclosed, and its closing price a year later was just over $29. And during the one year following the breach, TJX reported that comparable-store sales increased 4%.

We probably all agree that strong corporate governance is necessary – and in fact, I’d suggest it’s a strategic differentiator for many companies. But as I talk to companies approaching the same problem from different perspectives, I still wonder: Should we let free market forces determine what corporations do, or should we mandate the “right” behavior to protect consumers and stakeholders?

What do you think?