We all know the importance of effective communication, in both formal and informal settings, to get our messages across as intended. But how many times have we been misunderstood, or we didn’t understand an idea someone else was trying to convey? The consequences of bad communication range from simply extending a conversation to gain clarity, to talking at cross-purposes resulting in extraordinarily bad business decisions. Yes, tone of voice and body language are important in sending the right message, but using the right words is usually critical.

The governance, risk, and compliance realm certainly is not exempt from lousy communication, and indeed seems to lend itself to misunderstandings. I’m not sure why this is the case, although it might stem from the relative newness of some of the inherent concepts and terms.

With this backdrop, we’ll look here at some of the most commonly misused words, and how to avoid saying one thing and having business colleagues—employees, bosses, shareholders, directors, lawyers, auditors, regulators, or others—hear something very different. For those of you who read the New York Times magazine section on Sundays, this is not an attempt to become the William Safire of governance, risk, and compliance. Rather, this is about saying what we mean and meaning what we say.

Is it Really the Control Environment?

One of the most egregious errors in communication involves misuse of the term “control environment.” My guess is that we’ve all used that term more times than we can count—but I can assure you, we’ve often been meaning different things. All too frequently we’ve heard someone refer to the “control environment” when it turns out the speaker really meant to say “internal control system.”

The control environment actually refers to one of the five components of internal control. (The term “internal control” may be used as a shortcut for “internal control system.”) The control environment is critically important to effective internal control, dealing with the likes of the integrity, ethical values, and competence of an organization’s people; management’s philosophy and operating style; the way management assigns authority and responsibility and organizes and develops its people; and the attention and direction provided by the board of directors. It encompasses the tone at the top of the organization and serves as the foundation for the other internal control components. These definitions are from COSO’s Internal Control—Integrated Framework, which is what we use in connection with Sarbanes-Oxley Section 404.

Why am I so concerned about use of these words? Well, there are numerous instances where a speaker is trying to advise others to focus on the whole of a company’s internal control system, but recipients of the message think the intent is to look at only one component. Or, conversely, a problem actually exists in other internal control components, but is misrepresented as occurring in the control environment component. These misunderstandings can have, and have had, serious consequences.

Let’s Talk Governance

The term “governance” (or “corporate governance”) has been bandied about more often than Tiger Woods racks up birdies on the golf course. The term has been so overused it’s almost humorous—except that such usage contributes to misunderstandings. “Governance” now seems to be applied to virtually anything that comes to mind, often for self-serving purposes. Because it’s evident that governance is a good thing, the word is now applied to many different areas by those with a particular interest therein.

For example, we hear a great deal about IT governance, where speakers sometimes use the term for anything from strategic use of IT in an organization to more mundane management activities of the IT function to a board of directors’ responsibilities in overseeing where and how IT is used. We hear about management’s role in “governing” the organization, including how senior management runs the business and extending far downstream to all managerial activities in a company. “Project governance” now is used to describe how a discrete project is organized and managed. Sometimes the term is used for shareholders’ role in “governing” an organization. These are just a few examples of how use of the term “governance” has spread.

In the business context, which is our focus, “governance” is most appropriately applied to the allocation of power between the board of directors, management, and shareholders. If memory serves, this definition was coined by Canada’s Dey Commission; in any event, it captures how the term was traditionally used before being extended far beyond. My advice is that we use the term “management” to mean what management does and leave “governance” to the higher levels originally intended.

Looking at Risk Management

The words “risk,” “risk management,” and “enterprise risk management” are used in many ways. Without going into painfully detailed definitions, suffice it to say here that the COSO Enterprise Risk Management—Integrated Framework is probably the best and most authoritative source of sound terminology. Yes, having led the development of the framework, I’m somewhat biased in that regard, but that report is increasingly looked to for guidance and a common language around the topic of risk management.

Here, however, let’s look at a couple of areas where communication can totally fail.

Being proactive. Some months ago I read: “It’s important to deal with risks proactively, not reactively.” That’s great advice, in terms of the intended meaning. But the writer is carried away with jargon. When looking at risk, the only way one can do it is proactively. That’s because risk relates to uncertainty—an event that has yet to occur. It’s simply not possible to react (that is, be “reactive”) to something that hasn’t yet happened! On the other hand, it’s perfectly appropriate, and accurate, to suggest that risk management involves being proactive, by taking prudent action before a potential event occurs.

Risk assessment. How many times have we heard someone speak of “risk assessment” when it later turns out that he/she really had intended to refer to “risk management”? Risk assessment is a part of risk management, yes, but it’s just one part. A risk assessment typically is a snapshot, taken at one or more points in time. Risk management involves a number of activities, including identifying risks—that is, events that might occur in the future—analyzing those risks, and taking action to manage the risks on an ongoing basis. We sometimes hear supposed experts suggesting that performing a risk assessment is equivalent to having an enterprise risk management process, which in fact takes dealing with risk to a still higher level! Recently, a supposedly knowledgeable person, in differentiating risk assessment from ERM, was quoted as saying, “I don’t know a large percentage of companies out there that actually perform true ERM.” Well, a company doesn’t perform ERM—rather, an ERM program or system needs to be embedded in an organization. Here, too, semantics indeed are important to get the right thoughts across in a meaningful way.

Key Controls

The term “key controls” recently has been used in connection with Section 404 of Sarbanes-Oxley, referring in most instances to those controls that, if absent or working incorrectly, would result in a material weakness in internal control over financial reporting. Working on a hunch, I searched the SEC’s SOX 404 guidance to management, and the PCAOB’s AS5, and found no use of the term “key controls.” It’s interesting that “key controls” was first used years ago by at least one large accounting firm to refer to those company controls on which the auditor planned to rely in determining the nature, extent, and timing of substantive tests. In that context, the universe of key controls was much smaller than the number of controls that could result in a material weakness in internal control. This is because it often was more efficient from an audit standpoint to perform substantive tests in certain areas than to test the related controls.

There’s no major problem in how the term “key controls” is sometimes now used. It is, however, extremely important to define the term when used, so that all parties are working off the same page.

Words Really Do Matter

Using the right words is not about precision for its own sake, but it is about ensuring we are communicating effectively. We all slip up from time to time, and I hope that no reader looks back to my prior writings too closely! But we can, and should, do our best to be sure we’re getting our messages across as intended. Words really do matter.