Luca Vernero

Compliance and Internal Controls: Perspectives on the Organizational Structure of Companies

How Compliance Influences Corporate Governance

The concept of compliance nowadays appears to be intimately linked to the governance of corporations. Particularly with reference to public companies, regulatory sources (concerning, for example, AML matters, consumer protection, and privacy) have acquired primary centrality in the analysis of the duties of corporate directors. Such an observation, moreover, involves clear references to practices established in the European Union and the United States. Compliance is also of such importance that boards should pay close attention in the business choices they are called upon to make.

Indeed, the ability to contain the risk of regulatory defiance has become a standard for evaluating the management of companies. The adequacy of internal structures, in fact, is closely linked to the powers and duties of directors, whose oversight role is enshrined in American case law and is established in many European countries as well. The pursuit of orderly and sound corporate governance cannot be achieved without (i) the internal allocation of responsibilities and (ii) the effective deployment of an organization that can identify and manage operational and regulatory compliance risks.

In relation to these findings, therefore, it is necessary to investigate how business-critical functions, which can be broadly defined as internal controls, relate to each other: specifically, I refer to the necessary information flows between said functions, the management and the board, the implementation of an adequate risk management office, and the establishment of a regulatory compliance department.


Information Flows in the Context of the Internal Organization

The efficiency of companies’ internal compliance is primarily ensured by the establishment of adequate systems of information flow. Internal controls, moreover, rest essentially on reporting activity carried out on two distinct and complementary levels.

The first level concerns the flow of information from the enterprise’s operational units upward to the top. The second, in the reverse direction, concerns the information directed from the board and top management down to all employees of the company; the efficiency of the system relies on both.

To achieve an appropriate standard of information, it is then necessary for employees to undergo training in the procedures that govern first- and second-level controls. It is essential that employees are aware of any changes in corporate policies and can effectively carry out the control activity assigned to them.

In addition to the HR management function, the board should also be concerned with the establishment of continuing training practices. Indeed, the oversight duty requires that directors be held accountable for tackling any red flags related to possible pathological effects of corporate management. However, such a duty is premised on the assumption that management is able to establish appropriate organizational and administrative structures capable of intercepting risk factors related to corporate affairs.

The duty to act in an informed manner is thus fulfilled when the decision made by each of the board members is weighed against reliable and truthful information. The directors’ duties, then, translate first into organizational prerogatives, aimed at the proper implementation of internal controls, and afterwards into managerial responsibilities, essentially relating to the vote cast in the meetings of the board. Attention to organizational adequacy, in short, serves as an outpost for proper management, of which compliance has now become a fundamental component.


The Holistic Nature of Risk Management and its Implications for Compliance

International regulations highlight a proactive approach in the context of risk management – especially with reference to large financial institutions, i.e. public companies, banks, and insurance companies – and emphasize the need for corporations to have an internal organization aimed at preventing negative effects arising from risks relating to tax, competition, labor, human rights, environmental issues, equal opportunity, digital security, data privacy and personal data protection, and health and safety.

This has also happened as a result of changes in the international environment, where risk has progressively come to be of fundamental importance, especially with regard to governance in the supervised sectors, from the Basel I Accord through the Basel III Accord.

Thus, the correlation between organizational duties and the establishment of a system of internal controls is now closely linked to the creation of a risk management system, intrinsically connected to entrepreneurship. The organization serves as a guarantee of the adequacy of the internal control framework, on the one hand, and, on the other, as an internal tool for governing the particular risks that companies face in carrying out their business activities.

Risk management is relevant in the context of performance, as it can enable sound and prudent management of enterprises.

The optimal level of objective attainment, furthermore, can be achieved if the approach to risk is understood as a holistic effort and, therefore, maximally oriented toward presiding over every part of the business. Above all it shall not be tied to mere formal fulfillments, but, among other things, it shall follow the need for internal controls to act continuously in the monitoring process.

Risk management and compliance are correlated: they are two aspects that enable organizations to achieve goals by dealing with uncertainty and acting with integrity. In other words, for corporate governance to be appropriate and to ensure sound and prudent management, it is crucial that the organization, the internal procedures and the tools for the detection of risks (both normative and operational) act in a complementary manner with each other and serve as a support base for the detection and removal of critical issues that may be detected in the work of both the compliance and the risk management functions.


Final Remarks

The considerations mentioned above, in relation to the corporate governance of entities, concern ever-evolving issues as a result of constantly changing legislation. The central issue, i.e. the adequacy of internal controls as an element in running enterprises efficiently, is nonetheless a core aspect in the study of corporate law. Therefore, directors should give serious consideration to the organizational aspect of the managerial duty, since, if not effectively fulfilled, it could lead to deficiencies in the administration of entities as well, with evident repercussions as to their possible liability.


Luca Vernero is a Corporation Law LL.M. candidate at NYU School of Law, a Graduate Editor for the NYU Journal of Law & Business and a current Ph.D. candidate in Corporate Law at the University of Turin. Prior to attending law school in New York City, Luca worked as a lawyer for a boutique law firm in Italy, focusing on corporate litigation and corporate arbitration proceedings.
