There's an important new paper by Geoffrey Miller that provides a useful overview of the corporate compliance function:
Abstract: The compliance function consists of efforts organizations undertake to ensure that employees and others associated with the firm do not violate applicable rules, regulations or norms. It is a form of internalized law enforcement which, if it functions effectively, can substitute for much (although not all) of the enforcement activities provided by the state. Together with its close cousins, governance and risk-management, compliance is an essential internal control activity at corporations and other complex organizations. This paper will examine the following topics: the analysis of compliance within a general theory of enforcement; the development of the compliance function; the concept of internal control; the distribution of the compliance function among control personnel; oversight obligations of directors and executives; compliance programs and policies; internal investigations; whistleblowers; criminal enforcement; compliance outside the firm; and business ethics beyond formal compliance.
The Compliance Function: An Overview (November 18, 2014). Available at SSRN: http://ssrn.com/abstract=2527621.
For a detailed treatment of one aspect of the compliance function--i.e., the relationship between Delaware case law (i.e., Caremark and Stone v. Ritter) and risk management--see my paper Caremark and Enterprise Risk Management (March 18, 2009). Available at SSRN: http://ssrn.com/abstract=1364500:
Abstract: The financial crisis of 2008 revealed serious and widespread risk management failures throughout the business community. Shareholder losses attributable to absent or poorly implemented risk management programs are enormous.
Efforts to hold corporate boards of directors accountable for these failures likely will focus on so-called Caremark claims. The Caremark decision asserted that a board of directors has a duty to ensure that appropriate "information and reporting systems" are in place to provide the board and top management with "timely and accurate information." Although post-Caremark opinions and commentary have focused on law compliance programs, risk management programs do not differ in kind from the types of conduct that traditionally have been at issue in Caremark-type litigation.
Risk management failures do differ in degree from law violations or accounting irregularities. In particular, risk taking and risk management are inextricably intertwined. Efforts to hold directors accountable for risk management failures thus threaten to morph into holding directors liable for bad business outcomes. Caremark claims premised on risk management failures thus uniquely implicate the concerns that animate the business judgment rule's prohibition of judicial review of business decisions. As Caremark is the most difficult theory of liability in corporate law, risk management is the most difficult variant of Caremark claims.