Newsletter | Volume 1

Characterizing the financial, oversight, fines, social and other costs of noncompliance can be as catastrophic or panicky. The cascading effects of ongoing noncompliance can further accelerate the costs and provide irreparable damage to reputation, trust and credit with the stakeholders. This article recommends prevention, controls, early recognition, monitoring and intervention as vital components of compliance.

Control is a business issue, not a specialist issue to be outsourced to finance staff, c-level officers or risk managers. Corporations have to treat Governance; Risk, Compliance and IT security (GRC) mandates not as an economic dilemma, but as a trade-off between cost and benefits.

In a particular incident the internal control problems were identified within the following processes:

Application of cash to accounts receivable, revenue recognition
IT system security and payroll bank account reconciliation.

Were these issues addressed in a timely way, the noncompliance costs amounted to several million € could have been avoided as Compliance incurs those costs, which easily can be determined.

From trust to documentation to evidence
The added benefits of corporate governance are more ambiguous. Increased attractiveness to potential customers, employees, lower cost of capital, detection and preferably prevention of breaches of internal controls are benefits. The economic trade-off is not unequivocal.

Cultural differences may vary the legal requirements from "trust me" to "show me." However, in the United States of America trust was at its lowest, so "prove me" became institutionalized in the various mandates and directives passed since the Sarbanes-Oxley Act of the early 2000.

European compliance more or less became known as soft law based upon the "comply or explain" principle. While the international background may differ between the origin and elaboration of initiatives to improve corporate governance, the objective was the same: to restore trust. The approach in general was the same, to increase transparency.

Cost of corporate governance
Implementation programs to comply with the GRC provisions fall in two categories:

Changing the structure. Legal changes are required to change e.g. take-over protection clauses in the articles of association.

Increasing transparency. Internal control systems are implemented both to allow risk management programs in order to safeguard the achievement of strategic, operational, financial reporting and compliance objectives and to enable voluntary or required external reporting on the effectiveness of internal control systems and other corporate governance issues. The corporate governance report with many components like CSR or anti-Corruption is now a mature part of any annual report.

Increasing moral conduct. Business ethics programs were developed to increase, safeguard or revise ethical behaviour of employees in order to prevent unethical and/or illegal behaviour of people, who sometimes were even acting on behalf of the corporation.

Controls. Companies that control their processes strategically, by means of e.g. a higher degree of centralized transaction processing and control, a higher percentage of automated versus manual controls and a greater reliance on company-level controls.

Integrated and embedded. Companies have established standardized and distributed compliance programs, which are embedded within the daily and operational business. As a result, they use fewer full-time resources, follow a broad view of risk, stimulate a substantive interaction with business owners and deploy internal audit strategically.

While no single approach exists for implementation of GRC requirements and provisions, some lessons can be learned by paying undivided attention to corporate governance, by means of compliance to external requirements or as the results of intrinsic business improvement efforts increased the quality of GRC in organizations at all levels.