The correlation between corporate governance & compliance
In many contexts, corporate governance and compliance are inextricably linked. Adhering to laws and regulations (compliance) and creating a guiding structure for company leadership (corporate governance) are distinct and yet, together, signal to stakeholders that the organization is well run.
As both efforts constitute a response to risk management, this link makes sense. Businesses wish to integrate and align their governance and compliance initiatives wherever possible to eliminate duplication, conflicts, wastefulness and gaps.
But to understand the intricate relationship between governance and compliance, it’s useful to pull them apart for a second and unpack the motivations and intentions that underpin these initiatives, including:
- The definition of corporate governance versus compliance
- The core differences between compliance and governance
- How corporate governance and compliance are related
- Why a unified approach to governance, risk and compliance (GRC) matters
- Best practices for effectively leveraging both
Defining corporate governance vs compliance
Governance
Governance is the overall management approach board members and senior executives use to control and direct an organization. It instills control mechanisms to ensure employees at all levels carry out company strategies and directives systematically and effectively. Good governance also incorporates comprehensive reporting and internal controls, assuring that appropriate organizational levels receive important information in a complete, accurate and timely fashion.
When corporations successfully implement a governance framework, it balances the interests of a company’s many stakeholders, such as shareholders, management, customers, suppliers, financiers, government and the community at large. Corporate governance is intended to increase accountability and to facilitate prudent management.
Compliance
Compliance is the process through which companies demonstrate that they follow relevant laws, regulations, contracts, strategies and policies. This includes compliance assessments, which determine the present state of compliance and measure the projected cost of implementing compliance against the potential cost of noncompliance. Compliance initiatives must then prioritize, fund and implement any corrective actions deemed necessary.
What are the core differences between corporate governance and compliance?
1) Origins
Both corporate governance and compliance involve rules of conduct and controls on behavior. In issues of compliance, those rules originate from external sources. These may be legislation, contracts, industry standards or other policies that obligate the company’s response. Compliance policies are not optional; these requirements must be met to stay within the bounds of the law. Enforcement consequences for noncompliance might include penalties, fines, legal action, loss of contracts, and revocation of licenses or permits.
In contrast, corporate governance originates internally. These are the rules agreed upon by the board of directors and other C-suite executives that are intended to manage and mitigate risk and set the ethical tone for the business at large. Thus, these rules reflect the overall vision of the company. The consequences for breaching government mandates are left up to each company but may include such measures as removal from the board, demotions or termination.
2) The letter of the law vs. the spirit of the law
Many organizations understandably view compliance mandates as onerous, time-consuming and, in some cases, costly chores. Thus, there is the tendency to think of them as a series of boxes; if you can check all of the boxes, then you can demonstrate that you comply with the letter of the law. Unfortunately, this is often the kind of thinking that leads to loopholes and exemptions.
By comparison, governance initiatives are more about the spirit of the law. While not as heavily concerned with the particulars of any one piece of legislation, corporate governance lays the groundwork for how a company approaches matters such as fair business practices, shareholder activism and ethical standards.
3) Tactical vs. strategic
Because compliance initiatives are focused on the more limited goal of meeting the obligations of particular sets of regulations, the approach toward dealing with them tends to be more tactical. What changes need to be made to work within the purview of this law? What kind of reporting needs to happen so that we can demonstrate the changes we’ve made?
Governance concerns tend to be more interested in the long view. How can the company as a whole position itself concerning ethics and risk? How does the company’s overall business strategy reflect its attitude and reputation? Such considerations factor into decisions such as which vendors or service providers a company chooses to use, which markets they want to enter and how the company wants to align itself with the community.
What is the relationship between corporate governance and compliance?
Though corporate governance and compliance have their differences, they’re also part and parcel. There is no achieving compliance without strong corporate governance practices, nor would governance be truly effective if it didn’t align with legal and regulatory standards.
Both functions also share priorities, including:
1. Risk management
Both corporate governance and compliance are integral to how boards manage risk. Good corporate governance structures provide mechanisms for identifying, assessing and managing risks, which include risks related to compliance.
As a result, compliance is folded into a company’s risk management strategy. Without it, governance practices won’t successfully mitigate the legal, financial and reputational risks of non-compliance.
2. Accountability
Corporate compliance and governance also aid in accountability and transparency. One of the primary purposes of corporate governance frameworks is to shed light on how and why corporations operate at all levels. Similarly, organizations that comply with laws and regulations hold themselves accountable to shareholders, regulators and the public alike.
Non-compliance can also harm the principles of corporate governance by introducing legal penalties, reputational damage and loss of trust — all of which governance exists to prevent.
3. Internal controls
Robust controls underpin both corporate governance and compliance. Internal controls are how corporate governance frameworks ensure operations are efficient, effective and ethical.
Compliance also depends on internal controls, without which corporations would have no way to monitor and enforce adherence with relevant laws, regulations and policies.
The importance of a unified approach to GRC
Because of the many mechanisms they share, compliance and corporate can’t and shouldn’t be siloed. Corporations have built upon the two to create a holistic view of corporate governance, risk management and compliance, or GRC. This empowers boards to address both governance and compliance as parts of a whole, increasing their ability to see both functions through.
Embedding both governance and compliance in equal measure gives way to:
- Efficiency: Organizations that integrate GRC functions into a unified framework avoid duplicating their efforts. This streamlining is more cost-effective and ensures executives strategically allocate resources across the organization.
- Better risk management: The uncertainty of which risks pertain to compliance and which pertain to governance can lead to costly missteps. GRC is a more comprehensive approach that looks at all areas of operations simultaneously so the organization can better anticipate and respond to risks.
- Enhanced decision-making: Organizations that adopt GRC have a unified view of the organization’s risk profile and compliance, rather than having to piece together data from multiple different functions. Boards can then make more informed decisions, knowing how risks may impact governance objectives, regulatory requirements and performance.
- Strategic alignment: Streamlining GRC activities means boards can more easily match those activities to the organization’s strategic objectives. This alignment ensures corporate governance, risk management, and compliance propel the organization toward its objectives.
- Transparency: Unified GRC creates a clear line of responsibility for corporate governance and compliance activities. This chain of command strengthens ethical behavior throughout the organization, building trust and reducing the likelihood of breaches.
Corporate governance and compliance best practices
Though the overlap between governance and compliance is clear, it’s no surprise that putting the two into practice is a little less so. Rather than a rigid or static list of instructions to implement compliance and governance together, it is more than likely a dynamic, ever-evolving set of conditions that varies a bit from organization to organization.
That said, there are a few core attributes that typify most successful corporate governance and compliance programs, including:
1) An independent board not beholden to the CEO: Since the board acts as a kind of stay on the power of the CEO and as an advisor to the CEO, it must maintain a sense of independence and constructive, critical distance. Effective board governance involves assessing the strategies put forth by the CEO but not setting the strategies. Boards should include members who represent diversity in age, experience, and background to optimize the vision of the company in any given subject.
As board positions open up, the existing board should use those opportunities to identify gaps within the current board complement and try to recruit incoming board members who can meet those needs.
An engaged board should be willing to question and challenge the management on issues regarding governance, risk and compliance. The board should also undergo regular reviews to assess whether each director is fulfilling his or her duties, and other such performance evaluations.
2) An organizational commitment to long-term planning and vision: As noted above, management is responsible for developing and implementing corporate strategy. The board acts in an advisory role, approving those strategies that seem most likely to produce sustainable, long-term value.
As part of this duty, board members should take lead roles in establishing the company’s risk tolerance and develop a clear, comprehensive GRC framework. Directors are responsible for understanding the current risk and compliance threshold facing the corporation and must be ready to challenge management’s assumptions concerning the company’s risk management procedures.
3) A dedication to common accounting standards: The board helps ensure the accountability of management, overseeing regular financial reports. These reports are designed to present the company’s financial condition fairly and completely, disclosing to investors all details needed to assess the financial business soundness and the risks of the company. They’re also subject to strict regulations, making them an essential compliance tool.
In addition, the board’s audit committee should retain and manage the relationship with inside and outside auditors and oversee the company’s annual financial statement audit.
4) An active commitment to disclosure, transparency and ethical dealings: The board is responsible for setting the overall tone of integrity and fair dealing throughout the corporation. As the final arbiter of corporate behavior, they must have an active engagement in developing a set of ethical expectations for the company, including adherence to corporate governance and compliance standards.
To that end, directors must declare any conflicts of interest and abstain from voting on matters in which they have an interest. They should also maintain policies that ensure principled compensation decisions for directors. Such fees should be suitable to attract quality candidates but should not create an appearance of indebtedness or conflict with the director’s independence.
The idea of corporate ethics expands beyond the internal dealings of the corporation and includes matters of social and ethical responsibility. Increasingly, consumers and investors look for corporations that take an active role in promoting social good. Corporate ethics stress the idea of growing the business while acknowledging and taking proactive measures to balance the environmental, political and social impact of the corporation’s financial dealings.
5) An ongoing dialogue between board members, senior management and all other shareholders: The Harvard Law Forum suggests that the board “engage with long-term shareholders on issues and concerns that are of widespread interest to them and that affect the company’s long-term value creation.” Successful corporate compliance and governance strategies must take into account the ripple effect of board decisions and the way policies may resonate both within the company and beyond.
Effective governance programs will include appropriate ways for the board to communicate ideas and concerns throughout the organization and, in turn, establish and publicize safe, reliable mechanisms for employees to communicate their concerns to the board.
While most direct engagement with customers, partners and the general public is reserved for senior management, the board still needs to remain keenly aware of public sentiment regarding the company and must be able to consider those opinions when shaping corporate strategy.
Corporate governance and compliance in the modern world
In recent years, corporate governance and compliance have also evolved. Though the board's independence and effectiveness remain pivotal, technological advancements have also profoundly shaped the governance landscape.
Modern software solutions have further enabled organizations to unify their GRC approach, which has both lowered the barrier to organization-wide governance and compliance and, as a result, increased the standard organizations must meet.
Governance platforms designed specifically for GRC streamline and automate many risk-related processes, including risk assessments, policy management, compliance monitoring and reporting. Boards can also detect and mitigate risks or compliance issues in real-time. These changes have only intensified the need to integrate corporate governance and compliance once and for all so the organization is as responsive as the technology it uses.
“Software has transformed the way organizations approach GRC. Boards can have a more collective approach to corporate governance and compliance at their fingertips, making it easier to lead the way on these critical issues.”
How boards can effectively leverage corporate governance and compliance in unison
Corporate governance and compliance were once separate functions. But in reality, the risks they are designed to protect against are often interdependent, and the controls that modulate a company’s behavior are often shared.
That’s why it’s better to conceive of them as essential cogs in a larger governance machine. Just as governance and compliance must be connected, so, too, should your governance solution.
The Diligent One Platform is the only unified solution designed to centralize both board management and GRC activities. Get a consolidated view of governance and compliance, then deliver those insights right to the board so they can make better, more informed decisions.