A. What Are Governance, Risk Management, and Compliance?

Governance, risk management, and compliance (GRC) refer to the processes by which organizations are managed effectively and in a way that enhances social welfare. Governance involves the structure of control within an organization, risk management is the process of identifying and managing risk, and compliance ensures an organization conforms to applicable rules. These functions overlap and support each other. For example, governance dictates how compliance and risk management responsibilities are allocated, and compliance and risk management address the risk of non-compliance. The law and standards of GRC aim to ensure organizations achieve their objectives relating to operations, reporting, and compliance.

Introduction

A. WHAT ARE GOVERNANCE, RISK MANAGEMENT, AND COMPLIANCE?

Governance, risk management, and compliance are in vogue. Activist shareholders,
institutional investors, and policymakers look to these activities as crucial means for
improving business ethics, enhancing compliance with legal norms, and deterring
firms from engaging in unsafe or unsound practices. Regulators encourage com-
panies to upgrade their activities in these areas; if companies do not comply, the
regulators find ways to force them to do so. Companies large and small seem to have
"got it"; during the first and second decades of the twenty-first century they have
greatly upgraded the role of governance, risk management, and compliance in their
decision processes- and massively increased spending on these functions as well.
These developments, moreover, are hardly limited to the United States; similar
expansions in governance, risk management, and compliance can be observed
throughout the world.
What are governance, risk management, and compliance, and why are they
important? Why has their significance grown so rapidly in recent years? Will GRC
achieve the goals that its proponents have set for it? What is the future of GRC: Is it a
fad, with only passing significance, or is it a sea-change in how businesses and other
organizations are managed? What is the role of attorneys in the area, and what
should it be?
This book explores these and other issues raised by the explosion of GRC. Our
focus will principally be on the business corporation, but we will attend also to other
organizations where GRC plays a role: nonprofit firms, charities, religious organiza-
tions, and governments (among others). In these respects the coverage of the book
is broad. But we will also examine GRC from a specific perspective: that of law, the
legal system, and the legal profession. We will not be considering the topic from the
standpoint of accountants, auditors, information technology experts, or people
involved in specific lines of business. We will not examine GRC as an aspect of
business strategy. These limitations on scope are needed, not only to make the
book manageable, but also because of the intended audience. This book is designed
for two purposes: first for use as a textbook or resource in law school classes; and
second as an introduction to the topic that can be useful for attorneys in govern-
ments, organizations, and private law firms who find themselves swept up in the GRC
phenomenon.
Before launching into the substance of our topic, it is useful to define terms. At
the outset, we can see that the term "governance, risk management, and compli-
ance" suggests two things. The combination of words in a single phrase, and espe-
cially the use of an acronym ("GRC"), indicate that the topic has an internal unity:
Governance, risk management, and compliance are not simply three things that
companies do that are grouped together in arbitrary fashion; rather they have
something fundamental in common. But the use of separate words, each with its
own history and connotations, indicates that despite the overlap, there are also
differences between these functions. Let's consider what is different about the
key terms, as used in this book, and then turn to what they have in common.
First, what do we mean by "governance"? The term has to do with the structure of
control within an organization. The governance of organizations is often complex,
involving layers of responsibility and a variety of different offices and positions, with
lines of authority projecting in many different ways. The formal structure of gover-
nance, moreover, may not present a full picture of how the process actually works.
Creating an office and endowing it with formal authority does not necessarily mean
that the authority will actually be exercised or that the office will perform its job
competently. Power and decision making in an organization may sometimes have
more to do with history, personality, and interpersonal relationships than with job
descriptions. Unless one is inside an organization, however, these subtle ebbs and
flows are not readily observable. For the student of governance, risk management,
and compliance, there is often no realistic option but to go by organizational charts,
committee charters, and job descriptions- recognizing that the structure of
authority presented in these documents may only partially reflect the actual
distribution of power and influence within the organization.

"Governance" refers to the processes by which decisions relative to risk
management and compliance are made within an organization.
Risk management takes account of the risks facing an organization. Unlike gov-
ernance, risk management has a significant technical component. Organizations,
especially these days, often attempt to quantify risk in precise ways, using where
appropriate (and sometimes where not appropriate) complex mathematical for-
mulas and analytical methods. The goal of risk management is not to eliminate risk
but rather to manage it: The risk management function recognizes that the
activities of the enterprise necessarily involve uncertain outcomes with different
consequences for the success of the organization's mission.

"Risk management" refers to the processes by which risk is identified, analyzed,
included in strategic planning, and either reduced through risk control and
mitigation tactics or accepted as inherent in activities that the organization
wishes to conduct.

We will use the term "compliance" in a somewhat specialized way. In normal
usage, the term means that a person conforms to some set of norms. Here we mean
something more particular: the processes by which an organization seeks to ensure
that employees and other constituents conform to applicable norms- norms that
can include either the requirements of laws and regulations or the internal rules of
the organization. The compliance function usually does not create or establish
these norms; it accepts them as given and seeks only to ensure that they are
observed.

"Compliance" refers to the processes by which an organization polices its own
behavior to ensure that it conforms to applicable rules.
As we will see repeatedly in the pages that follow, the functions of governance,
risk management, and compliance are not hermetically separated. Much of the law
pertinent to compliance has to do with governance; it dictates how responsibility for
enforcing applicable norms is allocated within an organization. The same goes for
risk management, although to a lesser extent: Much of the law governing risk man-
agement requires that the regulated entity act through defined offices and institu-
tions. Thus governance has a close relationship with both risk management and
compliance. Compliance and risk management also obviously have much in
common: Non-compliance is itself a risk-and a significant one that organiza-
tions must evaluate and attempt to control.
These overlaps are more than simply matters of definition. They arise out of a
deep structural similarity between the three GRC functions. Considered from the
most general perspective, governance, risk management, and compliance serve a
common purpose: ensuring that organizations are managed well (effectively and in
such a way as to enhance social welfare). The law of governance, risk management,
and compliance is the body of rules, regulations, and best practices that, individually
and collectively, are intended to ensure that organizations achieve this goal.

The law of governance, risk management, and compliance is the body of rules,
regulations, and best practices that, individually and collectively, are intended to
ensure that organizations are managed effectively and in such a way as to enhance
social welfare.
The law of governance, risk management, and compliance includes, not only
conventional rules and regulations, but also "soft law" recommendations from
non-governmental organizations. Among the most important of these is the Com-
mittee of Sponsoring Organizations of the Treadway Commission (COSO), an
umbrella organization of trade groups involved with GRC. COSO promotes the
idea of "internal controls" to capture the essence of the GRC process. As set
forth in the most recent iteration of its integrated framework, COSO defines inter-
nal control as "a process, implemented by an entity's board of directors, manage-
ment, and other personnel, designed to provide reasonable assurance regarding the
achievement of objectives relating to operations, reporting, and compliance." The
COSO framework identifies the following key elements of internal control:
• Control environment: the general tone of the organization: its culture, atti-
tudes, values, philosophy, human development procedures, and operating
style. COSO views the control environment as the most important element
of internal control.
• Risk assessment: the process by which the organization identifies and evalu-
ates material risks to its operations, both internal (e.g., a fraud committed by
senior officers) or external (e.g., changes in market prices).
• Control activities: the procedures and policies that an organization employs
to ensure that decisions made by the board of directors and senior manage-
ment are faithfully and competently executed throughout the organization.
• Information and communication: the means by which agents of the organi-
zation are supplied with the information needed to perform their duties.
• Monitoring: a process of quality assurance, both on an ongoing basis as opera-
tions are performed, and separate evaluations conducted after the fact.
What value can an effective system of internal controls add to an organization?
According to COSO, internal controls help an organization achieve its objectives while
reducing risk. The objectives of the organization include not only meeting profitabil-
ity targets and reducing costs, but also ensuring compliance with applicable laws and
regulations. At the same time, COSO warns that internal controls are no panacea or
guarantee. They do not ensure success, are unable to predict adverse events, and
cannot perform the alchemy of transforming a bad manager into a good one.

Questions and Comments

1. COSO is an umbrella organization of five organizations: the American Account-
ing Association, the American Institute of CPAs, Financial Executives International,
the Association of Accountants and Financial Professionals in Business, and the Insti-
tute of Internal Auditors. Its mission is to improve and modernize practices for cor-
porate directors and managers in the areas of internal controls, enterprise risk
management, and fraud prevention. Together, COSO's sponsoring organizations
carry considerable clout as spokespeople for authoritative opinion in the worlds of
accounting, auditing, and corporate finance.
2. Do you see any logic inherent in the order of COSO's list of key internal
control functions?
3. Is there anything in the report, as described above, that could not be divined
through the exercise of common sense?
4. Why was the COSO report so influential? Does it offer something for everyone,
without goring anyone's ox?
5. How, if at all, does the concept of internal controls serve the interests of
COSO's sponsoring organizations?

Those who think about governance, risk management, and compliance display a
nearly preternatural affection for metaphors. A leading metaphor in the field is that
of the "three lines of defense." In conventional usage, the lines are the following:

The Three Lines of Defense

Line One: operating executives have initial responsibility for
implementing internal controls within their own areas.
Line Two: risk-management and compliance operations catch
problems that are not weeded out at the front line.
Line Three: internal audit checks up on everyone, including
risk management and compliance, in an attempt to make sure
that no problems remain.

Questions and Comments

1. Consider the image of the "three lines of defense." What human activity does
it refer to?
2. What attitudes are invoked by this metaphor? Lines of defense are needed
when a country is threatened by an external foe; the threat is to the institution as a
whole and everyone in it. The enemy seeks to invade the organization's territory if
given an opportunity. Everyone in the organization shares an interest in keeping the
lines of defense as strong and as effective as possible.
3. The lines of defense metaphor seems to convey a mixed message about the
organization's state of preparedness. The fact that three lines of defense are in place
is reassuring; multiple backups minimize the chance that the destructive agent will
penetrate to the organization's core. Yet the fact that three lines of defense are
needed also warns that the threat is powerful and dangerous and that, if the
worst case happens and the lines are penetrated, the consequences for the
organization are likely to be grave.
4. Why is external audit not included in the lines of defense? Should it be con-
sidered a fourth line of defense?
5. What about regulators?
6. What purposes does the "lines of defense" metaphor serve?
7. Why is metaphoric language so powerful, and apparently so useful, in this
supposedly scientific and rational enterprise?
8. The metaphor of the three lines of defense has tended to focus attention on
the second and third lines- risk management and compliance, and internal audit.
Is there a danger that the emphasis on the second and third lines will distract
attention away from the place where the problems can most easily be avoided- the
day-to-day business operations where appropriate diligence can prevent problems
from arising in the first place?

B. THE ROLE OF ATTORNEYS

A distinctive feature of governance, risk management, and compliance is that these
functions are inherently cross-disciplinary. Governance, for example, has a signifi-
cant legal element: The rules allocating responsibility and authority for compliance
and risk management are contained in formal legal documents such as charters,
bylaws, and board resolutions-not to mention laws, regulations, letter rulings,
judicial opinions, consent decrees, deferred prosecution agreements, and admin-
istrative orders. But governance also has-important non-legal elements: Many deci-
sions are made within the discretion of the board of directors or senior managers,
without significant legal input.
The same holds for compliance. Many of the underlying norms and rules that are
administered through the compliance function are legal in nature; but some are
internal institutional policies or procedures not mandated by law. Lawyers are often
used for investigations into allegations of misconduct by corporate employees; but
investigations are also carried out by private investigators, computer technicians,
forensic accountants, and other people. Much of the compliance function today,
moreover, is outsourced to non-lawyer vendors who provide software systems that
operate automatically and outside the direct control of lawyers.
Risk management, likewise, involves a combination of legal and non-legal con-
siderations. Some of the most important risks an organization faces are explicitly
siderations. Some of the most important risks an organization faces are explicitly
legal in nature-for example, the risk that the institution will face onerous new
regulations, or that it be required to pay a legal judgment or be subjected to punitive
governmental sanctions. Yet other risks facing an organization have less to do with
law: Examples are the risk that a financial institution will lose money in its trading
operations, or the risk that private customer information will be stolen from a
company's computerized records. Even these latter risks have a legal dimension,
however: For example, most financial institutions are required to operate in a safe
and sound manner, so that very large trading losses could represent a violation of
legal obligations.
Lawyers thus play an important role in the area of governance, risk manage-
ment, and compliance, but far from the only role. People specializing in other
fields-management, accounting, investigation, finance, and information tech-
nology, among others-play major roles. Moreover, new professional roles have
been developing at an astonishing pace. Many educational institutions offer cer-
tificates or degrees in the GRC area; Stanford University's Center for Professional
Development, for example, awards a certificate in risk management. The Whar-
ton School of the University of Pennsylvania, in cooperation with the Financial
Industry Regulatory Authority (FINRA), offers a program of instruction whose
graduates earn designation as Certified Regulatory and Compliance Professionals
(CRCPs). An organization called "GRC Certify™" offers a menu of certifications
in the combined field of governance, risk management, and compliance. And
these are only a sample of dozens of programs offering instruction or certification
in the area. We may in fact be witnessing the birth of two new professions-
compliance and risk management- that combine elements of law, accounting,
human resources, business, ethics, and more.

Questions and Comments

1. Notably missing from the list of COSO sponsors is any representation by
lawyers. Neither the American Bar Association nor any other organization repre-
senting the legal profession sponsors this initiative. Given that one of the principal
objectives of internal controls is "compliance with applicable laws and regulations,"
why are lawyers not represented?
2. Aware that GRC is a growth area for professional practice, law firms are now
vigorously pursuing this line of work. The websites of many large law firms contain
sections touting services in the area of compliance-services that range from
specialized representations when a client gets into trouble to audits of compliance
areas to full-scale outsourcing of tasks and responsibilities. Law firms are more
tentative about offering risk management advice; but many clearly imply that
their services will be valuable in controlling or mitigating legal, regulatory, and
operational risks.
3. The growth of governance, risk management, and compliance as a discrete
field of professional service, including important legal elements, raises the question
whether professional service providers may offer a comprehensive and integrated
package of services that includes both legal and non-legal expertise. Could one of
the big accounting or consulting firms hire lawyers and put them to work providing
legal services to clients in engagements that also involve accountants, economists,
marketing consultants, finance advisers, and other trained professionals?
4. Do attorneys perform their jobs differently than other compliance profes-
sionals? One might think so, given the special features of legal training-
socialization into how to "think like a lawyer," sensitivity to legal rights and duties,
awareness of the responsibility of zealous representation of clients, and immersion
in an adversarial system of justice. A study of Australian firms concludes, however,
that in general, lawyers don't perform their compliance jobs in a distinctive way.
Robert Rosen, Christine Parker & Vibeke Lehmann Nielsen, The Framing Effects of
Professionalism: Is There a Lawyer Cast of Mind? Lessons from Compliance Programs, 40
Fordham Urb. L.J. 297 (2012).

C. SUBJECT AREAS

Our definitions of governance, risk management, and compliance are formulated at
an abstract level that does not depend on any specific subject matter. Appropriately
so: The functions served by governance, risk management, and compliance are
quite general. All organizations-for-profit corporations, not-for-profit corpora-
tions, religious institutions, governments, and many others-must perform these
functions. Thus the law in this area is not the law of any particular field of activity or
area of commerce; it is a topic that pertains to all complex organizations.
At tl1e same time, other elements of governance, risk management, and compli-
ance are specific to particular subject matters. The ways in which governance, risk
management, and compliance play out across areas of human endeavor is partially a
function of the specific field. The rules pertaining to hospitals differ from the rules
that apply to commercial airlines; those rules, in turn, differ from the rules that
apply to securities broker-dealers. Each field has its own underlying policies and its
own political environment that shapes the rules we observe. History also plays a role:
We will see that rules often change in response to large and stressful events that are
deemed, in one way or another, to have resulted from a breakdown in governance,
risk management, or compliance.
This feature of governance, risk management, and compliance law- that it has a
common structure but also includes specific and sometimes idiosyncratic rules-
influences how this book is organized. We deal with issues in their general and
abstract form, but also provide a "deep dive" into specific areas.
Part I of this book looks at the topic of governance from a general perspective.
This part introduces the cast of characters within the organization: shareholders
(Chapter 1), the board of directors and board committees (Chapter 2), and internal
management (Chapter 3).
Part II turns to compliance. We take this up before reaching the topic of risk
management-and thus deviate from the conventional order- because it is an
area of particular pertinence to lawyers. Here, we examine in more detail what
the compliance function is (Chapter 4). We then turn to the technology of com-
pliance, examining the role of internal enforcement (Chapter 5), regulators (Chap-
ter 6), prosecutors (Chapter 7), whistleblowers (Chapter 8), gatekeepers
(Chapter 9), and plaintiffs' attorneys (Chapter 10). Next, we focus on specific topics
where compliance plays a role: information security (Chapter 11), off-label drugs
(Chapter 12), foreign corrupt practices (Chapter 13), money laundering and bank
secrecy (Chapter 14), and sexual harassment (Chapter 15). These specific topics are
important in their own right and also illustrative of general issues that arise in the
compliance space. We end the unit on compliance by examining activities beyond
compliance such as charitable gifts, code of ethics, corporate social responsibility,
sustainability, and institutional culture (Chapter 16), and instances where compli-
ance fails (Chapter 17).
Part III takes up the topic of risk management. After examining what risk man-
agement is (Chapter 18), we evaluate different approaches to risk management
(Chapter 19). The book concludes with an examination of cases where risk man-
agement fails (Chapter 20).
Part I

Governance

Consider a company like Citigroup. In 2015, this vast financial firm serviced approxi-
mately 200 million customer accounts and did business in more than 160 countries
and jurisdictions. With more than $76 billion in annual revenues, Citigroup would
rank in the top 100 countries in the world by gross national product. Its quarter
million employees could represent the workforce of a substantial city. Even more
staggering is the amount of assets under its control-$1.9 trillion and counting.
And Citigroup is not even the largest financial institution in the United States;
JPMorgan Chase, Bank of America, and Wells Fargo are larger still.
Given the size and influence of complex organizations, it is obvious that decisions
made by their managers have an impact on social welfare. If a company is well
managed, it will tend to generate profits that enrich its shareholders and employees,
who then are more willing to spend money and contribute to the health of the
economy. Well-managed companies also represent efficient allocations of
resources, since the assets under the control of the managers of these companies
will be devoted to profitable uses. If a company is poorly managed, the opposite
happens: People become poorer, spend less, and invest less; and the assets con-
trolled by these companies are not put to their highest and best use. In the worst
case, bad decisions can have systematic consequences: Poor investment policies by
financial firms contributed to the financial crisis of 2007-2009. The question of
governance-who decides what a complex organization will and will not do-is
therefore one of considerable public importance.
For large organizations, the problem of governance is often conceptualized as
that of the "separation of ownership and control" - a phrase that traces back to
an influential book published in 1932 by Adolph Berle and Gardiner Means
entitled The Modern Corporation and Private Property. Almost no one reads the
book any more, but the concept of the separation of ownership and control
remains a defining issue for corporate governance. The basic idea is this:
Large corporations have thousands or millions of shareholders; even the largest
of these owners has only a small percentage interest in the firm. The sheer
number of shareholders makes it virtually impossible for them to exercise effec-
tive governance. Rather, managers control what happens in big companies,
subject to only minimal checks from shareholders or other constituencies. But
managers, if not controlled from without, will too often give in to the temptation
to expropriate the benefits of control for themselves. Managerial misconduct of
this sort is given various names: "abuse" by those (such as Berle and Means)
who were steeped in the political values of the Progressive Era; and "agency
costs" by later scholars who work in the framework of law and economics. No
matter what the conduct is called, its consequences are the same: Corporations
will not be managed so as to serve the best interests either of shareholders or of
society as a whole. This concern about managerial incompetence or misconduct
is the essential problem of corporate governance.
The issue of corporate governance has long been at the front burner of policy
debate, both in the United States and around the world. A host of white papers, best
practice manifestos, and official government policies purport to define how com-
panies ought to be managed. Prestigious institutes, think tanks, politicians, and
scholarly organizations offer their opinions on a regular basis.
Over time, the focus of enthusiasm on the part of these experts has shifted.
Beginning with an emphasis on the importance of independent boards of directors,
the outer edge of policy has moved successively toward an emphasis on the "market
for corporate control" (the corporate takeover market); to reliance on institutional
investors with large ownership stakes; to a focus on board committees; and to the
governance reforms du jour of the 2010s: revamping compensation practices and
enhancing shareholder power.
Do these or other corporate governance reforms improve the welfare of society?
Definitely yes, in the judgment of advocates. Empirical researchers tend to be more
cautious. Some studies find benefits of reforms; others do not. In general, it may be
fair to say that some corporate governance reforms improve how large institutions
are managed and others observe the Hippocratic principle of "do no harm." Still,
skeptics question whether the plethora of corporate governance reforms is worth
the candle in terms of results obtained.
Consider in this respect the following excerpts, one from the Organization for
Economic Cooperation and Development (OECD), and the other from the author
of a treatise on the law of corporate governance.

OECD Principles of Corporate Governance
2004

... In today's economies, interest in corporate governance goes beyond that of
shareholders in the performance of individual companies. As companies play a
pivotal role in our economies and we rely increasingly on private sector institutions
to manage personal savings and secure retirement incomes, good corporate govern-
ance is important to broad and growing segments of the population. . . . The
[OECD's] Principles [of Corporate Governance] are a living instrument offering
non-binding standards and good practices as well as guidance on implementation,
which can be adapted to the specific circumstances of individual countries and
regions. . . . To stay abreast of constantly changing circumstances, the OECD will
closely follow developments in corporate governance, identifying trends and seek-
ing remedies to new challenges.

Douglas M. Branson, Proposals for Corporate Governance
Reform: Six Decades of Ineptitude and Counting
48 Wake Forest L. Rev. 673 (2013)

This article is a retrospective of corporate governance reforms various academics
have authored over the last 60 years or so. . . . The first finding is as to periodicity:
even casual inspection reveals that the reformer group which controls the "reform"
agenda has authored a new and different reform proposal every five years, with
clock-like regularity. The second finding flows from the first, namely, that not
one of these proposals has made so much as a dent in the problems that are per-
ceived to exist. The third inquiry is to ask why this is so? Possible answers include the
top down nature of scholarship and reform proposals in corporate governance; the
closed nature of the group controlling the agenda, confined as it is to 8-10 aca-
demics at elite institutions; the lack of any attempt to rethink or redefine the chal-
lenges which governance may or may not face; and the continued adhesion to the
problem as the separation of ownership from control as Adolph Berle and Gardiner
Means perceived it more than 80 years ago.

Questions and Comments

1. The OECD is a respected good-governance organization. According to its
website, its mission is to "promote policies that will improve the economic and
social well-being of people around the world. . . . We set international standards
on a wide range of things, from agriculture and tax to the safety of chemicals."
2. The OECD Principles of Corporate Governance are not law. No country is
obligated to adopt these principles as a matter of internal law. Yet recommended
"best practices" such as these can be influential. Why? Consider the following
possibilities:
a. The OECD's standards are good ideas, and when they are understood by
others, they are adopted because they are recognized as a better way to
govern.
b. The OECD's standards provide a focal point around which a consensus of
regulators and policy makers can coalesce. Once many people get behind a
proposed reform, it has greater prospects for success than, say, if the idea is
being promoted by a solitary academic.
c. The OECD's standards make it easier for governments to adopt internal
reforms because domestic political interests find it hard to resist proposals
that have the backing of prestigious international organizations.
d. The OECD's standards serve the interests of organizations and individuals
who pursue agendas that do not necessarily align with the public interest.
Which of these possibilities seems most plausible to you?
3. Notice the difference in tone between the two excerpts. Implicit in the OECD
statement is an optimistic view about the potential for progress in improving cor-
porate governance. Standards would not be necessary if all companies were already
following the OECD's recommendations. The OECD's approach carries with it an
idea that working together, governments and private organizations can genuinely
improve corporate behavior and that the result will be beneficial for everyone.

4. The OECD seems confident that its recommendations are wise and appropri-
ate. What is the basis for this confidence? The OECD's opinions about corporate
governance seem to be grounded, not on controlled studies but, rather, on the
consensus of government officials. Is this a reliable source of information? What
shapes the opinions of the government officials who take part in the OECD's coun-
cils? Could it be that these officials rely on the views of prestigious organizations
such as the OECD? Is the process circular?
5. Branson's analysis displays a markedly different tone. He wonders whether
governance reforms do much good at all and doubts that much has been learned
over the years.
6. What, in Branson's view, drives changes in corporate governance recommen-
dations? He suggests that a handful of academics have shaped opinions for everyone
else. Is this plausible?
7. On what basis does Branson conclude that corporate governance reforms
haven't worked? One of his key exhibits is evidence that these reforms are creatures
of fashion: every five years or so another proposal becomes popular and flourishes
for a while, only to be supplanted by a newcomer. If governance reforms are so
fickle, Branson suggests, perhaps they are not grounded in real benefits. Do you
agree?
8. For other critiques of fashionable corporate governance requirements, see
Roberta Romano, Quack Corporate Governance, 28 Reg. 36 (2005); Stephen Bainbridge,
Dodd-Frank: Quack Federal Corporate Governance Round II, UCLA School
of Law Law-Econ Research Paper No. 10-12 (2010); Luigi Zingales & Dirk A.
Zetzsche, Quack Corporate Governance, Round III? Bank Board Regulation
Under the New European Capital Requirement Directive, European Corporate
Governance Institute Law Working Paper No. 249/2014 (2014).
9. Even though at this point you may not yet have a well-developed opinion about
the value of governance reforms, whose view seems more persuasive?
Corporate governance was once largely within the discretion of the regulated
entity, subject, perhaps, to the gentle pressure of "best practice" principles but
not otherwise within the purview of outside influences. No more. At least in the area
of financial institutions, and increasingly in other industries, regulators are taking a
close look at corporate governance practices and, at times, imposing the heavy hand
of compulsory rules. Consider in this regard the following excerpt from the Basel
Committee on Banking Supervision's "Core Principles of Banking Supervision," a
document that purports to identify minimum acceptable standards for supervision
of banks around the world.

Basel Committee on Banking Supervision
Consultative Document: Core Principles
for Effective Banking Supervision
December 2011

PRINCIPLE 14: CORPORATE GOVERNANCE

The supervisor determines that banks and banking groups have robust corporate
governance policies and processes covering, for example, strategic direction, group
and organizational structure, control environment, responsibilities of the banks'
boards and senior management, and compensation. These policies and processes
are commensurate with the risk profile and systemic importance of the bank.

Essential Criteria

• Laws, regulations, or the supervisor establish the responsibilities of the bank's
board and senior management with respect to corporate governance to
ensure there is effective control over the bank's entire business. The super-
visor provides guidance to banks and banking groups on expectations for
sound corporate governance.
• The supervisor regularly assesses a bank's corporate governance policies and
practices, and their implementation, and determines that the bank has robust
corporate governance policies and processes commensurate with its risk pro-
file and systemic importance. The supervisor requires banks and banking
groups to correct deficiencies in a timely manner.
• The supervisor determines that governance structures and processes for
nominating and appointing a board member are appropriate for the bank
and across the banking group. Board membership includes experienced non-
executive members, where appropriate. Commensurate with the risk profile
and systemic importance, board structures include audit, risk oversight, and
remuneration committees with experienced non-executive members.
• Board members are suitably qualified, effective, and exercise their "duty of
care" and "duty of loyalty."
• The supervisor determines that the bank's board approves and oversees
implementation of the bank's strategic direction, risk appetite and strategy,
and related policies, establishes and communicates corporate culture and
values (e.g. through a code of conduct), and establishes conflicts of interest
policies and a strong control environment.
• The supervisor determines that the bank's board, except where required
otherwise by laws or regulations, has established fit and proper standards
in selecting senior management, plans for succession, and actively and criti-
cally oversees senior management's execution of board strategies, including
monitoring senior management's performance against standards established
for them.
• The supervisor determines that the bank's board actively oversees the design
and operation of the bank's and banking group's compensation system, and
that it has appropriate incentives, which are aligned with prudent risk taking.
The compensation system, and related performance standards, are consistent
with long term objectives and financial soundness of the bank and is rectified
if there are deficiencies.
• The supervisor determines that the bank's board and senior management
know and understand the bank's and banking group's operational structure
and its risks, including those arising from the use of structures that impede
transparency (e.g. special-purpose or related structures). The supervisor
determines that risks are effectively managed and mitigated, where
appropriate.
• The supervisor has the power to require changes in the composition of the
bank's board if it believes that any individuals are not fulfilling their duties
related to the satisfaction of these criteria.

Questions and Comments

1. Should regulators be dictating corporate governance of banks?
2. Is there a danger of abuse, if the regulators are self-interested or vindictive?
3. These are set forth as minimum requirements. What else would you recom-
mend, if anything?
