Global Journal of Management and Business Research, A: Administration and Management, Volume 23 Issue 10
Sustainable Compliance Programs in Complex Organizations
© 2023 Global Journals

(2005) contends that executives are concerned about potential increased litigation risk due to weak internal controls. There are also cultural differences in corporate governance quality that can affect the propensity of European firms to adopt SOX compliance programs. For example, in the UK the Corporate Governance Code (2015) requires companies to take responsibility for internal monitoring, identifying and creating an effective risk–control matrix for the organization. However, the UK voluntary code is based on ‘comply or explain’.[1]

III. Influences on Regulatory Compliance Culture

This section explores the demand for, and supply of, sustainable compliance programs by identifying various influences related to recent regulatory demands for greater accountability in regulatory compliance programs, namely (a) regulatory compliance and complexity, (b) internal control culture and (c) corporate governance effectiveness. Figure 1 summarizes the complexity theory framework that underlies the various external and internal influences on regulatory compliance culture.

a) Regulatory Compliance and Complexity

As the organization expands geographically, the complexities of managing compliance increase disproportionately. For example, a public limited UK firm with an American subsidiary would need to satisfy, at a minimum, financial regulatory obligations (IAS reporting, Sarbanes-Oxley (SOX)) as well as new information privacy rules (the EU’s newly updated General Data Protection rules related to customer communication, and California data privacy rules). Swingly (2005) provides real-life examples from the banking industry of firms trying to cope with the new Basel II regulations. He refers to “oversight committees” and “steering groups” (e.g. “KAS Bank”), comprising the operational heads of the business units along with the auditors, treasury and the risk management leads, that jointly plan and manage the project “from analysis of the consultation papers, to the assessment of what processing will be affected and ultimately to who needs to be involved”. He also provides examples of “wholesale restructuring of the organization in creating a ‘centralised’ compliance group, which would then have the responsibility for overseeing the compliance program, including targeting the processes and departments to ensure compliance”.

b) Compliance Culture in Organizations

To create a sustainable compliance program, the ethical behaviour of management and employees is a critical factor. There is a strong need to build a culture that accepts ‘change’ in work practices. This acceptance of change is crucial, as it enables the employees of the organization to assimilate the newer (compliance-oriented culture) requirements into their daily work practices, enabling the organization to achieve efficiencies faster. Swingly (2005) provides a glimpse of the ongoing debate on how compliance programs are actually run within the organization. The models range between a completely ‘centralised’ enterprise-wide compliance group and completely ‘autonomous’ business-unit/functional-level compliance management groups. While the former provides ‘enterprise-wide’ oversight and, theoretically, can ensure that the best resources are used once in the most appropriate task (i.e. a better possibility of using resources efficiently), the latter provides the flexibility of the ‘business’ experts extending their operational expertise into managing their unit’s compliance needs. Business-unit heads generally favour the latter model, as it still leaves the compliance program under their control, whilst the former turns compliance into a ‘corporate’ function.

Requirements from regulatory compliance programs like SOX (which holds management responsible for ensuring that an appropriately qualified person performs the role) have also increased the need for organizations to train their employees. For SOX, organizations have two different training needs to fulfil: generic end-user training on SOX requirements and compliance, and more function-specific training on the SOX implications for the specific job role (for process owners). While process management (standardized vs. non-standardized) has a bearing on the scope of training, the execution of the training itself depends on the structure of the organization (CEB, 2004). However, the process literature generally fails to explain the potential for agency conflict that gave rise to SOX. The placement of the internal controls unit within the organization also has a direct impact on all aspects of the internal controls setup for SOX: control testing, coordination, and control design. CEB (2004) suggests a positive relationship between process standardisation and the centralisation of the compliance unit function. Another key element in the organization structure is the presence of the risk management function and its proximity to the compliance unit. The emphasis on risk management by the existing frameworks (COSO), expanding monitoring beyond financial controls, has resulted in firms looking to integrate their existing risk management practices with the new compliance units to achieve economies of scale in their internal controls testing (CEB, 2004).

[1] Firms can opt out, as long as they meet the minimal guidelines set by the regulatory bodies and can provide a satisfactory explanation of their work practices when required.