Christoph Van der Elst

The Risks of Corporate Legal Principles of Risk Management

WP 2010-11

Corporate governance codes and corporate law contain provisions on internal control and risk management. First, this paper analyses the state of the art of these provisions in five Western European countries. The regulatory framework stretches from a Frühwarnsystem in Germany, through the internal control report of the French chairman of the board and the internal control statement of the Dutch board, to the European corporate governance statement and the UK principle of maintaining sound risk management. Next, the paper provides insights into how a sample of REITs put the internal control and risk management rules and principles into corporate practice over the last decade. The analysis demonstrates that risk identification, financial risk management and risk response have grown to an advanced stage, while risk assessment - in particular the impact assessment of non-financial risks - and control activities are still in a development stage. The evidence shows that risk management practices are driven by regulation and legislation. Many but not all internal control features have been harmonized. The last section discusses some of the legal consequences of the finding that, in view of both the regulatory developments and corporate practices, new risks have emerged. First, the legal requirements as well as the eagerness of companies to fully comply with all best practices create a field of tension between the basic assumption of risk management frameworks that they provide (only) reasonable assurance and the (reported) state of the art of managing and apparently controlling all (material) risks. Second, there is the risk related to the friction between the progress in identifying the risk management responsibilities of the concerned corporate parties and the standstill in other areas of law, in particular the liability regimes.