THE COMPLIANCE MOVEMENT IN RUSSIA: WHAT IS DRIVING IT? Текст научной статьи по специальности «Экономика и бизнес»

THE COMPLIANCE MOVEMENT IN RUSSIA: WHAT IS DRIVING IT?

THOMAS KRUESSMANN, University of Tartu (Tartu, Estonia)

DOI: 10.17589/2309-8678-2018-6-2-147-163

The introduction of compliance management systems is becoming more and more important in Russian companies. Initially limited to anti-corruption compliance and driven by foreign extraterritorial legislation, corporate leaders are now considering the benefits of enhanced risk management systems. From a corporate law perspective, the driving force behind this is the business judgement rule. Corporate leaders should be encouraged to take reasonable entrepreneurial risks without fearing liability. Therefore, by adopting compliance and risk management systems corporate leaders will be able to exculpate themselves when business decisions go wrong and losses are suffered. But the question is who will be the driving force in the Russian corporate context: the executive director or the board of directors? This paper examines two strands of domestic compliance regulation: anti-corruption compliance and the 2014 Code of Corporate Governance. It shows that while there are grounds for the possibility that in Russia the executive directors will be the drivers of compliance, the greater likelihood is that the board of directors will be collectively responsible. Important incentives for the day-today management of the companies will therefore most likely be missed.

Keywords: compliance management system; risk management; business judgement rule; Code of Corporate Governance; anti-corruption.

Recommended citation: Thomas Kruessmann, The Compliance Movement in Russia: What is Driving It?, 6(2) Russian Law Journal 147-163 (2018).

Corporate compliance is becoming increasingly popular in Russian companies. No doubt, a certain part of this movement is in response to extraterritorial anti-

corruption legislation, such as the U.S. Foreign Corrupt Practices Act or the UK Bribery Act. By comparison, the Association of European Businesses' has started to promote codes of good practices for various branches of industry, most notably the automobile and pharmaceutical industries, which also include compliance commitments. But beyond such foreign-induced influences, what is really driving the compliance scene in Russia? And how deeply can we expect Russian companies to adopt such practices?

The questions raised go to the heart of compliance program because, as the iSO '9600:2014 standard illustrates, every compliance management system should be of a cyclical nature. There should be an ongoing process of monitoring and adjusting the company's compliance efforts to variations in risk factors, internal (re-) organizations and changing external influences. Given that all organizations possess a kind of institutional inertia and are averse to change, it is critical to understand what will be driving the compliance movement in Russia.

1. Pro-Compliance Incentives in Corporate Law

When going through the various standards of corporate governance, compliance and risk management, there is no clear indication who should be behind such programs beyond the so-called gate-keepers, i.e. the chief compliance officer (CCO) or the chief financial officer (CFO). Principle Vi of the G20/OECD Principles of Corporate Governance places an emphasis on the monitoring function of the board vis-à-vis the management:2

The corporate governance framework should ensure the strategic guidance of the company, the effective monitoring of management by the board, and the board's accountability to the company and the shareholders.

in the sphere of banking, the Basel Committee on Banking Supervision, on the other hand, emphasizes the senior bank management's responsibility for effective management and limit the bank's board to a supervisory role:3

Principle ':

The bank's board of directors is responsible for overseeing the management of the bank's compliance risk. The board should approve the bank's compliance

' Association of European Businesses (Jun. 2, 2018), available at https://www.aebrus.ru/.

2 G20/OECD Principles of Corporate Governance, OECD (2015), at 51 (Jun. 2, 2018), available at http:// dx.doi.org/10.1787/9789264236882-en.

3 See Compliance and the Compliance Function in Banks, Basel Committee on Banking Supervision (April 2005), at 9-10 (Jun. 2, 2018), available at https://www.bis.org/publ/bcbs113.pdf.

policy, including a formal document establishing a permanent and effective compliance function. At least once a year, the board or a committee of the board should assess the extent to which the bank is managing its compliance risk effectively.

Principle 2:

The bank's senior management is responsible for the effective management of the bank's compliance risk.

Principle 3:

The bank's senior management is responsible for establishing and communicating a compliance policy, for ensuring that it is observed, and for reporting to the board of directors on the management of the bank's compliance risk.

Principle 4:

The bank's senior management is responsible for establishing a permanent and effective compliance function within the bank as part of the bank's compliance policy.

So, while having a corporate compliance program in place is most likely a function of strategic planning and thus primarily associated with the board of directors, the day-to-day operations and the continuous improvement and adjustment are closer to the executive function. Therefore, it is arguably the executive directors' fear of personal liability which is the driving force behind the institutional evolution of compliance management systems. Especially incoming directors are rightly concerned that they are unable to oversee in their new function the entire gamut of their companies' dealings, and they critically depend on management procedures to identify risks in an appropriate way.

The director's role as the driving force of his or her company is recognized by the so-called business judgement rule. Put most simply, corporate leaders will not be held liable for losses of the company, as long as they observe all reasonable precautions and act in the best interest of the company. Obviously, the purpose of this rule is to distinguish regular entrepreneurial risk-taking from those cases in which corporate leaders act either not in the interest of the company or, believing to do so, omit reasonable precautions. Arguably, the business judgement rule creates the most important incentive for innovating compliance and risk management systems. Having such systems alert and up-to-date, corporate leaders can exculpate themselves, when business decisions go wrong and shareholders threaten legal action.

in most countries of the continental legal system, the source of the business judgement rule is statutory law. This also holds true for Russia, but here the situation is less well-defined. The fundamental problem with the business judgement rule

in Russia is that there is a statutory presumption in the Civil Code4 that a director is presumed to have acted in good faith and in a reasonable manner, unless there is proof that he did otherwise. So, in case shareholders want to bring legal action against the director, the burden of proof is on the shareholders to show that there are objective grounds for assuming that the director acted not in good faith or in an unreasonable manner. This legal situation left it practically to the courts to decide what strength the legal presumption would hold and what amount of objective grounds was necessary to tip the burden of proof. Obviously, in large companies in which directors were politically well-connected, it was fairly easy to use behind-the-scenes influence on the courts to prevent any major legal challenge from arising.

This situation changed in 2013 when the Plenary of the Supreme Arbitration Court of the Russian Federation (Vysshiy Arbitrazhnyi Sud Rossiyskoy Federatsii) adopted a ruling5 that meant to address this detrimental inversion of the burden of proof by introducing fresh business judgment rule thinking into the statutory framework. At para. 1, it injected a degree of risk analysis by claiming that there should be no liability for losses if the management decision was within the limits of regular entrepreneurial risk-taking. And it also proposed check-lists of cases and red flags to determine when a director's action can be assumed to be not in good faith and/or to be not reasonable.

Examples of behavior that is not in good faith include the following:6

- situations of conflict of interest;

- hiding or presenting incomplete information on agreements entered into;

- agreements entered into without the required consent of corporate bodies or the regulator;

- after the end of his or her tenure withholding documents on agreements entered into during his or her tenure;

- actual or inferred knowledge that at the time of concluding an agreement this was not in the best interests of the company.

in addition, the Ruling gives a number of instances in which behavior is considered to be unreasonable:7

4 Гражданский кодекс Российской Федерации (часть первая) от 30 ноября 1994 г. № 51-ФЗ, Собрание законодательства РФ, 1994, № 32, ст. 3301 [Civil Code of the Russian Federation (Part One) No. 51-FZ of 30 November 1994, Legislation Bulletin of the Russian Federation, 1994, No. 32, Art. 3301], Art. 10(5).

5 Постановление Пленума Высшего Арбитражного Суда Российской Федерации от 30 июля 2013 г. № 62 "O некоторых вопросах возмещения убытков лицами, входящими в состав органов юридического лица" [Ruling of the Plenary of the Supreme Arbitration Court of the Russian Federation No. 62 of 30 July 2013. On Some Questions of Compensating Losses Caused by Persons, Being Members of the Bodies of Legal Persons] (Jun. 2, 2018), available at http://www.consultant.ru/document/ cons_doc_LAW_150888/.

6 Id. Para. 2.

7 Id. Para. 3.

- decisions are taken without considering relevant information;

- before decisions were taken, there was no effort to obtain the amount of information necessary in the light of normal business practices;

- contracts were concluded without observing the usual internal procedures.

The detailed check-lists were meant to give guidance to the lower arbitration

courts when assessing the concrete situation in which a decision was taken or an agreement concluded. But it is currently difficult to say how lasting the impact of these interpretations will be. Only a few months later, in November 2013, the State Duma of the Russian Federation adopted a Law that abolished the system of specialized arbitration courts and merged their functions with the ordinary courts.8 However, Plenary Rulings of the Supreme Arbitration Court of the Russian Federation remain in force until the Plenary of the Supreme Court of the Russian Federation adopts its own decision.9 So, for the time being the abovementioned Plenary Regulation of July 2013 is still applied by the ordinary courts.

The business judgement rule is tailored to the executive level where operational decisions are being taken. And it favors the position of the executive director as the main driver of compliance. The alternative, i.e. leaving responsibility to the board, seems less suitable. There is, of course, much to be said for using the company's supervisory mechanism to adopt responsibility also for the company's compliance management system. But there are also some significant flaws to this idea:

- the board of directors (obviously) does not run the day-to-day operations of the company;

- the board of directors exercises its duty primarily by creating committees and supervising their activity. As a rule, the risk management committee as well as the other related committees (audit, internal controls) do not report to a specific member of the board of directors, but respond to the board of directors on the whole;

- the Law on Joint-Stock Companies limits the possibility for individual shareholders to bring action against members of the board of directors.10 A minimum

9

Закон РФ о поправке к Конституции РФ от 5 февраля 2014 г. № 2-ФКЗ "О Верховном Суде Российской Федерации и прокуратуре Российской Федерации," Собрание законодательства РФ, 2014, № 6, ст. 548 [Law of the Russian Federation No. 2-FKZ of 5 February 2014. On the Supreme Court of the Russian Federation and the Prosecutor's Office of the Russian Federation, Legislation Bulletin of the Russian Federation, 2014, No. 6, Art. 548].

Федеральный конституционный закон от 4 июня 2014 г. № 8-ФКЗ "О внесении изменений в Федеральный конституционный закон 'Об арбитражных судах в Российской Федерации' и статью 2 Федерального конституционного закона 'О Верховном Суде Российской Федерации,'" Собрание законодательства РФ, 2014, № 23, ст. 2921 [Federal Constitutional Law No. 8-FKZ of 4 June 2014. On the Introduction of Changes to the Federal Constitutional Law "On Arbitration Courts in the Russian Federation" and to Article 2 of the Federal Constitutional Law "On the Supreme Court of the Russian Federation," Legislation Bulletin of the Russian Federation, 2014, No. 23, Art. 2921].

Федеральный закон от 26 декабря 1995 г. № 208-ФЗ "Об акционерных обществах," Собрание законодательства РФ, 1996, № 1, ст. 1 [Federal Law No. 208-FZ of 26 December 1995. On Joint-Stock Companies, Legislation Bulletin of the Russian Federation, 1996, No. 1, Art. 1], Art. 71(5).

of 1% of voting stock is required for shareholders to claim compensation for losses incurred by the company. But if the substance of the claim is that the member of the board of directors was negligent in establishing or maintaining an up-to-date compliance management system, the individual member would be able to "hide" behind the collective failure to act. Rarely would an individual behavior (e.g. persistent obstruction of a vote on introducing a compliance management system) give rise to individual responsibility.

All in all, it appears that by localizing the compliance function among the board of directors and not the executive directors, the threat of shareholder action is significantly diminished and an important incentive for innovating compliance management systems not realized.

2. Additional Sources of Compliance

While there is uncertainty about the effectiveness of the aforementioned Regulation of the Plenary of the Supreme Arbitration Court, clarification may come from another corner. in fact, by 2013 there were at least two other strands of developments emerging which worked towards establishing compliance mechanisms in Russian companies. The one is anti-corruption compliance, the other (general) compliance in joint-stock companies. A third very important field, i.e. Central Bank regulation in the banking sphere and the wider financial services industry, plays also an important role, but is rather separate as a source of influence. Both beforementioned strands of developments have their particular antecedents, and it is unclear at this stage how they are going to merge in the future.

2.1. Anti-Corruption Compliance

Anti-corruption is one policy field in which the Government has taken a highprofile stance. in 2012, the Government introduced a new Art. 13.3 into the Federal law of 25 December 2008 No. 273-FZ "On Counteracting Corruption"11 which required that "organizations" must establish anti-corruption compliance programs. in referring to "organizations," the Law chooses to address both the public and the private sector, thus making anti-corruption compliance mandatory both for the administrative and the corporate sphere including state-owned enterprises of all shades.

Федеральный закон от 3 декабря 2012 г. № 231-ФЗ "О внесении изменений в отдельные законодательные акты Российской Федерации в связи с принятием Федерального закона 'О контроле за соответствием расходов лиц, замещающих государственные должности, и иных лиц их доходам,'" Собрание законодательства РФ, 2012, № 50 (ч. 4), ст. 6954 [Federal Law No. 231-FZ of 3 December 2012. On the Introduction of Changes to Several Legal Acts of the Russian Federation in Connection with the Adoption of the Federal Law "On the Control of the Correspondence of Expenditures by Persons Having State Offices, and Other Persons with Their Incomes," Legislation Bulletin of the Russian Federation, 2012, No. 50 (part 4), Art. 6954].

Article 13.3 was implemented by Presidential decree12 which at para. 25 tasked the Ministry of Labour and Social Protection of the Russian Federation, in cooperation with other interested Federal agencies and in collaboration with the Russian Federation Chamber of Commerce and industry, the "Russian Union of industrialists and Entrepreneurs" and the business associations "Delovaya Rossiya" and "OPORA Rossiya," to develop so-called methodological recommendations. The result of this collaboration, entitled"Methodological Recommendations for the Development and implementation of Measures to Prevent and Counteract Corruption" was adopted on 8 November 2013.13 it comprises 47 pages plus 55 pages of attachments including a so-called Anti-Corruption Charter of Russian Business.14

The sheer size of this work, combined with the fact that it contains "only" sets of recommendations, may have diminished its chances for success from the very beginning. indeed, it would be an exaggeration to say that the document has made its mark in the literature.15 But there are, indeed, novel features both in terms of substance and in the particular mode of creation and dissemination which make it an interesting case.

Let us first take a look at the substance of the Recommendations. What is striking when going through the bulk of the text is the clear treatment of risk management. Chapter 1, para. 2 gives a definition of compliance which is, on the one hand, attuned to the role of extraterritorial legislation in anti-corruption regulation, and, on the other hand, offers a vision for the entire field of compliance in Russia. According to para. 2,

12 Указ Президента РФ от 2 апреля 2013 г. № 309 "О мерах по реализации отдельных положений Федерального закона 'О противодействии коррупции,'" Собрание законодательства РФ, 2013, № 14, ст. 1670 [Decree of the President of the Russian Federation No. 309 of 4 April 2013. On Measures for Realizing Several Provisions of the Federal Law "On Counteracting Corruption," Legislation Bulletin of the Russian Federation, 2013, No. 14, Art. 1670].

13 Методические рекомендации по разработке и принятию организациями мер по предупреждению и противодействию коррупции [Methodological Recommendations for the Development and Implementation of Measures to Prevent and Counteract Corruption] (Jun. 2, 2018), available at http:// rosmintrud.ru/docs/mintrud/employment/26.

14 Attachment No. 6.

15 The Recommendations are rarely mentioned and even more rarely discussed. Exceptions include Иванов ЭА. Антикоррупционный комплаенс-контроль в российских компаниях // Международно-правовые чтения. Вып. 12. Воронеж: ВГУ, 2014. С. 91 [Eduard A. Ivanov, Anti-Corruption Compliance Control in Russian Companies in International Law-Readings. Issue 12 91 (Voronezh: Voronezh State University, 2014)] and Smith D. Assessing Compliance with Requirements for Anti-corruption Compliance Programs // Материалы III Международного Конгресса "Предпринимательство и бизнес в условиях экономической нестабильности" [David Smith, Assessing Compliance with Requirements for Anticorruption Compliance Programs in Materials of the III International Congress "Entrepreneurship and Business under Conditions of Economic Instability"] 133-135 (Moscow: Financial University under the Government of the Russian Federation, 2015).

Compliance is the process of making sure that the activity of the organization is in line with requirements of Russian and foreign law as well as other binding obligations from regulatory documents, and also the creation of mechanisms within the organization to analyze, detect and evaluate spheres of activity with heightened corruption risks and to guarantee the complex defense of the organization.'6

We thus see a dual approach in the definition which combines traditional elements of legislative compliance with a risk-management perspective. This duality is continued into the list of key principles which stands at the beginning of the operative part of the Recommendations.'7 it is surely not by chance that the first principle places an emphasis on legislative compliance: "Compliance of the organization's policies with the law in force and universal norms." Principles two and three are more or less common-place from a Western perspective, but then the fourth principle stands out: "Proportionality of anti-corruption procedures with corruption risks." The same is true for the eighths principle: "Permanent control and regular monitoring." Both thoughts are not entirely novel, of course, but rarely have they in Russian legal history been expressed as key principles.

The next highlight from a risk-management point of view is Chapter 3 "Evaluation of Corruption Risks." it sets out:

The goal of the evaluation of corruption risks is the identification of concrete business processes and transactions in the activity of the organization which carry the highest risk of corruption violations by the organization's staff both for the purpose of obtaining a personal benefit and for giving the organization a benefit. The evaluation of corruption risks is the most important element of anti-corruption policies.

This quote could have been taken from any state-of the-art Western textbook on compliance. Chapter 3 continues in this spirit, recommending organizations to draw up a map of corruption risks of the organization and to define critical junctures where corrupt practices can most likely be expected. Hidden in the voluminous text of the Recommendations, these prescriptions are extremely valuable because they open up the perspective of a progressive, dynamic, and risk-based corruption analysis.

Since the Recommendations address any organization, defined as a legal person independently of ownership status, legal form and sector affiliation,'8 they cannot be very specific in explaining who should be in charge of implementing these

16 Italics are not in the original.

17 Chapter 3.

18 Para. 2, lit. "v" of the Methodological Recommendations.

policies. There is only the general guideline that every organization should create a structural sub-unit or designate a staff member who is in charge of anti-corruption policies depending on the organization's needs and capabilities. Furthermore, the Recommendations state that this sub-unit or designated staff member should be directly subordinate to the organization's leadership and should be endowed with the powers necessary to implement anti-corruption policies even with a view to those persons who hold leadership positions in the organization. So, the Recommendations actually envision anti-corruption policies not as a paper tiger, as is the case so often, but as a real force in holding the organization's leadership accountable. it is not to be excluded that this rather aggressive pitch is the reason why the Recommendations have not gained wider popularity.

Let us now take a look at the mode of creation and dissemination of the Methodological Recommendations. it was in a Federal law that the initiative was formulated for the first time, then taken up by Presidential decree and implemented by the Ministry of Labour and Social Protection. interestingly only, para. 25 lit. "b" of the Presidential decree of 2 April 2013 ordered the Ministry to develop the Recommendations by inviting the following four explicitly named business associations to collaborate:

- the Chamber of Commerce and industry of the Russian Federation;

- the Russian Union of industrialists and Entrepreneurs;

- the All-Russian social organization "Delovaya Rossiya";

- the All-Russian social organization of small and middle-sized businesses "OPORA Rossii."

For lack of deeper knowledge on the actual consultations that have taken place (if any), let us observe that the chosen format does not, of course, amount to a full-fledged public consultation. it does not give voice to other business associations outside the four explicitly named ones. We may even assume that given their officially recognized role as business associations, they have had ample opportunity to lobby on the follow-up to the newly introduced Art. 13.3 of the Federal law "On Counteracting Corruption" and include themselves into the subsequent procedure for realization.

From looking purely at the Methodological Recommendations, there is not much evidence that the abovementioned associations have had any impact. To a large extent, the Recommendations appear to be a result of the Ministry's stock-taking, paraphrasing already existing legislation and including specific anti-corruption topics from the field of labor relations which are not commonly discussed, but which show the Ministry's handwriting. When mentioning the follow-up to the Recommendations, it is probably here that the abovementioned business associations have taken the greatest interest. The last chapter of the Recommendations introduces a set of suggestions for collective action which includes:

1) joining the Anti-Corruption Charter of Russian Business;

2) using in contracts standard anti-corruption reservations;

3) publicly rejecting collaboration with individuals or organizations charged with corruption-related crimes;

4) organization of joint training activities on preventing and counteracting corruption.

In fact, the annexes to the Methodological Recommendations include a document called "Anti-Corruption Charter of Russian Business"'9 and a road-map for joining the Charter.20 So, by all likelihood, it was expected by the Ministry that the Charter would act as a transmission belt for bringing the substance of the Recommendations to businesses, using their membership in the four named business associations and an internet-based, publicly accessible register of Charter members.2' The truth, however, is different. The Charter begins with a list of nine fundamental principles which ideally should mirror the eight fundamental principles contained in the Recommendations. However, this is absolutely not the case. The Charter's fundamental principles are mostly a watered-down set of commonplace notions without any mentioning of the risk-based anti-corruption strategy that is the highlight of the Recommendations. Even when giving credit to the creative freedom of the authors of the Charter, it would have been clearly in the spirit of the Recommendations to use the Charter as a kind of executive summary, giving membership in the Charter clear contours and a firm guidance for corporate practice. Sadly, none is the case. Without further background information, it is not serious to speculate on the reasons for this, but it appears that the process of implementing the Recommendations has effectively been hijacked by the business associations with the purpose of emaciating them and turning them into a paper tiger.

Whether this conclusion is true or not remains to be seen. This is because beyond the mandate of the Recommendations the four business associations have used the Charter to create a mechanism that is similar to the UN Global Compact, but more tightly focused on anti-corruption. The Register of Charter members which at the time of writing (November 20'7) contains a total of 352 entries, is the basis for asking every Charter member to fill in declarations every two years in which they describe their activities related to anti-corruption. In addition, it is possible to undergo an independent anti-corruption audit by the two partner auditors of the Charter and receive a certification. The bi-annual declaration of activities may be just enough to satisfy the requirements of Art. '3.3 of the Federal law"On Counteracting Corruption," so, in fact, there is a high likelihood that Charter membership in practice is equal to an exercise in ticking boxes. The voluntary certification, on the other hand, is

19 Annex 6.

20 Annex 5.

Антикоррупционная хартия российского бизнеса [Anti-Corruption Charter of Russian Business] (Jun. 2, 2018), available at http://against-corruption.ru/ru/.

a potentially serious tool. One of the two accredited auditors is Ernst & Young. So, if the Charter mechanism induces companies to undergo an anti-corruption audit, it is surely not a bad idea. The question remains, whether such sectoral initiatives will really help companies to establish comprehensive systems of compliance, at least by taking the lessons learned from anti-corruption and transferring them to other areas of risk exposure.

2.2. Compliance as Part of Corporate Governance Standards

in Russia, the first-ever Code of Corporate Governance was introduced by the Federal Securities Commission back in 2002 following Government approval in 2001.22 it is foremost a recommendation to all joint-stock companies founded on the territory of the Russian Federation, combined with an invitation to annually report on the Code's implementation. in addition, it addresses the stock exchanges in the country and recommends that only stock of companies should be traded which are able to demonstrate to the stock exchange that they follow the prescriptions of the Code of Corporate Governance.

This first Russian experiment in corporate governance codes is arguably an interesting one, and it came at an interesting time. After the nineties had seen the heyday of "Wild East" capitalism, corporate law in the early years of the millennium was still far from consolidated. But the overall economic situation became more optimistic, and there were increasing forecasts that Russia would be entering a period of growth.23 Against this background, the Federal Securities Commission felt that because strengthening the corporate law framework was still a long way off, it was important to bring at least new standards of best practice and ethical behavior to Russian companies. it decided to do so by imposing a kind of "soft law," using the leverage that the stock exchanges had over the joint-stock companies whose shares were publicly traded. Whether this innovation in rule-making was successful is difficult to say even with the benefit of hindsight. Russian literature on this first Code of Corporate Governance is scarce, and there has obviously never been an attempt to measure changes in corporate behavior.

in terms of substance, the 2002 Code turned out be an exercise in bringing u.S. practices to Russia. For some reason, the Federal Securities Commission in collaboration with the European Bank for Reconstruction and Development (EBRD)

22 Распоряжение Федеральной комиссии по рынку ценных бумаг от 4 апреля 2002 г. № 421/р "О рекомендации к применению Кодекса корпоративного поведения" [Order of the Federal Exchange Commission No. 421/r of 4 April 2002. On Recommendations to Apply the Code of Corporate Behavior] (Jun. 2, 2018), available at http://www.consultant.ru/document/cons_doc_LAW_36269/.

23 Семенов А.С. В России появился новый Кодекс корпоративного управления // Акционерное общество: вопросы корпоративного управления. 2014. № 6(121). С. 55-60 [Alexander S. Semenov, A New Code of Corporate Governance Appeared in Russia, 6(121) Joint-Stock Company: Corporate Governance Issues 55 (2014)].

chose a consortium that was made up primarily of U.S. advisors (Coudert Brothers, Ethics Resource Center and Sovereign Venture inc.).24 When it came to compliance, however, the advice was solidly in line with OECD standards. Most importantly, the 2002 Code required the board of directors, in representing the interests of the company's shareholders, to establish a risk management system to pro-actively identify risks in the course of business activity and to minimize their potentially negative outcomes.25 While this was obviously a very important point in line with compliance management, the Code was decidedly vague in guiding companies how to achieve this goal. The only clue to implementation was suggesting that the board of directors, in addition to four mandatory committees (strategic planning, audit, HR/remuneration and corporate conflicts) may create a committee for risk management and an ethics committee.26 This approach was in line with conventional corporate organization of joint stock companies in Russia and did not in any way address the philosophy of having an independent compliance function, as is the current standard word-wide. it also missed the point that compliance, in the light of the OECD principles on corporate governance, is a tool for strategic management and is therefore arguably close to the tasks of the strategic planning committee.

it would be an exaggeration to say that this first Code of Corporate Governance had been making waves in Russia. in fact, only when the second Code of Corporate Governance was enacted in 2014, there appeared a sizable literature discussing its role and effect.27 This second Code of Corporate Governance was adopted by the Central Bank of the Russian Federation on 10 April 201428 after having been approved by the Government of the Russian Federation on 13 February 2014. Again, it relied on the leverage that the Central Bank had vis-à-vis joint-stock companies the

24 Поведение акционерных обществ будет регулироваться кодексом // Со-Общение. 2001 [Behavior of Joint-Stock Companies Will Be Regulated by Code, Co-Mmunication (2001)] (Jun. 2, 2018), available at http://www.soob.ru/n/2001/11/news/0.

25 Para. 1.2.2.

26 Para. 3.3.

27 Островская М.Ю. Инновационные положения кодекса корпоративного управления // Государство и бизнес. Современные проблемы экономики: Материалы VII Международной научно-практической конференции (Санкт-Петербург, 22-24 апреля 2015 г.). Т. 2. С. 121-123 [Marina Yu. Ostrovskaya, Innovative Provisions of the Code of Corporate Governance //State and Business. Modern Problems of Economics: Materials of the VII International Scientific and Practical Conference (St. Petersburg, 22-24April2015). Vol. 2] (Jun. 2, 2018), available at http://to-future.ru/wp-content/uploads/2015/06/% D0%93%D0%B8%D0%91_2015_%D0%A2%D0%9E%D0%9C2.pdf; Шашкова А.В. Значение Кодекса корпоративного управления Банка России 2014 г. // Вестник МГИМО Университета. 2014. № 4(37). С. 253-263 [Anna V. Shashkova, The Meaning of the Code of Corporate Governance of the Central Bank of Russia, 37(4) MGIMO Review of International Relations 253 (2014)].

28 Письмо Банка России от 10 апреля 2014 г. № 06-52/2463 "О Кодексе корпоративного управления" [Letter of the Central Bank of the Russian Federation No. 06-52/2463 of 4 April 2014. On the Code of Corporate Governance] (Jun. 2, 2018), available at http://www.consultant.ru/document/ cons_doc_LAw_162007/.

shares of which were publicly traded. But in contrast to the First Code, the Federal Government, via the Federal Agency for State Property Management, adopted the policy that all companies with a state share of at least 50% must adopt "road maps" on the implementation of this Code.29 So, the new Code acquired binding force in a much larger share of the Russian economy than it appears at first sight.

Compared to its predecessor, the 2014 Code gives detailed guidance on compliance. Commentators agree that it pursues a substantially different approach, synthesizing the Russian experiences in the development of the corporate sector in the first decade of the 21st centu ry a nd enca psulating both the lessons from the yea rs of the oil boom and of the financial crisis.30 No less important is the WTO accession of Russia in 2012. Commentators see it as giving thrust to the idea of compliance in Russian companies because they will be increasingly facing international competition on global markets.31

The 2014 Code represents a fundamentally new approach to compliance, introducing the idea of a so-called "system of risk management and internal control" ("sistema upravleniya riskami i vnutrennego kontrolya"). Paragraph 259 defines this system as the

...totality of organizational measures, methods, procedures, norms of corporate culture and activities, undertaken by the organization to achieve the optimal balance between increasing the value of the organization, its profitability and risks, to maintain the financial stability of the organization, the effectiveness of its economic operations, to protect the integrity of assets, compliance with legislation as well as the organization's statute and other internal documents and the timely preparation of accountability reports.

in this definition, the traditional positivist understanding of legislative compliance appears only as one among many factors within a determinedly holistic approach to

29 Директива Правительства Российской Федерации от 2 сентября 2014 г. № 5667п/П13 [Directive of the Government of the Russian Federation No. 5667/p/P13 of 2 September 2014]; see also Кашеварова А., Панов П. Госкомпаниям рекомендовали перейти на Кодекс корпоративного управления // Известия. 12 мая 2015 г. [Anastasia Kashevarova & Pavel Panov, State Companies Were Recommended to Move to the Code of Corporate Governance, Izvestiya, 12 May 2015] (Jun. 2, 2018), available at https:// iz.ru/news/586040.

30 Semenov 2014.

31 Доева Ф.Н., Гиголаев Г.Ф. Роль системы комплаенс в управлении рисками банка // Развитие экономики и менеджмента в современном мире: Сборник научных трудов по итогам II Международной научно-практической конференции [Fatima N. Doeva, Georgy F. Gigolaev, The Role of the Compliance System in Risk Management of the Bank in Development of Economics and Management in the Modern World: A Collection of Scientific Works on the Results of the Second International Scientific and Practical Conference] 169-172 (Voronezh: Innovative Center for the Development of Education and Science, 2015).

risk management. This notion is underscored by the recommendation to draw on the universally accepted enterprise risk management standards contained in the COSO "Enterprise Risk Management-integrated Framework" and also the iSO 31000:2009 risk management standard, among others.32

A second element of the 2014 Code's approach is to place risk management into a wider evaluation mechanism by the company's audit function. So, the audit function is not to deal with certain types of risks, but bears an overall responsibility for the functioning of the risk management. To this end, the 2014 Code elaborates a complex structure.

The 2014 Code proposes a highly sophisticated and multi-layered system of risk management. Perhaps the most significant feature of it, and the one that clearly continues the regulatory impulse of the 2002 Code of Corporate Governance, is to assign the ultimate responsibility for risk management and thus compliance to the board of directors: the board is responsible for choosing the principles and approaches to organizing the system of risk management and internal control.33 How the chosen principles and approaches are to be realized is answered by the 2014 Code in a way that is characteristically different from the previous regulatory experience. Whereas early regulations had simply demanded the creation of a dedicated compliance sub-unit, the 2014 Code envisions a solution that embraces all levels of management and is built on the distinction between an operational and an organizational dimension. Operationally, the Code addresses the management of all corporate levels34 with the task of finding specific risk management solutions for all the various business processes concerned.35 Consequently, the roles and functions of the board of directors, management, revision commission (revizionnaya kommissiya), internal audit and other sub-units shall be formalized in the internal documents of the joint-stock company.36 Organizationally, the Code provides for the creation of a cross-cutting coordination mechanism, i.e. a separate structural sub-unit for risk management and internal control.37 The purposes of this structural sub-unit are described in the following way:

- to provide overall coordination for risk management;

- to develop methodological documents to support risk management processes;

32 Para. 252 and concomitant footnote 15.

33 Para. 251.

34 This is expressed by using the term "executive organs" ("ispolnitel'nye organy") in the plural. If this phrase were meant to address only the executive function under corporate law, it would invariably have to be singular because a joint-stock company has only one executive organ, either an executive director or an executive board.

35 Para. 257.

36 Para. 255.

37 Para. 258.

- to organize staff trainings in the areas of risk management and internal control;

- to analyze the risk portfolio of the company and to propose reaction and risk mitigation strategies;

- to introduce accountability and reporting tools;

- to operatively control the policies of risk management related to specific business processes in the company's sub-units and also in affiliate companies, where applicable;

- to prepare feedback on the effectiveness of the risk management systems to the board of directors and the various levels of management.

The board of directors is asked to check at least once a year into the organization, the functioning and the effectiveness of this system of risk management and internal control and to publish the results in the company's annual report.38

Now, the major novelty of the 2014 Code consists in the fact that this entire system is subject to an internal audit function, tasked with working continuously on a "systematic and independent" monitoring.39 it is perhaps here where the international standard for an independent compliance function is most clearly expressed. The Code suggests to the board of directors to create this internal audit function in the shape of a separate structural sub-unit. its hallmark should be its independence, and this independence shall be guaranteed in a dual fashion:

- administratively, by subordinating the internal audit function to the single (edinolichnyi) executive director with the goal of providing the audit function with the needed amount of financial resources from the company's budget and also to open up channels of accountability;40

- functionally, by subordinating the audit function directly to the board of directors or its audit committee.41

3. Normative Cohesion

The 2014 Code recommends the creation of two sub-units within joint-stock companies: a "risk-management and internal control" unit to coordinate enterprise risk management procedures to be integrated into the various layers of the company and its business processes, and an "independent" internal audit subunit, subordinated to the board of directors or, alternatively, to the board's audit committee as one of the core standing committees introduced by the 2002 Code of Corporate Governance. So, the 2014 Code invariably preserves a compliance model that is geared to the board of directors without fully integrating the proposed model

38 Para. 262.

39 Para. 5.2.

40 Para. 268.

41 Para. 267.

into the legal structure of joint-stock companies. This raises the question how well-suited this model is for the given corporate structure.

A second point to note is that there is obviously no attempt at coordination between the Methodical Recommendations on anti-corruption compliance of November 2013 and the 2014 Code. The latter's para 260 calls on joint-stock companies to reconsider their anti-corruption policies in the light of the system of risk management and internal control proposed by the new Code. And there are obviously no real frictions because the 2014 Code, in addressing only joint-stock companies compared to the broader "organizations," has a deeper and more comprehensive approach. But it is potentially problematic to have one set of recommendations, bolstered up by business interests' support, to create anticorruption compliance, and to have a second regulatory approach tied to the legal form of a joint-stock company. in the last paragraph of the"introduction" to the 2014 Code, the authors express the hope that the Code's recommendations, although geared to joint-stock companies with a large number of shareholders, can mutatis mutandis be applied to other types of legal persons.

Hoping for such an outcome may in fact not be enough. While complexity in models is good and variation is certainly needed, the question is whether the specific arrangement chosen in any given company is capable of capturing all the risks the company is faced with. Natalya Ermakova and Chulpan Akhunyanova refer to a study by PricewaterhouseCoopers42 according to which the practice of creating compliance committees (e.g. a committee for corporate control and audit next to the standard audit committee under the board of directors) is in most cases not capable of covering the major risks a company is confronted with.43

Conclusion

Following the 2014 promulgation of the Code of Corporate Governance, a great number of Russian joint-stock companies have adopted codes of corporate management and are reporting annually on their compliance activities. The most prominent one is Sberbank which even obtained iSO 19600:2014 certification from the international Compliance Association in December 2016. Looking at Sberbank's Code of Corporate Governance (adopted 20 April 2015), it clearly proclaims that the Supervisory Council (Sberbank's version of a board of directors) is responsible"for the definition of principles and approaches to the organization of a system of internal controls and risk management in the bank." By comparison, the executive organs

42 Unfortunately, no reference is given.

43 Ермакова Н.А., Ахуньянова Ч.Ф. Комплаенс-контроль в системе внутреннего контроля корпорации // Международный бухгалтерский учет. 2014. № 3. С. 9 [Natalya A. Ermakova, Chulpan F. Akhunyanova, Compliance Control in the System of Internal Control of the Corporation, 3 I nternational Accounting 2, 9 (2014)].

of the company are in charge of taking care of the founding and the functioning of efficient mechanisms of internal controls and risk management in the bank as well as implementing all decisions of the Supervisory Board. Using the word "taking care" in the Russian original signals an activity on the level of implementation which is clearly subordinated to the "being responsible" which is ascribed to the Supervisory Board.

All things taken together, chances are that the Russian version of the compliance movement will retain its focus on the board of directors and will be less driven by the Western, perhaps individualistic, idea of director's fear of liability. Hence, there is the danger that some important incentives in keeping compliance systems alert are not realized and a greater likelihood that compliance in Russia will not move beyond a corporate exercise in ticking boxes.

References

ЕрмаковаН.А., Ахуньянова Ч.Ф. Комплаенс-контроль в системе внутреннего контроля корпорации // Международный бухгалтерский учет. 2014. № 3. С. 2-10 [Ermakova N.A., Akhunyanova Ch.F. Compliance Control in the System of Internal Control of the Corporation, 3 International Accounting 2 (2014)].

Иванов Э.А. Антикоррупционный комплаенс-контроль в российских компаниях // Международно-правовые чтения. Вып. 12. Воронеж: ВГУ, 2014. С. 86-101 [Ivanov E.A. Anti-Corruption Compliance Control in Russian Companies in International Law-Readings. Issue 12 86 (Voronezh: Voronezh State University, 2014)].

Шашкова А.В. Значение Кодекса корпоративного управления Банка России 2014 г. // Вестник МГИМО Университета. 2014. № 4(37). С. 253-263 [Shashkova A.V. The Meaning of the Code of Corporate Governance of the Central Bank of Russia, 37(4) MGIMO Review of International Relations 253 (2014)].

Smith D. Assessing Compliance with Requirements for Anti-corruption Compliance Programs // Материалы III Международного Конгресса "Предпринимательство и бизнес в условиях экономической нестабильности" [Smith D. Assessing Compliance with Requirements for Anti-corruption Compliance Programs in Materials of the III International Congress "Entrepreneurship and Business under Conditions of Economic Instability"] 133-135 (Moscow: Financial University under the Government of the Russian Federation, 2015).

Information about the author

Thomas Kruessmann (Tartu, Estonia) - Coordinator of the Jean Monnet Network "Developing European Studies in the Caucasus," Johan Skytte Institute of Political Studies, University of Tartu (Estonia) (36 Lossi, Tartu, 51003, Estonia; e-mail: kruessmann.thomas@gmail.com).