As John McKessy notes in his post Knowledge of Good and Evil: A Brief History of Compliance, you could say that Adam's bite of the apple was the first recorded compliance violation, though certainly not the last. As I already cited in my opening post, compliance today means conforming to a rule, such as a specification, policy, standard or law. Compliance with company guidelines was always expected, but it was understood more as loyalty towards the company. There were, and still are, normative and coercive measures in place, as well as extrinsic rewards such as salaries, bonuses and benefits, to ensure that employees maintained this loyalty.
Modern compliance history started with the need to set up public safety agencies at the end of the 19th and the beginning of the 20th century, such as the Food and Drug Administration in 1906. Another example is the German Berufsgenossenschaften (Accident Prevention & Insurance Associations), founded by legislation as early as 1884. Suddenly private companies not only had to adhere to legislation but also to a growing set of regulations and policies issued by a growing set of bodies charged with oversight of specific areas of business life and technical progress. With the growth of global markets, those bodies tasked with certain areas of public interest became involved in national interests and economic policies, and were sometimes used or misused (depending on the viewpoint) to advance national interests.
Today it has become more and more difficult to draw the line between (non-)compliance and unethical business behavior. A good example is the once common practice of "incentivizing" foreign officials or consultants to gain access to major contracts, often entirely in accordance with local law. Today the Foreign Corrupt Practices Act, the German Antikorruptionsgesetz, an OECD convention and similar legislation are measures to curb such practices internationally.
Since the 1980s companies have created managerial positions to oversee a company's adherence to proper and ethical business practices, known today as compliance and ethics officers. In the 1990s legislation also started to define standards and issue guidelines describing the elements of effective compliance and ethics programs. Regardless of these developments, the last two decades were marked by a never-ending series of public scandals, WorldCom and Enron being the most prominent, as they led to the passing of the Sarbanes-Oxley Act in 2002.
The connection between risk, fraud and compliance has only recently been recognized. In 2005 the Basel Committee on Banking Supervision defined compliance risk as "the risk of legal or regulatory sanctions, material financial loss, or loss to reputation a bank may suffer as a result of its failure to comply with laws, regulations, rules, related self-regulatory organization standards, and codes of conduct applicable to its banking activities", laying a cornerstone of today's understanding that Risk and Compliance Management must be tightly integrated. The events of the financial crisis showed the degree to which external risk events can ultimately lead to a loss of confidence, resulting in permanent reputational damage and impaired shareholder value (Lehman, Bear Stearns, etc.).
In part 2, "From Financial Crisis to the Near Future", I will look at the advancement of software support and today's challenges in GRC.
For more information, please see www.grc-lounge.com