2.1. External Norms that guide Business Management

Compliance is a legal institution that serves different purposes. It demonstrates that, in the legal field, along with transcendental purposes such as preserving justice, peace or the protection of people´s dignity, less monumental but no less important aspirations, such as preventing certain risks, contributing to generate wealth or developing a vigorous business activity coexist. In this second perspective, norms adopt an instrumental character, which does not deprive them in any way of their essential features, since it represents one of their classic functions as techniques for guiding social behaviors (^{Amselek, 1989}). In this area, the importance of legal tools is not manifested so much in their instrumental nature, but in the goals towards which they intend to lead behavior. Hence, compliance aims to be a legal guide that allows companies to achieve the objectives of their private corporate purpose, while addressing matters of general interest. It is about ensuring effective attention to risks that, due to their importance, have been expressly identified by law.

Governing a company is an activity subject to norms. Hence, the law has been considered as a tool of Administration (^{Amann and Lethielleux, 2005}) since it seeks to act as the guiding hand, or as the instrument that leads the development of the economic activity of the company along safe paths. Additionally, regulations can operate as a guide for the most convenient economic strategy. In this sense, norms would not only take the businesses hand to guide, but would also guide the gaze towards horizons that are legally possible. Therefore, ^{Thibierge (2008)} makes reference to a special function of norms: establish the course to follow, or become a benchmark, sometimes a forced one, of the behavior to be adopted. Hence, the Dictionary of the Real Academia de la Lengua Española (Royal Academy of Spanish Language) defines “rule” as the established way of doing something. Following the norms is thus revealed as the safe way to developing a business project and security, in business, is closely linked to economic success.

As a result of compliance´s law, there is a diverse set of rules that identify risks of different nature. Such is the case of the norms on money laundering and terrorist financing, those that prevent corruption or environmental, health, or personal data management risks, etc. In these areas, the notion of compliance implies identifying specific risks. In that event, legislators take a first step that is fundamental in the risk management process: the identification of the vulnerabilities to which the development of the corporate purpose of a company is subject. The legal approach, based on the prevention and precautionary principles, is an instrument that proposes new ways to govern companies (^{Charpentier, 2014}). However, compliance does not only forces companies to comply with the risk prevention norms to which they are subject, but rather seeks to provide administrators with the standards they must follow for risk management. Thus, according to the purpose of the company, norms identify the risks to which it is exposed. Therefore, a diligent administrator must, first of all, address the provisions regarding the prevention of certain types of risks and then, adopt the standards that indicate how to manage risk.

It should be noted that compliance is an institution of a modest State, which does not act directly as an agent in the market, but rather limits its intervention mainly to economic regulatory activities. Therefore, the protection of the legal values is not proposed through the direct action of public officials. It rather encourages companies to adapt its mode of government in order to ensure respect for values associated with general interest. This is a topic that uses soft law tools, which are sometimes more effective than coercive provisions. Consequently, it recognizes substantial room for maneuver for companies to implement the strategies they deem relevant in order to mitigate risks identified by the norms. In this way, it raises the need for searching a balance between the legitimate interest of a company in freely deploying an initiative that allows it to obtain private profits, without implying the sacrifice of principles related to the prevalence of the common good.

However, the notion of compliance questions not only the strategies through which the State promotes in the economic world the values it considers relevant. It also challenges business management models in three aspects that deserve to be highlighted: a) traditional corporate governance forms; b) the conception of business ethics; c) the influence of technical expertise in management.

As for traditional corporate governance models, compliance implies a new mutation of the organizational structure of companies under an ethical perspective. (^{Arjoon, 2005}). This, given that in this area, once again, the conflict between the agent and the principal arises. Therefore, it is pertinent to preserve the independence of those in charge of compliance missions, as well as the activities carried out in developing them. This, in order to prevent that those actions be hindered by too bold or unscrupulous managers, who take risks or involve companies in risky or illegal adventures that will subsequently affect the company´s owners. Hence, it is necessary to detach the person in charge of a compliance program, the compliance officer, from the hierarchical authority of administrators. In this regard, it is necessary to guarantee a proper budget for the implementation of this policy. For this reason, decisions in that regard must be taken by the shareholders assembly. Additionally, to effectively integrate compliance, it may be appropriate to reorganize the administrative structure of companies or institute new instances within the boards of directors, to deal exclusively with these matters.

Regarding ethics issues, compliance implies awareness of the material relevance of reputation, as has been raised in analyses such as the one carried out by ^{Eccles, Newquist, and Schatz (2007)} for Harvard Business Review. This study criticizes executives who are unaware of the economic importance of the reputation of their companies, which is an intangible asset. This is because the company’s good reputation has several impacts that go beyond image and have an impact on economic issues. Indeed, good name is a factor that can generate advantages that range from charging higher prices for products, to accessing credit in more favorable conditions, and having easier access to the capital market by having a favorable opinion from institutional investors. Similarly, the implementation of compliance programs has a positive impact before regulatory authorities and judges (^{Borga, Marin, and Roda, 2018}). The perception about the firm changes when the authorities have the certainty that the entity has integrated the management of risks identified by the law.

The influence of technical aspects in terms of compliance is even more important than those related to corporate government and ethics. Indeed, proper risk management is essentially a matter of technical expertise. Hence, the State shares its regulatory power with international technical bodies such as the International Organization for Standardization (ISO). This organization has issued a set of international technical standards related to this matter, starting with the ISO 19600 standard that establishes guidelines for the implementation of compliance systems and the ISO 31000 standard that provides technical guidelines for risk management in general. Additionally, it has adopted technical criteria for the management of corporate social responsibility (ISO 26000), for the management of environmental risks (ISO 14000), for sustainable purchases (ISO 20400) and for the management of bribery and business ethics risks (ISO 37001) among others.

2.2. The Internal Normative Power of a Company

Companies are not guided only by external norms adopted by States or international bodies. Since the already classic studies by Gerard Farjat (^{Sanclemente-Arciniegas, 2018}) the importance of the regulatory power of private companies, especially multinational, has been emphazised. That power is added to their economic power and, as a result, the regulatory standards adopted by these companies can have effects comparable to State norms. Indeed, these provisions can influence many people, such as workers, contractors or consumers. In various countries they stand as models for judges, legislators or regulatory authorities. According to the interpretation of ^{Santos (1987)} this would be a mutation of law typical of postmodernity: the regulatory monopoly of the State disappears, giving rise to a pluralism that implies the coexistence of several legal systems that circulate through diverse networks, generating increasingly complex relationships between law, economy, and society.

In compliance law, the regulatory power of companies is expressed on the one hand, through codes of ethics, and on the other, through compliance programs. These expressions of an organization´s internal regulatory power constitute the first expression of its willingness to effectively comply with the external norms to which it is subject. Additionally, codes of ethics have been defined (^{Martín 2000}) as a pact that ensures the moral cohesion of a company, in a logic that gives precedence to the company’s social interest over the personal interests of the individuals that integrate it. Its implementation makes it easier for the organization to achieve diverse objectives, such as structuring its own business culture, managing effectively human resources or legitimizing management roles. However, within the aims they pursue, those identified as the basis of compliance activity have been emphasized (^{Rodríguez, 2015}).

Overall, there is a significant distrust about the scope and relevance of companies´ regulatory expressions. They would be only simple marketing operations. However, acute analyses such as the one posed by Gunter ^{Teubner (2011)} show the important effects that these norms have in practice. Contrary to what is usually thought, this author identifies a theoretical trend by virtue of which it is possible to argue that the provisions of transnational corporations have greater coercive power than State norms themselves. As an example, it makes reference to the effective sanctions provided for in compliance norms, which oppose the soft law mechanisms evoked by State norms. In their concept, companies´ norms are constitutions in the strict sense of the term, since they contain norms of different hierarchies that regulate conflicts between them; that way, they condition the regulatory production of the organization. The principles of the corporate constitution, which indicate the values guiding the company, are in the upper level. The norms for the application and monitoring of the higher provisions are in the middle level, while the lowest level includes norms that establish specific conduct instructions in various areas.

Similarly, ^{Manacorda (2015)} refers to compliance programs as constitutions of internal legal order of companies. Within said order, some norms can be identified: Some of a substantial nature that establish prohibited conduct and others of procedural type that organize the internal procedures. From a procedural viewpoint, that criminal lawyer also emphasizes the usefulness of such programs in criminal proceedings where the company’s conduct is questioned. In this event, compliance programs would be an important element in the defense strategy since they would demonstrate the absence of negligence in the control of activities, a fact that may lead to the establishment of criminal responsibility.

We highlight the organic aspect of compliance programs, which makes reference to the administrative structure and procedures through which the compliance policy will be applied. In that perspective, the organization of the performance of the compliance officer stands out (^{Weber & Fortun 2005}). That is the person in charge of the strategic and operational leadership of compliance policy. This role is responsible for disseminating these policies, implementing internal sanction procedures in case of non-compliance, monitoring that they are being obeyed and ensuring that the policy ceases to be a simple document and really permeate the daily work of the company instead. In order to enable the compliance officer to properly carry out these missions, the compliance program must provide them with an internal statute that ensures them to be independent from the administration, and suitable human and financial resources to carry out their tasks. In addition, it must ensure direct access to senior management, so that actions contrary to business ethics can be communicated without the Manager´s interference.

On the other hand, the compliance program must set norms that protect whistle-blowers. Whistleblowing makes reference to the way how in the past British police officers alerted about the commission of crimes, by sounding a whistle. In compliance programs, this figure allows any person in a company to alert about the illegal or suspicious acts. The importance of procedures that allow reporting in a safe, anonymous and confidential manner has been considered vital for people to be encouraged to do so. It is about, on the one hand, encouraging people to report dishonest acts and, on the other, establishing clear procedures that guarantee those who report that they will not suffer negative effects. Hence, different international entities have produced regulatory bodies in which these procedures are regulated in detail (^{Vandekerckhove & Lewis, 2012}). Consequently, the compliance program can integrate the guidelines that entities such as Transparency International, the European Union or the International Chamber of Commerce have written.

Moreover, the compliance program should consider that the mere adoption of norms to prevent risks is not an effective solution. Additionally, it is necessary that the company’s personnel effectively appropriate corporate values. For this purpose, it is suitable to establish training devices, through which the compliance program be disseminated among company’s employees. In the same sense, including compliance norms as obligations in the labor relationship may be an appropriate incentive to ensure the effective observance of compliance norms. However, in those cases it is necessary, on the one hand, that the training program be continued in time, so that it informs the updates to the company´s policies in relation to relevant risks. In the same vein, given that the consequence of non-compliance with norms may imply penalties or even dismissal, it is necessary that due process be clearly respected by clearly typifying prohibited behaviors and punitive actions that will be implemented in case of violation.

Finally, the compliance program must consider that companies have an intense relationship with non-company actors who are closely linked to them, as contractors, suppliers or customers. Compliance norms usually provide for the way in which they are linked to the company’s compliance policies. In this sense, analyses such as those by ^{Nielsen and Parker (2008)} point out that the provisions of organizations that have a compliance program, when influencing third organizations, may be more effective regulatory instruments than the provisions of State authorities. This as an expression of due diligence in the selection of third parties with which companies will develop their purpose. Neglect on that regard can be critical, as the company’s reputation is compromised, by the actions both of its direct agents and its contractors or suppliers. Hence, it is necessary to prevent the compliance program from being frustrated by a contagion of business practices of related with which they have close relationships.

3.1. Compliance Norms Threaten Negligent Corporate Governance Models

The importance of compliance norms is mostly explained by the severe penalties that ignoring them implies. In fact, in that area, States have not limited to reinforcing the norms on civil responsibility, but have appealed to the ultimate ratio in terms of penalties: criminal law, because negligence in the prevention of risks that norms clearly identify has been considered as a serious offense. In this way, obligations derived from the theories of corporate social responsibility, which cease to be voluntary, become more serious. Compliance norms force organizations to develop actions aimed at effectively protecting legal values that are identified by the legislator. Although these are matters of public relevance, their treatment is closely related to the development of economic activities by private agents. In this regard, we want to highlight as a prototype of compliance norms, the regulations for fighting against corruption, which have been adopted in recent years, in countries all over the world.

In that regard, the leadership of the United States is partly explained because this country adopted the Foreign Corrupt Practices Act in 1997. This law prohibited US companies from bribing authorities in foreign countries in order to obtain contracts or gain access to markets. The above, at the risk of severe penalties, both civil and criminal. The norm was adopted at a time when paying bribes was the regular way of accessing State contracts in many countries around the world. Hence, it was raised that their effects threatened the competitiveness of North American companies (^{Salbu, 1997}). Given this, as a way of guaranteeing a leveled field in the global market, the application of the same norms to companies in different jurisdictions was encouraged. Subsequently, in 2003, the United Nations Convention against Corruption was signed, integrated into the Colombian legal system by Law 970 of 2005. The Convention has led many countries around the world to adopt measures like those provided for in the Foreign Corrupt Practices Act.

In development of these influences, in Colombia, the legislature adopted the Law 1778 of 2016, by which norms on the liability of legal persons for acts of transnational corruption were set forth as well as other provisions related to the fight against transnational corruption. This law set forth sanctions of administrative(art. 2) and criminal (art. 30 and 34) nature for legal persons that, through one or more of their employees, contractors, associates or administrators offer or promise a foreign public servant, for their benefit or that of a third party, directly or indirectly, sums of money, any object of pecuniary value or any other benefit or utility in exchange for the latter performing, omitting or delaying any act related to the exercise of their functions and in relation to an international business or transaction. In this way, the Colombian legal system partially sets itself in¹ line with international compliance regulations, which have long focused their attention specifically on companies behavior. Indeed, in Colombia, although the criminal liability of companies has been considered as legally appropriate and Law 491 of 1999 expressly established it in the case of ecological insurance, after Decisions C-599 C- 843 of 1999, there has been limited legislative development.

It should be noted that, since the Foreign Corrupt Practices Act, compliance norms on corruption are not limited to establishing penalties for companies incurring such behaviors, but also require companies to adopt internal mechanisms to prevent them. Thus, the law aims to modify the governance model of companies so that they take part in the prevention of such behaviors. Thus, article 23 of Law 1778 of 2016, empowers the Superintendent of Companies´ Office to promote among legal persons subject to its supervision the adoption of transparency and business ethics programs, internal anti-corruption mechanisms and norms for internal auditing and for the promotion of transparency. This norm is a development of the provisions of the United Nations Convention against Corruption, especially its article 12, according to which States must involve the private sector in the fight against corruption, by promoting the formulation of norms and procedures aimed at safeguarding the integrity of relevant private entities. To this end, the Convention establishes that sanctions should be adopted to prevent corruption in the private sector and, where appropriate, establish effective, proportionate and deterrent civil, administrative or criminal sanctions in the event of non-compliance with these measures.

In development of these norms, article 7 of Law 1778 of 2016 identifies the existence, execution and effectiveness of transparency and business ethics programs or anti-corruption mechanisms within companies as a criterion for making gradual the sanctions provided for in that law, Therefore, companies involved in corrupt practices will be sanctioned more severely, if their management bodies have ignored the legal norms that urge them to adopt programs aimed at preventing such risks from ocurring. Thus, a legal evaluation of the way in which the company is managed is proposed, especially of the way how the company manages the risks that have been identified by compliance norms. This verification implies a gaze that is placed in the future and directs its attention to the administrator’s past actions. Therefore, another criterion for make gradual the sanctions provided for in the same article of Law 1778 is having carried out an appropriate due diligence process, prior to a merger, spin-off, reorganization or acquisition of control in which the company that commited the infraction is involved.

In the law of countries such as France (^{Schiller, 2017}; ^{Lequet, 2017}) that set of new activities that a company must develop in development of compliance norms has been referred to as the duty of surveillance; in Spanish legislation, reference has been made to the duty of control (^{Gómez-Aller, 2013}). In all cases, it is about forcing companies to adopt a proactive attitude aimed at identifying and preventing different types of risks, including corruption, and environmental, health risks or human rights violations. The means through which the company expresses its intention to fulfil that duty is the compliance program that we have referred to in the preceding section. This obligation is accompanied by sanctions in the event of non-exercise of the duty of surveillance. In this event, the legislative intention is aimed at encouraging the application of the precautionary principle. It is about forcing companies to abandon a passive attitude and undertake a commitment prior to the occurence of losses. Thus, compliance norms challenge business administration models and leave the sphere of simple soft law recommendations that have characterized the theories of corporate responsibility, now taking the coercive aspect of public order norms that are imposed imperatively on the company.

Good private corporate governance thus becomes a matter of public interest due to the serious effects it could have on society. Issues such as environmental pollution, corruption or financing of terrorism are developed through the activity of private companies that cannot be indifferent to the social impacts of their activities. In these and other sectors, compliance norms represent a mutation of law because they hold criminally accountable companies that do not address diligently the risks they face. Additionally, the threat is reinforced by the technical approach and the transnational scope that characterizes such norms. Thus, the way to effectively control corruption is not subject to fruitless political discussions, but rather it is about standardized procedures that are available to all companies around the world, who want to follow the respective technical standard. The advisability of effectively complying with these recommendations is also reinforced in light of the extraterritorial scope of the provisions of US law (^{Audit 2018}). In addition, the pressures emerging from the compliance programs of large multinational companies need to be considered since they influence smaller companies that intend to do business with them.

As the notion of compliance contains a public interest nature, ignorance of some of its norms may have effects that go beyond the economic area and involve the company´s criminal responsibility. In this regard, ^{Gómez (2018)} points out that the notion of criminal liability of legal persons would be based on the idea of an organizational disorder that would lead to the violation of legally protected values. Hence, existing norms that clearly define the standards to be followed cease to be the helping hand that kindly guides a company´s safe operation, to become a severe judge who clearly reveals the shortcomings of a negligent administration. For example, anti-corruption regulations such as Law 1778 of 2016 or ISO 37001 Standard, considerably reduce the uncertainty about the identification of management practices that coexist with this phenomenon. Likewise, these norms establish the strategies and procedures that a company should adopt to avoid the occurrence of such accidents.

3.2. The Costs of Compliance

The implementation of compliance programs implies costs and an administrative capacity that is not available to all companies. Hence, in principle, it is recognized that the adoption of such norms should only be mandatory for companies that have major resources. For example, in applying these criteria, article 23 of Law 1778 of 2016 establishes that the Superintendent of Companies´ Office will determine which legal persons should adopt business ethics programs, considering criteria such as the amount of their assets, their income, the number of employees and their corporate purpose. In this way, the exclusion of small businesses from the charges implied by compliance norms is allowed, with the understanding that, due to their size, they are not able to develop activities that significantly undermine the legal values that through said norms are to be protected.

Despite this, it is necessary to clarify these assumptions. Firstly, because small businesses cannot be completely indifferent to compliance norms. Secondly, the assumption that compliance is only a source of expenses has been challenged by studies that are oriented in the opposite direction. With regard to the first aspect, difficulties in the conception of the notion of compliance are clearly manifested. Indeed, if compliance is understood only as the obligation to comply with the law, there would be no reason to consider that small businesses are not subject to compliance, since that is a duty for all legal subjects. It is justifiable to exempt small businesses from compliance obligations if this notion is conceived as a new mode of administration that implies deploying a series of specific activities and putting in place a particular administrative structure, with its own staff and resources, that small businesses do not have. However, in the case of small businesses that are subsidiaries of large companies, the compliance obligations must be performed by the holding company. In this regard, article 2 of Law 1778 of 2016 establishes that agencies that have the quality of holdings will be liable and will be penalized if one of its subordinates, acting with the consent or acquiescence of the parent company, incurs in the corrupt behaviors that this norm penalizes.

Thus, the law considers that sometimes small businesses are used by large companies to avoid complying with the obligations they are subject to. Therefore, it is not appropriate to establish as a general criterion that all small businesses are exempted from the obligations arising from compliance with the law. In Colombia, there have already been scandals over the abusive use of small businesses, such as the case of fraudulent acquisition of properties in the highlands by large companies that, in order to avoid limitations, were posing as small businesses. In the same sense, in Odebrecht case, small companies have been used to make fraudulent payments. The challenges for small and medium-sized companies to implement compliance programs were analyzed by the French Competition Authority on the occasion of the guidelines issued by that entity in that regard. In the process of issuing this guideline, several entities had asked to completely exempt SMEs from such obligations. However, that Authority rejected these requests and instead decided that such companies are not required to implement a program of compliance identical to that of large companies, but these programs may undergo substantial variations so that they can be adapted to the economic and institutional capacity of SMEs (^{Claudel, 2012}).

In that sense, the way how compliance affects the issue of transaction costs raised by ^{Coase (1937)} in his theory about the firm deserves particular attention. Indeed, for that author, the nature of a company is distinguished precisely by avoiding costs that are present in the market. Hence the company constitutes a more efficient institutional framework than the market because there are no costs incurred by the company to access the free pricing system. Compliance alters this perception, since it forces the company to address special risks, in a way that is legally outlined. Thus, it implies new costs, which are not generated by accessing the market, that is, they are not external costs for the company, but can be considered as internal costs. Consequently, compliance would lead to depriving the company of that advantage vis-à-vis the market, establishing additional bureaucratic procedures and controls and reducing its agility and flexibility to meet the challenges it must face. In that case, the relationship between economy and law makes it clear that, beyond the economic costs, there are aspects that pose existential risks for the State and before which economic logic must yield.

With regard to the second aspect, according to which the activities carried out by a company to ensure regulatory compliance are simply an increase in costs, this interpretation has been subject to criticism that emphasizes the benefits that can be derived thereof. In that regard, it has been considered that the ability of a company to effectively comply with the norms to which it is subject is a strategic advantage from which economic benefits can be derived. Hence, the economic returns of its implementation can be very attractive. Thus, studies such as those by ^{Danet (2011)} have noted that the legal performance of a company can impact its overall competitiveness, so that, if the company is not able to meet the regulatory standards of the economic sector where it operates, it will not be effective in achieving its proposed economic objectives, since compliance with the norm is a determining condition for its access to and continued presence in the market. In the same sense, that author has emphasized the importance of the institutional effort required to adapt to legal requirements. If a company needs to focus its main efforts on complying with the norms, the resources dedicated to that activity will penalize its economic efficiency.

Consequently, the ability of a company’s governance model to adapt to the legal challenges posed by compliance would demonstrate its ability to evolve positively in the market. The above, because the qualities required by compliance are the same that characterize successful companies. Thus, a dynamic and open-to-change business culture will imply less effort to adapt to the new demands that compliance norms represent. By contrast, a company that shows strong resistance to change will be an entity opposed to the innovation necessary to ensure lasting economic success. In such event, choosing to ignore the pressures that compliance entails means to ignore that these norms convey social values that can fully determine the operation of a number of economic sectors moving forward.

Additionally, there are other threats arising from compliance norms that are not linked to the costs that a company must incur for its implementation, but are linked to the consequences that may arise from finding a non-compliant action. Firstly, as I have said before, a company´s good or bad reputation has important economic effects. Secondly, in addition to the criminal penalties, which we have referred to in the previous section, compliance norms (Arts. 5, 21 and 34 of Law 1778 of 2016) establish severe pecuniary sanctions, which may go up to two hundred thousand monthly legal minimum wages. Likewise, the fact of not having adopted a compliance program will be taken as a criterion for making gradual the sanction in a more drastic sense. But it is not enough that the company adopted the compliance program. The aforementioned law, in its seventh article, mandates the evaluation of the enforcement and effectiveness of the transparency and business ethics programs or anti-corruption mechanisms that the company adopted. Thus, companies do not fulfill their obligation with the simple adoption of the program. In addition, they will have to prove that it is not about complying with the simple process of writing a document, but that the slogans set forth therein effectively guide the company´s daily activities.

According to the analysis of ^{KPMG (2005)} the efforts entailed by compliance should not be perceived only as unproductive costs, but as a new way of doing business in a globalized world. This transformation does not only challenge corporate governance models, but legal advice activities within companies are also put to the test by that new institution, which covers vast economic sectors, taking on particular characteristics in each of them. The aspects of compliance that we have referred to would express the advent of a new legal world, a mutation that expresses profound changes in economic law (^{Gaudemet, 2016}). In their midst, the relationships between regulations and administration take on a new aspect, forcing jurists to participate in the creation of value, since this participation is characterized by not meddling directly in the missions of wealth creation but in the adoption of mechanisms that would prevent the loss of value by improper risk management. Hence, the legal management of compliance must be carried out independently of the manager’s own tasks. It is about protecting the company from taking disproportionate risks that will subsequently weaken it. Thus, handling the interaction between management and the body in charge of compliance policy is an additional challenge for both disciplines.