

In recent years, the emphasis in corporate governance has shifted from board composition, independent directors, separating the position of chairperson and CEO, and establishing board committees to “being in control” and risk management issues. However, the corporate law perspective of internal control and risk management does not match up to the multidisciplinary perspective of these themes. This paper analyses the dichotomy between the US and the EU corporate law approaches to internal control and risk management. Lawmakers from the US, the EU, and the EU member states reacted to the scandals between 2000 and 2003 with provisions requiring public companies to have internal control and risk management systems in order to restore public confidence, but the substance of their responses differed. A regulatory framework is put forward in order to address the steps to be taken in establishing an operational internal control and risk management framework and to address the role of the different parties involved from a corporate law perspective. The above-mentioned steps are: (1) initiate and identify, (2) assess and operate, (3) monitor, and (4) report on the systems relating to the companies’ risks and uncertainties, strategy, financial reporting, and operations. The parties legally involved include: (1) senior management, (2) board, (3) audit committee, and (4) auditor. The US and the EU regulatory frameworks indicate not only that their corporate law approaches to internal control and risk management are different, but also that both approaches are incomplete – but not necessarily insufficient – in several areas.
