August 12, 2023



Governance, Risk Management and Compliance (GRC) is the system of managing an organisation of people and resources. The goal of incorporating GRC is to ensure that law firms follow good practices. Corporate governance (CG) guides the way in which an organisation runs its business; enterprise-wide risk management (ERM) guides the way in which an organisation assumes and manages risks and refrains from creating risks for others; and compliance guides an organisation within a system of standards and regulations.

CG refers to a system of management that is transparent, responsible and accountable. It originates in the separation of ownership and management and regulates the exercise of power, authority, direction and control within an organisation.

CG arrangements are embodied in company legislation, common law and the KING Code of good practices, a voluntary governance code incorporated into law by the Companies Act and legal precedent (The Department of Trade and Industry (SA): South African Company Law for the 21st Century: Guidelines for Corporate Law Reform (May 2004) (accessed August 11, 2023)). In the event of a conflict between legislation and the KING Code, the provisions of the legislation will prevail. A corporate practice that is generally accepted is often adopted by the Courts. The King III Report applies to all entities regardless of the manner and form of incorporation.

CG is concerned with supervising and monitoring management performance and the activities of the practitioners. The practitioner remains accountable for monitoring the exercise of authority. CG is a system used to describe the business culture of an organisation. Good CG has its foundations in leadership that is both effective and ethical, and is essentially about the responsibility to act with integrity, competence, responsibility, accountability, fairness and transparency. Competent and effective management fosters good governance. CG goes beyond management and is about ensuring that the business is run properly.

Risk management

Risk management is an essential element of business governance, and the business bears the responsibility for overall risk management practices and processes. Practitioners are ultimately responsible for the integration of risk management into the daily business activities of their practices. The practitioner determines the level of risk and should assume the responsibility for the governance of risk, which includes how risk should be approached and addressed.

Risk culture would help law firms to identify the risk literacy that, in turn, helps in developing the risk culture. Developing and maintaining a strong, positive risk culture has an influence on compliance. Understanding and expressing risk culture is a compliance requirement for corporate governance and risk management effectiveness (Kumar, S. (2021) ‘Risk Culture Is a Necessary Condition for Enterprise Risk Management to Succeed’ (accessed August 11, 2023)).

Risk management is only effective as an on-going process. Management bears the responsibility to design, implement and monitor the risk management plan. A framework set in place must be implemented to increase the probability of anticipating unpredictable risk. Law firms must recognise their risk exposure. Strong ethical corporate culture and leadership are essential in achieving proper management of risk in law firms.

Compliance framework

Compliance is a system of standards and regulations that helps an organisation to comply with legal requirements and minimise the risk of non-compliance. Practitioners should establish a compliance policy that is appropriate to the purpose of the practice. A compliance policy is an outside statement that seeks to determine compliance with the spirit of the law, and it should articulate the scope of the compliance management system.

An effective compliance program will include training so that employees understand their compliance obligations, and will promote an organisational culture that encourages commitment to compliance with the law. Practitioners should demonstrate leadership and commitment with respect to the compliance management system.

The legal practitioner is responsible for supervising the practice concerning the design and efficacy of internal risk management and control systems, the risk inherent in the practice’s activities, and compliance with the laws, regulations and internal rules from the compliance management plan perspective. The control environment is the ‘tone’ of the organisation and is the foundation for all other controls. Compliance with the regulations is closely related to risk management, and it is an integral part of the organisation’s effort to manage risk.

Each practice should design, develop, implement and maintain a compliance risk management program (CRMP), a compliance framework that will be appropriate to the practice. The duties in respect of compliance ultimately lie with the legal practitioner. Both KING III and KING IV Codes make it clear that it is fundamental to understand and appreciate the context within which the risk management should be performed.

Ownership structure

Ownership is the basis of power over an organisation. In legal practice, ownership takes the form of a sole proprietorship, partnership or private company. The only form of commercial juristic entity that is permitted to operate a legal practice is a private company (s 34(7) of the Legal Practice Act 28 of 2014). Only a private company comprising exclusively legal practitioners may conduct a legal practice. Ownership in law firms is concentrated in the practitioners.

In a concentrated ownership structure, a conflict of interests exists between the controlling shareholders (managers) and the minority shareholders (clients), since the concentration of ownership could be used to extract private benefit from firms rather than to pursue wider corporate interests. CG is concerned with the resolution of collective action problems amongst dispersed investors and the reconciliation of conflicts of interest between various corporate claimholders (Marco Becht et al. ‘Corporate Law and Governance’ (accessed August 11, 2023)).

CG structure

CG is a dynamic process in which CG practices are revised and enhanced contingent on new corporate realities (Marco Becht et al. (op cit)). The CG reforms have an impact on the internal as well as external environment of the organisation. Internal characteristics are those that result from decisions and actions of the shareholders and the management, and external characteristics include monitoring by outside parties, e.g., external auditors. External governance characteristics are beyond the control of the shareholders and management. They complement internal governance characteristics. The alternative mechanisms that may mitigate the conflict are: (i) partial concentration of ownership and control; (ii) voting rights, which concentrate ownership and/or voting power temporarily when needed; (iii) delegation and concentration of control in the board of directors; (iv) alignment of managerial interests with investors; and (v) clearly defined fiduciary duties for management.

The entrenchment effect of the controlling owner is mitigated by the alignment effect; it decreases as the level of ownership stake increases beyond the minimum level needed for effective control, and this can be achieved through alternative mechanisms (Marco Becht et al. (op cit)). Employing a mechanism to align the interests of the management with those of the investor, e.g., equity payment, will reduce the entrenchment effect of the practitioner. Fidelity guarantee, increased professional indemnity and cyber insurance cover can be used as alternative mechanisms for increasing the level of ownership stake in legal practice, thus aligning the interests of the practitioners and the clients. Foreign ownership has a better monitoring ability and complements organisations as an external governance agent in monitoring managerial performance.

In legal practice, increasing the voting rights of the minority shareholders (investors) can be achieved through the legal/regulatory framework for effective enforcement of their property rights by heightening the regulations. The external CG mechanism of appointing outside directors to the governing body (GB) can be achieved through the appointment of a Compliance Officer (CO). External supervisory parties play a positive role in the monitoring and control function of management. External governance affects the intensity of managerial discipline.

The resultant alternative CG structure constitutes a supervisory board that is responsible for monitoring managerial performance and balancing the competing interests in law firms. The supervisory board will ensure that the practice is compliant with applicable laws, rules, codes of conduct and good practices. The application of the principles of CG in legal practice will enhance the protection of the interests of the clientele (investors).


Regulatory landscape

Every industry has specific legislation that applies to it. Compliance with regulatory requirements may be interpreted as the necessity for an organisation to meet the regulatory requirements that apply to the particular business sector in which it operates (Compliance Institute Southern Africa (CISA): Generally Accepted Compliance Practice Framework – Principles, Standards and Guidelines; January 2013; 14). Law firms are obliged to be open and to co-operate with the minimum standards set in the regulatory requirements.

There is an expectation on the part of the Legal Practice Council that the manner in which law firms are conducted is adjusted to meet the minimum standards. The responsibility for understanding and overseeing compliance with the regulatory requirements resides with the practitioners. Every organisation should have a function responsible for ensuring that compliance works efficiently at all times. The compliance function is ideally suited to deal with compliance risk as part of operational risk (CISA, 18).

Compliance function

The practitioner is responsible for the risk management process, which includes oversight, the management of compliance, and the governance structure that must facilitate this. The role of the compliance function is to assist practitioners in complying with the regulatory requirements through the provision of compliance risk management, defining the compliance universe, monitoring activities, and assessing the compliance risk of the organisation. Compliance is an important part of the risk management and governance structures of an organisation, responsible for ensuring that the practice meets the regulatory requirements in its day-to-day operations.

People are a key ingredient for the successful implementation of a compliance program. The compliance function is responsible for facilitating the development, maintenance and delivery of an on-going compliance training program, and it promotes the compliance culture. Compliance is related to risk management and is a platform to institutionalise a compliance process (Compliance Institute of Southern Africa (CISA) King III Practice Note: The Compliance Universe (2007) (accessed August 11, 2023)).

The structure of the compliance function

The compliance function is an extension of the monitoring structure and must be perceived to be independent. It is associated with all aspects of compliance, including the monitoring of the compliance risk process, with routine formal reporting to top management. The compliance function is required to militate against the danger of self-review, and it should not have a limited focus or be perceived as an internal police officer.

Law firms must provide for formal and structured monitoring of the compliance process: to ensure compliance with applicable legislation, to establish and maintain a culture of compliance, and to co-ordinate compliance functions within the firm. An organisation is usually either in a state of being in accordance with the regulatory requirements or in the process of becoming so (CISA, 15). The development of a fully effective compliance function, however structured, can take some time before the value of the function is fully realised.

Although law firms may not have a fully developed and mature compliance function, it is important that they are constantly working towards that goal through the implementation and monitoring of a coherent compliance. Law firms need to be more proactive in creating an ethical culture and climate. Having a set of processes and procedures in place to manage change is important to help ensure that your legal practice is responding to regulatory changes.

Compliance with regulatory affairs is a small investment to ensure an organisation’s success and the long-term sustainability of business. Issues of CG, transparency and accountability are fundamental to the organisation’s continued existence. The Law Society of South Africa Legal Services Sector Charter (December 2007) encourages the development and implementation of an effective mechanism to ensure compliance with the Charter and to adopt a good governance policy.

Good corporate governance does not guarantee business success; however, poor governance could be symptomatic of a business failure (Joshua Abor and Charles Adjasi ‘Corporate Governance and the Small and Medium Enterprises Sector: Theory and Implications’ (April 2007) (accessed 01-08-2022)). The advantages of good CG lie in the way properly governed organisations are able to identify and manage business risks, increase their chances of longevity and limit their potential liability.


Please note that our blog posts are informal commentaries on developments in the law at the time of publication and not legal advice.


About the author 

Sipho Nkosi

Sipho Nkosi is an experienced Legal Professional with a demonstrated history of working in the legal services industry. A strong legal professional with a B Proc degree focused in Law from the University of Natal (Howard College), with a keen interest in corporate governance and a profound insight into Compliance Risk Management. Skilled in litigation and procedural law, and an affiliate member of the Compliance Institute Southern Africa.
