Wrongdoing happens somewhere. What is tested is whether you had, in advance, built a system in which it is hard to occur. This piece returns to Article 362(4)(vi) and (5) of the Companies Act and Article 100 of the Enforcement Regulation to confirm the duty imposed on the board of a Large Company to build an internal control system, and sorts out how the materials-review structure sits within that internal control.

01The Board's Duty to "Decide"

Building an internal control system is not a voluntary improvement effort run by the floor. At a Large Company, deciding how to structure that system is itself a duty of the board (Companies Act, Article 362(4)(vi) and (5)). Not deciding — or deciding but leaving the substance hollow — can both be judged a failure to discharge the duty.

This duty connects directly to materials review. The in-house structure for materials review is part of the system for ensuring the propriety of operations — that is, part of internal control. A missing or hollowed-out review structure surfaces not as a floor-level slip but as a problem of the board's duty to build. Trace "whose responsibility" one step up, and you arrive at the side that decides the structure.

02Article 362(4)(vi) and (5) and Article 100 of the Enforcement Regulation

Look at the text. Article 362(4)(vi) makes the decision on building "a system to ensure the propriety of operations" an exclusive matter for the board, and does not allow it to be entrusted to individual directors. Paragraph 5 then obliges Large Companies to make that decision. What concretely must be put in place is enumerated by Article 100 of the Ordinance for Enforcement of the Companies Act.

Article 100 lists, for example, the retention and management of information, the management of the risk of loss, the efficiency of the execution of duties, employees' compliance with laws and regulations, and the system across the corporate group. The abstract "proper system" is broken down into items at the level of the regulation. The structure for creating, reviewing, and recording materials overlaps with the compliance and risk-management systems among these.

Decision

Art. 362(4)(vi)

Makes the decision on building a system to ensure the propriety of operations an exclusive matter for the board, and forbids wholesale delegation to individual directors.

Duty

Art. 362(5)

Obliges Large Companies to make the decision on building that system. The absence of a decision can itself amount to a breach of the duty.

Specifics

Enforcement Regulation, Art. 100

Enumerates the items to be put in place: retention and management of information, risk management, compliance, the corporate-group system, and more.

03"Built" Alone Is Not Enough — Construction and Operation Are Separate Layers

The duty to put a system in place and the duty to monitor whether the system actually functions are two different things. Deciding and building the mechanism discharges only half the duty. There is a phase of watching whether the mechanism you built is not spinning idle, whether deviations are being left unaddressed.

How far the monitoring of operation reaches the directors — its scope — is taken up in Vol. 9. Here, hold on to the point that construction and operation split into two layers. Materials review is the same: setting the review criteria is not enough; the reality of operation is what is tested. However fine the manual, a control that does not actually function remains nominal.

04The Line Drawn by the Daiwa Bank Shareholder Derivative Suit

A leading example that showed the scope of the duty to build is the Daiwa Bank shareholder derivative suit (Osaka District Court, judgment of September 20, 2000). The judgment held that putting a risk-management system in place is included within the content of a director's duty of due care. A system that is absent, or that lacks substance, can be judged a breach of that duty of care.

What was tested in this case was not so much the result that a loss had occurred, but whether a system to prevent the loss and to grasp it early had been put in place. "I didn't notice" can be the flip side of not having built a system that lets you notice. The presence or absence of a system becomes the watershed that divides the weight of responsibility. The three-lines arrangement in which the floor, the management departments, and internal audit share the defense is taken up in Vol. 8.

05Down to the Materials-Review Floor — Review as Part of the System

Everything so far comes down to the practice of materials review. The materials-review structure is part of the compliance and risk-management systems listed in Article 100 of the Enforcement Regulation, and its deficiency does not stop at a floor-level problem but connects to the board's duty to build. The reviewer stands at the front line of internal control.

So the reviewer is strong when able to speak of their own structure not only as "present / absent" but as "functioning or not." Are there criteria; is there a route to escalate deviations; are records kept — these are the evidence of operation. How review records work as evidence of governance is taken up in Vol. 10. The duty to build a system, and the duty to keep it running. Being able to show that review is built into both is what gives the floor its persuasive force.

Key Points — Four to Take Away
  1. The board of a Large Company bears the duty to "decide" on building an internal control system (Art. 362(4)(vi) and (5)).
  2. The concrete content of the system to be put in place is enumerated as items by Article 100 of the Ordinance for Enforcement of the Companies Act.
  3. The duty to build and the duty to monitor operation are separate layers. "Built" is not enough; whether it functions is what is tested.
  4. The materials-review structure is part of internal control, and its deficiency connects directly to the board's duty to build.
Sources & References
  1. Companies Act, Article 362(4)(vi) and (5) (Establishment of an Internal Control System). Obliges the board of a Large Company to decide on building a system to ensure the propriety of operations.
  2. Ordinance for Enforcement of the Companies Act, Article 100. Enumerates the concrete content of the system to be established (retention and management of information, risk management, compliance, the corporate-group system, etc.).
  3. Daiwa Bank Shareholder Derivative Suit (Osaka District Court, judgment of September 20, 2000). Held that putting a risk-management system in place is included within a director's duty of due care.