A question that arises again and again in corporate practice is that of the scope of discretion in establishing and operating a compliance management system (CMS). Here, a distinction must be made between bound decisions and entrepreneurial decisions of the company management.

There is no discretion when it comes to complying with statutory provisions. These must be complied with without any ifs and buts. These are bound decisions.

On the other hand, there is a certain amount of discretion when it comes to defining and implementing organisational measures. After all, the company's management does not usually perform the task of ensuring compliance with laws and regulations itself, but delegates it to a defined group of people and, in doing so, provides the organisational framework. Even monitoring and control can be delegated to supervisors. In this respect, these are original management and organisational tasks that fall within the scope of entrepreneurial activity - and for these there is undoubtedly entrepreneurial discretion.

The following requirements exist when establishing a compliance function:

  • Organisational requirements

Liability for breaches of the law is not strict liability. Liability is borne by the management personally if it fails to take appropriate organisational measures. The case law[1] assumes here that the company management has a duty to create the organisational conditions under which the person entrusted with the task can actually fulfil the duty to prevent compliance violations. The scope of this duty depends on the size and structure of the company. The case law does not specify the "how" of a compliance organisation any further, which permits the reverse conclusion that it regards the establishment and design of a compliance function as an original entrepreneurial task.

In addition to the aforementioned aspects of personnel allocation, organisational anchoring, task definition and control/supervision, the main organisational requirements include the interlinking of the compliance function with the other management functions in the company, in particular general risk management, quality management, controlling and internal audit. The form this dovetailing takes depends on the organisational structure; what is essential is that the compliance function does not become an isolated "island solution".

  • Monitoring and control requirements

In principle, the organisation put in place (both within the meaning of § 130 OWiG and of § 43 GmbHG) requires appropriate monitoring and control of the persons to whom the tasks of the compliance function are assigned. Spot checks of employees are therefore an elementary basic function of the business organisation.

However, the monitoring and control measures must be practicable and reasonable. Exactly where the limits of practicability and reasonableness lie is not clearly defined. They are likely to be exceeded, however, if the intensity of monitoring and control is so high that it comes close to the supervisor performing the tasks of the supervised person himself. This would de facto nullify the right to delegate tasks.

  • Requirements for investigations and enquiries

The case law[2] assumes that - although no explicit obligation can be derived from the law - a company must conduct internal investigations or inquiries if there are concrete indications of a breach of the rules, even if these indications do not stem from the regular, ongoing monitoring within the compliance function's area of responsibility. If the compliance function itself detects breaches of the rules in the course of its regular activities, a corresponding investigation must without doubt be initiated, otherwise the purpose of the compliance function as such would be called into question.

Summary and outlook

A sense of proportion is required when setting up, implementing and operating compliance management systems. Cost aspects on the one hand, and the questions of organisational proportionality and internal acceptance on the other, are weighty arguments for implementing not what is possible, but what is necessary in the area of the compliance function. The entrepreneurial discretion that is permissible here should therefore be exercised at this point as well.

However, this leeway should not obscure the fact that implementing a compliance management system is a business imperative, because the mere absence of such a compliance function can already give rise to the personal criminal and civil liability of the company management.

Dealing with a compliance management system is complex and requires a number of different disciplines. A legal perspective is necessary, but - viewed in isolation - it is not sufficient. Breaches of the rules can occur anywhere in a company. Profound knowledge of organisational structures and of the interaction of functions and processes is therefore indispensable in order to identify and define the requirements for an adequate compliance management system in the context of the company-specific risk landscape; on this basis, the right measures for setting up and implementing the CMS are then derived and put into practice. In addition, knowledge of and experience with other management systems, such as risk or quality management systems, is essential in order to ensure the necessary dovetailing of the systems within the company.

[1] OLG Düsseldorf, 12.11.1998

[2] BGH, 8.10.1984, II ZR 175/83; WiJ - Journal of the Economic Criminal Law Association, 03-2012, 09.07.2012.

About the author

Eckart Achauer

Eckart Achauer studied law and business administration and completed postgraduate studies leading to a Master of Business Administration (MBA). Alongside his work he trained as a European Quality Manager (DGQ), as a mediator specialising in business mediation and as a Certified Compliance Manager (TÜV).

He worked for around 10 years in the international insurance industry in various management functions (claims, sales, assistance) of a Swiss insurance group before moving into management and business consulting in 1997.

As a consultant and managing director of various consulting companies, Mr Achauer has specialised thematically in organisational and process optimisation as well as in the development and implementation of management systems - quality management, risk and compliance management.

At Senator Executive Search Partners, Mr Achauer is responsible for the area of compliance management. In compliance audits he analyses the organisational "compliance fitness" of companies, he sensitises and trains management, executives and employees, and he supports companies in setting up and implementing individual compliance management systems, always taking the company's specific risk situation into account. Thanks to his many years of experience as a manager and consultant, he is very familiar with the practical challenges entrepreneurs face.
