The fact that companies must have a compliance management system is largely undisputed today. Crucial in this context is the question of the type and scope of the compliance function.


In principle, the goals of a compliance function in a company are clearly defined: on the one hand, compliance violations (from within the company) should be prevented in order to avert damage (material damage as well as damage to reputation) from the company. On the other hand, the compliance function should also minimise, if not prevent, the personal - criminal and civil - liability of the management.

Since the topic of compliance has gained a great deal of media attention and numerous corporate scandals have increasingly raised the awareness of an increasingly critical public, the question of setting up and implementing compliance management systems (CMS) is also being discussed in circles that previously did not feel addressed.


Risk landscape and risk strategy

In every company - regardless of industry, products and business model - there are risks that can materialise and thus cause damage to the company. In the course of globalisation and internationalisation, regulatory requirements have increased. Some sectors are particularly affected. One example is the energy industry, which has to deal with a flood of new laws in connection with significant market changes. The density of internal regulation within companies, especially in corporate groups, is also constantly increasing, so that internal guidelines must likewise be observed to a greater extent.

With the increasing number of regulations, the risk of unknowingly violating legal, normative and internal requirements increases. Intentional violations are unaffected by this.

Not every risk has critical or existential consequences when it materialises. Against this background, the determination of the risk landscape and the risk strategy are an essential basis for the future development of the compliance management system. The first step is to identify the risks; this results in the risk landscape (which risks exist in which business context). In a second step, the risks are assessed with quantification of possible damage and estimation of the probability of occurrence. In a third step, the risks are prioritised and assigned to a strategic handling (as a rule, a distinction is made in risk strategy between risk avoidance, risk minimisation, risk transfer and risk assumption). Low risks are often borne by the company itself, while risks with high losses are transferred to third parties (e.g. insurance). In the case of non-transferable risks, the company tries to minimise or even avoid them through appropriate measures.


Obligation to establish a compliance function

Every manager is well advised to protect his company - and himself - against risks arising from compliance violations. This is usually done through a specific compliance management system (CMS). But to what extent is there an obligation to set up such a compliance function?

Opinion on this is anything but uniform. Explicit legal obligations exist only in individual cases, such as § 33 WpHG[1] and § 25a KWG[2]. These provisions expressly require the introduction of a compliance function; they apply to companies that provide investment services or financial services.

Proponents assume that there is a general obligation to introduce a compliance function. This results from a holistic view of existing legal provisions such as §§ 76, 91 II, 93 I AktG or §§ 35, 41, 43, 85 GmbHG (legally standardised management function of the management)[3].

An obligation to introduce a compliance function can also be derived from the provisions of the OWiG (sections 3, 9, 130 OWiG)[4].

Finally, the German Corporate Governance Code (GCGC) requires the executive board to ensure compliance with the statutory provisions and the company's internal guidelines and to work towards their observance by the group companies[5].

Critics do not share this opinion. The main argument is that - with the exception of the aforementioned provisions of the WpHG and KWG as well as the supplementary provision of § 64a VAG[6] - there are no explicit statutory regulations. If the legislator had wanted compliance functions, of whatever kind, to be mandatory, it would have included this in relevant statutory regulations.

The interpretation of the German Stock Corporation Act (AktG) and the German Limited Liability Companies Act (GmbHG) to the effect that this implies an obligation to implement a compliance function is also considered excessive.

Finally, the GCGC is also rejected as a legal basis, as it has the character of a recommendation and is therefore not legally binding. Moreover, it only applies to listed companies and therefore does not take into account all other companies.

All of the above arguments are valid and justified. Nevertheless, they lose their force in the face of the question of whether members of management want to expose themselves to the risk of civil and criminal liability due to a lack of compliance management.


The compliance management system must fit the company

In answering this question, the first simple observation is that there are no specific legal or normative requirements for a compliance management system. In this respect, every company management is basically free to choose the functional and organisational structures for the compliance function in its company. Notwithstanding this, there are a number of aspects that are helpful to take into account when setting up the CMS and that can - directly and indirectly - have implications for its design. Not least, such a function ties up human and material resources and thus represents a not inconsiderable cost factor.

The compliance function can only develop its desired effect effectively if it is integrated as a management system into the overall company organisation. It is therefore necessary to install a system that is suitable for the respective company. This requires at least:

  • Assignment of personnel
    Responsibility for the topic of compliance must be assigned to specific persons. In small companies this can be combined in one person with other functions (e.g. controlling); large companies employ their own compliance officers for this purpose. Outsourcing to a specialised consultant is also conceivable.
  • Organisational anchoring
    The compliance function must be organisationally anchored in the company. This aspect also depends on the size and structure of the company: from a staff unit to a separate compliance department, all variants are represented in practice. However the organisational anchoring takes place, it is important that the compliance function does not represent an isolated solution. It is essential to ensure that there is close integration with other management systems (quality management, risk management, etc.).
  • Definition of tasks
    The definition of the tasks of the compliance function has two dimensions. On the one hand, the concrete operational tasks must be described (e.g. advising the management as well as other bodies in the company, developing and implementing internal regulations, training employees, and controlling and detecting compliance violations). On the other hand, care must be taken that the tasks of the compliance function are suitable to ensure the fulfilment of the duties of the company management (organisational, control and investigation duties) - after all, what is at stake here is the delegation of supervisory duties, and thus the interplay of the act of delegation, the selection decision and the monitoring of the delegate.
  • Monitoring, control and reporting
    A compliance function requires monitoring and control. This is usually done through a reporting system, the extended scope of which also includes the performance of internal and external audits.

The CMS must be individually tailored to the company, taking into account its specific requirements and concerns as well as its individual risk landscape. In this respect, it is indispensable to carry out a careful analysis of the decisive parameters before setting up or expanding a CMS.


[1] In Section 33 of the German Securities Trading Act (WpHG), the legislator has imposed special organisational obligations on securities trading companies (establishment of an independent compliance function)

[2] § 25a KWG (German Banking Act): An institution must have a proper business organisation that ensures compliance with the legal provisions to be observed by the institution and the business necessities (excerpt)

[3] Section 91 (2) AktG (German Stock Corporation Act), for example, stipulates that the executive board must take appropriate measures, in particular set up a monitoring system. The same applies to the GmbH.

[4] According to § 9 OWiG (Administrative Offences Act), the "ownership" of the company within the meaning of the OWiG is attributed to the persons acting directly. In practice, liability for organisational culpability under the OWiG does not fall on the company itself, but on the management level.

[5] No. 4.1.3 DCGK (German Corporate Governance Code)

[6] Section 64 of the Insurance Supervision Act (VAG) is not relevant here.

The second blog post will deal with corporate practice and the resulting requirements.

About the author

Eckart Achauer

Eckart Achauer, studied law and business administration, postgraduate studies to become a Master of Business Administration (MBA). In-service training to become a European Quality Manager (DGQ), a mediator specialising in business mediation and a Certified Compliance Manager (TÜV).

He worked for around 10 years in the international insurance industry in the management of a Swiss insurance group in various functions (claims department, sales, assistance) before moving into management and business consulting in 1997.

As a consultant and managing director of various consulting companies, Mr Achauer has specialised thematically in organisational and process optimisation as well as in the development and implementation of management systems - quality management, risk and compliance management.

At Senator Executive Search Partners, Mr Achauer is responsible for the area of compliance management. Within the scope of compliance audits, he analyses companies' organisational "compliance fitness", he sensitises and trains the management, executives and employees, and he supports the companies in setting up and implementing individual compliance management systems. In doing so, he always takes into account the specific risk situation of the companies. Due to his many years of experience as a manager and consultant, he is very familiar with the entrepreneurial challenges of practice.
