Nowadays, it is widely accepted that companies must have a compliance management system in place. The decisive factor in this context is the nature and scope of the compliance function.
The objectives of a compliance function in a company are clearly defined: on the one hand, compliance violations (within the company) should be prevented in order to avert damage (material damage and damage to reputation) to the company. On the other hand, the compliance function should also minimize, if not prevent, the personal criminal and civil liability of management.
Since the topic of compliance has gained a lot of media attention and numerous corporate scandals have become increasingly apparent to an increasingly critical public, the question of establishing and implementing compliance management systems (CMS) is now also being discussed in circles that previously did not feel affected.
Risk landscape and risk strategy
Every company—regardless of industry, products, or business model—faces risks that can materialize and cause damage to the company. Regulatory requirements have increased in the wake of globalization and internationalization. Some industries are particularly affected by this. One example is the energy industry, which is struggling with a flood of new laws in connection with significant market changes. But the regulatory frenzy within companies, especially in large corporations, is also steadily increasing, meaning that more and more internal guidelines must be observed.
With the increasing number of regulations, there is a growing risk of unwittingly violating legal, normative, and internal requirements. Intentional violations are a separate matter and are not the subject of this discussion.
Not every risk has critical or existential consequences when it materializes. Against this backdrop, determining the risk landscape and risk strategy is an essential basis for the future shape of the compliance management system. The first step is to identify the risks; this results in the risk landscape (which risks exist in which business context). The second step involves assessing the risks, quantifying the potential damage, and estimating the probability of occurrence. In the third step, the risks are prioritized and assigned to a strategic approach (risk strategies generally distinguish between risk avoidance, risk minimization, risk transfer, and risk acceptance). Low risks are often borne by the company itself, while risks with high damages are transferred to third parties (e.g., insurance). In the case of non-transferable risks, the company attempts to minimize or even avoid them by taking appropriate measures.
Obligation to establish a compliance function
Every manager would be well advised to protect their company, and themselves, against the risks of compliance violations. This is usually done through a dedicated compliance management system (CMS). But to what extent is there an obligation to establish such a compliance function?
Opinions on this matter are far from unanimous. Explicit legal obligations exist only in individual cases, such as Section 33 of the German Securities Trading Act (WpHG)[1] and Section 25a of the German Banking Act (KWG)[2]. These provisions expressly require the introduction of a compliance function, and they apply to companies that provide investment services or financial services.
Proponents assume that there is a general obligation to introduce a compliance function. This arises from a holistic view of existing legal provisions such as Sections 76, 91 II, 93 I of the German Stock Corporation Act (AktG) and Sections 35, 41, 43, 85 of the German Limited Liability Companies Act (GmbHG) (legally standardized management function of the management)[3].
The provisions of the German Administrative Offenses Act (Sections 3, 9, 130 OWiG) also imply an obligation to introduce a compliance function[4].
Finally, the German Corporate Governance Code (DCGK) requires the Management Board to ensure compliance with legal provisions and internal company guidelines and to work toward ensuring that these are observed by the Group companies[5].
Critics do not share this opinion. Their main argument is that, apart from the aforementioned provisions of the WpHG and KWG and, in addition, the provision of Section 64a VAG[6], there are no explicit legal regulations. If the legislator had wanted compliance functions of any kind to be mandatory, it would have included this in the relevant legal regulations.
The interpretation of the German Stock Corporation Act (AktG) and Limited Liability Companies Act (GmbHG) as implying an obligation to implement a compliance function is also considered excessive.
Finally, the DCGK is also rejected as a legal basis because it is only a recommendation and therefore not legally binding. Furthermore, it applies exclusively to listed stock corporations and does not take other companies into account.
All of these arguments are valid and justified. However, they lose their force when confronted with the question of whether members of management want to expose themselves to the risk of civil and criminal liability for want of compliance management.
The compliance management system must be suited to the company
The short answer is that there are no specific legal or normative requirements for how a compliance management system must be designed. In this respect, every company management is free to choose the functional and organizational structure of the compliance function in its company. Nevertheless, there are a number of aspects that are helpful to consider when setting up a CMS and that have direct and indirect implications for its design. After all, such a function ties up human and material resources and is therefore a not inconsiderable cost factor.
The compliance function can only be effective if it is integrated into the overall corporate organization as a management system. It is therefore necessary to install a system that is suitable for the respective company. This requires at least:
- Personnel assignment
Personnel must be assigned to the area of compliance, i.e., individual persons must be given responsibility for this area. In small companies, this can be done in conjunction with other functions (e.g., controlling), while large companies employ their own compliance officers for this purpose. Outsourcing to a specialized consultant is also a possibility.
- Organizational anchoring
The compliance function must be anchored within the company's organizational structure. This aspect also depends on the size and structure of the company: from a staff unit to a separate compliance department, all variants are found in practice. Regardless of how it is anchored within the organization, it is important that the compliance function is not an isolated solution. Close integration with other management systems (quality management, risk management, etc.) is essential.
- Task definition
Defining the tasks of the compliance function has two dimensions. On the one hand, the specific operational tasks must be described (e.g., advising management and other departments within the company, developing and implementing internal regulations, training employees, and monitoring and detecting compliance violations). On the other hand, care must be taken to ensure that the tasks of the compliance function are suitable for ensuring that management fulfills its own duties (organizational, control, and investigation duties). After all, this involves the delegation of supervisory tasks, so the interaction between the act of delegation, the selection of the delegate, and the monitoring of the delegate is relevant here.
- Monitoring, control, and reporting
A compliance function requires monitoring and control. This is usually done through a reporting system, which also includes the performance of internal and external audits.
The CMS must be individually tailored to the company, taking into account its specific requirements and concerns as well as its individual risk landscape. In this respect, it is essential to carry out a careful analysis of the key parameters before setting up or expanding a CMS.
[1] In Section 33 of the Securities Trading Act (WpHG), the legislator has imposed special organizational obligations on securities trading companies (establishment of an independent compliance function).
[2] Section 25a KWG (German Banking Act): An institution must have a proper business organization that ensures compliance with the legal provisions to be observed by the institution and with business requirements (excerpt).
[3] Section 91 (2) of the German Stock Corporation Act (AktG), for example, stipulates that the management board must take appropriate measures, in particular to establish a monitoring system. The same applies to limited liability companies (GmbH).
[4] According to Section 9 of the OWiG (German Administrative Offenses Act), the persons directly involved are deemed to be the "owners" of the company within the meaning of the OWiG. In practice, this means that liability for organizational negligence under the OWiG does not fall on the company itself, but on the management level.
[5] No. 4.1.3 DCGK (German Corporate Governance Code)
[6] Section 64 of the Insurance Supervision Act (VAG) is not relevant here.
The second blog post will deal with corporate practice and the resulting requirements.
About the author

Eckart Achauer, studied law and business administration, postgraduate studies leading to a Master of Business Administration (MBA). In-service training as a European Quality Manager (DGQ), mediator specializing in business mediation, and Certified Compliance Manager (TÜV).
He worked for around 10 years in the international insurance industry in various management positions at a Swiss insurance group (claims department, sales, assistance) before moving into management and business consulting in 1997.
As a consultant and managing director of various consulting firms, Mr. Achauer has specialized in organizational and process optimization as well as the development and implementation of management systems—quality management, risk and compliance management.
At Senator Executive Search Partners, Mr. Achauer is responsible for compliance management. As part of compliance audits, he analyzes companies' organizational "compliance fitness," raises awareness among and trains management, executives, and employees, and supports companies in setting up and implementing individual compliance management systems. In doing so, he always takes into account the specific risk situation of the company concerned. Thanks to his many years of experience as a manager and consultant, he is very familiar with the practical challenges of business.