The need for companies to have a compliance management system is largely undisputed today. The crucial question in this context is the nature and scope of the compliance function.
In principle, the objectives of a compliance function within a company are clearly defined: first, compliance violations (from within the company) should be prevented in order to avert damage (material damage as well as reputational damage) to the company. Second, the compliance function should also minimize, if not completely prevent, the personal liability of management – both criminal and civil.
Since the topic of compliance has received a lot of media attention and numerous corporate scandals have become more and more apparent to the increasingly critical public, the question of setting up and implementing compliance management systems (CMS) is also being discussed in circles that previously did not feel addressed.
Risk landscape and risk strategy
Every company – regardless of industry, products, and business model – faces risks that can materialize and thus cause damage to the company. With globalization and internationalization, regulatory requirements have increased. Some industries are particularly affected. One example is the energy industry, which is struggling with a flood of new laws in connection with significant market changes. However, the regulatory frenzy within companies, especially within corporations, is also steadily increasing, so internal guidelines must also be observed.
With the increasing number of regulations, the risk of unknowingly violating legal, regulatory, and internal requirements increases. Intentional violations are a separate matter and are not addressed here.
Not every risk will have critical or existential consequences if it occurs. Against this background, determining the risk landscape and risk strategy is an essential basis for the future development of the compliance management system. The first step is to identify the risks; this results in the risk landscape (which risks exist in which business context). The second step is to assess the risks, quantify the potential damage, and estimate the probability of occurrence. In a third step, the risks are prioritized and assigned a strategic management approach (risk strategy generally distinguishes between risk avoidance, risk minimization, risk transfer, and risk assumption). Low risks are often borne by the company itself, while risks with high potential damage are transferred to third parties (e.g., insurance). In the case of non-transferable risks, the company attempts to minimize or even avoid them through appropriate measures.
Commitment to establishing a compliance function
Every manager is well advised to protect their company – and themselves – against the risks of compliance violations. This is usually done through a dedicated compliance management system (CMS). But to what extent is there an obligation to establish such a compliance function?
Opinions on this matter are far from unanimous. Explicit legal obligations exist only in isolated cases, such as Section 33 of the German Securities Trading Act [1] and Section 25a of the German Banking Act [2]. These provisions explicitly require the introduction of compliance functions, and they apply to companies that provide investment or financial services.
Proponents assume that there is a general obligation to introduce a compliance function. This arises from a holistic consideration of existing legal provisions such as Sections 76, 91 II, 93 I AktG and Sections 35, 41, 43, 85 GmbHG (legally standardized management function) [3].
An obligation to introduce a compliance function can also be derived from the provisions of the OWiG (§§ 3, 9, 130 OWiG) [4] .
Finally, the German Corporate Governance Code (DCGK) requires the Management Board to ensure compliance with legal provisions and internal company guidelines and to work towards their observance by the group companies [5] .
Critics disagree. Their main argument is that – apart from the aforementioned provisions of the German Securities Trading Act (WpHG) and the German Banking Act (KWG), as well as the supplementary provision of Section 64a of the German Insurance Supervision Act (VAG) [6] – there are no explicit legal regulations. Had the legislature intended compliance functions, of whatever kind, to be mandatory, it would have included this in the relevant legal regulations.
The interpretation of the AktG and GmbHG to the effect that this creates an obligation to implement a compliance function is also considered excessive.
Finally, the German Corporate Governance Code (DCGK) is also rejected as a legal basis, as it is merely a recommendation and therefore not legally binding. Furthermore, it applies exclusively to listed companies and therefore does not take all other companies into account.
All of the arguments mentioned are valid and justified. However, they lose their impact when considering whether members of management want to expose themselves to the risk of civil and criminal liability due to a lack of compliance management.
The compliance management system must fit the company
The first thing to note about this question is simple: there are no specific legal or regulatory requirements for a compliance management system. Therefore, every company's management is fundamentally free to choose the functional and organizational structures for the compliance function within their company. Nevertheless, there are a number of aspects that are helpful to consider when setting up the CMS and that can have implications – both directly and indirectly – for the design of the CMS. Ultimately, such a function ties up human and material resources and thus represents a significant cost factor.
The compliance function can only achieve its desired effect if it is integrated as a management system into the overall corporate organization. Therefore, a system suitable for the respective company must be installed. This requires at least:
- Personnel allocation
Compliance needs to be assigned to specific individuals, meaning responsibility for it must be assigned to specific individuals. In small companies, this can be done in conjunction with other functions (e.g., controlling), while larger companies employ their own compliance officers. Outsourcing to a specialized consultant is also conceivable.
- Organizational anchoring
The compliance function must be organizationally embedded within the company. This aspect also depends on the size and structure of the company: from a staff unit to a dedicated compliance department, all variants are present in practice. Regardless of the organizational anchoring, it is important that the compliance function does not represent an isolated solution. It is essential to ensure close integration with other management systems (quality management, risk management, etc.).
- Task definition
Defining the responsibilities of the compliance function has two dimensions. First, the specific operational tasks must be described (e.g., advising management and other departments within the company, developing and implementing internal regulations, training employees, and monitoring and detecting compliance violations). Second, it is important to ensure that the responsibilities of the compliance function are suitable for ensuring the fulfillment of the company management's obligations (organizational, control, and investigation duties) – after all, this involves the delegation of supervisory tasks and the relevant interplay of the act of delegation, the selection decision, and the monitoring of the delegate.
- Monitoring, control and reporting
A compliance function requires monitoring and control. This is typically achieved through a reporting system, the extended framework of which also includes the conduct of internal and external audits.
The CMS must be tailored to the company's individual needs and concerns, as well as its unique risk landscape. Therefore, it is essential to conduct a careful analysis of the key parameters before implementing or expanding a CMS.
[1] In Section 33 of the Securities Trading Act (WpHG), the legislator has imposed special organizational obligations on securities trading companies (establishment of an independent compliance function).
[2] Section 25a KWG (German Banking Act): An institution must have a proper business organization that ensures compliance with the legal provisions to be observed by the institution and with business requirements (excerpt).
[3] Section 91 (2) of the German Stock Corporation Act (AktG), for example, stipulates that the management board must take appropriate measures, in particular, establish a monitoring system. The same applies to GmbHs.
[4] According to Section 9 of the Administrative Offenses Act (OWiG), the "ownership" of the company within the meaning of the OWiG is attributed to the directly acting persons. In practice, liability for organizational negligence under the OWiG therefore falls not on the company itself, but on the management level.
[5] No. 4.1.3 DCGK (German Corporate Governance Code).
[6] Section 64 VAG (Insurance Supervision Act) is irrelevant here.
The second blog post will deal with corporate practice and the resulting requirements.
About the author
Eckart Achauer, studied law and business administration, postgraduate Master of Business Administration (MBA). In-service training as European Quality Manager (DGQ), mediator specializing in business mediation and Certified Compliance Manager (TÜV).
He worked for around 10 years in the international insurance industry in the management of a Swiss insurance group in various functions (claims department, sales, assistance) before moving into management and business consulting in 1997.
As a consultant and managing director of various consulting companies, Mr. Achauer has specialized in organizational and process optimization as well as in the development and implementation of management systems - quality management, risk and compliance management.
At Senator Executive Search Partners, Mr. Achauer is responsible for compliance management. As part of compliance audits, he analyses companies' organizational "compliance fitness", raises awareness among and trains management, executives and employees, and supports companies in setting up and implementing individual compliance management systems. In doing so, he always takes into account the specific risk situation of the company. Thanks to his many years of experience as a manager and consultant, he is very familiar with the business challenges faced in practice.