REQUIREMENTS FOR COMPANY MANAGEMENT WHEN SETTING UP A COMPLIANCE FUNCTION

A question that repeatedly arises in corporate practice is the scope of discretion in establishing and operating a compliance management system. In this context, a distinction must be made between binding and entrepreneurial decisions by management.

There is no discretion when it comes to compliance with legal provisions. They must be complied with without reservation. These are binding decisions.

When it comes to defining and implementing organizational measures, however, there is certainly scope for discretion. After all, company management usually does not assume the primary responsibility of ensuring compliance with laws and regulations itself, but rather delegates this responsibility to a specific group of people, thereby providing the organizational framework. Even monitoring and control can be delegated to supervisors. In this respect, these are primary management and organizational tasks that fall within the scope of entrepreneurial responsibilities – and for these, there is undoubtedly scope for entrepreneurial discretion.

The following requirements apply when setting up a compliance function:

  • Organizational requirements

Liability for legal violations is not strict liability. Liability falls on the company management in person if it fails to take appropriate organizational measures. Case law [1] assumes that management has a duty to create the organizational prerequisites that enable the officer to actually fulfill the obligation to prevent compliance violations. The scope of the duty depends on the size and structure of the company. Case law does not provide any further details on the "how" of a compliance organization, which allows the converse conclusion that it views the establishment and design of a compliance function as an original entrepreneurial task.

In addition to the aforementioned aspects of personnel allocation, organizational anchoring, task definition, and control/monitoring, the key organizational requirements include integration with other management functions within the company. These include, in particular, general risk management, quality management, controlling, and auditing. The form of this integration depends on the organizational structure; however, it is essential that the compliance function does not represent an isolated "island solution."

  • Requirements for monitoring and control

Fundamentally, the organization in place (both within the meaning of Section 130 of the Administrative Offenses Act (OWiG) and Section 43 of the Limited Liability Companies Act (GmbHG)) requires appropriate monitoring and control of the individuals assigned to the compliance function. Random checks of employees thus represent a fundamental function of the company's organization.

However, the monitoring and control measures must be practical and reasonable. Where exactly the limits of practicality and reasonableness lie is not clearly defined. They are likely to be exceeded, however, if monitoring and control become so intensive that the supervisor is effectively performing the supervised person's responsibilities themselves. This would de facto undermine the right to delegate tasks.

  • Requirements for investigations and research

Case law [2] assumes that, although no clear obligation to do so can be derived from the law, a company must initiate internal investigations if concrete indications of a violation of the rules arise, even if these indications are not the result of regular, ongoing monitoring within the scope of the compliance function's responsibilities. If the compliance function identifies violations of the rules in the course of its regular activities, a corresponding investigation must be initiated without question in order not to call into question the purpose of the compliance function per se.


Summary and outlook

A sense of proportion is required when establishing, implementing, and operating compliance management systems. Cost considerations, on the one hand, and the question of organizational proportionality and internal acceptance, on the other, are important arguments for implementing what is necessary rather than what is possible in the area of compliance. The permissible use of entrepreneurial discretion should therefore also be applied at this point.

However, this scope should not obscure the fact that the implementation of a compliance management system is a corporate imperative, because the mere absence of such a compliance function can give rise to personal criminal and civil liability of the company management.

Dealing with a compliance management system is complex and requires a variety of different specialist disciplines. On the one hand, a legal perspective is necessary, but – viewed in isolation – this is not sufficient. Violations can occur anywhere in a company. Therefore, in-depth knowledge of organizational structures and the interaction of functions and processes is essential to identify and define the requirements for an adequate compliance management system in the context of the company-specific risk landscape. On this basis, the appropriate measures for the development and implementation of the CMS are then derived and implemented. Furthermore, knowledge of and experience with other management systems, such as risk or quality management systems, are advantageous in order to ensure the necessary integration of the systems within the company.

[1] OLG Düsseldorf, 12 November 1998

[2] Federal Court of Justice, 8 October 1984 – II ZR 175/83, WiJ – Journal of the Economic Criminal Law Association, 03-2012, 09 July 2012

About the author

Eckart Achauer

Eckart Achauer studied law and business administration, followed by a postgraduate Master of Business Administration (MBA). In-service training as European Quality Manager (DGQ), mediator specializing in business mediation, and Certified Compliance Manager (TÜV).

He worked for around 10 years in the international insurance industry in the management of a Swiss insurance group in various functions (claims department, sales, assistance) before moving into management and business consulting in 1997.

As a consultant and managing director of various consulting companies, Mr. Achauer has specialized in organizational and process optimization as well as in the development and implementation of management systems - quality management, risk and compliance management.

At Senator Executive Search Partners, Mr. Achauer is responsible for compliance management. As part of compliance audits, he analyses companies' organizational "compliance fitness", raises awareness among and trains management, executives and employees, and supports companies in setting up and implementing individual compliance management systems. In doing so, he always takes into account the specific risk situation of the company. Thanks to his many years of experience as a manager and consultant, he is very familiar with the business challenges faced in practice.

