REQUIREMENTS FOR COMPANY MANAGEMENT WHEN ESTABLISHING A COMPLIANCE FUNCTION

One question that repeatedly arises in corporate practice is that of the scope for discretion in establishing and operating a compliance management system. Here, a distinction must be made between binding and entrepreneurial decisions made by company management.

There is no room for discretion when it comes to complying with legal requirements. These must be complied with without exception. These are binding decisions.

However, there is certainly room for discretion when it comes to defining and implementing organizational measures. After all, company management does not usually consider ensuring compliance with laws and regulations to be its primary task, but delegates this to a specific group of people and specifies the organizational framework. Even monitoring and control can be delegated to supervisors. In this respect, these are primary management and organizational tasks that fall within the scope of entrepreneurial tasks—and there is undoubtedly room for entrepreneurial discretion in this regard.

The following requirements apply when establishing a compliance function:

  • Organizational requirements

Liability for legal violations is not strict liability. Liability lies with the company management in person if it fails to take appropriate organizational measures. Case law[1] assumes that company management has a duty to create the organizational conditions necessary for the representative to actually fulfill their duty to prevent compliance violations. The scope of this duty is related to the size and structure of the company. Case law does not provide any further details on the "how" of a compliance organization, which allows the reverse conclusion to be drawn that it sees the establishment and design of a compliance function as an original entrepreneurial task.

In addition to the aspects already mentioned, such as personnel allocation, organizational anchoring, task definition, and control/monitoring, one of the key organizational requirements is integration with other management functions within the company. These include, in particular, general risk management, quality management, controlling, and auditing. The form this integration takes depends on the organizational structure; however, it is essential that the compliance function is not an isolated "stand-alone solution."

  • Requirements for monitoring and control

In principle, the organization employed (both within the meaning of Section 130 OWiG and Section 43 GmbHG) requires appropriate monitoring and control of the persons to whom the tasks of the compliance function are assigned. Random checks on employees are therefore a basic function of the operational organization.

However, the monitoring and control measures must be practicable and reasonable. The exact limits of practicability and reasonableness are not clearly defined. However, they are likely to be exceeded if the intensity of monitoring and control is so high that it effectively amounts to the supervisor taking over the tasks of the supervised entity. This would effectively nullify the right to delegate tasks.

  • Requirements for investigations and inquiries

Case law[2] assumes that, although no clear obligation to do so can be derived from the law, a company must initiate internal investigations / inquiries if there are concrete indications of a violation of the rules, even if these indications are not the result of regular, ongoing monitoring within the scope of the compliance function. If the compliance function identifies violations of the rules in the course of its regular activities, an investigation must undoubtedly be initiated in order not to call into question the meaning and purpose of the compliance function per se.


Summary and outlook

Sound judgment is required when setting up, implementing, and operating compliance management systems. Cost considerations on the one hand and the question of organizational proportionality and internal acceptance on the other are weighty arguments in favor of implementing not what is possible, but what is necessary in the area of compliance. The permissible use of entrepreneurial discretion should therefore also be exercised at this point.

However, this leeway should not obscure the fact that implementing a compliance management system is a business necessity, as the mere absence of such a compliance function can already give rise to personal criminal and civil liability on the part of the company management.

Dealing with a compliance management system is complex and requires a variety of different specialist disciplines. On the one hand, a legal perspective is necessary, but this alone is not sufficient. Rule violations can occur anywhere in a company. Therefore, in-depth knowledge of organizational structures and the interaction of functions and processes is essential in order to identify and define the requirements for an adequate compliance management system in the context of the company-specific risk landscape. On this basis, the right measures for setting up and implementing the CMS are then derived and implemented. In addition, knowledge of and experience with other management systems, such as risk or quality management systems, is advantageous in order to ensure the necessary integration of systems within the company.

[1] Higher Regional Court of Düsseldorf, November 12, 1998

[2] Federal Court of Justice, October 8, 1984 – II ZR 175/83, WiJ – Journal of the Economic Criminal Law Association, March 2012, July 9, 2012

About the author

Eckart Achauer

Eckart Achauer studied law and business administration, followed by postgraduate studies leading to a Master of Business Administration (MBA). He completed in-service training as a European Quality Manager (DGQ), mediator specializing in business mediation, and Certified Compliance Manager (TÜV).

He worked for around 10 years in the international insurance industry in various management positions at a Swiss insurance group (claims department, sales, assistance) before moving into management and business consulting in 1997.

As a consultant and managing director of various consulting firms, Mr. Achauer has specialized in organizational and process optimization as well as the development and implementation of management systems—quality management, risk and compliance management.

At Senator Executive Search Partners, Mr. Achauer is responsible for compliance management. As part of compliance audits, he analyzes companies' organizational "compliance fitness," raises awareness and trains management, executives, and employees, and supports companies in setting up and implementing individual compliance management systems. In doing so, he always takes into account the specific risk situation of the companies. Thanks to his many years of experience as a manager and consultant, he is very familiar with the practical challenges of business.

