REQUIREMENTS FOR COMPANY MANAGEMENT WHEN SETTING UP A COMPLIANCE FUNCTION

One question that arises time and again in corporate practice is the question of the scope for discretion when setting up and operating a compliance management system. A distinction must be made here between binding and entrepreneurial decisions by the company management.

There is no room for discretion in complying with statutory provisions. These must be complied with without any ifs or buts. These are binding decisions.

On the other hand, there is certainly room for discretion when it comes to defining and implementing organizational measures. After all, company management does not usually take on the task of ensuring compliance with laws and regulations as an original task itself, but delegates this to a specific group of people and provides the organizational framework. Even monitoring and control can be delegated to supervisors. In this respect, these are original management and organizational tasks that fall within the scope of entrepreneurial tasks - and there is undoubtedly entrepreneurial discretion for these.

The following requirements apply to the establishment of a compliance function:

  • Organizational requirements

Liability for breaches of the law is not strict liability. Liability applies to the company management in person if it fails to take suitable organizational measures. Case law[1] assumes that the company management has a duty to create the organizational conditions to ensure that the agent can actually fulfil the duty to avoid compliance violations. The scope of the duty is related to the size and structure of the company. The case law does not provide any further details on the "how" of a compliance organization, which allows the reverse conclusion that it sees the establishment and design of a compliance function as an original entrepreneurial task.

In addition to the aforementioned aspects of personnel allocation, organizational anchoring, task definition and control/supervision, the main organizational requirements include integration with other management functions within the company. These include, in particular, general risk management, quality management, controlling and auditing. The form in which this integration takes place depends on the organizational structure; however, it is essential that the compliance function is not an isolated "island solution".

  • Monitoring and control requirements

In principle, the organization used (both within the meaning of Section 130 OWiG and Section 43 GmbHG) requires suitable monitoring and control of the persons to whom the tasks of the compliance function are assigned. Random checks on employees are therefore a basic function of the company organization.

However, the monitoring and control measures must be practicable and reasonable. Where exactly the limits of practicability and reasonableness are to be seen is not clearly defined. However, they are likely to be exceeded if the intensity of monitoring and control is so high that it comes close to the supervisor actually performing the supervisee's tasks themselves. This would de facto undermine the right to delegate tasks.

  • Requirements for investigations and inquiries

Case law[2] assumes that - although no clear obligation to do so can be derived from the law - a company must conduct internal examinations/investigations if there are concrete indications of a breach of rules, even if these indications are not the result of regular, accompanying monitoring from the compliance function's area of responsibility. If the compliance function identifies breaches of rules in the course of its regulatory activities, a corresponding investigation must undoubtedly be initiated so as not to call into question the purpose of the compliance function per se.


Summary and outlook

A sense of proportion is required when setting up, implementing and operating compliance management systems. Cost aspects on the one hand and the question of organizational proportionality and internal acceptance on the other are weighty arguments for implementing not what is possible, but what is necessary in the area of the compliance function. The permissible exhaustion of entrepreneurial discretion should therefore also take place at this point.

However, this leeway should not obscure the fact that the implementation of a compliance management system is a business imperative, as the mere absence of such a compliance function can give rise to personal criminal and civil liability on the part of the company management.

Dealing with a compliance management system is complex and requires a number of different specialist disciplines. On the one hand, a legal perspective is required, but this is not sufficient when viewed in isolation. Breaches of the rules can occur anywhere in the company. Therefore, in-depth knowledge of organizational structures and the interaction of functions and processes is essential in order to identify and define the requirements for an adequate compliance management system in the context of the company-specific risk landscape. The right measures for the structure and implementation of the CMS are then derived and implemented on this basis. In addition, knowledge of and experience with other management systems, such as risk or quality management systems, is an advantage in order to ensure the necessary interlinking of systems within the company.

[1] OLG Düsseldorf, 12.11.1998

[2] BGH, 8.10.1984 - II ZR 175/83, WiJ - Journal der Wirtschaftsstrafrechtlichen Vereinigung, 03-2012, 09.07.2012

About the author

Eckart Achauer

Eckart Achauer studied law and business administration, followed by a postgraduate Master of Business Administration (MBA). In-service training as European Quality Manager (DGQ), mediator specializing in business mediation and Certified Compliance Manager (TÜV).

He worked for around 10 years in the international insurance industry in the management of a Swiss insurance group in various functions (claims department, sales, assistance) before moving into management and business consulting in 1997.

As a consultant and managing director of various consulting companies, Mr. Achauer has specialized in organizational and process optimization as well as in the development and implementation of management systems - quality management, risk and compliance management.

At Senator Executive Search Partners, Mr. Achauer is responsible for compliance management. As part of compliance audits, he analyses companies' organizational "compliance fitness", raises awareness, trains management, executives and employees, and supports companies in setting up and implementing individual compliance management systems. In doing so, he always takes into account the specific risk situation of the company. Thanks to his many years of experience as a manager and consultant, he is very familiar with the business challenges faced in practice.

