Definition and Relevance of Compliance
In relation to organizations, the term compliance (or the adjective compliant) means adherence to laws, regulations and internal rules by the organization and its employees. Compliance management, built on this, describes a documented and actively practised structure of internal rules and guidelines together with their monitoring. People make mistakes and bypass rules; whether they do so out of ignorance, unconsciously, consciously or intentionally usually plays a subordinate role. The consequences for the organization can range from a nuisance to a threat to its existence. Compliance should therefore play a major role in all types of organizations: a functioning compliance organization can help to reduce civil and criminal law risks. In addition, many clients, especially from the public sector, require proof of sustainable compliance management.
Goals and tasks of compliance
The primary goal of compliance is to represent the organization honestly and credibly on the market. Measures must be defined and implemented to prevent violations. A functioning compliance structure protects the organization from rule violations and the resulting direct or indirect negative effects. The task of compliance is therefore to define, communicate and monitor suitable processes so that work is carried out in accordance with the rules, i.e. compliantly.
Risk areas of compliance
If organizations violate laws, specific regulations, internal guidelines or prescribed best practices, this results in compliance risks: legal sanctions, financial losses, and damage to reputation and image. The most obvious and widespread compliance violations include:
- labor law violations
- privacy breaches
- export control violations
- money laundering
- IT security breaches
- antitrust violations
- market manipulation
- employment law
- occupational safety
- criminal law
- environmental protection
- customs regulations
- product liability
Several types of compliance
Under the general term of compliance (also: corporate compliance) there are many sub-disciplines, each assigned to the respective department. Typical examples include:
- Legal compliance: general legal regulations, adaptation to and compliance with national and international laws.
- Financial compliance: observance of rules in the financial area, e.g. the AktG, to prevent money laundering, theft and corruption.
- IT compliance: primarily through the rules of the GDPR.
- Tax compliance: mainly based on tax laws, to avoid tax evasion and avoidance.
- Social compliance: legal and ethical-social standards.
- Corporate codes of conduct.
In Germany, §§ 9, 30 and 130 of the Act on Administrative Offences (OWiG) directly, and §§ 91, 93 AktG and § 43 GmbHG indirectly, regulate the obligation of companies not to commit rule violations. In general, however, each organization is free to design its own compliance structure. In practice, the following standards have prevailed, and many compliance officers follow them to have their compliance management systems audited:
- ISO 37001
- German IDW PS 980 (Institute of Public Accountants)
The definition of internal rules and guidelines is a core element of a functioning compliance system. In addition to legal standards, organizational guidelines define what is expected of employees in compliance-relevant situations. There is no general definition, but typical policy content includes concrete, everyday examples and their sanctions:
- dealing with invitations, gifts and other personal advantages,
- behavior towards competitors,
- rules on equal treatment,
- consequences of compliance violations,
- general behavioral requirements.
Compliance management system
A compliance management system (CMS) supports the specific design of a compliance structure. It summarizes all measures, structures and processes that are suitable for preventing, detecting or reacting to violations. It thus serves to ensure traceable adherence to, or restoration of, compliance. A CMS is not necessarily a system solution in the IT sense with automated processes, but rather a documented set of rules that is recognized and lived by all members of the organization. A comprehensive, active, ideally certified CMS can also have legal advantages: if violations are identified and sanctioned, the operation of a CMS can have a mitigating effect on the penalty or negate intent and recklessness.
Components of the CMS
According to German IDW PS 980 and to ISO 19600, the basic elements of a CMS include:
- Compliance culture: naming, exemplifying and obviously taking compliance seriously
- Compliance goals and scope: Definition, documentation and communication of the same
- Compliance organization: Defined and implemented roles and responsibilities, structural and process organization
- Compliance risks: Documented and assessed risk overview
- Compliance program: The core of the CMS with principles and measures to limit compliance risks and rule violations
- Compliance communication: Appropriate communication to affected persons inside and outside the organization
- Compliance monitoring and improvement: Monitoring and implementation of identified need for action, e.g. through internal audits
- Crisis management
Requirements for a CMS
Certifiable compliance management systems must be introduced, documented, implemented and maintained. The necessary measures derived from this include:
- Defining processes to be followed
- Ensuring the availability of required resources and information
- Monitoring, measurement, and analysis of all relevant processes
As a quasi-standard, ISO 19600 sets out several requirements for a functional and sustainable compliance management system:
- Risk analysis / evaluation of compliance risks: identification of all compliance threats in the context of the company's value-adding activities
- Analysis of the company's legal environment
- Identification of the resulting compliance obligations
- Overview of activities in the company with possible or known risk potential
- Overview of high-risk areas
- Deviation analysis processes: detecting and checking the results of activities or sequences of activities that lie outside the defined tolerance range
- Processes for dealing with exceptional situations: processes for clarification and damage limitation
- Escalation processes: resolution of non-compliance situations that have already arisen and prevention of impending ones
- Control measures
- Systematic measures based on the risk analysis, e.g. a code of conduct with instructions and internal regulations
- Transparent communication among each other
- Transparent communication of rules and expected behavior
- Control of all relevant activities
- Regular testing and updating of the CMS
Compliance in the company
The legal organizational and supervisory obligation, and thus also the responsibility for the establishment, maintenance, evaluation and constant improvement of the CMS, lies with the "management" of an organization. It has the explicit task of defining internal responsibilities and powers and appointing a compliance officer. The compliance officer must be able to carry out their compliance tasks independently, and conflicts of interest must be ruled out. In addition, a direct reporting line to the management level should be ensured. The compliance officer is responsible for operational compliance within the organization and also regulates the flow of compliance-relevant information within it. There is no conventional professional training for the compliance officer; the skill profile typically includes extensive commercial or industrial operating experience as well as legal knowledge.
If there is sufficient suspicion of a compliance violation, the organization initiates a compliance procedure as an internal investigation. A representative of the organization, often the compliance officer, follows up on and consolidates all information from witnesses. If the violation is confirmed as real and punishable during the compliance procedure, the case is handed over to the public prosecutor's office. In addition to criminal sanctions against the perpetrator of the violation, the organization can also dismiss or demote the person and take recourse against them.
Opportunities and limits of compliance
Dealing with compliance alone often leads to previously unknown risks being recognized and measures being taken. In addition, compliance regularly produces a kind of self-cleansing effect, prompting the organization to question its own values and procedures. The constant checking and updating of the CMS ensures that this is maintained over time and that the organization knows how to protect itself against legal, moral and ethical violations. However, compliance must be demonstrated by the top of the organization, and managers at all levels are responsible as role models for their employees. Violations are more serious when they are made public by external institutions such as the media. Politics, the automotive industry, the financial sector and professional sports have shown in the recent past that, in addition to financial sanctions, image damage can also have a massive impact on the success of the organization.
Implementation of compliance
For compliance to work in an organization, all employees and those responsible must know and meet the compliance requirements. Compliance management standards form the guidelines, and above all it is the task of the managers to set an example of compliance. A functioning compliance management system is based on defined responsibilities within the organization:
- Documented management decision for a compliance management system
- Setting appropriate targets
- Provision of appropriate resources
Challenges in implementing compliance
As with almost every organizational change project, open or silent resistance is to be expected when introducing or expanding a compliance management system. The organization's management is responsible for taking the pioneering role during implementation, because compliance has a lot to do with communication and understanding. It is the management's explicit task to convey to the workforce the importance of compliance requirements and their fulfillment, to set an example, and to communicate the expectation that compliance requirements will be met. A culture of fear in which violations are not named and errors are not reported is to be avoided. Above all, the consequences of deliberate concealment should be clearly highlighted. Instead, employees and those responsible must be motivated to adopt an open error culture in which violations are clearly identified and sanctioned, but above all solutions are sought. Providing a contact point or hotline for anonymous inquiries and tips can significantly lower the inhibition threshold for making contact. Compliance in all its details is an expert topic. Experience has shown that the implementation of a compliance management system will not work without objective, neutral external support, especially for organizations taking their first steps on this path. The consultants from Firnkorn and Stortz can support you with decades of experience and advise you on the development and expansion of an appropriate compliance management system as a whole, or in the sub-disciplines of our IT security or digital transformation consulting.
Your contact at Firnkorn & Stortz on the subject of compliance
Firnkorn + Stortz GmbH