The evolution compliance

With the exception of the financial sector, German law does not know any legal norms that oblige the management of a (capital) company to implement systematic compliance measures and to establish a compliance organisation or function.

With the new auditing standard 980 of the Institute of German Certified Public Accountants (IDW PS 980), there is now at least an initial collection of requirements for compliance management, which provides an overview of criteria to be observed, but is not legally binding. The German Corporate Governance Index (German: DCGK), which in its section 4.1.3 requires the executive board of a corporation to observe applicable law (compliance), only has the character of a recommendation.

In German company law, especially in stock corporation law, there are nevertheless central points of contact for the compliance discussion. First of all, there are two provisions that constitute a kind of general clause for the executive board's duties of conduct. Section 76 AktG regulates the executive board's duty of management. This also includes the duty to exercise due diligence in the management of the company as required by section 93 of the German Stock Corporation Act (AktG), which also concerns the legally compliant conduct of the company and its employees. Thus, a duty of care applies regardless of the sector, which is also extended to the supervisory body, the supervisory board (section 116 AktG). In order to fulfil this duty of care, structures and processes are needed to ensure that the company and its employees act in accordance with the law.

Depending on the business model, however, there is a multitude of laws, guidelines and standards to be observed for this task, which have a corresponding influence on the design of a compliance organisation.

In contrast to other industries, there are very detailed compliance requirements for the financial sector. Section 25a of the German Banking Act (German: KWG), for example, requires credit institutions to set up a proper organisation to comply with the legal provisions they must observe. With § 64 German Insulance Supervision Law, acomparable regulation also applies to insurance companies. Section 33 WPHG imposes just such organisational obligations on securities service companies.

In connection with the direct and indirect legal requirements for corporate compliance, it is imperative to consider the liability of corporate bodies. Management boards and now also supervisory boards can be held liable under civil and criminal law. In particular, the liability issues for supervisory boards have changed. With the entry into force of the German Accounting Law Modernisation Act (BilMoG), the scope of duties of supervisory boards of German corporations was further specified and, among other things, the duty was imposed on them to monitor the effectiveness of the internal control system (ICS) and risk management. If individual members of the supervisory board culpably neglect this duty, they may be liable to pay damages to the company.

Compliance management can only achieve its full effectiveness and efficiency if it is tailored to the risks associated with the company's business model. The basis of a suitable and company-specific compliance organisation is therefore the identification of the relevant risks threatening the company (scoping). Accordingly, the methodical procedure for identifying and assessing the risks in the company must be designed. After the risks have been identified, they must be evaluated according to the company's internal target standard. This assessment results in the package of measures necessary to manage and control the risks. Since the introduction of the German Accounting Law Modernisation Act (German: BilMoG), companies are increasingly adopting holistic approaches to risk management that no longer separate business and compliance risks. The Sarbanes Oxley Act (SOX) as international legislation as well as the introduction of the BilMoG in Germany created a change from the fact that compliance risks had been little or sometimes not at all in the focus of risk managers until then.

The result of the scoping process usually shows how complex the subject area of compliance is and the extent of the interdisciplinary demands it places on functionaries. There is an observable trend to no longer consider compliance in isolation, but to see it consistently in connection with risk management. This results not only in the merging of interlocking processes, but also in the design of a resource-saving matrix organisation. The advantage of the matrix organisation is that the necessary activities can be flexibly distributed, thus creating a justifiable expense even for smaller companies. An essential advantage of such an organisational form is the possible recourse to already existing processes and process owners as well as the underlying structural and procedural organisations.

This results in the possibility to fall back on existing structures, which has the advantage that compliance is perceived in the form of a process network and not as an isolated process. The perception of the importance of compliance in the company is essential for the decision of the organisational design.

Compliance sees itself as active risk prevention in the company. In addition to many individual organisational measures that compliance management requires, it demands a compliance culture that is broadly anchored in the company and actually lived by both the management and the workforce. The essential prevention aspect is to build such a compliance culture.

This culture is created by developing the intrinsic motivation of employees to build and maintain a positive attitude towards the ethical management principles of the company. This results in a value system that creates the conditions for legally compliant behaviour and forms the basis for a compliance system. This system must be suitable for ensuring extensive immunity against conduct detrimental to the company in the broadest sense. In this sense, the company's managers are called upon. The task of the executives is to make an outstanding contribution to a functioning and sustainable compliance in the company by communicating the values, norms and virtues of a prevention-oriented compliance culture to their employees at all levels and maintaining them permanently. This process must be accompanied by strategically elaborated communication.

If you currently (as of 28.10.21) enter the term compliance in Google, you will receive over 814 million hits. This gives an idea of the quantity of comments on this term and the prominent role compliance now plays.

The art is to grasp the broad spectrum of this topic and to implement it in such a way that it is tailored to the respective company and its individual culture. Indispensable for this is the identification of all risks of the business model at all levels and the evaluation of these risks within the framework of a company-internal target standard. Risk management is carried out by introducing countermeasures, which in turn are controlled by the management within the framework of a functioning internal control system (ICS). The proof of effectiveness is essential here. This should demonstrate and prove the effectiveness of the control as well as the countermeasures. The management of the company plays a major role in a functioning compliance. Compliance will always remain a challenge. The legal framework conditions will continue to develop both nationally and internationally, regardless of the industry, and will also require constant adjustments to the compliance organisation.