Compliance


June 11, 2024

Compliance means adherence to laws and rules. In the corporate context, it refers to the measures a company takes to ensure that its business is conducted with integrity and in accordance with the law, and that its employees act accordingly. This covers two things: compliance with external rules, i.e. the law, and compliance with internal rules on integrity and honesty. The most important of these measures is the creation of an internal system of rules and guidelines. Companies have broad latitude here and can organise their compliance management system largely as they see fit; the system should, however, define the compliance policy, its objectives and the processes by which those objectives are to be achieved.

Although setting up such a system is costly, it also brings greater legal certainty, a competitive advantage over rivals and a positive reputational effect. Reliable corporate structures also strengthen the trust of employees.


Legal regulations

In principle, all companies, as participants in business and legal transactions, must comply with the applicable laws and other regulations. In addition, there are specific laws and regulations that set out compliance requirements explicitly.

The German Corporate Governance Code (GCGC) presents the key statutory provisions on the management and supervision of listed companies in Germany, together with recommendations for responsible corporate governance based on domestic and international standards. Under Section 161 of the German Stock Corporation Act (AktG), the Management Board and Supervisory Board of every listed company in Germany must issue an annual declaration stating that the recommendations of the GCGC have been and are being complied with, or which recommendations have not been applied and why ("comply or explain"). The GCGC itself is not a law: it was drawn up by a government commission, which reviews it regularly; it reports the current legal situation and adds recommendations on top of it.

The EU Directive on the protection of persons who report breaches of Union law (Directive (EU) 2019/1937) and the German act implementing it, the Whistleblower Protection Act (HinSchG), contain minimum requirements for the protection of whistleblowers. The HinSchG has applied to all companies with at least 50 employees since 17 December 2023; larger companies with 250 or more employees were already covered when the act entered into force on 2 July 2023.

Other laws contain further individual provisions relevant to corporate compliance, such as Section 91 (2) AktG (early risk detection system), Section 80 of the German Securities Trading Act (WpHG), Section 25a of the German Banking Act (KWG) on proper business organisation, Section 123 of the German Act against Restraints of Competition (GWB), Section 242 of the German Civil Code (BGB), which lays down the principle of good faith, and Section 43 of the German Limited Liability Companies Act (GmbHG) on the diligence of a prudent businessman.

Compliance measures

The most important compliance measure in a company is the development of an internal set of rules and guidelines that applies to all employees. These include, for example, a code of conduct, guidelines on value management and rules for the prevention of corruption and money laundering.

Managers must then ensure that employees are sufficiently familiar with these internal rules and are encouraged to report violations and errors. Such reports are ultimately the most important instrument for avoiding violations, for acting as a compliant and honest company, and for reducing liability risks. The measures therefore also include setting up a communication and reporting system through which employees and external parties can report violations, so that they can be detected at all.

If the company has a works council, a works agreement can be concluded on the internal regulations. Under labour law, compliance rules can be enforced within the scope of the employer's right to issue instructions. In most cases, codes of conduct and internal regulations also state the labour law sanctions, such as warnings, that follow a breach of duty.

The second particularly important measure is the establishment of a compliance structure. This consists of three elements: risk analysis, scoping and organisational structure. First, a risk profile must be created, i.e. risks must be analysed regularly. The identified risks form the basis for the measures taken to prevent them. Risk potential typically lies in the following areas:

- Labour law, such as the Working Hours Act, the Minimum Wage Act and the rules on bogus self-employment

- Anti-discrimination

- Corruption and the associated criminal offences

- Confidentiality, trade secrets and data protection

- Unfair competition

- Tax law

Second, the setting of objectives and goals (scoping) is of great importance. The relevance of the identified risks is assessed, a company-specific target benchmark is defined and suitable measures are developed on that basis. Third, the organisational structure makes a significant contribution to a functioning compliance management system. Authorised representatives and officers must be appointed, duties delegated and processes coordinated and controlled. Within this framework, a responsible person is appointed as the central point of contact for compliance issues and, where necessary, a committee is set up in which the company's responsible persons also take part.

Which measures are appropriate depends on the size and structure of the company, its sector and business area, its individual risks and the mechanisms already in place.

Certification

In principle, it is possible to have the compliance management system certified. Certification, however, means that a larger number of requirements must be fulfilled by the system. The basis for certification can be, for example, the standard ISO 37301 on compliance management systems (ISO 37001 covers anti-bribery management systems specifically) or the IDW audit standard (PS) 980.

According to ISO 37301, the mandatory components of the compliance management system are risk assessment, the compliance policy, training and communication, performance evaluation and compliance obligations.

In the risk assessment, the specific risks existing in the company must be identified, analysed and evaluated. The assessment must be reviewed regularly and adapted to changes. It must be documented, and the documentation must be retained.

The compliance policy comprises the overarching principles and obligations required for compliance in the company, in particular the applicability, context, scope and principles of the compliance management system. Employees must receive appropriate and regular training on this policy.

The performance evaluation concerns monitoring whether the objectives are being achieved; the parameters to be evaluated, as well as the timing and procedure of the evaluation, must be defined. Where useful, metrics should be defined so that results can be assessed consistently over time. These results are also subject to documentation, which must be retained.

Throughout the company, from management level down to the individual departments and employees, the specific compliance obligations that follow from the general compliance requirements must be derived, their impact on day-to-day work assessed, and finally integrated into the relevant processes and procedures.

Compliance culture

Compliance culture refers to the fundamental attitudes and values, ethical principles and behaviours conveyed by company management (also referred to as the "tone from the top"). As a rule, they form the basis of the compliance management system and are set down in the internal rules and regulations.

Most important in this context, however, is communicating these principles, especially to employees, e.g. through training and campaigns, in order to reduce reservations, build confidence in handling the rules and ensure they are implemented. Every employee should understand and internalise the principles, rules, responsibilities and measures, and know where to turn in case of doubt. Uncertainty among employees and negative effects on the working climate should be avoided by providing comprehensive information tailored to the company's culture, so that the rules are comprehensible and employees can identify with the objectives and principles. Communicating the compliance culture signals to all employees and business partners how much importance the company attaches to adherence to the rules.