
Compliance Management

Compliance

Until 1999, inducements worth millions of euros, paid without restriction to win business, could under certain conditions be deducted from tax in Germany. Since then the law has changed significantly: today even small amounts are regarded as problematic from a compliance standpoint. "Compliance" is a term used constantly in the corporate environment, so what does it actually mean?

What is Compliance Management?

For a company, it is crucial to adhere both to legal requirements (statutes and regulations) and to internal guidelines (such as a Code of Conduct). Provisions on administrative and criminal offences can result in significant fines, for example up to 10 million euros under section 30 OWiG (German Act on Regulatory Offences), or at least twice the benefit derived from the breach under Art. 59 of Directive (EU) 2015/849.

The goal is to detect possible violations early and to mitigate the resulting risks for the company (such as damages and liability) proactively. This obligation to behave in accordance with the rules is referred to as the "duty of compliance".

Compliance violation: an example

A sales employee books revenue that will only be realized in the coming year into the current year in order to exceed their current sales targets and receive a substantial bonus. A colleague uses the company's whistleblowing channel to report the case to the compliance officer. On investigation, the compliance officer determines that this conduct could constitute fraud to the detriment of the company.

In addition to legal requirements, compliance management also covers internal rules such as company guidelines. A typical example is the procedure for gifts and entertainment. Depending on the circumstances, even a pen can count as a bribe; after all, a writing instrument can cost well over €1,000.

Complying with legal requirements is especially relevant for senior management and shareholders, as they can be held personally liable for breaches.

Beyond financial consequences (fines, penalties or sanctions), a compliance violation can also cause reputational damage, which can harm the company considerably.

What is a Compliance Management System (CMS)?


The legal requirements and internal guidelines that apply to a company are usually numerous and change constantly. It is therefore important not only to act in accordance with the current requirements but also to monitor legal changes on an ongoing basis. This calls for a systematic approach, and a compliance management system is the logical response. Several standards provide a structured framework for compliance management systems, notably ISO 37301:2021 (which replaced ISO 19600, in force from 2014 to 2021).

Components of a CMS

Compliance management systems vary with the requirements of the company. They may include, for example, a whistleblowing system through which employees and third parties can report misconduct digitally, or an approval workflow in which gifts are declared and authorized.

Typically, a compliance management system is a digital solution.

Method of operation

What are the processes within a compliance management system? The aim is to gain an overview of all process areas in the company: which internal and external requirements have to be met, which risks exist, how likely they are to occur, and what impact they would have on the company. Broadly, the processes fall into three sections:

  • Identification of compliance risks
  • Assessment of compliance risks
  • Monitoring of significant legal risks

Step 1: Identification of compliance risks

Every entrepreneur bears a certain business risk, since the outcome of decisions cannot be predicted. Misconduct by employees adds further risk (corporate misconduct). To assess these risks, it is important to gain an overview of the risk potential both inside and outside the company, including the significant legal risks relevant to it. Important areas include:

For this reason, the initial risk identification is carried out as a Compliance Risk Assessment, in which a compliance consultant systematically examines the areas mentioned. This involves detailed questionnaires and usually interviews with employees from different departments, since they know the company's day-to-day operations and how relevant issues are actually handled.

This assessment often forms the basis for a compliance management system. Repeating it annually is also useful for documenting the current state of the company.

Setting the right priorities

To establish structures effectively, it is important to understand the relevant areas and their priorities. Every company is different: a company in the financial sector may have different priorities from one in the healthcare or construction industry.

A Compliance Risk Assessment examines the potential risks and provides an opportunity to set appropriate priorities. This brings us to the second step.

Step 2: Assessment of Compliance Risk

Once the risks from the different areas are known from Step 1, they are assessed and evaluated. This means weighing competitiveness on one side against the avoidance of damage that could severely harm the company on the other. Such damage may include:

  • Fines / Penalties
  • Non-financial penalties, such as imprisonment
  • Government sanctions
  • Reputation risks
  • Risks to life and limb

Qualitative and quantitative evaluation of risks

On what basis can such an assessment be made? It can be done quantitatively, by relating the probability of occurrence to the possible damage in euros. Combinations that frequently matter in the evaluation are, for example:

  • (Very) high probability of occurrence and (very) high damage
  • Moderate probability of occurrence, (very) high damage
  • (Very) high probability of occurrence, moderate damage
[Risk matrix: damage (low, medium, high, very high) plotted against probability of occurrence; each cell is classified as low, medium, high or very high risk]

Qualitative risk assessment goes a step further and classifies the risks into risk categories. These categories are defined in advance according to specific rules that take into account the material operational and legal risks identified.

Risk assessment as a potential liability reduction

A professionally conducted Compliance Risk Assessment, together with a comprehensive compliance structure, demonstrates management's commitment to meeting legal requirements. This can reduce liability in the event of a compliance-related incident.

Step 3: Monitoring of significant legal risks

Ideally, one would eliminate all corporate risks. In reality, however, the number of risks is too large, and complete monitoring is neither feasible nor desirable. The third step therefore consists of identifying the principal legal risks and monitoring them continuously.

Monitoring significant legal risks is a fundamental aspect of further developing an effective compliance organization.

Ongoing monitoring of the legal landscape enables a company to adapt to changing legal conditions. Current topics include the EU Whistleblower Directive, amendments to the German Money Laundering Act (GwG), and rules under international law and sanctions regimes.

Example: Gasturbines SE exports gas turbines and spare parts worldwide, including to countries of the former Soviet Union. Thanks to a robust system for monitoring its major legal risks, the company learns that, owing to the current geopolitical situation, some of its customers' target countries, such as the Russian Federation, are subject to financial sanctions. It can therefore stop exports to "banned" countries, avoiding penalties and the risk of itself being placed on sanctions lists for aiding and abetting.

Compliance culture in companies

Having a compliance manager and corresponding guidelines does not guarantee lawful conduct. Compliance must be embedded throughout the company. Management can attach visible importance to the topic, communicate it to employees, and lead by example ("tone from the top"). When management backs compliance in this way, awareness rises among everyone involved. Regular joint compliance workshops further help to cultivate that awareness.

International Compliance Management


The requirements for compliant behavior are similar in many countries, but the specifics of compliance management often differ from one jurisdiction to another. This matters particularly for companies operating in several countries, where a holistic perspective is essential.

At Riscreen, we specialize in cross-border compliance management and, through our day-to-day work, we understand the necessary measures for operating in compliance with global regulations.

Riscreen provides guidance on the following compliance topics:

  • Organization
  • Communication
  • Management
  • Audits
  • Processes
  • Compliance Software Consulting
  • Compliance Software Development

External service providers for compliance management

Outsourcing compliance management to an external specialist ("compliance outsourcing") often makes sense, as it offers several advantages:

  • Complete focus and attention
  • Extensive expertise
  • Full cost control
  • No expenses for additional training
  • No conflicts of interest
  • Flexible cancellation option
  • Readily available substitution
  • Impartiality
  • Independence
  • Scalability
