Compliance (Business Administration)

from Wikipedia, the free encyclopedia

Compliance is the business-administration and legal term for the adherence of companies to rules (including regulatory compliance), i.e. compliance with laws, regulations and voluntary codes. The totality of a company's principles and measures for complying with certain rules, and thus for avoiding rule violations, is referred to by the "Government Commission on the German Corporate Governance Code" as the "Compliance Management System" (CMS) (IDW PS 980, item 6).


The German Corporate Governance Code (DCGK) defines compliance as the responsibility of the Management Board to ensure adherence to statutory provisions and internal company guidelines.

"The term compliance stands for the observance of legal provisions, regulatory standards and the fulfillment of further, essential and usually ethical standards and requirements set by the company itself."

- Eberhard Krügler

For credit institutions, the focus is in particular on compliance with the provisions of the Securities Trading Act (WpHG).

Compliance with the rules as a requirement for companies

The need for companies to adhere to legal regulations follows from the principle that laws must be complied with by everyone, including legal entities. Under §§ 9, 30 and 130 of the Administrative Offences Act (OWiG), companies and their managers are responsible for ensuring that no breaches of the law occur within the company. If appropriate organizational and supervisory measures are not taken, both the management and the company itself can be fined when the company breaks the law. If, for example, an employee of the company commits a criminal offence such as bribery, the company not only faces civil claims from the business partner whose employees were bribed; it must also expect administrative-offence proceedings to be initiated against the company or its management because the organizational and supervisory duties were not fulfilled.

A sanction under Sections 130 and 30 OWiG is not necessarily limited to the individual company concerned; in individual cases it can also be directed against the group parent company, even though the act of bribery (or other criminal offence) took place in the sphere of the subsidiary. In addition, a large number of statutory provisions impose direct duties and responsibilities on the company, and non-compliance with them can expose the company to severe penalties (e.g. for cartel violations). An obligation to ensure compliance also follows from §§ 91 and 93 AktG and § 43 GmbHG, which require the management to avert economic damage to the company.

The British anti-corruption law, the Bribery Act 2010, contains the world's most stringent requirements for specific compliance measures in companies (as of 2011).

Consequences of breaking the rules

Failure to comply with rules can result in corporate penalties, fines, the skimming of profits, or the forfeiture of profits made by violating the law. These direct losses are compounded by additional external and internal costs for proceedings, claims for damages and the unwinding of transactions.

Compliance culture

The basic attitudes and behaviors conveyed by company management are referred to as the compliance culture. It is intended to convey to everyone involved in the company, as well as to its customers and suppliers, the importance the company attaches to observing rules, and thereby to promote the willingness of all those involved to behave in accordance with them. The compliance culture is often described as the foundation of the CMS. In many cases it is laid down in special guidelines or codes of conduct (e.g. a "Mission Statement" or "Code of Conduct") and also published on the company's intranet or website.

In addition to such “official” communications, an effective compliance culture requires above all a reflection of the principles in the actual actions and behavior of all company managers at all management levels. Values ​​can only be conveyed credibly if they are also clearly lived by those who convey them.

Concrete rules, e.g. for avoiding corruption and cartel agreements, complying with data protection and equal-treatment requirements, and complying with regulations on product safety and occupational health and safety, are sometimes also regarded as part of the compliance culture, but belong more properly to the specific compliance program. The same applies to control structures such as whistleblowing hotlines, set up within the company or with external contact persons, through which rule violations can be reported.


Goals of compliance

Minimizing risk, increasing efficiency and increasing effectiveness are the primary goals of compliance. In this context, the figure illustrates the economic effects of the strategic use of compliance measures.

Compliance processes

Business processes must be established in order to implement the operational compliance activities. These are support processes, i.e. the compliance processes support and provide risk-oriented control of the company's primary business processes.

Risk analysis processes
Such sub-processes serve to identify threats and dangers in the context of the company's value-adding activities.
Deviation analysis processes
Such processes are triggered if the actual value of an activity or a sequence of activities is outside the defined tolerance range around the target value.
Processes for dealing with exceptional situations
The focus is on the (potential) occurrence of serious events with considerable critical relevance for the company. It is important to be prepared for such cases with pre-structured target processes for the purpose of clarification and damage limitation.
Processes of escalation
Escalation processes address the resolution of non-compliance situations that have already arisen and the prevention of anticipated ones. Their goal is to escalate critical activities, i.e. to make such activities transparent and to submit them promptly to a responsible body for a regulatory decision.

Certification of the compliance management system

The "Standard for Compliance Management Systems" (TR CMS 101:2011) is aimed at organizations such as companies, authorities and non-governmental organizations (NGOs) and describes the elements that make up a functional and effective compliance management system. It was published by TÜV Rheinland and replaced in 2015 by the new version "Standard for Compliance Management Systems" (TR CMS 101:2015), supplemented by the compliance guidelines (TR CMS 100:2015). It sets out which verifiable measures must be taken in order to systematically establish, maintain, monitor and continuously improve a compliance organization, with the aim of meeting all relevant compliance requirements. The TR CMS 101:2011 standard thus also serves as a benchmark for certifying an existing compliance management system. It does not require particular structures or functions to be created in order to achieve compliance, but only a systematic approach and the implementation of certain (minimum) elements. According to the standard, compliance management systems need not be designed uniformly but may expressly take into account the specifics of the organization, such as its size, structure, activities, products and specific risks. Organizations therefore have a high degree of flexibility in implementing their compliance management system.

Comparable to the standards for quality management systems (ISO 9001:2008) or for risk management systems (ONR 49001:2004), the TR CMS 101:2011 standard contains statements on the definition of compliance responsibilities, the provision of resources, the performance of audits and the need for continuous improvement. It also lists the specific characteristics that an effective compliance management system, independent of individual persons, must have. In keeping with a holistic view of compliance, the standard also takes the aspects of "organizational culture" and "communication" into account.

The TR CMS 101:2011 standard is structured as follows:

Scope of application
The TR CMS 101:2011 standard is applicable nationally and internationally to all organizations.
Goals of the compliance management system
According to the standard, the aim of every compliance management system is to systematically create the prerequisites in the organization so that violations of compliance requirements are avoided or made significantly more difficult and violations that have occurred can be recognized and dealt with.
Terms
This section contains definitions of important compliance terms used in the TR CMS 101:2011 standard.
Compliance management system
For the requirements of the standard to be met, a company must introduce, document, implement and maintain a systematic compliance organization, i.e. a compliance management system. The following measures are necessary for this:
  • The processes to be followed are to be defined.
  • The availability of the necessary resources and information must be ensured and
  • the processes are to be monitored, measured and analyzed.
The compliance management system itself and its components, such as audit results and corrective measures, must be documented so that the system remains maintained and functional regardless of the persons involved. The handling of this documentation (e.g. releases, updates, distribution and retention requirements) must also be specified.
Responsibility of the management
In line with the statutory organizational and supervisory duties, one focus of the standard is the special responsibility of the "management" for establishing, maintaining, evaluating and continuously improving the compliance management system. It is the task of the management to define internal responsibilities and authorities and to appoint a compliance officer. The standard does not specify at which management level this officer should be located, nor does it require a separate new compliance department to be created. However, the compliance officer must be able to carry out the compliance tasks independently; inherent conflicts of interest arising from the simultaneous assignment of other tasks must be ruled out, and direct reporting to management should be ensured. The management is responsible for conveying to employees the importance of the compliance requirements and their fulfilment. It is expressly required to commit to creating a compliance culture and to express its expectation that the compliance requirements will actually be met. As part of its supervisory duties, the management itself regularly evaluates the compliance management system. It also ensures that its information and reporting obligations towards the internal supervisory bodies are met.
Management of resources
This chapter sets out the obligations to identify and provide the resources required for an effective compliance management system. Training needs are to be determined systematically and the necessary training carried out. The effectiveness of the measures taken must be assessed regularly.
Compliance processes and implementation
In Chapter 7, "Compliance Processes and Implementation", the TR CMS 101:2011 standard describes the organization's compliance-specific topics. Systematic risk analyses (so-called "compliance risk assessments") are required. The applicable compliance rules must be systematically analysed, identified, documented, kept up to date and communicated to those affected. Workflows should be designed so that compliance requirements can be met without difficulty. Conflicts of interest must be identified and, where possible, excluded by organizational means. All compliance-relevant incidents must be documented.
System monitoring, analysis and improvement
Like other management-system standards, the TR CMS 101:2011 standard emphasizes continuous system monitoring and analysis as the basis for a continuous improvement process. Defined processes are required for monitoring, analysing and improving the system. The standard expressly mentions internal audits based on a planned audit program, monitoring measures and the obligation to act on the findings with the aim of improving the system.

Because of its cross-organizational and systematic approach, an organization's compliance management system can be certified by an independent third party against the TR CMS 101:2011 standard. Certification typically takes place in two stages:

  • Stage 1 of the certification audit establishes whether the system is ready for certification. It checks whether the certification requirements are fundamentally met, i.e. whether the compliance management system and its elements are documented (the so-called "document audit"), whether a compliance officer has been appointed and whether the management has carried out system evaluations.
  • In stage 2 of the certification audit, all elements of the compliance management system are checked on a sample basis. The auditors then write a report on the audit performed. If the result is positive, the certifier's certification body issues the certificate on the auditors' recommendation. The certificate is valid for three years, during which annual surveillance audits take place.

Certifiability can optionally be tested in advance as part of a pre-audit. Upstream "compliance assessments", which the organization can carry out itself and which TÜV Rheinland offers under the name "Compliance Care", are also often recommended.

Examination of compliance management systems

The auditing standard IDW PS 980 of the Institut der Wirtschaftsprüfer in Deutschland e. V. ("Principles of proper auditing of compliance management systems") sets out the professional view of German auditors on the requirements for accepting, planning and performing such audits. In addition, the standard defines for the first time general structural requirements for a CMS, without prescribing specific measures or processes.

CMS sub-area
An audit of a company's CMS under this standard always relates to clearly delimited CMS sub-areas. These are to be defined by the company on the basis of a higher-level risk assessment and comprise the rules to whose observance the company must pay particular attention. The selection is generally risk-based, i.e. separate CMS are set up for compliance sub-areas in which there is either a particularly high risk that compliance violations will occur or in which violations can have particularly serious consequences. The audit engagement must clearly delimit the CMS sub-area to be audited. The delimitation is usually made by precisely named legal areas or by company organization; e.g. the engagement may cover only the relevant anti-corruption provisions in purchasing, or only business activities in individual countries. Within the scope of the audit, the auditor essentially examines the process for delimiting the sub-area in order to determine whether the definition of the sub-area is misleading.
CMS description
The audit is based on a description of the compliance management system for the selected sub-area (the CMS description), which the company prepares. This description should give a comprehensive and understandable picture of the CMS. It must address all seven basic elements of a CMS and must not contain any material misstatements, inadequate generalizations or unbalanced and distorted representations that could mislead the recipients of the report.
On the basis of the CMS description, the auditor checks the CMS with the aim of making a statement as to whether
  • the statements contained in the CMS description about the principles and measures of the CMS are adequately presented in all essential matters,
  • the principles and measures presented are suitable in accordance with the CMS principles applied, both to identify risks for material violations of the relevant rules of the delimited sub-area in good time and to prevent such rule violations and were actually implemented,
  • and were effectively performed during the review period.
Reasonable assurance
The audit is directed exclusively at the system and its suitability to prevent violations, or at least to make them significantly more difficult with reasonable assurance, and to detect violations that occur nevertheless and ensure an appropriate response. The audit is not directed at uncovering violations itself.
Reasonable assurance does not mean absolute assurance, since no system can achieve absolute assurance with proportionate means. Every CMS has inherent limits, which means that violations can occur despite an effective system or that violations are not discovered promptly. This follows simply from the fact that people may use the system incorrectly by mistake or may circumvent it with considerable criminal energy. Section 130 of the Administrative Offences Act (OWiG) therefore also speaks of the obligation to make violations significantly more difficult.
Proof of effectiveness
A CMS audit under the IDW PS 980 auditing standard provides a very high degree of certainty that a reliable overall statement can be made about the suitability and effectiveness of the CMS.
Companies and those responsible for them thereby obtain an instrument that gives them reliable information on whether the CMS they have set up was appropriate and effective. The audit report can also serve as evidence to third parties that such a system was actually in place and effective during the audit period. If a compliance violation falling within the audit period is discovered later, the company can thus demonstrate that it fulfilled its duty of proper supervision and that the violation occurred despite an effective CMS, not because of the lack of one.

References

  1. Nicola Ohrtmann, Rolf Stober: Compliance: Handbuch für die öffentliche Verwaltung. Kohlhammer Verlag, 2015, ISBN 978-3-17-028791-4 (accessed June 7, 2018).
  2. Institut der Wirtschaftsprüfer in Deutschland: Auditing standard IDW PS 980, Principles of proper auditing of compliance management systems. In: WPg Supplement 2/2011, p. 78 ff.; FN-IDW 4/2011, p. 203 ff.
  3. Federal Ministry of Justice and Consumer Protection: Announcement of the German Corporate Governance Code in the version of June 24, 2014 (BAnz AT 09/30/2014 B1, section 4.1.3).
  4. Compliance - a topic with many facets. In: Environment magazine, issue 7/8 2011, p. 50.
  5. Munich Higher Regional Court (3rd Criminal Senate), decision of September 23, 2014, Az. 3 Ws 599/14, 3 Ws 600/14, with reference to Caracas: Responsibility in international corporate structures under Section 130 OWiG, using the example of bribery in business dealings that is unpunished abroad. Nomos Verlag, Baden-Baden 2014, ISBN 978-3-8487-0992-2.
  6. Jörg Tüllner: Great Britain is tightening the pace in the fight against corruption with the "Bribery Act" (Memento of April 12, 2013 in the Internet Archive). pwc Germany, 2011.
  7. PDF.
  8. Brochure available from TÜV Media GmbH.