Com­pli­ance: guidelines for compliant corporate behaviour

Law-abiding and ethically correct conduct should be only natural in companies. However, recent incidents have proven that this is not the case. On the contrary, com­pli­ance remains a constant topic of dispute. After all, companies do not just operate for them­selves; their business activ­it­ies affect numerous interest groups. Not only cor­por­a­tions, but also SMEs are under pressure to define what these values are and adhere to them. In view of the complex discourse, the first question that arises is: What exactly does com­pli­ance mean?

The term "com­pli­ance", which is fre­quently used in business ad­min­is­tra­tion and law, ori­gin­ated in the US financial system, but is now used in prac­tic­ally all in­dus­tries and economic sectors. It’s basically about companies and their employees complying with the rules. In the past, this primarily meant complying with laws.

Today, however, the concept of com­pli­ance has long been much more broadly defined: In addition to main­tain­ing legality, the concept now also includes re­cog­nising standards and guidelines customary in the industry. Even more important, however, is com­mit­ting to its own set of values, with which a company imposes strict ethical rules on its internal and external conduct.

But why is com­pli­ance so important? What is behind the concept of com­pli­ance and what are the goals of a company that is committed to it?

From a purely business point of view, a com­mit­ment to com­pli­ance has primarily strategic mo­tiv­a­tions: Just like normal citizens, companies that are so-called legal entities must comply with existing national and in­ter­na­tion­al laws. The Companies Act 2006 is the main piece of le­gis­la­tion governing company law in the UK. This detailed Act helps companies adhere to gov­ern­ment reg­u­la­tions.

If efforts are not made to comply with these reg­u­la­tions, those involved run the risk of being punished with sanctions such as fines, profit skimming, or even im­pris­on­ment. In addition, there are internal and external con­sequences and costs that may be incurred by the offending company, such as personnel con­sequences or claims for damages by customers and business partners. However, these sanctions are not limited to a single company, but can affect the entire parent company of the group. In cases like this, insurance does not offer any pro­tec­tion.

The main objective of com­pli­ance is therefore to avoid or quickly identify criminal behaviour and to react ap­pro­pri­ately to it in order to minimise any economic risk that might result. Although de­lib­er­ate breaches of rules cannot be prevented in this way, the existence of com­pli­ance measures can, however, lead to a reduction in the liability of managers. However, whether an internal control system is taken into account to reduce penalties always depends on the in­di­vidu­al case.

A well-known example of a com­pli­ance violation is the emissions scandal that has pre­oc­cu­pied the media, industry and politics since September 2015: Volk­swa­gen admitted that it had been using an illegal shutdown system in its diesel vehicles to ma­nip­u­late nitrogen oxide levels and thus cir­cum­vent ap­plic­able emission standards - a de­lib­er­ate breach of the law ordered by man­age­ment. This pro­gram­ming software was used in about eleven million cars worldwide. Since then, the company has been the focus of con­tinu­ous public attention: company CEO Martin Win­ter­korn resigned from his position, possibly facing 25 years of in­car­cer­a­tion. Politi­cians are focusing more on vehicle man­u­fac­tur­ers; the auto­mot­ive industry con­sequently sees itself in a serious crisis; numerous criminal and civil in­vest­ig­a­tions are underway.

Volk­swa­gen announced plans in April 2016 to spend around £14 billion rec­ti­fy­ing the emissions issues as well as refitting all the affected vehicles after they’d been recalled. In total the whole scandal cost the company around £23 billion.

An expanding public discourse on corporate social re­spons­ib­il­ity has led to an ethical component being added to the concept of com­pli­ance. Stake­hold­ers - i.e. relevant interest groups such as customers, employees and residents in the vicinity of factory fa­cil­it­ies - expect companies not only to comply with rules for the sake of the company, but also to adhere to industry-standard virtues and moral values. Companies should therefore not appear merely as economic figures, but above all as corporate citizens in the sense of corporate social re­spons­ib­il­ity.

What is con­sidered socially re­spons­ible is, to a certain extent, pre-defined by generally accepted reg­u­lat­ory bodies and codes. In many cases, es­pe­cially in sensitive in­dus­tries such as energy and chemicals, the company is expected to follow its own set of values that pro­act­ively and directly address potential conflicts of interest with in­di­vidu­al stake­hold­ers. A company whose business activ­it­ies have eco­lo­gic­al im­plic­a­tions must therefore also com­mu­nic­ate its en­vir­on­ment­al and sus­tain­ab­il­ity standards well and face up to criticism. This has a positive effect on their cred­ib­il­ity and business re­la­tion­ships.

Even if an en­tre­pren­eur is in­ter­ested in com­pli­ance as a matter of principle, com­mit­ting them­selves to corporate social re­spons­ib­il­ity also makes sense from a purely economic point of view. Apart from penalties, vi­ol­a­tions of rules can also have a number of non-financial con­sequences. This par­tic­u­larly refers to the loss of repu­ta­tion and trust among business partners and customers. Even if the ac­cus­a­tions later turn out to be false, the repu­ta­tion­al damage can be enormous.

In the case of proven ma­nip­u­la­tion by Volk­swa­gen, a simple apology by the executive board was not enough to appease the public dis­pleas­ure that followed the rev­el­a­tions. The fact that the diesel vehicles sold between 2008 and 2015 could be re­spons­ible for around 1,200 premature deaths due to air pollution, according to an MIT study, poured ad­di­tion­al oil into the fire of criticism. The scandal thus once again sparked the long-term dis­cus­sion about the traffic policies, which is now putting the auto­mot­ive industry under ad­di­tion­al pressure to act.

A com­pli­ance man­age­ment system (CMS) is needed to implement and enforce com­pli­ance within the company. This system ensures com­pli­ance with all guidelines and enables rule vi­ol­a­tions to be quickly detected. The aim of this CMS is to implement and maintain a trans­par­ent, un­am­bigu­ous, and clearly un­der­stand­able com­pli­ance culture.

Due to the variety of topics and areas of interest that the concept of com­pli­ance can affect, however, de­vel­op­ing a CMS is not an easy un­der­tak­ing. Even medium-sized companies often lack the necessary know-how for a project like this. Depending on the industry, company size, and type as well as the or­gan­isa­tion­al structure, there will be in­di­vidu­al re­quire­ments for the im­ple­ment­a­tion, so therefore there is no generally ap­plic­able procedure. Nev­er­the­less, the following is a rough ex­plan­a­tion of the most important steps.

Every CMS starts with company man­age­ment com­mit­ting to com­pli­ance and defining a term that is in­di­vidu­ally tailored to the company. This is the only way to ensure that all those re­spons­ible pull together and avoid mis­un­der­stand­ings about the nature and scope of the project. How serious the man­age­ment team is about this com­mit­ment can already be seen from how much personnel capacity and budget they are prepared to spare. An effective com­pli­ance team should consist of experts from all de­part­ments of a company (e.g. personnel man­age­ment, financial ad­min­is­tra­tion, legal de­part­ment). Only in this way is it possible to identify and cover all con­ceiv­able areas of interest and risk in the company.

Ad­di­tion­al external expertise can be obtained from lawyers, tax con­sult­ants, and man­age­ment con­sult­ants. It is also legally necessary and advisable to involve the works council in all decision-making processes. For example, it needs to be decided whether existing em­ploy­ment contracts or operating agree­ments need to be changed. A realistic timetable and a clearly defined dis­tri­bu­tion of roles (including a competent team leader) can help to keep costs man­age­able and achieve a timely result.

The team’s main task is to carry out an analysis of the current situation. It could be that the company already has (at least rudi­ment­ary) com­pli­ance struc­tures, in the form of "unwritten rules" that apply among employees. On the basis of this pre-eval­u­ation, the target state is then defined: Which measures and mech­an­isms must be sup­ple­men­ted, modified, or com­pletely recreated in order to do justice to the company’s com­pli­ance concept? It is worth­while identi­fy­ing the civil society in­ter­faces that the company has to deal with in its day-to-day business.

It could even be worth­while to hire a com­pli­ance solutions company, which could co­ordin­ate pro­ced­ures and activ­it­ies according to the current com­pli­ance reg­u­la­tions and re­quire­ments. These companies work together with employees and teach them how to insert com­pli­ance into the internal workplace culture and also come with these benefits:

• Ensuring com­pli­ance with all state and federal laws
• Main­tain­ing a firm ethical standing ground
• Trans­par­ent reporting pro­ced­ures
• Well-defined processes that increase ef­fi­ciency
• Reduced potential for lawsuits and other legal problems
• More efficient audit processes

And even more.

There are numerous com­pli­ance policy patterns on the internet, but there is no general re­quire­ment for the content and structure. Instead, it is re­com­men­ded to adapt all rules exactly to the in­di­vidu­al needs and cir­cum­stances in the en­ter­prise.

One possible structure could be the following:

1. General rules of conduct
2. Specific issues (e.g. gifts to business partners, behaviour towards com­pet­it­ors, equal treatment of employees)
3. Contact persons and form­al­it­ies for reporting in­fringe­ments
4. Doc­u­ment­a­tion mech­an­isms for in­fringe­ments
5. Sanctions (e.g. reminder/caution, transfer, (extra)ordinary ter­min­a­tion, salary reduction, com­pens­a­tion, police reports)

Once completed, the com­pli­ance guidelines must be openly com­mu­nic­ated through­out the company. This is done by means of news­let­ters, pub­lic­a­tions on the intranet, and in­form­a­tion­al events. Regular training sessions must be held to sensitise all those involved in the company (including con­trac­tu­al partners and suppliers) to the new com­pli­ance culture. It is also essential for all employees to be bound by their em­ploy­ment contracts by means of ap­pro­pri­ate sup­ple­ment­ary clauses.

Many companies also decide to place a reduced version of their com­pli­ance policy on their website in the form of a "Code of Conduct" or "Mission Statement". Being so trans­par­ent can strengthen the trust of customers and business partners and attract ap­plic­ants in the context of employer branding. The most important thing, however, is that managers always set a good example and exemplify the com­pli­ance culture both in­tern­ally and ex­tern­ally.

Although the main re­spons­ib­il­ity and full liability for com­pli­ance lies with the company man­age­ment, this re­spons­ib­il­ity can be given to a single chief com­pli­ance officer, an entire com­pli­ance team, or a com­pli­ance solutions company can take over the work (as mentioned above).

These are then re­spons­ible for the following tasks, among others:

• Im­ple­ment­ing the CMS
• Or­gan­ising training courses
• Con­tinu­ous quality control
• Con­duct­ing employee surveys
• Mon­it­or­ing le­gis­lat­ive changes
• Adapting, expending, and further de­vel­op­ing the CMS if necessary
• Doc­u­ment­ing in­fringe­ments
• Regular reporting to man­age­ment

Such a complex task requires competent and assertive personnel, which is why par­tic­u­lar care is required in re­cruit­ing. The com­pli­ance officer does not ne­ces­sar­ily have to be at the highest man­age­ment level, but should have a direct, con­sist­ent and the shortest possible com­mu­nic­a­tion con­nec­tion in order to be able to work ef­fect­ively. This is the only way to ensure that com­pli­ance efforts are fruitful in the end.

The benefits and goals of com­pli­ance measures are obvious in light of existing laws and corporate social re­spons­ib­il­ity. However, this does little to change the fact that the concept has a rather dubious repu­ta­tion in some man­age­ment circles - chal­len­ging proven practices and therefore hampering business activity.

Many find the main problem to be in the inherent com­plex­ity and change­ab­il­ity of the concept of com­pli­ance. Companies, es­pe­cially global players, face a veritable flood of national, in­ter­na­tion­al, and industry-specific rules and pro­hib­i­tions. In addition, topics are con­stantly changing. As a result, com­pre­hens­ive com­pli­ance man­age­ment systems are often only found in large cor­por­a­tions, while the topic is often of secondary im­port­ance in small and medium-sized companies.

This makes it all the more important (and urgent) to ensure all those re­spons­ible in the company comply with the rules and to appoint a trained and ex­per­i­enced com­pli­ance officer who is up to the chal­lenges of the job de­scrip­tion.

Please note the legal dis­claim­er relating to this article.