Compliance Management
Episode 2: “Who am I – and if so, how many?”[1]

Criminal conduct is ubiquitous, permeating all societies, social classes, and organizations. Companies – and above all, management – must face up to this reality. As part of their obligation to follow the law, management must ensure that the company is organized and supervised in such a way that no violations of the law occur. To this end, management should set up a compliance organization capable of handling the risks involved.[2]

Compliance Responsibles

You have assumed compliance responsibilities. Or you’re a Compliance Officer. Or Compliance Manager. Or Compliance Specialist. Or…

Congratulations – you are now deemed to be “the compliance organization”.
But don’t jump to conclusions quite yet: In principle, management retains its responsibility for compliance and cannot simply “delegate away” this responsibility to a compliance officer. However, it is entitled to delegate specific tasks. In this case, the compliance organization then establishes a compliance management system (“CMS”).

If you are taking on compliance responsibilities, make sure your job description includes this mission – namely, the development and implementation of a CMS. The following should not show up in your job description (I have seen something like that before): “The Compliance Officer is responsible for ensuring that no criminal acts are committed within the company.” You can’t promise that to anyone. Keep in mind – “ubiquity”. However, you can take systematic measures which make criminal behavior within the company much more difficult, and react professionally to violations.

Areas of Responsibility

Which subjects are currently considered part of compliance? There is no general answer to this question. In principle, the answer depends on the business activities of the company, and specific arrangements in individual cases.

Typical subject areas include:

  • Antibribery & corruption, fraud and embezzlement, money laundering, illegal employment, other offenses
  • Antitrust law, competition law
  • Trade secrets, data protection, IT security
  • Human rights, sustainability, environmental protection
  • Financial reporting, tax law
  • Workplace safety, product safety

Lists like this can be expanded almost indefinitely, since so many laws and regulations apply. Instead of getting overwhelmed by the details of individual requirements, it is better to work with more general subject areas. Also check to see if these areas may already be covered by other departments. Do you have an IT department that works intensively on IT security? Does your customs department carry out sanctions-list screenings? Has your finance department ever heard of the Money Laundering Act – and does it understand your company’s obligations under that law? In this case, fine – leave well enough alone. However, make sure to create a written overview (coordinated with the respective departments and with management) of which compliance areas are already in good hands, with whom, and for what reason. Coordinate carefully, especially where responsibilities overlap. All too often, each of two departments thinks that the other is handling a certain issue – and thus, at the end of the day, no one feels responsible.

Once you have identified “your” subject areas, you’ll need to go into more detail.
Which individual areas are included? What laws and other rules do you have to keep in mind? By now (at the very latest), you’ll be glad if your list of areas of responsibility doesn’t get too long.[3]

Your allies

Find allies. Valuable partners for compliance officers can be found, for example, in the legal, finance/controlling, HR, IT and internal audit departments. Seek regular input, including from the workers’ council (if applicable in your country). A Compliance Committee can also help to bring different departments together regularly (every four to eight weeks or so) under a unified compliance agenda, enabling responsible parties to share information across departments and reach decisions quickly.

It is also essential to have strong partners in business, for example in sales or marketing, who not only understand the importance of compliance, but also promote it to serve their own interests. The core idea must be: Compliance is not the responsibility (or even the “problem”) of the compliance officer, but of the entire company. Only a vision this deep-rooted can enable you to use multiplier effects for compliance topics in the company, and split up compliance issues and apply them to the level of the day-to-day business, thus making it easier for those responsible to actually understand and follow the rules.

Don’t just define your tasks in “to-do lists”, but rather plan them carefully in advance as projects. Coordinate priorities and resources with management. When searching for project-related resources, rely on your “allies” or even departments that are not yet very committed to compliance issues – in fact, target precisely these departments – and involve them intensively. Always explain why compliance should not be considered an obstacle to day-to-day operations, but rather offers real added value. This will bring you a step closer to your goal of ensuring that employees outside the core compliance team also recognize the importance of compliance and anchor this attitude within the organization.

Remember: How do you eat an elephant? Piece by piece!

What’s Next

The next episode will continue with the most important foundation of your CMS, namely “risk analysis and assessment”.

If you are unsure how to set up and run your compliance project successfully, please feel free to contact me.

[1] Freely adapted from the title of a book by philosopher Richard David Precht (“Who am I – and if so, how many? A philosophical journey”, Munich, 2007).
[2] See also the landmark decision of the Munich regional court in Germany, in which the court ordered former Siemens board member H.-J. Neubürger to pay Siemens € 15 million to compensate the company for his failure to establish an adequate compliance organization.
[3] You’ll also find that your mission will expand and diversify no matter what, imposing more and more demands. This may well increase uncertainty, at least initially. You can think of this as a variant of the Dunning-Kruger Effect, according to which ignorance often leads to more self-confidence than knowledge when performing complex tasks (such as playing chess or driving a car).