Compliance: guidelines for compliant corporate behavior

Law-abiding and ethically correct conduct should be only natural in companies. However, recent incidents have proven that this is not the case. On the contrary, compliance remains a constant topic of dispute. After all, companies do not just operate for themselves; their business activities affect numerous interest groups. Not only corporations, but also SMEs are therefore under pressure to define what these values are and adhere to them. In view of the complex discourse, the first question that arises is: What exactly does compliance mean?

The term "compliance", which is frequently used in business administration and law, originated in the US financial system, but is now used in practically all industries and economic sectors. It’s basically about companies and their employees complying with the rules. In the past, this primarily meant complying with laws.

Today, however, the concept of compliance has long been much more broadly defined: In addition to maintaining legality, the concept now also includes recognizing standards and guidelines customary in the industry. Even more important, however, is committing to its own set of values, with which a company imposes strict ethical rules on its internal and external conduct.

But why is compliance so important? What is behind the concept of compliance and what are the goals of a company that is committed to it?

From a purely business point of view, a commitment to compliance has primarily strategic motivations: Just like normal citizens, companies that are so-called legal entities must comply with existing national and international laws. In October 2006, the U.S. Small Business Administration re-launched Business.USA.gov, which provides a single point of access to government services and information to help companies adhere to government regulations.

If efforts are not made to comply with these regulations, those involved run the risk of being punished with sanctions such as fines, profit skimming, or even imprisonment. In addition, there are internal and external consequences and costs that may be incurred by the offending company, such as personnel consequences or claims for damages by customers and business partners. However, these sanctions are not limited to a single company, but can affect the entire parent company of the group. In cases like this, insurance does not offer any protection.

The main objective of compliance is therefore to avoid or quickly identify criminal behavior and to react appropriately to it in order to minimize any economic risk that might result. Although deliberate breaches of rules cannot be prevented in this way, the existence of compliance measures can, however, lead to a reduction in the liability of managers. However, whether an internal control system is taken into account to reduce penalties always depends on the individual case.

A well-known example of a compliance violation is the emissions scandal that has preoccupied the media, industry and politics since September 2015: Volkswagen admitted that it had been using an illegal shutdown system in its diesel vehicles to manipulate nitrogen oxide levels and thus circumvent applicable emission standards - a deliberate breach of the law ordered by management. This programming software was used in about eleven million cars worldwide, 600,000 of which were in the United States. Since then, the company has been the focus of continuous public attention: company CEO Martin Winterkorn resigned from his position, possibly facing 25 years of incarceration. Politicians are focusing more on vehicle manufacturers; the automotive industry consequently sees itself in a serious crisis; numerous criminal and civil investigations are underway.

Volkswagen announced plans in April 2016 to spend around $18 billion rectifying the emissions issues as well as refitting all the affected vehicles after they’d been recalled. In total the whole scandal cost the company around $29 billion.

An expanding public discourse on corporate social responsibility has led to an ethical component being added to the concept of compliance. Stakeholders - i.e. relevant interest groups such as customers, employees and residents in the vicinity of factory facilities - expect companies not only to comply with rules for the sake of the company, but also to adhere to industry-standard virtues and moral values. Companies should therefore not appear merely as economic figures, but above all as corporate citizens in the sense of corporate social responsibility.

What is considered socially responsible is, to a certain extent, pre-defined by generally accepted regulatory bodies and codes. In many cases, especially in sensitive industries such as energy and chemicals, the company is expected to follow its own set of values that proactively and directly address potential conflicts of interest with individual stakeholders. A company whose business activities have ecological implications must therefore also communicate its environmental and sustainability standards well and face up to criticism. This has a positive effect on their credibility and business relationships.

Even if an entrepreneur is interested in compliance as a matter of principle, committing themselves to corporate social responsibility also makes sense from a purely economic point of view. Apart from penalties, violations of rules can also have a number of non-financial consequences. This particularly refers to the loss of reputation and trust among business partners and customers. Even if the accusations later turn out to be false, the reputational damage can be enormous.

In the case of proven manipulation by Volkswagen, a simple apology by the executive board was not enough to appease the public displeasure that followed the revelations. The fact that the diesel vehicles sold between 2008 and 2015 could be responsible for around 1,200 premature deaths due to air pollution, according to an MIT study, poured additional oil into the fire of criticism. The scandal thus once again sparked the long-term discussion about the traffic policies, which is now putting the automotive industry under additional pressure to act.

A compliance management system (CMS) is needed to implement and enforce compliance within the company. This system ensures compliance with all guidelines and enables rule violations to be quickly detected. The aim of this CMS is to implement and maintain a transparent, unambiguous, and clearly understandable compliance culture.

Due to the variety of topics and areas of interest that the concept of compliance can affect, however, developing a CMS is not an easy undertaking. Even medium-sized companies often lack the necessary know-how for a project like this. Depending on the industry, company size, and type as well as the organizational structure, there will be individual requirements for the implementation, so therefore there is no generally applicable procedure. Nevertheless, the following is a rough explanation of the most important steps.

Every CMS starts with company management committing to compliance and defining a term that is individually tailored to the company. This is the only way to ensure that all those responsible pull together and avoid misunderstandings about the nature and scope of the project. How serious the management team is about this commitment can already be seen from how much personnel capacity and budget they are prepared to spare. An effective compliance team should consist of experts from all departments of a company (e.g. personnel management, financial administration, legal department). Only in this way is it possible to identify and cover all conceivable areas of interest and risk in the company.

Additional external expertise can be obtained from lawyers, tax consultants, and management consultants. It is also legally necessary and advisable to involve the works council in all decision-making processes. For example, it needs to be decided whether existing employment contracts or operating agreements need to be changed. A realistic timetable and a clearly defined distribution of roles (including a competent team leader) can help to keep costs manageable and achieve a timely result.

The team’s main task is to carry out an analysis of the current situation. It could be that the company already has (at least rudimentary) compliance structures, in the form of "unwritten rules" that apply among employees. On the basis of this pre-evaluation, the target state is then defined: Which measures and mechanisms must be supplemented, modified, or completely recreated in order to do justice to the company’s compliance concept? It is worthwhile identifying the civil society interfaces that the company has to deal with in its day-to-day business.

It could even be worthwhile to hire a compliance solutions company, which could coordinate procedures and activities according to the current compliance regulations and requirements. These companies work together with employees and teach them how to insert compliance into the internal workplace culture and also come with these benefits:

• Ensuring compliance with all state and federal laws
• Maintaining a firm ethical standing ground
• Transparent reporting procedures
• Well-defined processes that increase efficiency
• Reduced potential for lawsuits and other legal problems
• More efficient audit processes

And even more.

There are numerous compliance policy patterns on the internet, but there is no general requirement for the content and structure. Instead, it is recommended to adapt all rules exactly to the individual needs and circumstances in the enterprise.

One possible structure could be the following:

1. General rules of conduct
2. Specific issues (e.g. gifts to business partners, behavior towards competitors, equal treatment of employees)
3. Contact persons and formalities for reporting infringements
4. Documentation mechanisms for infringements
5. Sanctions (e.g. reminder/caution, transfer, (extra)ordinary termination, salary reduction, compensation, police reports)

Once completed, the compliance guidelines must be openly communicated throughout the company. This is done by means of newsletters, publications on the intranet, and informational events. Regular training sessions must be held to sensitize all those involved in the company (including contractual partners and suppliers) to the new compliance culture. It is also essential for all employees to be bound by their employment contracts by means of appropriate supplementary clauses.

Many companies also decide to place a reduced version of their compliance policy on their website in the form of a "Code of Conduct" or "Mission Statement". Being so transparent can strengthen the trust of customers and business partners and attract applicants in the context of employer branding. The most important thing, however, is that managers always set a good example and exemplify the compliance culture both internally and externally.

Although the main responsibility and full liability for compliance lies with the company management, this responsibility can be given to a single chief compliance officer, an entire compliance team, or a compliance solutions company can take over the work (as mentioned above).

These are then responsible for the following tasks, among others:

• Implementing the CMS
• Organizing training courses
• Continuous quality control
• Conducting employee surveys
• Monitoring legislative changes
• Adapting, expending, and further developing the CMS if necessary
• Documenting infringements
• Regular reporting to management

Such a complex task requires competent and assertive personnel, which is why particular care is required in recruiting. The compliance officer does not necessarily have to be at the highest management level, but should have a direct, consistent and the shortest possible communication connection in order to be able to work effectively. This is the only way to ensure that compliance efforts are fruitful in the end.

The benefits and goals of compliance measures are obvious in light of existing laws and corporate social responsibility. However, this does little to change the fact that the concept has a rather dubious reputation in some management circles - challenging proven practices and therefore hampering business activity.

Many find the main problem to be in the inherent complexity and changeability of the concept of compliance. Companies, especially global players, face a veritable flood of national, international, and industry-specific rules and prohibitions. In addition, topics are constantly changing. As a result, comprehensive compliance management systems are often only found in large corporations, while the topic is often of secondary importance in small and medium-sized companies.

This makes it all the more important (and urgent) to ensure all those responsible in the company comply with the rules and to appoint a trained and experienced compliance officer who is up to the challenges of the job description.

Click here for important legal disclaimers.