Introduction

In the last 10 years following the big compliance cases at Siemens and MAN, most companies in Germany have implemented and enforced compliance programmes. Compliance officers, compliance committees, helplines, hospitality guidelines and other compliance elements have become important standard tools to ensure that employees know both what they are and what they are not allowed to do. This is necessary because Germany has tightened its legal compliance framework. Stricter laws have been passed and public prosecutors, antitrust authorities and other agencies have significantly stepped up their investigatory activities in the past few years.

A representative study with international research institute IPSOS took a closer look at how larger companies tackle the issue of compliance. Interviews were held with compliance officers in companies with more than 500 employees – from larger medium-sized companies to major corporations. Meanwhile, whether out of ethical conviction or as a mere nuisance, compliance organisations have become standard in most German companies and this trend also holds sway in smaller companies. However, the survey demonstrates that there is still much to be done in bigger companies. Recent compliance cases which received wide press coverage have shown this in a drastic way.

Potential for improvement

Numerous companies have enhanced their human resources and financial compliance resources in the past few years. The lion's share of interviewees are well positioned in the process. Nevertheless, many compliance officers still see significant potential for improvement. The introduction of a true compliance culture is seen as the greatest challenge because internal compliance targets must be met in everyday practice; otherwise, compliance not only is ineffective, but actually poses a threat. If, despite compliance arrangements, major breaches of law occur, public prosecutors and courts will quickly gain the impression that compliance programmes exist only on paper. This can result in stricter company and management liability.

Compliance departments

In most companies, compliance issues are dealt with primarily by the legal department or controlling department. Risk management and auditing frequently assume compliance tasks. It is no surprise that only three out of 10 companies have their own compliance department. There is no obligation to set up a central compliance department, as organisational structure is at the management's discretion. Many companies choose a decentralised compliance organisation for cost and practicability reasons.

Surprisingly, in 30% of companies surveyed, compliance issues are handled by the purchasing and distribution departments. Whether compliance checks can be carried out optimally within the framework of a double function such as this appears doubtful. By way of illustration, a sales director whose variable remuneration depends solely on turnover may, in case of doubt, be more inclined to wave through a critical deal than to block it.

Companies frequently buy in external specialist support – depending on the compliance issue, the consultancy rate is around 80%. Whereas some companies wish to remain on the safe side by engaging external expertise when it comes to critical compliance issues. However, a lot of medium-sized companies simply do not have the capacity to respond directly to all compliance questions.

Risk evaluation

According to the survey, central compliance issues (ie, combating antitrust and corruption) tend to play a subordinate role in small and medium-sized enterprises (SMEs). Data protection, on the other hand, is deemed to be the most important compliance issue. Despite the fact that data protection is accorded a significant role, especially in Germany, this outcome shows that SMEs in particular tend to underestimate antitrust and corruption risks. This perception can have a fatal affect – anti-competitive or corrupt behaviour entails the highest liability risks, especially for SMEs. Recent years have seen cartel authorities and public prosecutors' offices investigate offences in these areas in a particularly systematic way and impose substantial sanctions. By contrast, these fields of risk are more realistically assessed at major corporations. At these companies, antitrust and anti-corruption issues are high on the agenda. Data protection and product liability make it to places three and four.

Business partner compliance

In general, many companies appear unhappy about regulatory overreach by the state and impending bureaucratisation of company processes. However, for more than half of the participants, compliance is not just a reaction to state action. Half of the company executives surveyed consider it important to demonstrate to their business partners that they have their own compliance system. This is congruent with the experience of compliance lawyers. Many major corporations require that their business partners set up appropriate compliance systems. For smaller companies in particular, this can be a difficult challenge. If they are unable to meet these demands, they may lose out on contracts from potential customers.

Overlapping segments rarely utilised

An internal control system exists in eight out of 10 of the companies surveyed. In 43% of the companies, no exact figures were available on the relationship between internal control systems and compliance. A lot of companies thereby miss out on efficient tie-ins between organisational divisions and use of existing resources.

Compliance standard

Most companies have a standard repertoire of compliance instruments consisting of internal guidelines and control processes. Eight out of 10 have a general code of conduct or department-specific conduct policies (eg, an anti-corruption policy). However, only half have implemented an internal training programme and there is a backlog in this area. Regular training is essential when it comes to preventing criminal offences, because only a minority of employees are regularly concerned with written guidelines. Moreover, experience shows that the distribution of guidelines and a one-off training course do not lead to the desired outcomes. Compliance management is not a one-hit wonder, but a continuous process.

Employees' compliance awareness is seen by compliance officers as improvable. They are less critical when it comes to taking a hard look at their management – 88% rate management's awareness as high. When asked about the willingness of management to support and even promote compliance issues, the evaluation is less positive and practice confirms this. Consistent implementation of compliance measures is often the stumbling block.

Internal investigations

If unlawful conduct is suspected, company management is generally obliged to investigate the matter. Consequently, the vast majority of interviewees stated that clear responsibilities for internal investigations have been established in their company. More than half had already carried out an investigation of this kind, and fewer than half of suspicious cases involving internal capacities were used for the investigation. In most cases, external consultants were called in. However, only 6% of interviewees stated that they were comprehensively prepared for a company crisis and believed that there is plenty of room for improvement.

Comment

The survey confirms observations in practice. Admittedly, compliance has arrived in major companies, but a lot remains to be done. This is true particularly in terms of professionalising compliance management, preparing for crisis cases and sustainably sensitising employees to create a real compliance environment.

For further information on this topic please contact Florian Block or Tobias Teicke at CMS Hasche Sigle by telephone (+49 89 23807 264) or email (florian.block@cms-hs.com or tobias.teicke@cms-hs.com). The CMS Hasche Sigle website can be accessed at www.cms-hs.com.

This article was first published by the International Law Office, a premium online legal update service for major companies and law firms worldwide. Register for a free subscription.