Legal and regulatory framework

Legal role

What legal role does corporate risk and compliance management play in your jurisdiction?

Corporate risk and compliance management is gaining ever more importance in Germany. The trend started in the late 1990s, when corruption of foreign officials became a criminal offence, fuelled by cases where the European Commission imposed massive antitrust fines and by the German Federal Court ruling that supervisory boards are obliged to assert and claim damage compensation from management board members if damage for the company results from an infringement of their duty of care.

Compliance management was believed to have reached its peak in Germany following the Siemens corruption scandal of 2006. In reality, as recent cases show, a peak has not yet been reached (see question 18). Nowadays, the main drivers are as follows. Firstly, financial industry regulation develops risk and compliance management concepts that are then also implemented in other industries and in the public sector. Secondly, the commitment of tax and law enforcement authorities, high-volume damage claims and civil and criminal court rulings give companies reason to introduce and improve corporate risk and compliance management systems.

Fines and claims for damages arising from violations of antitrust laws, capital market obligations or anti-corruption laws have caused losses of billions of euros in several cases. This has attracted the attention not only of investors and the media in Germany but also of large companies, and has led to the introduction of comprehensive risk management and compliance structures. Today, the trend towards introducing systematic corporate risk and compliance management systems is also extending into the German Mittelstand (medium-sized companies), particularly as the legal requirements are not predominantly differentiated according to company size.

It is important to note that corporate risk and compliance management is also of fundamental personal importance to management and supervisory board members and responsible employees, since they may personally be held liable - not only for violations of the laws (eg, anti-corruption legislation) but also for infringements of duty of care regarding proper risk and compliance management (eg, insufficient measures to prevent infringement of laws and failure to react when evidence for weaknesses in the systems arises). This in turn may result in damage claims, criminal prosecution and administrative fines against them.

Laws and regulations

Which laws and regulations specifically address corporate risk and compliance management?

The following legal provisions may be regarded as important rules addressing corporate risk and compliance management:

  • Each member of the board of directors of a stock corporation is subject to the duty of legality, according to which due care includes both personal compliance with laws and taking care of the company’s compliance with laws and internal directives (common understanding based on sections 76 and 93 German Stock Corporation Act). Managers of companies of other legal forms, for example, limited liability companies, are also legally responsible for ensuring that the represented company complies with laws.
  • Risk management is a specific duty for the management board of a stock corporation pursuant to section 91 paragraph 2 German Stock Corporation Act: the board must take appropriate measures - in particular, setting up a monitoring system so that developments that threaten the company’s existence are detected at an early stage.
  • Inadequate supervision by the board of directors or company owner to prevent legal violations by employees of the company can be punished with massive fines against both the responsible manager and the company (sections 30 and 130 German Act on Regulatory Offences).
  • Entities in the banking, financial services and insurance sectors are required to set up and maintain risk management and compliance functions in accordance with specific legal requirements.
  • The German Corporate Governance Code (DCGK) contains certain recommendations regarding compliance governance for listed companies (see question 8).

Apart from the financial industry for which specific legal requirements exist, corporate law deliberately leaves open the organisational measures necessary to fulfil the compliance obligation. Each individual company is left to decide on the concrete structure governing all its compliance processes and systems and, subject to due examination and preparation, this decision lies within the entrepreneurial discretion of the board of directors.

Standards and guidelines

Give details of the main standards and guidelines regarding risk and compliance management processes.

The Institute of Public Auditors in Germany has published an audit standard for voluntary audits of compliance systems (IDW PS 980). It serves as a non-governmental benchmark for examining compliance management processes and orients responsible persons regarding the proper structure of a compliance management system and its examination. An audit provides additional assurance as to the adequacy and effectiveness of the principles and measures introduced in the company for the purpose of preventively ensuring proper compliance with laws. At the same time, a corporate body documents that it has had the compliance system checked in accordance with its responsibilities.

One must note that the guidelines are non-binding and that the board of directors has rather broad discretion in weighing the specific risks of the entity it represents and in deciding how to address them.

Are undertakings domiciled or operating in your jurisdiction subject to risk and compliance governance obligations?

All undertakings

Generally, German law does not provide specific rules on risk and compliance governance. Most larger undertakings implement a risk and compliance structure that reflects adequate governance obligations; which rules are implemented, however, depends on the specific case. Subject to the individual situation, best practice comprises the following (see also question 9):

  • Typically, German companies have a management board and a separate supervisory board. Such a two-board structure is mandatory for a German stock corporation, and most European companies also provide a two-board structure. A limited liability company must have a supervisory board if it has more than 500 employees. It is advisable to design a risk and compliance management system in such a way that the heads of risk and compliance management have direct access to the supervisory board. This improves the effectiveness of such a system, in particular because it allows prompt and uninfluenced reporting to the supervisory board, namely, the persons that control the management.
  • The independence of the risk and compliance management system is also a decisive factor for a sound corporate compliance defence (see also question 17). This independence can be ensured, for example, by agreeing on longer employer-side notice periods with regard to the head of risk or compliance. Also, a fixed remuneration of the compliance officer, which is not dependent on the prosperity of the respective monitored area, contributes to the integrity of the system.
  • Finally, a compliance system must always be equipped with sufficient effective powers and resources to prevent violations. Examples include random and unannounced business process reviews, document controls, email checks (subject to data protection and privacy rules), or the introduction of regular reporting obligations to the supervisory board. Last but not least, monitoring by documenting the implementation of measures also plays an important role.

Stock-listed companies

German companies listed on the regulated stock market are subject to risk and compliance ‘governance’ obligations pursuant to the DCGK. Such listed companies are required to provide a declaration of (non-)conformity regarding their observance of the recommendations of the Code. If a recommendation is not applied, the company needs to disclose and explain this in the annual declaration of conformity (‘comply or explain’). The largest listed companies in Germany typically follow all recommendations, as they represent best practice. The Code states that compliance is a task of the management board and defines it as compliance with legal and internal provisions (section 4.1.3 DCGK). The Code further states that the management board should submit information on risk management and compliance to the supervisory board (section 3.4 DCGK). In addition, the Code recommends a regular exchange between the chairman of the supervisory board and the chairman of the board of directors on matters relating to risk assessment, risk management and compliance (section 5.2 DCGK), and that the supervisory board establishes an audit committee to supervise the effectiveness of the risk management and compliance systems (section 5.3.2 DCGK).

Regulated financial institutions

Financial institutions and other regulated undertakings in the financial industry are subject to specific risk and compliance governance obligations (see question 9, as regards regulated financial institutions).

What are the key risk and compliance management obligations of undertakings?

All undertakings

There is no standard set of obligations that must be implemented. Therefore, the implementation of a risk and compliance management system is a business decision of the board of directors. After due diligence, acting within the scope of a careful decision and without any conflict of interests, the board is free to decide on adequate measures without having to fear damage claims (‘business judgment rule’, section 93 German Stock Corporation Act). This general concept is also applicable to undertakings of other legal forms.

As a general practical approach, and subject to an individual analysis and a set of customised rules, a risk and compliance management system is typically characterised by three core attributes:

  • Assessment of the key risk areas in the company, addressing the risks through internal rules and fostering a culture of integrity - including the board of directors and the supervisory board (‘tone from the top’) as well as the employees - together with adequate training and counselling. Thus, systematic misbehaviour can be ruled out.
  • Immediate reaction by the responsible manager or board member or members as soon as there is evidence for individual misconduct or non-functioning of the systems; adequate reactions against lawbreakers and responsible supervisors.
  • Proportionality: the system must be appropriate for the particular company and its risks (ie, individually tailored in scope, breadth and depth of regulation). It must not lead to risk-aversion or excessive, inappropriate formality.

As regards certain types of risks, typically the following areas are being addressed (alphabetical list): anti-corruption, anti-money laundering, antitrust, capital market issuer obligations (eg, ad hoc notices), data protection, employment, environmental protection, IT, product safety, tax, third parties and work protection.

Regulated financial institutions

Financial institutions and other regulated undertakings in the financial industry are subject to detailed risk and compliance management obligations set forth by BaFin in the Circular MaRisk. Even though this framework is not legally binding, undertakings are de facto obliged to adopt its rules as key risk and compliance management obligations. Pursuant to MaRisk, each institution shall have a risk control function in place that is responsible for independently monitoring and reporting risks. The risk control function shall be segregated organisationally, up to and including the management board level, from the organisational units that are responsible for initiating or concluding transactions. In particular, the risk control function shall meet the following requirements:

  • support the management board in all risk policy issues, in deciding and implementing the risk strategy and evolving a risk limitation system;
  • carry out the risk inventory and draw up the overall risk profile;
  • support the management board in developing and improving the risk management and risk control processes;
  • develop and improve a system of risk ratios and a procedure for the early detection of risks;
  • monitor the institution’s risk situation and internal capital adequacy as well as compliance with the risk limits in place on an ongoing basis;
  • draw up the regular risk reports for the management board; and
  • assume responsibility for the processes for passing on material risk-related ad hoc information promptly to the management board, the responsible officers and, where applicable, the internal audit function.

Further key requirements are that the staff of the risk control function shall be granted independence and all necessary means to perform their tasks, and that the head of the risk control function shall be involved in important risk policy decisions of the management board. Certain powers and independence are thus required for the head of risk control.

In particular, the compliance function should meet the following requirements:

  • Each institution should have a compliance function in place in order to counteract the risks that may arise from non-compliance with legal rules and regulations. The compliance function should ensure the implementation of effective procedures for complying with the legal rules and regulations that are material to the institution, and of corresponding controls. The compliance function should additionally support and advise the management board with regard to complying with these legal rules and regulations.
  • The compliance function should regularly identify the material legal rules and regulations, non-compliance with which might jeopardise the institution’s assets, in the light of risk factors. The compliance function should be, in general, directly subordinate to and report to the management board. It may also be linked to other control units. It may also be assisted by other functions and units in the performance of its duties.
  • The institution shall appoint a compliance officer who is responsible for carrying out the compliance function tasks. Depending on the nature, scale, complexity and riskiness of the business activities, as well as on the institution’s size, the compliance officer may in exceptional cases be a member of the management board. Compliance function staff shall be granted sufficient powers and unrestricted access to all information needed to perform their tasks. They shall be notified of instructions and decisions of the management board that are material to the compliance function. The compliance function staff shall be notified in due time of material amendments of the rules that are intended to ensure compliance with the material legal rules and regulations. The compliance function shall report to the management board on its activities at least once a year and on an ad hoc basis. Such reports shall address the appropriateness and effectiveness of the rules that are intended to ensure compliance with the material legal rules and regulations. The reports shall also cover information on potential deficits and on remedial measures. In addition, these reports shall be passed on to the supervisory board and the internal audit function.

The supervisory board shall be notified if the compliance officer or the head of the risk control function is replaced.