A frequent experience in our customer projects is that our medium-sized customers react to the topic of compliance with the critical question: “And who is going to do that?” Of course, a medium-sized company does not have the same resources as a group of companies, where a compliance department with several members deals with the topic. Nevertheless, the same legal framework conditions apply to SMEs and to group companies.
Multiple crises, international interdependencies, challenging political developments: the risks for companies tend to increase. The business world is becoming more difficult to assess, more dynamic and more complex. Compliance has become an important basis for SMEs to safeguard the company, protect it from potential risks and thus create a foundation for long-term success. Good compliance protects the company in the best possible way and indicates emerging crises and problems at an early stage. For effective implementation of compliance management, it is particularly important in medium-sized companies to use resources wisely and to sensitise everyone in the company to the issue. All too often, compliance is still perceived as a secondary task, and the risks that actually exist are massively underestimated.
Compliance with laws, internal guidelines and ethical standards ensures that employees in the company behave in accordance with the rules and that corporate values are lived. In this way, compliance can reduce liability risks for the executive board, the management and the possibly existing supervisory board, protect the company’s own assets, secure access to sales markets and avoid damage to its reputation.
However, compliance is not only a legal obligation, but also a fundamental prerequisite for the trust of customers, investors and society as a whole.
An essential and long-term benefit of successful compliance is an increase in reputation and strong customer loyalty.
“We know our guys!” Do we? Recognising and avoiding risks in good time
A mistake made out of ignorance or carelessness, or even deliberate damage to the company: the range of reasons for compliance violations is immense, and many companies are familiar with such situations, even if they rarely talk about them. In companies where a compliance violation occurs, it is often not an isolated incident. Violations occur where compliance is not lived and consequently a stable compliance culture and structural integrity are lacking. This can have serious consequences for a company.
Every company faces its own set of potential dangers and therefore its own relevant challenges.
But how can these risks be addressed? They are manifold and occur in very different areas depending on the business model. Examples include:
- Dangers of white-collar crime such as money laundering, corruption or the granting and acceptance of undue advantages
- Labour law risks, for example in occupational health and safety, the recording of working hours, or equal treatment issues, discrimination and harassment at the workplace
- Requirements under the Whistleblower Protection Act, such as the duty of confidentiality or independent investigations
- Environmental and sustainability requirements, such as waste management, nature conservation or sustainability reporting
- Corporate due diligence to avoid human rights violations in supply chains and compliance with standards or supply chain transparency
- Inaccurate bookkeeping resulting in incorrect financial statements and tax returns
Of course, the focus varies from company to company: for a mechanical engineering company, different compliance issues are relevant than for a service company. A company can minimise its compliance risks by analysing its potential dangers and establishing preventive measures. Compliance risks, rules and measures are systematised through compliance management. Compliance management aims to ensure that all laws, regulations and ethical standards relevant to the company are adhered to. To develop a suitable compliance management system, the first step is a structural analysis. Here we look together with the management: Where in the company do we risk violating regulations? How are we organised to protect the assets of the company? How should we assess these risks in terms of probability of occurrence and damage potential? Once specific compliance risks have been identified and assessed for the respective corporate divisions, suitable measures can be found. The compliance risks form the basis for effectively aligning the compliance measures in the company and for implementing risk management. For this purpose, a solid compliance basis is developed in line with certification standards.
Appropriate and transparent: The CMS in SMEs
A compliance management system (CMS) is anchored in the company in order to protect the company, its management and the acting persons from criminal or civil liability, and to reduce or ideally avoid the risks of financial losses or damage to the company’s image. There is no explicit legal requirement in Germany on what a compliance management system must look like. This is decided by the management. That decision is a discretionary one (business judgement rule), in which the individual risks and the goals of the company must be taken into account. Various national and international standards for compliance management systems are therefore recommended as orientation. According to the IDW auditing standard PS 980, a CMS should have seven basic elements: compliance culture, compliance objectives, compliance risks, compliance programme, compliance organisation, compliance communication, and compliance monitoring and improvement.
With ISO 37301, a certifiable management system standard was developed, which THE MAK`ED TEAM often takes as a basis when developing a compliance management system. ISO 37301 contains the requirements a company must meet to establish, implement and maintain an effective CMS. Following the plan-do-check-act cycle, the main points include:
- Plan: Compliance risks are systematically identified, assessed and managed; roles and responsibilities are defined.
- Implement: The management level ensures that the CMS is implemented in the company with sufficient resources and support. It creates awareness of the issue through appropriate communication and training and manages the compliance measures.
- Check: Internal controls, monitoring and evaluation verify the effectiveness of the CMS.
- Act: Compliance management is continuously improved, and compliance cases are dealt with.
We develop the compliance management system systematically in four steps
- Define the target picture: In the first step, the current situation in the company is outlined and the target image of the CMS is agreed with the executive board and, if applicable, the supervisory board. The requirements for this are derived from the company’s business model and value chain.
- Draw up a roadmap: The analysis of the existing compliance management, the structural analysis and the identification of legal requirements and other regulations form the basis.
- Develop a concept: In this step, various methods are selected for the implementation and monitoring of processes as well as for the monitoring and control of risks.
- Implementation: In this step, the organisation of the compliance structures is adapted. Processes are adjusted, training and education are carried out, and the monitoring of effectiveness is established.
The mere existence of compliance rules and measures is not enough to implement effective compliance in a company. Compliance must be lived. This requires a living compliance culture.
Which way does the wind blow in the company? The compliance culture
A compliance culture looks different in every company. As with compliance management as a whole, many individual factors play a role, such as size, industry, corporate strategy, cultural and economic contexts or location. There are many possible levers for building a lively, long-term and resilient compliance culture.
What is the value system in the company? What is the prevailing “spirit”? Which convictions exist, are lived and exemplified? The role model function of the company management has a great influence on the compliance culture. How seriously are rules taken? Does management turn a blind eye to unfair business practices in favour of a strong competitive position? Or is even a lucrative contract consistently rejected if the potential client does not meet ethical standards? The “tone from the top” has an enormous influence on the compliance culture. Management should demonstrate integrity and responsibility at all levels and actively and visibly model the standards of conduct it expects from the workforce. Consequently, it should be made clear that non-compliant behaviour will not be tolerated and that compliant behaviour will be rewarded, for example when it comes to promotions.
Transparent and clear communication plays a major role in conveying corporate values, compliance-relevant rules and principles of conduct. Topics such as ethics and integrity have the desired effect when they are not only dealt with in a legal context but are communicated as credible corporate values. Content that is communicated with practical examples is memorable. A whistleblower system should allow employees to report observed problems, compliance risks, misconduct or grievances within the company easily and anonymously. Today, an authentic compliance culture is no longer a “nice to have”, but a prerequisite for a functioning compliance management system.
THE MAK`ED TEAM defines, with the right sense of proportion, how compliance management can be effectively implemented in your company. Our compliance experts know how to strike a balance between the fulfilment of obligations and a positive corporate culture in medium-sized companies. We support medium-sized companies in the successful development and implementation of a compliance management system that fulfils all company-specific requirements appropriately and pragmatically.