Compliance Management System: Tips & guidance

Rule-compliant behaviour is an important pillar for every company. Compliance means that companies abide by laws and self-imposed rules in order to avoid legal violations, liability and image damage. It therefore impacts all areas of the organisation.

The compliance management system comprises all measures, structures and processes that a company or an organisation establishes to ensure compliance with the rules and law.

In Germany, for example, the The Deutscher Corporate Governance Kode (German Corporate Governance Code) only provides very general guidelines for the design of a compliance management system. By contrast, there are already more detailed recommendations in other countries about the elements such a system should include. For example, the recommendations of the US Department of Justice (DOJ) – and the explanations in the U.S. Foreign Corrupt Practices Act can be used as guidelines. The British Bribery Act also defines the key principles for successful compliance.

The most important elements of a compliance management system include:

Compliance-risk analysis:

This is the starting point for every compliance programme. Risks are recorded and analysed here in order to build a compliance programme explicitly tailored to the company on the basis of the results.

Compliance programme:

An interplay of tools and processes that ensure your company adheres to rules and laws. It covers compliance with external regulations (laws and guidelines) as well as internal standards and directives. Digital tools can be used to detect violations and identify risks. Processes are also defined in the compliance programme for the internal and external handling of violations. Several foundations must be laid for the compliance programme:

Compliance culture and communication:

Ensure that integrity is an integral part of the company culture. In this way, corporate ethics and legal requirements are not empty items on a checklist, but rather compliance culture in action. Set an example for the entire company from the top down (“Tone from the Top”) and make sure that everyone from the executive to the technical specialist understands why a compliance programme is important.

Compliance guidelines:

If you have not already done so, define internal guidelines that provide your employees with instructions about behaviour in the workplace. This will also make the voluntary commitments the company is imposing on itself transparent to employees. The instructions can vary depending on the business sector, but the most important include a code of conduct, a data protection policy, requirements for health and safety at work, the regulation of working hours, absences and holidays, guidelines on equal opportunities and the use of social media.

Compliance objectives:

Clearly define the purpose of the compliance programme and what it should cover. This not only serves for open and transparent internal communication that contributes to the culture of compliance. In the event of a breach, it can also help the authorities examine whether a company’s compliance programme is sufficient and this can result in a mitigating effect on any punishment.

Compliance organisation:

Define personnel responsibilities. The overall responsibility for compliance lies with the management. However, it is advisable to set up a compliance department reporting to a compliance officer. The department needs the necessary resources (budget, staff, training, software and tools) to ensure the establishment of compliance throughout the company.

Compliance business partner audits:

It is not only internally that a risk analysis must be carried out – compliance and liability risks can also arise for your company through business partners. Therefore, also check business relationships and define guidelines for cooperation based on the results.

Compliance monitoring and improvement:

To ensure the success of the compliance programme, you should regularly review and improve it. This is because new national and international guidelines or internal requirements may necessitate additional review processes. Overall, it is advisable to regularly check the system for weaknesses or overlooked risks. Monitoring and auditing are made easier by:

• A compliance training concept: Conduct regular employee training sessions tailored to the target group. In many areas, e-learning is sufficient, in which, for example, rules for gifts and invitations are explained. For sensitive areas such as sales or finance, as well as for managers, it is worthwhile having department-specific training and classroom training. This should be refreshed regularly.
• The introduction of a whistleblower protection system: Set up a tip system for employees in which they can point out grievances. Anonymous reporting functions increase the chances of receiving valuable reports. Even though the EU Whistleblowing Directive and its implementation into national law has been delayed in many EU member states, it makes whistleblower protection systems mandatory for companies with 250 or more employees. Companies with 50 to 249 employees have a transition period up to 2023.
• Use a compliance management tool: Software facilitates your compliance management by bundling all important workflows on a digital platform – from the whistleblower system to the approval manager where gifts and invitations are given the green light.

When introducing a compliance management system, it helps to keep a few basic rules in mind:

• Clarify fundamental questions: Find out whether you need a compliance management system from a legal point of view, what content it should cover and how it should be designed. It is also of course important to ensure it will function properly.
• Clearly define the field of activity: Compliance officers cannot simply take over or replace certain aspects of the legal department. Therefore, areas of responsibility have to be clearly defined while reporting lines should be implemented to make your compliance management transparent and understandable.
• Basic awareness instead of paragraph riding: It is not the task of employees to know every single legal paragraph. Formulate the guidelines concisely and comprehensibly enough to create basic awareness of compliance.
• Process integration: Embed compliance processes into your business processes – for example, by noting requirements for accepting gifts and invitations on the forms used for this purpose. Integrate the compliance department as a point of contact that can provide information on compliance issues.
• Regular exchange: Good compliance management is not only the result of constantly issuing new guidelines, but also of an exchange with employees about training, everyday processes, etc. This will give you an insight into whether the rules are being observed. It also provides information on whether compliance is accepted in the company and how specifications or guidelines affect practical implementation. Exchanges with industry organisations and legal experts can also help your company to define practical tips and best practices.
• Leverage internal resources: When designing and rolling out compliance measures, it helps to exchange ideas with internal departments. Your communication experts help with the right approach to employees (with guidelines, for example), IT establishes the technical framework for e-learning training, the legal department reviews critical issues. Do not forget to involve the organisation’s works council.
• Transparency and documentation: Transparent handling of critical issues or violations quickly takes away from their explosive nature. Combined with comprehensive documentation, you also protect your company in the event that audits are carried out after a violation.
• Measure effects: Short, regular surveys among employees give you a picture of the acceptance of your compliance measures. In this way, you can measure effects and improve or fine-tune aspects of the programme if necessary.

To make the work of compliance officers and compliance departments easier, software that bundles processes in a central location helps. Whether compliance software is worthwhile for a company depends above all on the respective individual compliance requirements. Different industries have regulations of varying complexity, and these have the potential to change frequently depending on the sector in question.

The more complex the compliance requirements in an industry, the more worthwhile software becomes. This is particularly true when ensuring compliance within a company threatens to distract from the core business. Trustworthiness can also be increased with the help of compliance software because banks or business partners may make their commitment dependent on the existence of a compliance structure.

Depending on how many areas need to be covered, only individual modules can be used instead of an entire compliance management system. It is important that the individual applications can be flexibly adapted to the company’s needs. A team of qualified consultants at the software provider helps with integration and operation – but above all – tools and software should be intuitive for employees to use.

With the help of a digital platform, employees in the compliance department can create reports and lists without much effort in order to regularly check compliance work, carry out risk analyses and adjust the programme where necessary.

A digital compliance management system ensures complete and audit-proof documentation of all information, guidelines and documents. In this way, the company’s compliance work becomes transparent and traceable – an important circumstance in the event that a violation does occur and compliance measures are audited by the authorities. In addition, the audit-proof documentation protects against recourse claims.