Regulatory compliance

Compliance, i.e. adherence to rules (including regulatory compliance), is the business term for conformity with laws and regulations in business, and also with voluntary codes. The set of principles and measures a company puts in place to comply with particular rules, and thereby to avoid rule violations within the company, is called a compliance management system (IDW PS 980, para. 6).

Definition

The German Corporate Governance Code (the Code) defines compliance as the observance of statutory requirements and internal company policies, for which the management board is responsible.

"The term compliance denotes adherence to laws and regulatory standards and the fulfilment of other essential ethical standards and requirements, usually set by the company itself."

For credit institutions, the term "compliance" is often used in a narrower sense for the special provisions of the German Securities Trading Act.

Requirements for compliance

The need for legal compliance on the part of companies follows from the principle that laws must be observed, including by legal persons. Under §§ 9, 30 and 130 of the German Administrative Offences Act (OWiG), companies and their managers are required to ensure that no violations of law are committed within the company. If appropriate organizational and supervisory measures are not taken, the management and the company may be fined when violations of law have been committed from within the company. If, for example, an employee of the company commits a criminal act of corruption, the company faces not only civil claims from the business partner whose employees were bribed; it must also expect that administrative offence proceedings will be initiated against the company or its management for failing to meet its organizational and supervisory duties. In addition, a variety of statutory provisions impose direct duties and responsibilities on the company, which it must fulfil, and non-compliance can expose the company to severe penalties (e.g. for antitrust violations). A duty to ensure compliance therefore also follows from §§ 91 and 93 of the German Stock Corporation Act (AktG) and § 43 of the Limited Liability Companies Act (GmbHG), as a means of preventing economic damage to the company.

Ensuring compliance

Non-compliance with rules can lead to corporate penalties, fines, disgorgement of profits or forfeiture of the gains generated by the violation of law. These direct losses are compounded by additional external and internal costs of proceedings, damages claims and the reversal of transactions.

In a study of economic crime, every second company surveyed had been affected within an observation period of two years. Including a high number of unreported cases, the total loss from discovered infringements is estimated at more than 6 billion euros annually. Under the internationally recognized COSO risk management framework, compliance is defined as one of the three areas of enterprise risk management.

The entirety of the principles and measures established in a company to ensure compliance is referred to by the Institute of Public Auditors in Germany (IDW) in its Auditing Standard IDW PS 980 as a compliance management system (CMS). For the design of such a CMS, the IDW points to generally accepted frameworks (e.g. COSO ERM). On the basis of various frameworks, the IDW has identified seven basic elements of a CMS in its standard:

  • Compliance culture
  • Compliance objectives
  • Compliance risks
  • Compliance program
  • Compliance organization
  • Compliance communication and information
  • Compliance monitoring and improvement

These elements provide the structure by which a CMS can be organized and described.

The purpose of a CMS is to provide reasonable assurance that risks of material rule violations are detected early and that such violations are prevented. Since even an appropriate CMS can never prevent all violations, it must also ensure that any violations that do occur are promptly identified and communicated within the company so that appropriate responses can be taken.

Compliance Culture

The compliance culture comprises the fundamental attitudes and behaviours conveyed by management ("tone at the top"). It is meant to communicate to all employees, as well as to the company's customers and suppliers, the importance the company attaches to compliance with rules, and thereby to increase all participants' willingness to behave in conformity with the rules. The compliance culture is frequently described as the foundation of the CMS. In many cases it is set down in specific guidelines or codes of conduct (e.g. a "mission statement" or "code of conduct") and published on the company's intranet or website.

An effective compliance culture, however, requires more than such "official" communications: above all, the principles must be reflected in the actual behaviour and demeanour of the company's leaders at all levels of management. Values can only be credibly conveyed when those who proclaim them visibly live by them themselves.

Specific rules, for example on avoiding corruption and cartel agreements, on observing data protection and equal treatment regulations, or on product safety and occupational health and safety, are sometimes regarded as part of the compliance culture, but properly belong to the specific compliance program. The same applies to control structures such as hotlines (whistleblowing hotlines), set up in-house or through external contacts, through which violations can be reported.

Objectives

Minimizing risk and increasing efficiency and effectiveness are the primary goals of compliance. The figure illustrates in this context the economic effects of the strategic use of compliance measures. Of interest is the finding that in 50 percent of the objectives, a reference to identity management is evident.

Compliance processes

To carry out compliance activities, specific processes must be established. These are so-called meta-processes, i.e. compliance processes that support and provide risk-based control of the company's primary business processes. The following significant compliance processes can be distinguished.

  • Risk analysis processes: these sub-processes serve to identify threats and hazards in the context of the company's value-creating activities.
  • Variance analysis processes: such processes are triggered when the realized actual value of an activity or sequence of activities lies outside the defined tolerance range around the target value.
  • Processes for handling exceptional situations: the focus here is the (potential) occurrence of serious events of great critical relevance to the company. It is important to be prepared for such cases with pre-structured target processes for investigation and harm reduction.
  • Escalation processes: the subject of escalation processes is the resolution of existing, and the prevention of anticipated, non-compliance situations. The goal of these processes is to escalate critical activities, i.e. to make them transparent and bring them before a responsible authority in time for the required decisions to be taken.

Certification of compliance management systems

On 30 March 2011, TÜV Rheinland published the "Standard for Compliance Management Systems" (TR CMS 101:2011). The standard is aimed at organizations such as companies, government agencies and non-governmental organizations (NGOs) and describes the elements that make up a functioning and effective compliance management system. It sets out the verifiable measures that must be taken to systematically establish, maintain, monitor and continuously improve a compliance organization, with the aim of meeting all relevant compliance requirements. The standard TR CMS 101:2011 thus also serves as a benchmark for the certification of an existing compliance management system. It does not prescribe specific structures or functions for fulfilling compliance, but only requires a systematic approach and the implementation of certain (minimum) elements. According to the standard, compliance management systems need not be uniform in design but can take into account the particular characteristics of the organization, such as size, structure, activities, products and specific risks. Organizations thus have a high degree of flexibility in implementing their compliance management systems.

Comparable to the standards for quality management systems (ISO 9001:2008) or for risk management systems (ONR 49001:2004), the standard TR CMS 101:2011 contains statements on defining compliance responsibilities, providing resources, conducting audits and the need for continuous improvement. In addition, it lists the specific features that an effective compliance management system, independent of individual persons, must have. In the interest of a holistic view of compliance, the standard also addresses the aspects of "organizational culture" and "communication".

The standard TR CMS 101:2011 is divided into the following eight chapters:

Scope: The standard TR CMS 101:2011 is applicable nationally and internationally to all organizations.

Objectives of the compliance management system: According to the standard, the objective of every compliance management system is to systematically create the conditions within the organization under which breaches of compliance requirements are avoided or made significantly more difficult, and violations that do occur can be detected and dealt with.

Terms: Chapter 3 contains definitions of important compliance terms used in the standard TR CMS 101:2011.

Compliance management system: In order to meet the requirements of the standard, an organization must establish a systematic compliance organization, i.e. introduce, document, implement and maintain a compliance management system. The following measures are necessary:

  • the required processes are defined,
  • the availability of the necessary resources and information is ensured, and
  • the processes are monitored, measured and analysed.

It is important to document the compliance management system itself and its components, such as audit results and corrective actions, in order to ensure that the system can be maintained and operated independently of individual persons. The handling of this documentation, for example releases, updates, distribution and retention obligations, must be defined.

Responsibility of management: In line with the statutory organizational and supervisory duties, a focus of the standard is the special responsibility of management for establishing, maintaining, evaluating and continuously improving the compliance management system. It is management's responsibility to define internal responsibilities and authorities and to appoint a compliance officer. The standard does not specify at which management level this officer is to be placed, nor does it require the creation of a separate new compliance unit. However, the compliance officer must be able to perform the compliance duties independently; conflicts of interest inherent in the simultaneous assignment of other tasks must be excluded. In addition, the compliance officer should have a direct reporting line to management. Management is responsible for conveying to employees the importance of the compliance requirements and of fulfilling them. Specifically, management is required to commit to creating a compliance culture and to express its expectation that the compliance requirements are observed in practice. As part of its oversight responsibilities, management itself conducts regular assessments of the compliance management system. It also ensures that its information and reporting obligations towards the internal supervisory bodies are met.

Management of resources: Chapter 6 sets out the requirements for identifying and providing the resources needed for an effective compliance management system. Training needs must be determined systematically and the required training provided. The effectiveness of the measures taken must be assessed regularly.

Compliance processes and implementation: In Chapter 7, "Compliance processes and implementation", the standard TR CMS 101:2011 addresses the organization's specific compliance issues. It calls for systematic risk analysis (so-called "compliance risk assessments"). The applicable compliance rules must be systematically identified, analysed, documented, kept up to date and communicated to the persons concerned. Procedures should be designed so that compliance requirements can be easily met. Conflicts of interest must be identified and, wherever possible, organizationally excluded. All compliance-relevant incidents must be documented.

System monitoring, analysis and improvement: Like other management system standards, the standard TR CMS 101:2011 emphasizes the importance of continuous system monitoring and analysis as the basis for a continuous improvement process. Defined processes for monitoring, analysing and improving the system are required. The standard explicitly mentions internal audits based on a planned audit program, monitoring measures and the obligation to implement the findings with the aim of improving the system.

Because of its cross-organizational and systematic approach, the standard TR CMS 101:2011 makes it possible for an organization's compliance management system to be certified by an independent third party. Certification typically takes place in two stages:

  • Stage 1 of the certification audit establishes whether the system is ready for certification. It checks whether the basic conditions for certification are met, i.e. whether the compliance management system and its elements are documented (so-called "audit documents"), whether a compliance officer has been appointed and whether management has carried out system evaluations.
  • Stage 2 of the certification audit reviews all elements of the compliance management system on a sampling basis. The auditors then prepare a report on the audit. If the finding is positive, the certification body of the certifier issues the certificate on the auditors' recommendation. The certificate is valid for three years, during which annual surveillance audits take place.

As part of an optional pre-audit, readiness for certification can be tested in advance. Upstream "compliance self-assessments", which the organization can carry out itself, are also often recommended; TÜV Rheinland offers some of these under the name "Compliance Care".

Independent verification of the suitability, adequacy and effective implementation of compliance management systems

After several months of consultation within the profession and intensive discussions with compliance officers in companies as well as lawyers and academics, the Institute of Public Auditors in Germany (IDW) released a draft auditing standard in early 2010 to govern the proper conduct of audits of compliance management systems, and opened it for general discussion. Comments and suggestions submitted during the comment period by companies and other interested parties were taken into account by the IDW in the publication of the final standard on 11 March 2011. The standard defines, from the professional perspective of German auditors, the requirements that must be met in accepting, planning and performing such audits. In addition, the standard for the first time defines general structural requirements for a CMS without prescribing specific measures or processes. The audit assesses whether:

  • the statements in the CMS description about the principles and measures of the CMS are adequately presented in all material respects,
  • the principles and measures presented are, in accordance with the CMS principles applied, suitable to identify with reasonable assurance the risks of material violations of the relevant rules in the defined sub-areas and to prevent such violations, and were actually implemented,
  • and were effective during the audit period.