Compliance: Observing legal requirements in enterprises
Sound compliance supports the observation of legislation and rules in business. According to a survey by LexisNexis (in German only), 86 percent of Austrian enterprises covered currently use compliance management systems (CMSs).
But what does compliance actually mean? Why do you need it? Who benefits from it? How does a compliance management system work? And: What do standards have to do with all that?
Austrian Standards offers a broad range of products and solutions in the field of compliance: from current standards to independendent certification (in German only) and on to comprehensive trainings (in German only). Therefore, we have asked the compliance experts Martin Eckel (Taylor Wessing) and Kristof Wabl (PwC) to clarify a few key questions for you.
What does compliance mean? What does compliance stand for?
Simply put, "compliance" stands for the observance of rules and legislation.
In concrete terms, this means that organizations and their employees have to observe applicable legislation – for example, antitrust law – as well as internal rules with regard to ethical standards (for example, respectful conduct at work). By means of compliance management, enterprises can make sure that both the top management as well as employees follow those rules. Hence, compliance is a tool for ensuring law-abiding behaviour and high ethical standards in enterprises.
Relevant literature on Compliance is available in the Webshop of Austrian Standards.
Here you can find relevant standards collections, literature and quick infos!
Why do you need Compliance Management?
Compliance management serves to control various risks, such as corruption and data protection as well as risks related to violations of antitrust and labour law. Under the Austrian Corporate Criminal Liability Act (Verbandsverantwortlichkeitsgesetz) a company is held liable for acts of its employees unless it has taken compliance measures. Thus, compliance serves to avoid fines, claims for damages or other legal consequences. In addition, enterprises try to strenghten their reputation by their compliant, ethical conduct in order to attract customers.
In practice, there are usually two legal reasons why compliance management is needed:
- to ensure that employees act lawfully.
- to make sure that – in case of non-compliance – enterprises are not punished or at least that compliance management is considered as a mitigating factor.
When compliance management systems are introduced, the focus is on defining clear rules and a framework providing guidance within the enterprise. In this process, an important issue is to create continuous attention and awareness of compliance. Much of this should be a matter of course, but still turns out to be difficult and complex during implementation.
Who is concerned by Compliance?
Actually, compliance concerns everybody. In all companies – even in the smallest ones – violations of rules may occur. Whether it makes sense to implement a comprehensive compliance management system (CMS) depends on several factors, for example:
- economic sector
- potential risk
- company size
- corporate culture
- probability of non-compliance
In practice, most of the companies using professional compliance systems are active in industry, banking/finance and insurance as well as in the public sector – according to a study by LexisNexis in 2021. These systems include preventive meausures, such as awareness raising, information and training of employees on the one hand, but also ensure that internal corporate processes are monitored, on the other hand.
Compliance Management SystemS
In a well-functioning compliance management system, small and big cogwheels intermesh optimally.
What is required for a well-functioning Compliance Management System (CMS)?
To function well, a compliance management system, first of all, needs an appropriate compliance culture within an enterprise. The required culture should be shaped at the top of the enterprise. Accordingly, the "tone from the top" is considered essential especially at the start the introduction of a CMS. The board and management have to demonstrate their sincere commitment to the implementation and use of the CMS. Compliance management, however, will only truly succeed if it is understood as forming part of the management tasks at each and every level of a company.
Then, a clear structure needs to be set up systematically: At the start of a CMS, a risk analysis has to be performed. It is to highlight the legal requirements that are of particular relevance to the enterprise. Along the dimensions of "likelihood of occurence" vs. "extent of loss", a matrix is drawn up that identifies the risks that need to be addressed by the enterprise (high likelihood of occurrence + high losses = urgent need for action).
The type of risks depend on the economic sector: For a paint producer, for example, environmental regulations will be more important than for an insurance company in risk assessment. The "classic" risks to be addressed in compliance management are the fields of corruption, antitrust law, money laundering (in German only) data protection, violation of maximum working hours and safety at work.
On the basis of this analysis, measures are developed, for example compliance guidelines are drawn up and employees are made aware of various issues in trainings. Success factors are the use of clear and simple language as well as regular awareness games and the inclusion of compliance targets in employee performance reviews. Subsequently, the measures are regularly checked – be it by external consultants and auditors or in internal audits (e.g. by means of online checklists). Building on these audits, the measures are adapted and revised. To function well, a CMS needs to be provided with appropriate financial and other resources – just like other projects.
Issues such the hiring of new employees, the establishment of a process for a whistleblowing system and the investigation of non-compliance cases are taken into account in a well-functioning CMS. Specific requirements for implementation are laid down, for instance in ISO 37301.
There are many myths surrounding the implementation of compliance management systems. However, it is a fact that compliance can give you a competitive edge, is also relevant for SMEs and is not just costly.
Three myths about the implementation of CMSs in practice
Compliance always slows down everything!
In general, regulatory developments cannot be stopped and compliance officers frequently are the first ones to draw attention to these developments. At any rate, the targeted empowerment of the compliance function can result in a competitive edge.
Compliance is not for SMEs but only for large corporations!
Compliance is relevant for all enterprises because each company is exposed to risks. The extent to which legal requirements and industry standards apply, of course, depends on the size of the organization, but this does not do away with the need for compliance.
Compliance is expensive!
"If you think compliance is expensive, try non-compliance." Nothing needs to be added to this statement of former US Deputy Attorney General Paul McNulty.
What are compliance guidelines?
Compliance guidelines summarize the essential dos and dont's that enterprises deal with in the context of compliance. They describe in a clear and comprehensible manner how employees have to act – for example, in dealing with customers and business partners.
These guidelines form part of the code of conduct. In approximately 10 to 15 chapters, they address the key compliance issues for a company. Examples of these issues may be:
- Respectful interaction with colleagues (non-discrimination)
- Ethical conduct
- Fight against fraud
- Business confidentiality
- Environmental responsibility
Example: Code of Conduct
While the Code of Conduct of a trading company may highlight that "Fair competition is of great importance to our enterprise," the compliance guidelines will address this issue in greater detail so that it can be applied in practice, for instance by means of the following statements:
- Price-fixing arrangements with competitors are forbidden.
- Exclusive territorial arrangements with competitors are forbidden.
- Contacts with the employees of competitors are permitted at exhibitions or events; however, business information must not be exchanged.
What is a Compliance Management System?
A compliance management system comprises all elements contributing to abidance by rules and legislation in an enterprise. In structural terms, a risk analysis is performed before a compliance management system is set up: This analysis identifies the legal requirements that are particularly relevant for the enterprise. If it produces paints – as in the example mentioned above –, environmental regulations will have more significance in the risk assessment than for an insurance company.
Based on the analysis, measures are drawn up, e.g. compliance guidelines are drafted and training is organized to raise the employees' awareness of various issues. Subsequentily, the measures introduced are checked regularly – by external consultants and auditors or by an internal audit service (using online checklists). In line with the results of those audits, the measures are adjusted and revised as appropriate.
Furthermore, adequate financial and other resources have to be provided for the CMS – in particular, under the new ISO 37301 (e.g. is there a compliance officer, are there regular e-learning programmes, etc.).
What is the benefit of this System?
The benefit of a compliance management system is that it establishes a framework providing guidance. The enterprise undertakes not only to observe certain rules, but also raises awareness of potential risks within the organization and gives clear instructions on how to proceed. Moreover, compliance mitigates penalites and can help reduce fines.
Example: Gifts given to exert improper influence
An employee of a company is offered a valuable gift by a business partner with the aim of influencing the recipient. If the company has a compliance management system, there is a clear reference value for the recipient prohibiting the acceptance of valuable gifts. Thereby, the employee is protected, given good arguments and does not get into an awkward position. Thus, compliance management systems do not only protectb the company, but also individuals.
Which problems arise in the context of compliance in practice?
There is a great variety of challenges faced by compliance officers in practice. "In all companies, the common denominator is the continuous change in compliance risks and increasing regulation. Constant change requires not only great flexibility and efficiency of systems, personnel and processes but also elevated diversity in handling different issues. Additionally, the digitization of processes and compliance activities is on the agenda," explains Mag. Martin Eckel, LL.M.
Kristof Wabl higlights the main task of compliance officers: "They have to present complex and difficult issues in a clear and simple way. If core messages do not come across to the employees, you can hardly speak of efficiency and compliance as they are not supported by all the stakeholders." External standards, such as certification according to ISO standards, can help here as comparability and measurability come to the fore. Even though there are more and more indicators measuring the performance of enterprises, compliance still has to catch up in this respect.
Compliance frequently still faces problems in practice, such as:
- Acceptance by employees: Compliance must be the established practice at all hierarchical levels. Otherwise employees will not adopt new behaviours improving compliance.
- Bad habits: Certain sectors, ranging from the automotive industry to ski rentals, still engage in price fixing.
- Change: "We've always done it like that" – compliance also has to do with change management.
- Recognizing its relevance: Especially for small and medium-sized enterprises, non-compliance may threaten their survival. A fine running into millions can be devastating for an SME.
- Disadvantages for first movers: Being the first company of an industry that establishes a compliance management system makes life more difficult at first. Competitors without compliance management may gain an advantage in the short term but in the long term, a compliance management system guarantees success in the international business world.
- Awareness: The biggest challenge is to maintain a high level of attention for compliance within an organization. Therefore, compliance trainings should be practice-oriented and gripping. A hint: It is worth using short, succinct messages or captivating presentation concepts (e.g. compliance cartoons).
What is the legal basis of Compliance?
The legal basis of compliance derives from the compliance risks identified for the organization. Anti-corruption and antitrust law, data protection, cyber-security, money laundering, respect of maximum working hours and safety at work frequently are among the relevant subjects. Building on them, compliance management puts a special focus on certain laws and regulations.
Example – New legislation, Whistleblower Directive
The Whistleblower Directive provides that all enterprises with 50 employees or more have to set up an internal reporting channel by the end of 2021. In the context of the EU Directive on the protection of persons who report breaches of Union law, the question is who should receive such reports? This shows that compliance has to proceed prudently. There is not just a single blueprint that can be applied to all companies. A listed corporation will implement the Whistleblower Directive not in the same way as a small craft business.
What is a Plan-Do-Check-Act cycle? What is a Deming circle or A deming wheel?
The plan-do-check-act (PDCA) cycle is a method developed by the physicist Walter Shewhart and actually comes from quality management. "Deming circle" is another term for the PDCA cycle. Both terms describe an iterative approach: First comes planning, followed by the implementation of measures, then the measures are checked and finally, actions are taken. The PDCA cycle is well-established in quality management, but it is also used in compliance management.
Example – PDCA cycle and GDPR:
The compliance officer checks which legal provisions are of particular relevance for the company (Plan) and, in the risk analysis, draws the conclusion that data protection breaches involve a high risk. Appropriate measures are taken (Do), e.g. compliance guidelines are drawn up and the employees' awareness is raised through training. The situation and measures are reviewed regularly (Check): In 2018, the likelihood of data protection breaches was as high as today, but the maximum fine was EUR 25,000 (in Austria) in 2018, whereas nowadays the fine amounts to up to 4 percent of total revenues so that potential losses are higher. In the PDCA cycle, the compliance officer adjusts the compliance measures to this legal development (Act).
Standards & Compliance Management Systems
Two key ISO standards take compliance management systems to the next level.
What do standards have to do with compliance?
A lot. The essential requirements for compliance are, of course, laid down by legislation and legal frameworks. However, standards lay the foundation for setting up a compliance management system in an enterprise.
There are two key ISO standards that focus on compliance management systems:
- ISO 37301 deals with compliance management systems in general.
- ISO 37001 is more specialized and describes the structure of an anti-bribery management system. Hence, ISO 37001 is particularly important for enterprises in frequent contact with puglic authorities and agencies because the corruption risk is considered to be particularly high in this case.
In addition, the draft of ISO 37002 on whistleblowing management systems is to be considered. ISO 37301 and ISO 37001 also provide that it has to be possible to report misconduct in enterprises and organizations.
Compliance requirements, such as transparency and trust, are increasingly required for sustained participation in markets in international business. With a view to a globalized market, enterprises want and have to bring their compliance management system in line with internationally recognized standards as far as possible.
Martin Eckel (Taylor Wessing) and Kristof Wabl (PwC) are not only recognized compliance experts, but also contribute to steadily making compliance more professional in enterprises by giving lectures and serving as auditors with Austrian Standards.
Certification of Compliance Management Systems
Certification of compliance management systems under ISO 37301 and/or ISO 37001 is a smart move.
How does Certification work (certification process)?
Austrian Standards offers enterprises to have their compliance management system certified under the international standards ISO 37301 "Compliance Management Systems" (in German only) and ISO 37001 "Anti-Bribery Management Systems" (in German only).
Step by step, towards certification:
- Define the scope of your CMS
- Level 1 audit – verification of certification readiness
- Level 2 audit – on-site/remote certification audit
- Issueing of the certificate – valid for 3 years
- Surveillance audits after 12 and 24 months
- Re-certification after 3 years
Certification by Austrian Standards stands for high-level legal expertise, long-standing compliance experiences as well as neutrality and impartiality.
How do I benefit from certification?
The demand for the certification of compliance management systems has increased significantly.
A certificate according to ISO 37301 and/or ISO 37001 means that your enterprise has a lasting proof of the effectiveness of its compliance management system.
- Certification strengthens your position in competition.
- It is a third-party proof of the effectiveness of your compliance management system.
- It reduces the risk of criminal proceedings for your organization and its bodies.
- Certification protects and safeguards the reputation of your organization.
General information on compliance certification is accessible here (in German only).
What is the benefit of accreditation?
The selection of an accredited certification body offers advantages:
- Certification by an accredited body makes certificates comparable and recognized internationally.
- These certificates facilitate market access for enterprises and enjoy greater acceptance.
- They improve the trust of stakeholders.
Especially in crises, it is vital to take the right steps swiftly and carefully. In this respect, our certification body can provide even better support now. Since 26 June 2020 Austrian Standards has been officially accredited for ISO 37001 "Anti-bribery management systems". Thus, our customers can obtain an internationally recognized certificate for their anti-bribery management system. This offers not only advantages in competition at home and abroad, but also facilitates participation in calls for tender.
What should I bear in Mind when selecting a certification body?
When selecting a certification body you should check whether it is accredited. This raises both objectivity and the credibility of your management system.
Furthermore, you should pay attention to the specialization of the certification body and the high competence of the auditors deployed.
Read here why Austrian Standards is a suitable partner for your certification.
Which elements form part of a Compliance Management System?
The elements of a compliance management system include:
- A compliance officer with clearly defined tasks.
- Involvement of stakeholders (stakeholder engagement).
- Compliance guidelines as guidance for employees.
- Regular, mandatory compliance training for employees.
- A whistleblowing system, for example as defined in ISO 37002 "Whistleblowing management systems – Guidelines".
- Improvement elements, monitoring and surveillance.
CERTIFIED BY AUSTRIAN STANDARDS
Always a step ahead of your competitors: Get a certificate for your enterprise.
You want to know more about certification in the field of compliance?
Click here to learn more about certification (in German only)!