Preventing legal violations through targeted compliance rules

In its "Siemens/Neubürger" decision at the end of 2013, the Regional Court of Munich I (case no. 5 HKO 1387/10) made various statements on the compliance obligations of the Management Board of a stock corporation.

As part of its duty of legality, the management must ensure that the company is organized and supervised in such a way that no violations of the law occur, for example bribery payments. The management only fulfils this obligation if it ensures that the company has a compliance organization that is geared towards loss prevention and risk control. If this is not done, the management puts itself at considerable risk of liability.

Section 91 of the German Stock Corporation Act (AktG) requires stock corporations to set up a compliance management system (CMS). There is no provision corresponding to Section 91 AktG for GmbHs. Depending on the size, complexity and corporate structure, however, the due diligence standard of this provision can also be applied to GmbHs.

For the company management, the question therefore arises as to how legally compliant action can be ensured through a compliance organization. The requirements for a company-specific compliance program depend on the size, type and risk susceptibility of the individual business transactions. ISO 19600, for example, can be used to set up a compliance system. This is a standard for the establishment of compliance management systems. It was developed to provide internationally uniform guidelines for designing a CMS.

The aim of setting up a compliance organization is to prevent legal violations or infringements by employees due to ignorance of the legal framework. A CMS should cover the following topics:

Compliance culture

Agreement on basic values within the company. Clear message from the top of the company ("tone from the top").

Compliance goals

Definition of objectives to be achieved with the compliance system.

Compliance risks

The risks, i.e. the possible violations that could lead to a failure to meet compliance targets, must be identified.

Compliance program

Principles and measures for limiting compliance risks and for behavior in the event of identified violations.

Compliance organization

Definition of cases and responsibilities; structural and procedural organization.

Compliance communication

Employees and, where applicable, third parties are informed about the compliance program and their roles and responsibilities. The communication channels within the company for reporting risks and violations are defined. External communication includes communication to the public and media, but also behavior towards business partners (e.g. suppliers).

Compliance monitoring and improvement

As this is a "living system", the appropriateness and effectiveness of the compliance system must be monitored on an ongoing basis. Weaknesses and deficiencies must be eliminated. The compliance system must be continuously developed. The introduction of a CMS is therefore not a one-off event but a continuous process.

Dr. Bastian Koch