3 May 2023

Compliance basics: discovering risks and strengthening trust

Dr. Thomas Wülfing (photo: Jan Northoff) and Dr. Benjamin Knebel

How can you ensure that laws and regulations are actually implemented in a company? In complex systems, this question is not easy to answer. Compliance tries to answer it with three catchwords: Prevent, Detect, Respond. By setting up a neutral complaints system, misconduct should, first, be detected; second, the actors should be motivated to comply with the rules; and third, procedurally transparent sanctions should be defined.

Compliance on everyone's lips

Currently, four major legislative proposals of the Federal Government are dealing with compliance:

a. The first is the General Data Protection Regulation (DSGVO), which now regulates uniformly throughout Europe how personal data is to be handled. To ensure that it does not remain merely a stated objective, measures are necessary that identify risks and promote implementation.

b. The same applies to the Supply Chain Due Diligence Act (LkSG), according to which German companies are liable for human rights and environmental violations by their suppliers. Here, too, the detection of risks and a whistleblower system are indispensable.

c. Within the framework of the Money Laundering Act (GwG), due diligence obligations in dealing with risk countries and suspicious transactions are tightened. Not only actors directly involved in transactions are obligated, but also lawyers, tax advisors and auditors, among others. The reference to due diligence and the associated assessment of risks is nothing other than a compliance mechanism.

d. Finally, the Whistleblower Protection Act (HinSchG), coming in 2023, makes it explicit once again that establishing an anonymous "grievance box" can and should contribute effectively to uncovering breaches of rules in companies. It serves to implement the EU Whistleblower Directive.

What is risk analysis (due diligence)?

Risk analysis is a recurring process that requires continuous development. Recurring means that the analysis is not one-off and static; instead, a structured approach is initiated according to previously defined objectives. More than a one-time analysis is required because the risks and the initial conditions change continuously. What is needed is, therefore:

  • First, a normative framework, i.e. a clear picture of the assets worth protecting.
  • Second, identification of the risks in the specific areas that threaten the defined norms.
  • Third, assessment of the identified risks according to how severe or irreparable the damage could be, how likely it is to occur, how close to the core area it could occur, who the affected parties are, and how much influence can be exerted.

For the risk analysis, it is first necessary to get a clear picture of one's own business and its business partners, and second to define values (Code of Conduct).

Code of Conduct (CoC)

The Code of Conduct or Mission Statement is the target or, in a sense, the drawer in which one searches for possible risks. The Supply Chain Due Diligence Act illustrates this clearly. The law sets out to prevent human rights violations and environmental pollution. This does not remain abstract but is filled out concretely: child labour, forced labour, discrimination, violations of freedom of expression and political rights, violence and interference with physical integrity are to be avoided; the waste of energy should be reduced, etc.

Within this value framework, risks can now be sought specifically. For example, if a company wants to produce a peanut bar, the risks could be summarised as follows:

- First, it is clear that peanuts are an agricultural product produced in warm countries such as Iran or the USA.

- Second, it is clear that peanuts require much water, and pesticides may be used.

- In agriculture, there could also be risks for employees. In Iran, there could be risks of exploitation of Pakistani refugees.

- There could be risks in low wages and a lack of protective clothing.

Concrete fields of action can thus be identified from an abstract values framework.

Complaining: whistleblower system

Once risks, and thus fields of action, have been defined, it is a matter of preventing damage (prevent), detecting grievances (detect) and eliminating them (respond). An essential instrument for prevention and remedy can be a whistleblower system. An anonymous "complaint box" should ensure transparency and enable those affected, or informants, to complain effectively. As a result, such a mechanism should, on the one hand, ensure that grievances are discovered and proactively addressed.

On the other hand, managers could also benefit from this check and balance by strengthening confidence in their competence. In addition to traditional complaint mechanisms such as a hotline or a contact form on a website, a neutral and/or external ombudsperson, an arbitration board, or a compliance officer could also help to achieve the goals set by the management.

Contact

Dr. Thomas Wülfing, Partner, Specialist Lawyer for Commercial and Corporate Law

wuelfing@clayston.com

Dr. Benjamin Knebel, Associate Lawyer

knebel@clayston.com
