Compliance in small and medium-sized companies – recognizing risks, responsibility, and scope for action, part I


published on 17 September 2025 | reading time approx. 4 minutes


In a business world that is, on the one hand, regulated and globally connected, but on the other hand, becoming more uncertain, the issue of compliance is gaining importance for small and medium-sized companies. These companies are increasingly confronted with complex legal requirements and rising expectations of responsible behavior – regardless of the size of the company. Small and medium-sized companies in particular face the challenge of implementing legal requirements, ethical standards, and industry-specific requirements efficiently and practically without losing their entrepreneurial flexibility. To ensure compliance with these requirements, it is advisable in practice to set up a compliance management system (“CMS”) that is specifically tailored to the risks of the respective company. This article provides an overview of the legal principles that companies need to consider when setting up and designing such a CMS (Part I) and gives an insight into its practical implementation, in particular the analysis of potential compliance risks, which forms the basis for an effective CMS (Part II).

Legal principles

The general duty of legality (allgemeine Legalitätspflicht) and the organizational responsibility (Organisationspflicht) of a company's management oblige the management to implement an effective CMS. The management has no discretion in deciding whether to establish a CMS.

The specific design of a CMS, however, is at the discretion of the company's management. The management must make a so-called forecast decision, i.e., it must assess which measures are appropriate to ensure the effectiveness of the compliance system, considering the individual risk situation and structure of the company. Within this discretionary scope, the management is required to carefully collect all relevant information and make an appropriate decision on this basis.

If this decision is properly prepared and made in the best interests of the company, the protection of the so-called business judgment rule applies. This rule protects the management from personal liability, provided that it does not violate legal obligations or the diligence of a conscientious manager.

However, this protection does not apply if the chosen compliance structure is clearly unsuitable. This is the case, for example, if a CMS exists only formally but is not actually implemented, or if it does not adequately address the specific risks of the company. In such cases, personal liability on the part of the management cannot be ruled out.

Objectives of a CMS

In addition to preventing legal violations and reputational damage, reducing this liability risk is one of the main objectives to be achieved by establishing a CMS. Especially in medium-sized companies, where decision-making processes are often shorter and structures leaner, a violation of legal requirements can quickly have serious consequences. An effective CMS is therefore not only a protective mechanism, but also a strategic tool for ensuring sustainable corporate governance.

In order for companies to effectively avoid violations, the management must be well informed about which legal requirements must be complied with. The legal requirements vary depending on the size of the company, industry, and business model, and must therefore be determined individually for each company. In addition, the requirements established by case law must also be considered. The courts emphasize in their judgments an obligation to actively manage compliance and, in the so-called Siemens/Neubürger judgment of the Munich Regional Court in 2013, the court confirmed the obligation for executive boards to set up a CMS, with damages payable in the event of non-compliance.

The role of the managing director

Since the obligation to establish a CMS applies not only to board members of a stock corporation but also to managing directors (e. g., of a GmbH), it is important that managing directors are aware of their specific role in the context of compliance. In companies with only one managing director, the responsibility lies with that managing director. In companies with several managing directors, however, the principle of joint responsibility (Gesamtverantwortung) applies. This means that all members of the management are jointly responsible, obliged and liable for fulfilling the compliance obligations. This responsibility results from the classification of compliance as part of the general management and organizational duty (allgemeine Leitungs- und Organisationspflicht) and applies regardless of the legal form of the company.

The joint responsibility of the management includes the three main areas of responsibility: the organization, monitoring, and control of the CMS. If there is a breach of duty in one of these areas, this can lead to personal liability on the part of the management. For managing directors, liability under Section 43 (2) GmbHG (German Limited Liability Companies Act) is particularly relevant, which is based on a culpable breach of duty that has caused damage to the company.

Exemption from liability through transfer of responsibility

In this context, the question arises as to whether a managing director can transfer his or her responsibility for compliance in its entirety to someone else and thereby even avoid possible liability.

Although it is not possible to transfer the responsibility for compliance completely to other managing directors or departments – the joint responsibility for compliance remains – a partial delegation of tasks within the compliance organization is permissible and, in larger companies, even necessary. A distinction is made between vertical and horizontal delegation. Vertical delegation refers to the transfer of tasks to subordinate, qualified departments such as the legal or compliance department. In this case, the management must ensure in particular that suitable persons are selected, properly trained, and equipped with the necessary resources and powers of intervention. A direct reporting line and the possibility of escalation to senior management are also of great importance here. Horizontal delegation, on the other hand, occurs when tasks are assigned to individual managing directors. They are then obliged to implement the compliance concept decided upon by the overall management and, if necessary, to specify it in more detail. However, the other managing directors remain obliged to monitor the implementation and to intervene in the event of evident breaches of duty.

Conclusion

Compliance in small and medium-sized companies is much more than just fulfilling formal requirements. In addition to the objective of preventing legal violations and minimizing liability risks, the establishment of a CMS serves in particular to protect the company's reputation and to establish responsible and sustainable corporate governance. The management holds a key role in this regard. On the one hand, it is legally obliged to establish an effective CMS tailored to the respective company and its risks; on the other hand, it has discretion regarding its specific design.

A fundamental basis for the implementation and design of a CMS is a thorough analysis of potential compliance risks. How this can be achieved in practice, particularly in medium-sized companies, will be examined in more detail in the second part of this article in the next issue of this newsletter.


CONTACT

Prisca Nickolay, Senior Associate, +49 89 928780272

Bei Li, Associate Partner, +86 21 6163 5307
