Compliance in SMEs – recognising risks, responsibility and scope for action, part II


published on 22 October 2025 | reading time approx. 4 minutes


In the September issue of our newsletter, we provided an overview of the legal principles that companies need to consider when setting up and designing a compliance management system (“CMS”). In the second part of this article, we will now explain the practical implementation, in particular how potential compliance risks are identified, assessed and addressed. Identifying potential compliance risks is the basis for setting up a CMS.

The foundation of an effective compliance management system

When designing a CMS, it is advisable to follow generally accepted frameworks such as ISO 37301:2021 or other guidelines for designing a CMS (such as the standards and guidelines of the German Institute for Compliance, hereinafter "DICO"). Building on these frameworks, the Institute of Public Auditors in Germany (IDW) Auditing Standard 980 (revised version, 9/2022) outlines a CMS along the following elements:

Within the framework of compliance culture, the "tone at the top" and thus the basic attitude of management is defined as the perception of compliance throughout the company.

Compliance objectives are defined on the basis of relevant rules and corporate objectives and serve as a benchmark for risk assessment.

Compliance risks are identified, assessed and documented in a systematic risk analysis.

A compliance program based on this comprises general and specific measures for risk mitigation.

This program is run within a compliance organization with clearly defined roles and responsibilities.

Clear communication structures (compliance communication) enable the reporting of violations and promote transparency.

Finally, continuous monitoring and improvement ensure the effectiveness and regular adaptation of the CMS.

To ensure the effectiveness of a CMS, it is essential to adapt the system to the company's strategy as well as to its internal and external circumstances. Through a systematic analysis that also takes into account the business areas, structure and processes within the company, compliance risks can be appropriately assessed and prioritized. Only such a comprehensive analysis enables the establishment of an effective organization, effective risk management measures and communication tailored to the target audience. At the same time, the results of the analysis feed back into the objectives of the CMS and supplement them. In practice, this is ideally achieved through a structured analysis of the various areas of law, followed by the identification of specific risks.

Structured analysis and control

In the classic risk assessment process, risks applicable to the company are formulated within the framework of (vertical) risk identification using various methods.

This is followed by a risk assessment with regard to the probability of occurrence and the impact of the risk should it occur.

It is advisable to limit this approach to relevant areas of law:

In this (horizontal) analysis, a qualitative assessment is carried out on the basis of a detailed catalogue of legal areas. The assessment uses criteria such as relevance to the business model, the intensity of enforcement in the regulatory environment, potential financial damage and (criminal) legal relevance. Areas of law whose "aggregated score" from this analysis, i.e. their overall level of risk, exceeds a defined threshold are included as defined areas (e.g. corruption, money laundering, antitrust law) in the more in-depth vertical risk analysis. Concepts for this type of horizontal analysis are provided, for example, by DICO.

Ideally, this analysis should not be carried out "behind closed doors" by the compliance officer, but should involve the operational departments (e.g. purchasing, production, sales) and other "second line" functions such as the legal department. The exercise should also be repeated regularly and, on an ad hoc basis, in the event of significant legal or regulatory changes.

When specific risks within these defined areas are identified, assessed and assigned control measures, it is advisable to follow the general guidelines of the risk management system implemented in the company. In this way, overlap with other risk categories (e.g. risks covered by the legal department) can be avoided and consolidation with the rest of the company's risk portfolio facilitated.

For the practical management and documentation of risk-reducing measures, it is also advisable to record the measures taken in a risk control matrix. Such a matrix not only shows the causal relationship between risk and measure, but also records responsibilities, the intervals at which controls are performed and the manner in which they are to be documented. Here, too, it is advisable to follow the guidelines of the company's overarching internal control system. Ideally, this achieves integration of the three governance systems (CMS, risk management system and internal control system).

Conclusion

Part I of this article discussed the legal obligation of management to establish an effective CMS tailored to the company.

A CMS is more than just a set of rules – it is a control cockpit for legally compliant and responsible action. The structured inclusion and exclusion of relevant areas of law and associated risks provides a solid basis for the further development of the CMS.

The integration with existing management systems within the company, such as risk management or the internal control system, is not an academic exercise. It reflects the responsible and effective use of available resources.

This means that not only compliance officers and general counsels, but all relevant organizational units of the company are involved in the process of identifying, assessing and treating risks. If this process is carried out regularly, in response to relevant changes and with proper documentation, management has an up-to-date and easily verifiable picture of the risk situation at all times and can make informed decisions.

Contact


Prisca Nickolay

Senior Associate

+49 89 928780272


Benedikt Link

Consultant

Associate Partner

+49 89 928780 503
