The German Corporate Governance Code presents essential regulations for the management and supervision of German listed companies. It contains, in the form of recommendations and suggestions, standards for good and responsible Corporate Governance. With regard to Corporate Compliance, in Section 4.1.3 the Code stipulates: "The management board ensures that all provisions of law and the company's internal policies are complied with, and endeavours to achieve their compliance by the group entities (compliance). It shall also institute appropriate measures reflecting the company's risk situation and disclose the main features of those measures. Employees shall be given the opportunity to report, in a protected manner, suspected breaches of the law within the company, third parties should also be given this opportunity."
In a keynote speech at the German Institute for Compliance in summer 2016, Rolf Raum, presiding judge of the first criminal senate of the German Federal Supreme Court, summarised the requirements for an adequate Compliance Management System (CMS). First, pursuant to the principle 'tone from the top', the organisation's general ethical climate should be established by its senior management and be felt by the employees as a result. Creating such an environment by having a 'tone at the top' helps prevent fraud and other unethical practices. Second, a whistleblowing system or ombudsman is an indispensable component of a CMS. Finally, it is important that misconduct and noncompliance be penalised.
As best practice guidelines, "The Ethics & Compliance Initiative" (ECI) issued a Report "Measuring the Impact of Ethics and Compliance Programs" (ECI Report). The report lists the following objectives for companies to strive towards:
- Leaders are expected and incentivized to personally act with integrity.
- Values and standards are clearly communicated.
- Leaders create an environment where employees are empowered to raise concerns.
- All employees are expected to act in line with company values and are held accountable if they do not.
- Employees are provided guidance and support for handling key risk areas.
- Disciplinary action is consistently taken against violators.
- Investigations are objective, consistent and fair to all parties.
- The organization provides broad and varied avenues for reporting.
- The organization appropriately discloses wrongdoing with authorities.
- Key risk areas are identified through a robust assessment process.
In the landmark Siemens/Neubürger judgement, the District Court Munich addressed in detail the requirements for a compliant organization, as well as the related obligations of the management board. The management board's responsibility in the event of suspected compliance cases coming to light can be described as a 'threefold obligation'. First, the obligation to clarify the case (detect). Second, the obligation to put an end to unlawful behaviour. Third, the obligation to impose appropriate sanctions in response to violations that have been discovered.
In Germany, executive and supervisory board members oftentimes appoint law firms as outside counsel to conduct internal investigations as part of the overall Compliance Management System (CMS) once there is reasonable suspicion of corporate or individual misconduct. The wide repertoire of an internal investigation covers document review, email screening, interrogation of employees, the implementation of an amnesty programme, etc. Subsequent to the investigation, the executive board takes care of optimising the CMS so that similar noncompliance events are prevented in the future.
Audit reports from certified public accountants review the appropriateness and efficiency of the CMS. In Germany, such CMS audits are conducted on the basis of the standard IDW 980 issued by the Institute of Public Auditors (IDW). On the basis of this standard, the auditor reviews the CMS to establish: (i) if it is suitable to detect significant noncompliance events; and (ii) if it can prevent such noncompliant conduct from occurring (assessment of appropriateness), as well as if the CMS has been effective over the course of a specified period of time (effectiveness review). Particular fields of compliance covered by the audit report are the subject of the auditor's engagement letter (e.g. anti-bribery, cartel or anti-money laundering (AML) compliance). In addition, the geographical country scope of the audit needs to be defined. So far, mainly listed companies and large private corporations in Germany have appointed auditors to review their CMS.
Executive board members and supervisory board members can become targets of recourse litigation by the company for an insufficient CMS leading to financial losses due to administrative penalties and costly internal investigations. The German Federal Supreme Court assesses the adequacy of a CMS on a case-by-case basis (ex-ante approach), and adherence to the IDW or ISO standards is not necessarily a 'carte blanche' for executive board members' defence in litigation. However, the observance of the IDW standard can contribute significantly to defence, in particular with regard to the required documentation.
© Copyright 2019. The Mayer Brown Practices. All rights reserved.