In order to identify compliance risks and subsequently address them, they must be assigned to the company’s divisions. To do this, a risk matrix should be created with the company’s corresponding risk areas. This is an iterative process.
Compliance risk definition
Compliance risks are risks arising from illegal or dishonest acts or omissions. They can lead to penalties, fines or other government sanctions, risks to life and limb, increased reputational risk or a significant risk to assets.
The cause is the intentional or negligent violation of laws, standards or even voluntary agreements. Examples include bribery, antitrust violations, embezzlement and data protection mishaps. This applies not only to large companies, but equally to medium-sized businesses. In 2020, the Federal Criminal Police Office (BKA) conducted a second edition of its 2017 study on the topic of “internal perpetrators in companies”. It showed that “the entire breadth of company-damaging offenses” is committed by “internal perpetrators”. However, the BKA also warns against “unconscious” perpetrator behavior when maintaining social contacts.
The risk analysis forms the basis for preventive measures to minimize identified compliance risks. For the analysis, it makes sense to survey employees and freelancers, in particular those with practical experience, e.g. in technology, IT or customer service. They know best what mistakes can happen in everyday business and what consequences they have. It is also best to ask employees what suggestions they have for improvement and to offer a reward for ideas that can be implemented.
Knowledge of laws as well as mandatory and voluntary standards is required to assess and classify risks. When doing business abroad, the law in the countries concerned must be taken into account. Such analyses are also particularly important in the case of company successions, acquisitions or mergers. It is not only necessary to analyze technical risks, but also legal ones.
According to the Pluspedia definition, a compliance matrix is literally translated as a compliance table. It can be used to check the extent to which specified criteria are met. Compliance aspects should never be considered in isolation, but should be integrated into the matrix for the company and its existing operating processes. As a suitable solution, experts recommend linking governance, the internal control system and the risk and compliance management systems, in terms of information and methodology as well as processes and organization.
Another option is to set up a risk-control matrix (RKM) that describes the objectives for ongoing processes and their control and takes into account the main risks. The matrix should list who is responsible for each area and which external control body verifies that the objectives have been achieved. The latter can then also add the results of its controls to the table.
Compliance is always the responsibility of management. Management must be a positive role model and, in cooperation with all departmental managers, draw up guidelines with practical instructions for risk management and issue instructions against intentional or negligent behavior that leads to misconduct.
In larger operations, it makes sense to establish a dedicated compliance department. This department must cooperate with all other departments and assign their tasks to them, as well as implement appropriate suggestions for improvement from employees. The tasks include at least the following important components:
- Regular information and training of employees about criminal practices
- An effective internal control system
- Regular accounting audits, preferably always by external consultants
- Dual-signature arrangements (two persons must sign) and an independent control authority
- Never have invoicing and accounting done by one person, but separate the two functions
- Regular analysis of vulnerable areas
- Contact point or platform for whistleblowers
Various organizations publish a code as a basis for legally compliant conduct; the following are important for Germany.
German Corporate Governance Code (DCGK): This sets out essential legal regulations for the management and supervision of German listed companies and contains internationally and nationally recognized standards of responsible corporate governance in the form of recommendations and suggestions.