Successful Compliance
In Switzerland, liability of a legal person only occurs if no natural person can be held accountable for the offence except for offences involving corruption, money laundering, or those committed by a criminal organisation.[12] In Germany, the Criminal Code applies only to individuals – not to companies. Companies can be held liable under civil law in accordance with the Administrative Offences Code (OWiG). Fines are limited to EUR 10 million. The confiscation of all economic benefits acquired by, for example, bribery is not subject to any limits.[13]
1.2.2 Responsibility of organisations at the national level
In Austria, the criminal liability for legal entities is governed by the Act on the Responsibility of Associations (VbVG), which entered into force on 1 January 2006[14] and is applicable to all intentional and unintentional criminal acts which are liable to result in criminal proceedings. Only recognised religious societies performing pastoral activities[15] and governmental institutions[16] are exempt from criminal liability. An offence must have been committed by a ‘decision-maker’ or by an employee, either to the benefit of the legal entity or in violation of an obligation that is applicable to the legal entity. The legal entity is, in principle, only liable for offences committed by its employees if the employee has acted wilfully or with gross negligence and if a decision-maker has, while disregarding due and reasonable care, enabled or substantially facilitated commission of the act through the omission of substantial technical, organisational or personnel measures designed to prevent such acts. The prosecution of the natural person who committed the offence is not a prerequisite for liability of legal entities. Fines are limited to a maximum total amount of EUR 1.8 million and are calculated according to daily rates, the amount of which depends on the income situation of the legal person. Compensation can also be imposed as an additional sanction.
1.2.3 Responsibility for compliance in Austria
In Austria – as in Germany – there is no set of regulations, mandatory for all organisations, governing or requiring the introduction of a compliance management system. In Austria, in accordance with § 18 WAG, only organisations that are subject to the Securities Supervision Act are obliged to introduce a compliance organisation.[17] The Austrian Code of Corporate Governance (compliance with which is voluntary) states that the board of directors (of listed companies) must take appropriate measures to ensure compliance with laws that are relevant to the company (ACCG, IV.15). The audit committee of the governing body must monitor the effectiveness of the internal control system and the risk management system (ACCG, V.40).[18]
Due diligence by a prudent, conscientious manager, as required in § 76 paragraph 1 AktG[19] and § 25 paragraph 1 GmbHG[20], contains an implicit duty to supervise and control compliance with laws. Pursuant to § 82 AktG and § 22 paragraph 1 GmbHG, the board of directors (company management) must ensure that, as well as a proper accounting system, an internal control system corresponding to the requirements of the company is in place. Similar obligations are derived from the Act on Cooperatives (§ 22(1) GenG).[21]
1.3 COMPLIANCE AS A TOOL OF STRATEGIC MANAGEMENT
A management system is understood as the totality of interacting elements (structures and processes) set up to allow an organisation to achieve its goals. As strategy in general is defined as any plan intended to implement the mission or vision of an organisation, management systems form part of strategic management.[22] The following chapter gives an overview of the development of management systems in general and of compliance management systems in particular, and enables the classification of a CMS in accordance with ISO 19600 in theory and practice.
1.3.1 Definition of management systems
A decisive factor for the current approach to system-oriented management, which also serves as the basis for ISO 19600, is the development of theory and practice in the USA and in Germany, which differ from one another in their approaches to the topic.
The history of business administration in Germany dates back to the founding of business colleges at the end of the 19th century in Germany, Austria and Switzerland. The systematisation of existing knowledge soon gained importance alongside the teaching of language skills and technological knowledge. In order to differentiate business administration from economics, the definition of its object of research is a subject that continues to be intensively discussed to the present day. Initially, the object of research focused mainly on trade activities. Over time, this was supplemented by research on manufacturing companies (industry) and on private households. In its early stages, the content of business administration focused on accounting and on questions surrounding the origination of costs and financing. These sub-areas were expanded to include the study of sales, production and organisational issues.[23] During the reconstruction period following the Second World War, attention focused on the short-term planning of financial flows. The 1960s saw the beginnings of long-term planning based on past results, with profit forecasts for periods lying further ahead in the future. The 1973 oil crisis and increasing global political instability made it clear that this approach was no longer sufficient. What was required was an analysis of the external context of the organisation in order to identify future risks and opportunities which could (potentially) influence the ability of an organisation to realise its goals. Thus, in order to complement business budgeting, the concept of strategic management, which had been developed primarily in the USA, increasingly came to be applied in Germany and in Europe as a whole.[24]
In the USA, the concept of strategic management can be traced back to Frederick Winslow Taylor (1856-1915) in the early 20th century. In contrast to German business administration, which established its own science of economics, Taylor – whose background was in engineering – was interested in developing a concept for actual management. Of primary importance in this were issues of enhancing production capacity (e.g. workplace design, remuneration systems) and not (yet) tasks associated with the overall running of a business. Management theory, still expounded mainly by practitioners such as business leaders and consultants, changed through the creation of rules and principles on cooperation and employee leadership. The introduction of findings from other fields such as mathematics, physics, sociology and technology and, ultimately, the rise of computers created a – still – practice-oriented systems theory of management.[25] Peter F. Drucker (1909-2005), who studied the company management and working methods of General Motors in 1943, is regarded as the founder and one of the most important exponents of this theory.[26] In his book “Concept of the Corporation”, Drucker describes the corporation as an institution (one of many in a society) set up for the purpose of organising human (inter)actions in order to achieve a business objective. A decisive factor in resolving the associated problems is company management and the company policy that it chooses, as well as the established procedures for implementing this policy.[27] Corporations (like all other organisations) cannot survive if they are dependent on one individual or a small number of persons. The establishment of a system that – based on values and principles – regulates the achievement of objectives requires interaction between managers and employees.
This regulation should not take the form of a rigid plan, but must be flexible enough to allow individual steps to be adjusted so that objectives can be achieved.[28] Growing awareness of the importance of external influences on a company’s possibilities and capabilities to achieve its goals led to the development of strategic management. The opportunities and risks arising from the business environment are analysed, as are the organisation’s own strengths and weaknesses. The results form the basis for the definition of goals and the development of a strategy for reaching them. Practical experience showed that the successful implementation of strategic measures requires their acceptance by the members of the organisation. From this point of view the so-called soft factors – such as structure and process organisation, human resources, corporate culture and the storage and dissemination of information – gained independent strategic importance.[29]
In summary, it should be noted that both approaches make a significant contribution to the development and management of organisations. System-oriented management theory deriving from practical experience provides the tools for the implementation and management of constantly changing requirements, while business administration contributes through a planning concept that provides a firm basis for a sound decision-making process.
Viewing organisations as systems reveals some features, grounded in reality, that apply to all organisations regardless of size, organisational form or task.[30] Firstly, when considering an organisation as a system – by analogy with biology or ecology – it is clear that all of its elements form an interactive structure and that an intervention in one place can have an impact elsewhere. Organisations must therefore be considered in their entirety. All system components (structures, processes, employees, customers, etc.) must be taken into consideration when enacting measures. Secondly, organisations are not static constructs, but dynamic systems characterised by (continuous) change. Changes are determined, on the one hand, by conditions within the organisation itself and caused, on the other, by external influences. It follows that organisations – as part of a network of economic, legal and social relations – are open systems. The final feature of a systemic consideration of organisations is their complexity.[31] This should not, however, be seen as an unavoidable evil, as it is precisely this large number of parameters that enables organisations to adapt to requirements in the first place and thus maintain their viability.
The task and role of management systems is to make complex systems manageable by coordinating the actions of (many) people towards a goal.[32] Management systems create a framework for the uniform, goal-oriented alignment of an organisation through the design of structures, rules and procedures and the continuous monitoring and improvement of all activities. A CMS in accordance with ISO 19600 follows from this approach. The allocation of tasks and responsibilities for an organisation’s compliance – as a structural element – is supported by the integration of compliance measures into existing procedures, processes, etc.
1.3.2 Compliance Management Systems
Management systems create a framework for the uniform, goal-oriented alignment of an organisation through the design of structures, rules and procedures and the continuous monitoring and improvement of all activities. As shown above, both national and international legal systems contain provisions under which organisations have an (implicit) duty to supervise and control their activities to ensure compliance with the law. With some exceptions, however, there are no regulations on how these governing and control measures are to be designed. In particular, there is no statutory regulation applicable to all organisations that requires the introduction of a compliance management system (CMS).
On an international level, compliance management systems were first developed in the financial sector to combat money laundering.[33] This is also the case in Austria. Organisations that are subject to the Securities Act are obliged, in accordance with § 18 of the Securities Supervision Act (WAG), to maintain a permanent compliance function charged with monitoring and regularly appraising the adequacy of prescribed procedures and with implementing measures to address any shortcomings. In the context of anti-corruption provisions, the standard for compliance management systems is set in the USA and the UK. In both countries, an adequate and effective compliance and ethics programme can affect prosecution, albeit to varying degrees.
The US Foreign Corrupt Practices Act (FCPA)[34] of 1977 was the world’s first anti-corruption law, introducing the concepts of corporate liability, liability for third parties and extraterritorial jurisdiction for corruption offences. The FCPA is increasingly being enforced with virtually global jurisdiction and is therefore highly relevant to all organisations whose activities have a connection to the United States. The US Department of Justice (DOJ)[35] and the US Securities and Exchange Commission (SEC)[36] are entrusted with enforcement and can take the adequacy of a compliance programme into account when sentencing.
The principle of corporate liability for corrupt conduct by members of the company management, by employees, agents or subsidiaries acting on behalf of a company was introduced in the UK by the UK Bribery Act of 2010.[37] The UK Bribery Act provides for similar global jurisdiction to that in the FCPA. However, in contrast to the FCPA, the UK Bribery Act gives organisations the possibility of protecting themselves from prosecution if they can prove that they have put appropriate measures in place within their organisation to prevent bribery.
Many recognised international institutions have published principles for anti-corruption compliance programmes and/or individual elements thereof. A good summary can be found in the “Anti-corruption Ethics and Compliance Handbook for Business” published in 2013 by the OECD in cooperation with the UNODC and the World Bank.[38] In this context, probably the oldest rules drawn up to combat corruption are those issued by the International Chamber of Commerce (ICC) in 1977[39] (currently published in their 5th edition, 2011). As the ICC maintains one of the most prestigious international courts of arbitration, these rules are of considerable importance to companies operating in international trade.
1.4 DISTINCTION BETWEEN CORPORATE GOVERNANCE – ICS – RMS – CMS
In the broader sense, corporate governance is understood as the totality of all circumstances that ensure proper business management that is aligned towards sustainable, long-term value creation in the interests of all stakeholders.[40] The following describes three institutions that are regarded as instruments for an efficient and effective governance structure: internal control system (ICS), risk management system (RMS) and compliance management system (CMS).
1.4.1 Corporate governance
The term “corporate governance” goes back to the time when the ownership of companies was separated from their management, giving rise to the need to protect the interests of investors against management acting in its own interest. As far back as the 18th century, Adam Smith extensively discussed the problem of how the division of labour might be guided and controlled in an increasingly large business. Managers can inflict financial damage on shareholders through, for example, insufficient effort in the search for business opportunities, the absence of necessary modernisation, the arrangement of high-risk transactions or poorly evaluated investments, or a lack of control over activities within the company. With the separation of the assets and control of the company from its ownership, it became necessary to set rules to ensure that the managers (agents) entrusted with running the company acted in the interests of the owners (principals).[41] This principal/agent problem[42] formed the basis for the initially narrow definition of corporate governance as a means of dividing responsibilities and roles between institutions in a company in order to ensure that the capital providers (= owners) receive the expected returns.[43]
A broader perspective of corporate governance evolved from the understanding that a business can be seen as a network of contracts, which internally shapes the company itself and externally regulates the relationship with shareholders.[44] The term is expanded in relation to several factors: first of all with regard to the participants, because the interests not only of owners and managers but also of a further group of people (= stakeholders) are taken into account. These include customers, employees, suppliers and external investors. Secondly, the main focus is no longer on financial damage caused to the owners, but on the protection of the rights and legitimate interests of all stakeholders. Corporate governance can thus be understood as a higher-level control framework, which regulates the exchange relationships within an organisation, on the one hand, and the exchange relationships with the organisation’s environment, on the other.[45] Due to the diversity of organisations there are, essentially, no uniform regulations on elements of organisational structure or process organisation. Governance structures must be adapted to the individual situation of the organisation in order to support the achievement of the organisation’s goals. A variety of institutions that are regarded as instruments of an efficient and effective governance structure, such as an internal control system (ICS), risk management system (RMS) and compliance management system (CMS), have evolved in practice, and subsequently in legislation.
1.4.2 Internal control system (ICS)
An ICS is defined as all principles, methods and measures introduced and agreed within an organisation that are used to secure the assets and the regularity, accuracy and reliability of internal and external reporting, as well as compliance with prescribed business policies.[46] In order to ensure the effectiveness and profitability of business, an ICS should cover all key business processes.
The term ICS goes back to a study published in 1992 by the Committee of Sponsoring Organisations of the Treadway Commission (COSO)[47]. The ‘internal control system’ described in this study helped to define corporate governance terms more precisely and back them with specific measures. In order to properly classify this approach, one must take into consideration the fact that the word ‘control’ denotes not only controls in the sense of checks, but also measures that have been put in place to achieve certain results. It is therefore advisable to consider an ICS as the whole formed by its two parts: an internal steering system and an internal monitoring system.[48]
COSO defines three objectives of an ICS: (i) the effectiveness and efficiency of business processes (operations), (ii) the reliability of financial reporting and (iii) compliance with applicable laws and regulations. The term ‘internal control’ is defined as the sum of all institutions that are required to ensure the achievement of these three categories of objectives (first dimension). Institutions are divided into five components: control environment, risk assessment, control activities (in the sense of management), information and communication, and monitoring (second dimension). The three categories of objectives and all five components are applied both at the corporate level and to all areas and/or activities of an organisation (third dimension). A graphic representation of the three dimensions is given in Figure 1. The components of the second dimension are explained in more detail below.[49]
FIGURE 1
COSO INTERNAL CONTROL – INTEGRATED FRAMEWORK[50]
Control environment – the control environment encompasses the basis of the organisation as expressed in the influences and values that govern behaviour, the structures that allocate and reflect responsibilities and the processes that govern the coordination of tasks. All these parameters must be designed so as to support the achievement of strategic objectives. The willingness to take risks as an element of the internal environment is expressed through both quantitative and qualitative objectives and restrictions and subsequently acts as a measurement parameter for acceptable risk in risk assessment.
Risk assessment – identified risks are evaluated by determining the probability of their occurrence and the potential extent of damage caused. Control measures are taken to address residual risks following the application of risk transfer measures (e.g. insurance).
Control measures – regulations, guidelines and procedures (such as separation of duties, spot checks, etc.) are implemented to ensure proper business operation, proper accounting and observance of rules (compliance) that are relevant to the organisation.
Information and communication – knowledge of all essential process steps allows employees to carry out their responsibilities and to contribute to the efficient management of operations, proper accounting and compliance with all (statutory) requirements.
Monitoring – all measures taken must be monitored regularly and, if necessary, improved. The functioning and adequacy of the ICS must be audited by an independent body.
1.4.3 Risk management system (RMS)[51]
As part of an ICS and the second instrument of an efficient and effective governance structure, risk management aims to identify opportunities and risks at an early stage and to assess how they may affect the achievement of corporate objectives (from the point of view of strategy, operations, accounting and compliance). These findings support decision-making for future-oriented planning and are incorporated into risk management.
Event identification – all internal and external events are to be identified that affect the achievement of an organisation’s objectives. These influences can be of both a positive (opportunity) and negative (risk) nature.
Risk assessment – identified potential risks are consolidated in a risk catalogue and analysed and evaluated according to their probability of occurrence and their impact. Risks are then prioritised based on the results of such evaluation in order to develop targeted measures to manage them.
Risk management – risks can be avoided by refraining from a business activity. In all other cases, measures must be put in place to reduce risk, either by controls or by transfer (e.g. insurance).
1.4.4 Compliance management system (CMS)
The third instrument of an efficient and effective governance structure, a compliance management system, is designed to ensure compliance with statutory, regulatory or voluntary obligations in the conduct of business. The non-observance of compliance obligations is to be prevented by taking appropriate measures. Violations must be identified in time and actions taken to rectify the situation. Improvements and adjustments to the CMS prevent repetitions of violations and restore the organisation’s compliance in relation to the performance of its activities.
In conclusion, it should be noted that ICS, RMS and CMS are instruments for the effective and efficient management of organisations. They are not isolated from one another, nor should they be considered as such. A CMS supports the management of compliance risks, thus making it a part of the RMS. Which obligations a CMS and its measures must ensure compliance with is determined by the risk assessment of those compliance obligations. Risk management principles thus form part of an effective CMS. Ensuring compliance – as an organisational goal – is in turn a core element of an ICS. The appropriateness of the ICS results from its alignment with the overall risk situation of an organisation, thereby completing the circle between ICS, RMS and CMS.