New: Revision of the German Corporate Governance Code – Increased demands on Compliance Management Systems

The Government Commission German Corporate Governance Code decided on amendments to the Code that address Compliance Management Systems for the first time, as follows: Establishment of a CMS | Disclosure of the main features of the CMS | Establishment of a whistle-blower system for employees and third parties

On February 7, 2017, the Government Commission German Corporate Governance Code (the “Commission”) decided on several modifications of the Code (hereinafter “GCGC” or the “Code”). For the first time, the Code explicitly requires the establishment of a Compliance Management System (CMS) and amends Section 4.1.3 GCGC significantly by recommending:

•  Establishment of a CMS
•  Disclosure of the main features of the CMS
•  Establishment of a whistle-blower system for employees and third parties

 

1. Establishment of a CMS

Even prior to the revision, Section 4.1.3 sentence 1 GCGC referred to the responsibility of the Executive Board to ensure compliance with statutory regulations and company guidelines. This shows that the Commission undoubtedly recognizes compliance duties resulting from the principle of legality (“Legalitätsprinzip”).

The new Section 4.1.3 sentence 2 GCGC now provides that the Executive Board shall take appropriate measures based on the risk situation of the company (Compliance Management System) and shall disclose the main features of such system.

The wording “shall” shows that the establishment of a CMS is not required by law but is merely a recommendation by the Commission. However, under the “Comply-or-Explain” principle of Section 161 subsection 1 sentence 1 AktG, companies must explain any deviation from a recommendation of the Commission and publish that explanation on the company’s website (Section 161 subsection 2 AktG). This explanation requirement might lead to a “de facto” obligation to implement a CMS, as it can be expected that management boards will not want to explain why they have decided not to comply with the CMS recommendation.

It remains unclear whether the recommendation comprises the whole group of companies (“Konzern”). However, in view of the wording of Section 4.1.3 sentence 1 GCGC that refers to the whole group of companies, this may be assumed when reading both sentences together.

2. Structure of the CMS

With respect to the structure of the CMS, the Code remains vague: the CMS should be appropriate and based on the company’s legal risks. This abstract approach is in accordance with the common view that there is no “one-size-fits-all” CMS. Rather, every CMS must be preceded by a detailed risk assessment. Such a risk assessment is a precondition for identifying “red flags” (especially legal risks) and subsequently addressing and controlling them by means of tailored compliance measures.

3. Disclosure of the main features of the CMS

Furthermore, the Code stipulates that the main features of the CMS shall be disclosed. In this regard, the Code intentionally leaves the choice of media to the Executive Board. Disclosure on the company’s website or in the Corporate Governance Report (according to subsection 3.10 GCGC) are two of the conceivable options.

4. Establishment of a whistle-blower system for employees

Section 4.1.3 sentence 3 GCGC stipulates the establishment of a whistle-blower system:

“Employees shall be granted the opportunity to report statutory violations in a secure and proper way; also third parties should be granted such reporting opportunity.”

This provision includes, for the first time, the recommendation to set up a protected information system (whistle-blower system) for employees. Most companies already have a more or less substantial CMS. However, numerous companies have so far forgone the establishment of a whistle-blower system (also known as a “Whistleblower Hotline”), as it has further data protection, labor law and organizational implications (e.g. IT infrastructure). Moreover, anonymous hints need to be investigated, which in turn entails further effort. Even though the recommendation for a whistle-blower system may be very surprising for some, it is worth its weight in gold, because only a living compliance organization (which might include, inter alia, a whistle-blower system) can result in avoidance of liability (note: monetary fines due to compliance violations are in most cases based on Sections 30, 130 OWiG or Section 81 GWB).

5. Establishment of a whistle-blower system for third parties

Furthermore, the Commission suggests the establishment of a whistle-blower system for third parties. According to the Code’s expectation, third parties should also be granted the opportunity to report irregular practices or suspected cases. As this is only a suggestion (“should”), there is no need to execute a compliance or non-conformance statement according to Section 161 subsection 1 AktG if such system is not introduced.

6. Implications on Corporate Compliance Practice

The Code is considered a commitment to good corporate governance and primarily addresses German listed companies and companies with access to capital markets according to Section 161 subsection 1 sentence 2 AktG. However, practice shows that the Code’s guidelines and their implementation have created market standards for other legal entities as well. The development of market standards can also be expected for the implementation, content and range of influence of a CMS.

We are pleased to provide you with more detailed information on the implications of the Code’s revision and to assist you in case of questions concerning your own CMS.
