What is compliance?
The term compliance originates from the business and legal “adherence to rules” of companies in order to comply with laws, guidelines and voluntary codes. Principles and measures to avoid breaches of rules is referred to by the Government Commission “German Corporate Governance Code (DCGK)” as a compliance management system and describes the responsibility of management or the Executive Board to comply with legal provisions and internal company guidelines.
“The term compliance stands for adherence to legal requirements, regulatory standards and fulfillment of other essential ethical standards and requirements, usually set by the company itself.”
– Eberhard Krügler
The diversity of meanings in relation to compliance.
Compliance thus understands all measures and processes for adherence to all legal framework conditions. The following regulations are involved in detail.
- Legal framework
- Contractual framework
Compliance with legal regulations by companies is based on paragraphs 9, 30 and 130 of the Law on Administrative Offenses OWiG, according to which laws must also be complied with by legal entities and companies must ensure that no violations of the law occur. If organizational and supervisory measures are not taken, the company management and also the company itself can be sentenced to penalties. The sanctioning according to §§ 130, 30 OWiG is not necessarily limited to the individual company and can also be directed against group companies, although the punishable violation takes place in the sphere of the subsidiary.
A large number of statutory provisions govern direct duties and responsibilities of the company, non-compliance with which may subject the company to penalties. An obligation to ensure compliance with the rules also arises from §§ 91, 93 AktG – as well as § 43 GmbHG to avert economic damage to the company. Any non-compliance with the rules can lead to corporate penalties, fines, profit skimming or the forfeiture of the profit generated by the breach of the law. These direct losses are compounded by additional external and internal costs of litigation, damage claims and reversals. Legal compliance is mandatory to ensure the survival and continued existence of any business.
In addition to the legal framework conditions, all rights and obligations defined by contracts also fall under the compliance term. In particular, the contractual obligations arising from software licenses often entail unimagined complexity. In large companies, this results in an unmanageable diversity of IT systems across different business units and business areas, which cannot be easily monitored and controlled centrally. Responsibility for compliance with these contractual obligations is not clearly delineated in most companies.
For comprehensive compliance management, companies need specialist or product-specific, legal and licensing core competencies, which would ideally have to be brought together in one person, one department or one competence team. In addition, it would have to be defined what powers such an authority should have. This question is essential for the organizational structure of a control mechanism.
Contractual rules include:
- Industry-specific standards and process regulations
- Contractual SLA
- Product and service specifications
- Operating agreements
General standards and industry-specific standards.
Everyone knows ISO 9001, which is valid across all industries. For most companies, this standard represents the minimum requirements of the compliance management system in order to be perceived as a trustworthy supplier on the market. In addition, there are industry-specific variations, which specify or selectively tighten the requirements on the company for the introduction, maintenance, control and documentation of the specific processes. In simple terms, this means that all certified companies undertake to introduce a structured quality and process management system.
These standards serve as the lowest common denominator to ensure fair competition between market participants and to track compliance risk management. In addition, a minimum standard is defined for product, service and process quality, which also extends to documentation obligations. Compliance management systems form the basis for a successful market presence and are therefore a basic requirement for successful companies.
A list of all current, industry-specific regulations and standards can be found here:
To comply with these rules and standards, it is advantageous to have compliance management software that both documents the process in detail and defines responsibilities and regulates measures for remedying and avoiding deficiencies and deviations. The following points are required to achieve and ensure sustainable ISO compliance:
- Clearly structured responsibilities and competencies
- Catalogs of measures
- A documentation solution
- A sophisticated process management
- Quality culture among all process participants down to store floor level
Product and Service Specifications (SLA).
Product specifications are contractual service descriptions and are therefore also subject to the umbrella term of compliance. The customer has contractual claims to delivery of the services defined in the product or service description. In this paragraph, we therefore talk primarily about quality management, quality assurance and process quality. How can quality be measured and how can consistent and stable product quality be achieved?
Each individual work step can be specified by a detailed work instruction and each product, subproduct or component can be tested and accepted against the given specifications. The secret to success here lies in a smart and efficient quality management system that is geared towards optimum usability on the store floor. The corresponding tooling should be able to be integrated seamlessly into the workflows and, if possible, should not generate any additional work for testing and documentation. The inclusion of all stakeholders in the overall process represents a decisive added value here, since ultimately information and accountability processes must also be integrated in the course of documentation as part of quality management.
In the end, the person responsible for quality is usually not directly involved in the production process, which is precisely why it should be ensured that data-based insights into every single process step are possible. At the same time, such data-based insights enable a continuous improvement process (CIP) and higher customer satisfaction and contribute to a true quality culture in the long term.
Operating agreements & ethical codes of conduct.
In the context of co-determination, works agreements and, if applicable, a code of conduct drawn up by the company are also among the regulations affected by compliance. Works agreements generally contain agreements that have been negotiated by the works council and management and are binding for all or some of the employees. These agreements often cover topics such as time recording, overtime regulations, breaks, special payments or voluntary additional benefits. The works council or the employee him/herself is responsible for monitoring compliance with the regulations. It is not uncommon that only the management or specific departments, such as the HR department, have insight into the actual processes and data.
A very exciting aspect around compliance is license agreements, which are a basic building block of any software solution. License agreements include:
- The scope of use of the software (how many users are allowed to use the software)
- The rights of use (who is the owner, processor and user of the data)
- The function of the solution (purpose and functionality of the solution)
- 3rd party usage rights (to what extent interface connections are feasible)
Other contractual agreements (e.g. cooperations, partnerships, etc.)
Many companies work closely with partner companies or cooperation partners to make the most of sales potential or to increase the reach of products and services. Corresponding contracts primarily regulate responsibility, data sovereignty, remuneration and are usually supplemented by a target agreement. But the question of compliance is usually treated only superficially and stepmotherly. In principle, a cooperation or partnership agreement also represents a contractual regulation, compliance with which must be monitored and continuously audited by a management system.
Compliance includes a broad diversity of rules to be followed, which are perceived by companies in varying degrees of importance. The focus is on legal regulations, ISO 9001 or related standards for the structure and process documentation of the quality management system, and other relevant industry-specific quality standards. Non-compliance with the individual rules has very different consequences and side effects for the success of the company:
- Legal violations can jeopardize the continued existence of the company
- Breaches of contract, e.g. SLAs and product quality deficiencies, damage reputation
- Ethical and internal violations undermine employee satisfaction
- Violations of license agreements usually remain undetected, but carry an enormous risk of fines and even the loss of essential software solutions and possibly the data from historically grown process chains.
In the end, the company management decides which voluntary and contractual rules the company wishes to commit itself to and what importance sustainable process quality has in the various areas. In all cases, compliance management is required to monitor the implementation of and adherence to the rules, to initiate measures in the event of violations and to conduct regular audits. Without corresponding competencies and authority, compliance with rules depends on the daily form of the employees or the level of the general quality culture in the company.