Successful Compliance - Barbara Neiger - E-Book

Barbara Neiger
Description

A Compliance Management System (CMS) is a management tool that effectively supports compliant behavior in organizations. The integration of CMS-related functions and measures into existing operational structures and processes enhances the effectiveness and efficiency of the sustainable development of your organization. ISO 37301:2021 "Compliance management systems - Requirements with guidance for use" provides worldwide standardized requirements for the development, implementation, maintenance and continuous improvement of a CMS. The extent to which the requirements are implemented is to be flexibly adapted to the individual situation of each organization, such as its risk exposure, size, industry, complexity of activities or legal form. Application to only a part of an organization is possible. The 2nd revised edition of this practical guide reflects the changes from the predecessor standard ISO 19600:2014 "Compliance management systems - Guidelines". Expanded with numerous new practical tips and examples, it supports compliance officers and everyone involved in the design and implementation of a CMS for any type of organization. For executives and members of governing bodies it serves as a handbook to safeguard their duties of care for implementing adequate measures to prevent non-compliant behavior and to establish and maintain an effective compliance culture.

You can read the e-book in Legimi apps or in any app that supports the following format:

EPUB

Page count: 401




Imprint

e-Pub only:

ISBN 978-3-85402-414-9

2nd revised edition 2021

Also available in German language:

ISBN 978-3-85402-412-5

e-Pub ISBN 978-3-85402-413-2

This work is protected by copyright.

All rights reserved.

Copying, printing, duplication, photographing or recording on any other media or data medium, even if only in extracts, shall be permissible only with the explicit written consent of Austrian Standards plus GmbH. The author is responsible for the translation (from the original German edition) and proofreading. Despite thorough editing, no responsibility can be taken for the correctness of the data given in the book. The author and the publisher cannot be held liable.

© Austrian Standards plus GmbH, Vienna 2021

Austrian Standards plus GmbH is an enterprise of Austrian Standards International.

AUSTRIAN STANDARDS PLUS GMBH

1020 Vienna, Heinestraße 38

T +43 1 213 00-300

F +43 1 213 00-355

E [email protected]

www.austrian-standards.at/fachliteratur

PROJECT COORDINATION

Gertraud Reznicek

COVERPHOTO

©iStock.com/Alexander Bedrin

GRAPHICAL DESIGN

Martin Aschauer

Contents

Abbreviations

Foreword

1 Basic principles and general framework

1.1 Definition of the term ‘compliance’

1.2 Legal framework for compliance in organizations

1.2.1 Responsibility of organizations in the international arena

1.2.2 Responsibility of organizations at the national level

1.2.3 Responsibility for compliance in Austria

1.3 Compliance as a tool of strategic management

1.3.1 Definition of management systems

1.3.2 Compliance Management Systems

1.4 Distinction between governance – ICS – RMS – CMS

1.4.1 Corporate governance

1.4.2 Internal control system (ICS)

1.4.3 Risk management system (RMS)

1.4.4 Compliance management system (CMS)

1.5 Positioning of ISO 37301 as a best-practices approach

2 A CMS in accordance with ISO 37301 at a glance

2.1 Standardization of management systems in accordance with ISO

2.1.1 Management system standards according to ISO High Level Structure (HLS)

2.1.2 Integrated management system

2.1.3 ISO 37001 Anti-bribery management system

2.2 The principle of continuous improvement - PDCA cycle

2.2.1 Principle of continuous improvement of ISO Management System Standards (MSS)

2.2.2 ISO 37301 represented in the PDCA cycle

2.3 Change management as a management tool for the implementation of ISO 37301

2.3.1 Definition of change management

2.3.2 Factors influencing change management processes

2.3.3 Leading Change – The 8-Step Model by John Kotter

3 Requirements of ISO 37301 – compliance management systems

3.1 Introduction

3.2 Area of application of the ISO 37301

3.3 Terms and definitions in accordance with ISO 37301

3.4 Context of the organization

3.4.1 Understanding the organization and its context

3.4.2 Understanding the needs and expectations of interested parties

3.4.3 Determining the scope of the compliance management systems

3.4.4 Compliance management system

3.4.5 Compliance obligations

3.4.6 Compliance risk assessment

3.5 Leadership

3.5.1 Leadership and commitment

3.5.2 Compliance policy

3.5.3 Roles, responsibilities and authorities

3.6 Planning

3.6.1 Actions to address compliance risks

3.6.2 Compliance objectives and planning to achieve them

3.6.3 Planning of changes

3.7 Support

3.7.1 Resources

3.7.2 Competence

3.7.3 Awareness

3.7.4 Communication

3.7.5 Documented information

3.8 Operation

3.8.1 Operational planning and control

3.8.2 Establishing controls and procedures

3.8.3 Raising concern

3.8.4 Investigation

3.9 Performance evaluation

3.9.1 Monitoring, measurement, analysis and evaluation

3.9.2 Internal Audits

3.9.3 Management review

3.10 Improvement

3.10.1 Continual improvement

3.10.2 Nonconformity, non-compliance and corrective measures

4 Guide for small and medium-sized enterprises (SMEs)

4.1 Compliance-relevant characteristics of SMEs

4.2 Implementation and configuration of compliance management in the SME sector

4.3 Conclusion

5 External review and certification

5.1 External audits of compliance management systems

5.1.1 Basic consideration

5.1.2 Audit process

5.2 Certification of a CMS

5.3 Certification process within the framework of ISO

6 Advanced concepts

6.1 Organizational culture as a management tool

6.1.1 Influences on organizational cultures

6.1.2 Characteristics of organizational cultures

6.1.3 The cultural model according to Schein

6.1.4 Effect and function of organizational cultures

6.1.5 Measurement of organizational cultures – the model by Denison

6.1.6 Organizational culture and a CMS in accordance with ISO 37301

6.2 Risk management

6.2.1 Risk management systems at a glance

6.2.2 ERM – a holistic, organization-wide risk management system

6.2.3 ISO 31000 Risk Management

6.2.4 Risk management and a CMS in accordance with ISO 37301

7 Summary and outlook

Bibliography

The author

List of figures

Figure 1 COSO Internal Control – Integrated Framework

Figure 2 ISO 37301 in the Deming cycle of continuous improvement

Figure 3 Phase diagram of changes according to Lewin

Figure 4 Promotors and destructors according to Ladwig/Domsch

Figure 5 Common symptoms of resistance according to Doppler/Lauterburg

Figure 6 Selected areas of action for resistance according to Reiss

Figure 7 8-step model for changes according to Kotter

Figure 8 PESTLE analysis of the external context

Figure 9 Interested parties / Stakeholders

Figure 10 Stakeholder Influence/Interest-Matrix

Figure 11 Example Risk Matrix

Figure 12 Level and characteristics of a code of conduct

Figure 13 Value orientation of the CMS according to Grüninger

Figure 14 Compliance in support of organizational objectives

Figure 15 Tools for implementing the compliance policy

Figure 16 Components of the capacity to act

Figure 17 The Fraud Triangle and approaches to prevention according to Grüninger

Figure 18 DMAIC cycle of continuous improvement

Figure 19 Overview of means of communication according to Mast/Maletzke

Figure 20 Sequence of a monitoring procedure

Figure 21 Approaches to compliance management according to Saitz/Tempel/Brühl

Figure 22 Audit process in accordance with ISO/IEC 17021

Figure 23 Cultural box model according to Thomas

Figure 24 Cultural levels according to Schein

Figure 25 Organizational cultures according to Denison

Figure 26 Corporate culture and effectiveness

Figure 27 Building-blocks of a risk management system

Figure 28 COSO ERM Framework

Figure 29 Risk matrix and risk appetite

Figure 30 Risk management process ISO 31000:2018

List of tables

Table 1 Requirements for an effective CMS vs. ISO 37301

Table 2 US-DOJ Guideline for Evaluation of Corporate Compliance Programs vs. ISO 37301

Table 3 World Bank Group Integrity Compliance Guidelines vs. ISO 37301

Table 4 Comparison of the HLS structure in different ISO MSS - overview

Table 5 Comparison of the HLS structure in different ISO MSS - Chapter 8 Operation

Table 6 Guideline to the UK Bribery Act 2010 vs. ISO 37301

Table 7 ICC Rules on Combating Corruption vs. ISO 37301

Table 8 Requirements for an effective ABMS vs. ISO 37001

Table 9 Comparison of ISO 37301 vs. ISO 37001 based on the HLS structure of ISO MSS

Table 10 Comparison of ISO 37301 vs. ISO 37001 - Chapter 8 Operation

Table 11 Internal determinants of an organisation according to Huczynski/Buchanan

Table 12 Probability scale

Table 13 Example risk map

Table 14 Indicators for CMS objectives according to Johnson/Søreide

Table 15 Examples of information and communication needs according to Bruhn

Table 16 Classification of means of communication according to Vahs/Weiand

Table 17 EU definition of SME

Table 18 Types of system audits

Table 19 Examples of key risk indicators (KRI)

Abbreviations

ACCG

Austrian Code of Corporate Governance

AG

Joint Stock Company (Aktiengesellschaft)

AktG

Stock corporation law (Aktiengesetz)

ArbVG

Labour Constitution Act (Arbeitsverfassungsgesetz)

AS

Australia

BGBl

Austrian Federal Law Gazette (Bundesgesetzblatt)

BWG

Banking Law (Bankwesengesetz)

BSI

British Standards Institution

CMS

Compliance Management System

COSO

Committee of Sponsoring Organizations of the Treadway Commission

DOJ

United States Department of Justice

DMAIC

Define-Measure-Analyse-Improve-Control

DSG

Data Protection Law (Datenschutzgesetz)

DSK

Data Protection Commission (Datenschutzkommission)

e.g.

for example

etc.

et cetera

EU

European Union

ERM

Enterprise Risk Management

ERP

Enterprise Resource Planning

EUR

Euro

FATF

Financial Action Task Force

FCPA

United States Foreign Corrupt Practices Act

FMA

Financial Market Authority (Finanzmarktaufsicht)

FSGM

Federal Sentencing Guidelines Manual

GARP

Global Association of Risk Professionals

GenG

Act on Cooperatives (Genossenschaftsgesetz)

GmbHG

Law on Limited Liability Company

(Gesetz über die Gesellschaft mit beschränkter Haftung)

HLS

High Level Structure

ICC

International Chamber of Commerce

ICS

Internal Control System

IEC

International Electrotechnical Commission

ILO

International Labour Organization

ISO

International Organization for Standardization

IT

Information Technology

JTC

Joint Technical Committee

JTCG

Joint Technical Coordinating Group

KPI

Key Performance Indicator

KRI

Key Risk Indicator

MS

Management System

MSS

Management System Standard

NATO

North Atlantic Treaty Organization

NZS

New Zealand

OECD

Organisation for Economic Cooperation and Development

OGH

Supreme Court (Oberster Gerichtshof)

OWiG

Administrative Offenses Act (Gesetz über Ordnungswidrigkeiten)

PACI

Partnering Against Corruption Initiative

PDCA

Plan-Do-Check-Act

RM

Risk Management

RMS

Risk Management System

SAI

Social Accountability International

SCGM

Sentencing Guidelines Manual

SEC

United States Securities and Exchange Commission

SME

Small and Medium Sized Company

SOX

Sarbanes-Oxley Act

TMB

Technical Management Board

VAG

Insurance Supervision Act (Versicherungsaufsichtsgesetz)

VbVG

Corporate Liability Law (Verbandsverantwortlichkeitsgesetz)

UN

United Nations (Vereinte Nationen)

UNODC

United Nations Office on Drugs and Crime

UK

United Kingdom

US, USA

United States

vs.

versus

WAG

Securities Supervision Act (Wertpapieraufsichtsgesetz)

WBG

The World Bank Group

TC

Technical Committee

UGB

Austrian Commercial Code (Unternehmensgesetzbuch)

sog.

so-called (sogenannt)

u.a.

among others (unter anderem)

vgl.

compare (vergleiche)

usw.

and so on (und so weiter)

u.U.

under certain circumstances (unter Umständen)

uvm.

and much more (und vieles mehr)

z.B.

for example (zum Beispiel)

Foreword

Compliance management involves the standardized identification of obligations and their systematic translation into the organization’s everyday operations. The development of structures and activities and their integration into existing procedures and processes reduces the risk of non-compliant behavior in the conduct of business. However, a compliance management system (CMS) must offer more. The frequently used argument that the costs of such a system are lower than the costs of non-compliance cannot stand on its own. To be accepted, compliance measures must be closely linked to effectiveness and efficiency and must not be perceived as bureaucratic obstacles. Compliance is therefore not a mere duty to be performed to avert negative consequences for an organization, but rather contributes to the improvement of business operations. This book contributes to this aim and supports organizations of all kinds in using compliance measures to increase the effectiveness and efficiency of organizational control as a whole.

ISO 37301:2021 “Compliance management systems – Requirements with guidance for use” was developed by users for users and claims to be a best-practice approach for a globally unified guideline for the development, implementation, maintenance and continuous improvement of a CMS. The extent to which individual elements are implemented must, in accordance with the principle of appropriateness, be matched to the particular characteristics of the organization. The standard is therefore applicable to all types of organizations – irrespective of their size, sector, type of business or legal form.

This commentary explains all elements of ISO 37301 and provides numerous practical tips for a phased implementation approach. When a holistic approach is taken, a CMS in accordance with ISO 37301 becomes a key tool in strategic management. This book aims to provide a scientific basis for practical implementation, coupled with decades of experience in building and managing complex systems.

Like its predecessor ISO 19600, ISO 37301 is based on the uniform template of ISO management system standards (as is ISO 37001 Anti-bribery management systems) and can, therefore, be implemented in an integrated manner. In this sense, one hopes that ISO 37301 will prove itself – not least because of the global awareness and acceptance of ISO standards – as an international benchmark for appropriately implementing and embedding compliance in organizations of all types.

To all readers I wish that they will obtain many useful ideas and benefits that are relevant to their work in practice. I look forward to receiving any comments, feedback and suggestions at [email protected]!

Vienna, December 2021

Barbara Neiger

1 Basic principles and general framework

The basic principles and general framework for a compliance management system (CMS) in accordance with ISO 37301 are presented in five chapters. First, the meaning of the term ‘compliance’ in the context of this practical commentary must be clarified: the fulfilment of obligations which are binding to an organization due to mandatory regulations and obligations that have been voluntarily entered into by the organization. Chapter 1.2 describes the legal framework for compliance in organizations based on national and international regulations on the (criminal) responsibility of organizations for non-compliant actions on the part of their personnel. The obligation of management to set up a CMS that is tailored to the organization’s individual situation is based on its general duty to perform due diligence as a responsible businessman. As outlined in chapter 1.3, a CMS, as a strategic management tool, should utilize a planned approach to ensure that obligations relevant to the organization are complied with in the conduct of activities. The avoidance of compliance violations or mitigation of their negative impact supports the achievement of an organization’s objectives. The definition of a CMS in respect of corporate governance and other management tools such as internal control systems (ICS) and risk management systems (RMS) is then discussed in chapter 1.4. Chapter 1.5 gives an overview of the positioning of ISO 37301 as a nonpartisan best practice instrument to ensure effective compliance management in organizations.

1.1 Definition of the term ‘compliance’

The term ‘compliance’ is derived from the verb ‘to comply with something’ (to fulfill or adhere to something)[1], and in the context of this manual means the observance of rules by an organization – that is, those rules that are binding for the organization due to statutory or regulatory provisions, as well as those to whose compliance the organization has voluntarily submitted.

Under this definition, compliance requires first only that all obligations are met. This is nothing new and is a self-evident principle in states governed by the rule of law.[2] However, compliance also includes the issue of how organizations ensure that their executive bodies and personnel comply with rules. As part of their duty of care and supervision, prudent managers are responsible for ensuring that the people working for the organization comply with relevant obligations in their day-to-day business, such as statutory, regulatory or supervisory regulations, industry guidelines and internal company guidelines, or contracts and binding bilateral (or multilateral) agreements.

The obligation to comply with relevant statutory, regulatory or supervisory regulations applies to all organizations. Compliance with industry regulations and internal policies, too, is not an end in itself but is in the interest of the organization. All organizations, irrespective of their legal form, size or field of activity, have only limited resources at their disposal. These must be deployed as efficiently and effectively as possible. It is not correct to argue that the requirement for such economic action applies only to for-profit organizations. Non-profit organizations, too, have limited resources at their disposal, which must be deployed to achieve the best possible result. Negative financial consequences of non-compliance, in the form of penalties and fines, certainly do not fall within the definition of the ‘best possible result’.

1.2 Legal framework for compliance in organizations

In Anglo-Saxon law (common law in the UK, the USA and other countries) there is no fundamental difference between natural and legal persons (legal entities). In codified legal systems (such as those of continental European countries) a different principle historically applied, namely: Societas delinquere non potest - legal persons cannot commit a crime.[3] Only developments in the last 20 years have led to the responsibility of legal persons being specifically established in continental European countries.[4] Numerous intergovernmental legislative acts both inside and outside the EU obligate member states and treaty states to provide for the liability of legal entities for certain crimes.

The first legislative act within the EU to provide for such an obligation is the Second Protocol to the Convention on the Protection of the European Communities’ Financial Interests,[5] which requires the criminal liability of organizations if fraud, corruption or money-laundering has been committed for their benefit by persons acting either alone or as part of the legal entity’s organization. Organizations must be made responsible if a lack of supervision or control has made the act possible. In addition to the Second Protocol, there are numerous other legislative acts providing for the liability of legal entities for approximately one hundred criminal offences (e.g. property-related offences such as fraud, embezzlement, misappropriation of subsidies or collusion in procurement procedures; corruption and environmental offences; offences in copyright law, stock exchange law, financial criminal law or the law on unfair competition).[6]

Among legislative acts outside the EU, the OECD Convention on Combating Bribery of Foreign Public Officials in International Business Transactions of 1997 is to be mentioned. The responsibility of legal entities is further governed by three conventions of the European Council (Protection of the Environment, 1998; Prevention of Cyber Crime, 2001; Counterterrorism, 2005). To combat money laundering, FATF recommendations require effective, proportionate and deterrent sanctions against legal entities[7]. Finally, the UN Conventions for the Suppression of the Financing of Terrorism (2000)[8] and against Corruption (2005)[9] contain further requirements for the criminal or the administrative liability of legal entities.

1.2.1 Responsibility of organizations in the international arena

Most European countries and numerous countries outside the EU have implemented the responsibility of legal entities in their legal systems. In continental Europe, a distinction is made between purely criminal, purely administrative or mixed models[10], while Anglo-Saxon countries such as the UK, Ireland or Cyprus have no administrative criminal law. In some countries (e.g. France, Italy, Switzerland, Hungary, and Poland), the state and its regional authorities are entirely exempt from liability. In some countries (France, Netherlands, Croatia, UK), such a restriction applies only to official activities. The liability of publicly owned companies is not limited in principle. In most countries, the liability of legal entities covers all offences; in some countries, only a few offences restricted to those governed by international agreements (e.g. in Spain, Italy, Malta, Brazil, China, India). In some countries, liability requires that the act was carried out to the benefit of, on behalf of, in the name of or in the interests of the legal entity (e.g. Germany, France, Italy, Poland and Slovenia). In some countries (e.g. Switzerland, the UK), a mere connection with the business activity of the legal entity is sufficient for the establishment of corporate liability. In most states (e.g. Germany, France, Netherlands, Italy, Poland and Hungary), a legal entity may be held accountable for offences committed by a subordinate employee only in connection with a lack of control or supervision by a person in a leading position. In some countries (Belgium, Switzerland, Romania), an act committed by any person working for a legal entity is sufficient to trigger corporate liability. Almost all jurisdictions make provision for the punishment of the legal entity in addition to that of the natural person. In Belgium, insofar as a natural person did not act knowingly or willfully, the entity (natural person or legal entity) that bears the greatest guilt is the one liable for punishment.

1.2.2 Responsibility of organizations at the national level

In Austria, the criminal liability for legal entities is governed by the Act on the Responsibility of Associations (VbVG), which entered into force on 1 January 2006[11] and is applicable to all intentional and unintentional criminal acts which are liable to result in criminal proceedings. Only recognized religious societies performing pastoral activities[12] and governmental institutions[13] are exempt from criminal liability. An offence must have been committed by a ‘decision-maker’ or by an employee, either to the benefit of the legal entity or in violation of an obligation that is applicable to the legal entity. The legal entity is, in principle, only liable for offences committed by its employees if the employee has acted willfully or with gross negligence and if a decision-maker has, while disregarding due and reasonable care, enabled or substantially facilitated commission of the act through the omission of substantial technical, organizational or personnel measures designed to prevent such acts. The prosecution of the natural person who committed the offence is not a prerequisite for liability of legal entities. Fines are limited to a maximum total amount of EUR 1.8 million and are calculated according to daily rates, the amount of which depends on the income situation of the legal person. Compensation can also be imposed as an additional sanction.

In Switzerland, the criminal liability of legal persons is regulated in Article 102 of the Swiss Criminal Code (StGB). A general criminal liability exists if the offence has been committed during commercial activities and the offence cannot be assigned to a specific person due to the company’s inadequate organization. Primary liability applies to a limited number of serious criminal offences, including money laundering, bribery of Swiss and foreign officials and the financing of terrorism that the company has not taken adequate organizational measures to prevent, regardless of whether this criminal offence can be attributed to a specific person.[14]

In Germany, the Criminal Code applies only to individuals – not to companies. Companies can be held liable under civil law in accordance with the Administrative Offences Code (OWiG)[15]. Fines are limited to EUR 10 million. The confiscation of all economic benefits acquired by, for example, bribery is not subject to any limits.[16] In June 2020, the German Federal Ministry of Justice and Consumer Protection released a draft law entitled Law on the sanctioning of offences related to associations (Association Sanctions Act – VerSanG) for comment.[17] The draft law provides for the criminal liability of companies and obliges law enforcement authorities to investigate and prosecute companies accordingly.

1.2.3 Responsibility for compliance in Austria

In Austria – as in Germany and in Switzerland – there is no set of regulations, mandatory for all organizations, governing or requiring the introduction of a compliance management system. In Austria, in accordance with § 18 WAG, only organizations that are subject to the Securities Supervision Act are obliged to introduce a compliance organization.[18] The Austrian Code of Corporate Governance (compliance with which is voluntary) states that the board of directors (of listed companies) must take appropriate measures to ensure compliance with laws that are relevant to the company (ACCG, IV.15). The audit committee of the governing body must monitor the effectiveness of the internal control system and the risk management system (ACCG, V.40).[19]

Due diligence by a prudent, conscientious manager, as required in § 76 paragraph 1 AktG[20] and § 25 paragraph 1 GmbHG[21], contains an implicit duty to supervise and control compliance with laws. Pursuant to § 82 AktG and § 22 paragraph 1 GmbHG, the board of directors (company management) must ensure that, as well as a proper accounting system, an internal control system corresponding to the requirements of the company is in place. Similar obligations are derived from the Act on Cooperatives (§ 22(1) GenG).[22]

1.3 Compliance as a tool of strategic management

A management system is understood to mean all interacting elements (structures as static and processes as dynamic elements) that are applied to enable an organization to achieve the objectives it has set. As strategy in general is defined as any plan to implement the objectives of an organization, management systems form part of strategic management.[23] The following chapter gives an overview of the development of management systems in general and of compliance management systems and enables the classification of a CMS in accordance with ISO 37301 in such context.

1.3.1 Definition of management systems

Decisive factors for the current approach to system-oriented management, which is also used as the basis for ISO 37301, are developments in theory and practice in the USA and in Germany, which differ from one another in their approaches to the topic.

The history of business administration in Germany dates back to the founding of business colleges at the end of the 19th century in Germany, Austria and Switzerland. The systematization of existing knowledge soon gained importance alongside the teaching of language skills and technological knowledge. For the purpose of differentiating business administration from economics, the definition of the object of research is a subject that continues to be intensively discussed to the present day. Initially, the object of research focused mainly on trade activities. Over time, this was extended to research on manufacturing companies (industry) and on private households. The content of business administration initially focused on accounting and on questions surrounding the origination of costs and financing. These sub-areas were expanded to include the study of sales, production and organizational issues.[24] During the reconstruction period following the Second World War, attention focused on the short-term planning of financial flows. The 1960s saw the beginnings of the development of long-term planning based on past results, with profit forecasts for periods lying further ahead in the future. The 1973 oil crisis and increasing global political instability made it clear that this approach was no longer sufficient. What was required was an analysis of the external context of the organization to identify future risks and opportunities which could (potentially) influence the ability of an organization to realize its objectives. To complement business budgeting, the concept of strategic management, which had been developed primarily in the USA, increasingly came to be applied in Germany and in Europe as a whole.[25]

In the USA, the concept of strategic management can be traced back to Frederick Winslow Taylor (1856-1915) in the early 20th century. In contrast to German business administration, which established its own science of economics, Taylor – whose background was in engineering – was interested in developing a concept for actual management. Of primary importance here were issues of enhancing production capacity (e.g. workplace design, remuneration systems) and not (yet) the tasks associated with the overall running of a business. Management theory, still expounded by practitioners such as business leaders and consultants, changed through the creation of rules and principles on the issues of cooperation and employee leadership. The introduction of findings from other fields such as mathematics, physics, sociology and technology and, ultimately, the rise of computers created a – still – practice-oriented system theory of management.[26] Peter F. Drucker (1909-2005), who studied the company management and working methods of General Motors in 1943, is regarded as the founder and one of the most important exponents of this theory.[27] In his book “Concept of the Corporation”, Drucker describes the corporation as an institution (one of many in a society) set up for the purpose of organizing human (inter)actions in order to achieve a business objective. A decisive factor in resolving the associated problems is company management and the company policy it chooses, as well as the established procedures for implementing this policy.[28] Corporations (like all other organizations) cannot survive if they are dependent on one individual or a small number of persons. The establishment of a system that – based on values and principles – regulates the achievement of objectives requires interaction between managers and personnel. This regulation should not take the form of a rigid plan but must have the flexibility to allow the necessary adjustment of individual steps so that objectives can be achieved.[29] Increasing knowledge of the importance of external influences on the possibilities and capabilities of a company to achieve its objectives led to the development of strategic management. The opportunities and risks arising from the business environment are analyzed, as are the organization’s own strengths and weaknesses. The results form the basis for the definition of objectives and the development of a strategy for how these objectives can be reached. Practical experience showed that the successful implementation of strategic measures requires their acceptance by the members of the organization. From this point of view the so-called soft facts – such as structure and process organization, human resources, corporate culture and the storage and dissemination of information – gained independent strategic importance.[30]

In summary, it should be noted that both approaches make a significant contribution to the development and management of organizations. System-oriented management theory deriving from practical experience provides the tools for the implementation and management of constantly changing requirements, while business administration contributes through a planning concept that provides a firm basis for a sound decision-making process.

Viewing organizations as systems provides certain features that apply to all organizations regardless of size, organizational form or task.[31] Firstly, when considering an organization as a system – as in biology or ecology – all its elements form an interactive structure. An intervention in one place can have an impact elsewhere. Organizations must therefore be considered in their entirety. All system components (structures, processes, personnel, customers, etc.) must be taken into consideration when enacting measures. Secondly, organizations are not static constructs, but dynamic systems characterized by (continuous) changes. Changes are determined, on the one hand, by conditions within the organization itself and caused, on the other, by external influences. It follows that organizations – as part of a network of economic, legal and social relations – are open systems. The final feature of a systemic consideration of organizations is their complexity.[32] This should not, however, be seen as an unavoidable evil, as it is precisely this large number of parameters that enables organizations to adapt to requirements in the first place and thus maintain their viability.

The task and role of management systems is to make complex systems manageable by coordinating the actions of (many) people towards an objective.[33] Management systems create a framework for the uniform, objective-oriented alignment of an organization through the design of structures, rules and procedures and the continuous monitoring and improvement of all activities. A CMS in accordance with ISO 37301 follows from this approach. The allocation of tasks and responsibilities for an organization’s compliance – as a structural or static element – is supported by the integration of compliance measures into existing procedures, processes, etc. (as the dynamic element).

1.3.2 Compliance Management Systems

Management systems create a framework for the uniform, objective-oriented alignment of an organization through the design of structures, rules and procedures and the continuous monitoring and improvement of all activities. National and international legal systems contain provisions that organizations have an (implicit) duty to supervise and control their activities to ensure compliance with the law. With some exceptions, however, there are no regulations on how these governing and control measures are to be designed. There is no statutory regulation applicable to all organizations that requires the introduction of a compliance management system (CMS).

On an international level, compliance management systems have been developed in the financial sector to combat money laundering.[34] This is also the case in Austria. Organizations that are subject to the Securities Act are obliged, in accordance with § 18 of the Securities Supervision Act (WAG), to permanently employ a compliance function charged with monitoring and performing regular appraisals of the adequacy of prescribed procedures and the implementation of measures to address any shortcomings. In the context of anti-corruption provisions, the first benchmarks for compliance management systems were set in the USA and the UK. In both countries, an adequate and effective compliance and ethics program can affect prosecution, albeit to varying degrees. In recent years, numerous states have implemented criminal liability for legal persons within their legal systems. The prerequisite is often that the organization was negligent at the time of the prosecution, i.e., the organization had not previously set up and implemented any proper and appropriate measures to significantly reduce the risk of such offences occurring.[35]

1.4 Distinction between governance – ICS – RMS – CMS

In the broader sense, governance is understood as the entirety of all instruments that support the achievement of an organization’s objectives and ensure proper business management aligned towards sustainable, long-term value creation in the interests of all stakeholders.[36] This includes all processes that determine how important decisions are made in an organization, how performance is provided and how control is exercised.[37] The following describes three institutions that are regarded as instruments for an efficient and effective governance structure: internal control system (ICS), risk management system (RMS) and compliance management system (CMS).

1.4.1 Corporate governance

The term “corporate governance” goes back to the time when ownership of companies was separated from their management, and so the need arose to protect the interests of investors against management acting in its own interest. As far back as the 18th century, Adam Smith extensively discussed the problems of how the division of labor might be guided and controlled in an increasingly large business. Managers can inflict financial damage on shareholders through, for example, insufficient efforts in search of business opportunities, or the absence of necessary modernization, through the arrangement of high-risk transactions or insufficiently elaborated investments, or through the lack of control of activities within the company. With the separation of assets and control of the company from its ownership, it became necessary to set rules to ensure that the managers (agents) entrusted with the running of the company acted in the interests of the owners (principals).[38] This principal/agent problem[39] formed the basis for the initially narrow definition of corporate governance as a means of dividing responsibilities and roles between institutions in a company in order to ensure that the capital providers (= owners) receive the expected returns.[40]

A broader perspective of corporate governance evolved from the understanding that a business can be understood as a network of contracts, which internally shapes the company itself and externally regulates the relationship with shareholders.[41] The term is expanded in relation to several factors: First of all with regard to the participants, because the interests of not only owners and managers, but also of a further group of people (= stakeholders) are taken into account. These include customers, personnel, suppliers and external investors. Secondly, the focus is not on financial damage caused to the owners, but on the protection of the rights and legitimate interests of all stakeholders. Corporate governance can thus be understood as a higher-level control framework, which regulates the exchange relationships within an organization, on the one hand, and the exchange relationships with the organization’s environment, on the other.[42] Due to the diversity of organizations there are, essentially, no uniform regulations on elements of organizational structure or process organization. Governance structures must be adapted to the individual situation of the organization to support the achievement of the organization’s objectives. A variety of institutions that are regarded as instruments of an efficient and effective governance structure, such as an internal control system (ICS), risk management system (RMS) and compliance management system (CMS), has evolved in practice, and subsequently in legislation.

1.4.2 Internal control system (ICS)

An ICS is defined as all principles, methods and measures introduced and agreed within an organization that are used to secure the assets and the regularity, accuracy and reliability of internal and external reporting, as well as compliance with prescribed business policies.[43] In order to ensure the effectiveness and profitability of business, an ICS should cover all key business processes.

The term ICS goes back to a study published in 1992 by the Committee of Sponsoring Organizations of the Treadway Commission (COSO)[44]. The ‘internal control system’ described in this study helped to define corporate governance terms more precisely and back them with specific measures. To properly classify this approach, one must take into consideration the fact that the word ‘control’ denotes not only controls in the sense of checks, but also measures that have been put in place to achieve certain results. It is therefore advisable to consider an ICS in terms of its two parts: an internal steering system and an internal monitoring system.[45]

COSO defines three business objectives of an ICS: (i) the effectiveness and efficiency of business processes (operations), (ii) the reliability of financial reporting and (iii) compliance with valid laws and regulations. The term ‘internal control’ is defined as the sum of all instruments that are required to ensure the achievement of these three categories of objectives (first dimension). Instruments are divided into five components: control environment, risk assessment, control activities (in the sense of management), information and communication, and monitoring (second dimension). The three categories of objectives and all five instruments are applied both at the corporate level and in all areas and/or activities of an organization (third dimension). A graphic representation of the three dimensions is given in Figure 1. The components of the second dimension are explained in more detail below.[46]

Figure 1: COSO Internal Control – Integrated Framework[47]

Control environment – the control environment encompasses the basis of the organization as expressed in (i) the influences and values that govern behavior, (ii) the structures that allocate and reflect responsibilities and (iii) the processes that govern the coordination of tasks. All these parameters must be designed to support the achievement of business objectives. The willingness to take risks as an element of the internal environment is expressed through both quantitative and qualitative objectives and restrictions and subsequently acts as a measurement parameter for acceptable risk in risk assessment.

Risk assessment – identified risks are evaluated by determining the probability of their occurrence and the potential extent of damage caused. Control measures are taken to address residual risks following the application of risk transfer measures (e.g. insurance).

Control measures – regulations, guidelines and procedures (such as separation of duties, spot checks, etc.) are implemented to ensure proper business operation, proper accounting and observance of rules (compliance) that are relevant to the organization.

Information and communication – knowledge of all essential process steps allows personnel to carry out their responsibilities and to contribute to the efficient management of operations, proper accounting and compliance with all (statutory) requirements.

Monitoring – all measures taken must be monitored regularly and, if necessary, improved. The functioning and adequacy of the ICS must be audited by an independent body.

1.4.3 Risk management system (RMS)[48]

As part of an ICS and the second instrument of an efficient and effective governance structure, risk management aims to identify opportunities and risks at an early stage and to assess how they may affect the achievement of corporate objectives (from the point of view of strategy, operations, accounting and compliance). These findings support decision-making for future-oriented planning and are incorporated into risk management.

Event identification – all internal and external events are to be identified that affect the achievement of an organization’s objectives. These influences can be of both a positive (opportunity) and negative (risk) nature.

Risk assessment – identified potential risks are consolidated in a risk catalogue and analyzed and evaluated according to their probability of occurrence and their impact. Risks are then prioritized based on the results of such evaluation to develop targeted measures to manage them.

Risk management – risks can be avoided through the omission of a business activity. In all other cases measures must be put in place to reduce risk, either by controls or by transfer (e.g. insurance).

1.4.4 Compliance management system (CMS)

The third instrument of an efficient and effective governance structure, a compliance management system, is designed to ensure compliance with statutory, regulatory or voluntary obligations in the conduct of business. The non-observance of compliance obligations is to be prevented by taking appropriate measures. Violations must be identified in time and actions taken to rectify the situation. Improvements and adjustments to the CMS prevent repetitions of violations and restore the organization’s compliance in relation to the performance of its activities.

In conclusion, it should be noted that ICS, RMS and CMS are instruments for the effective and efficient management of organizations. They are not isolated from one another, nor should they be considered as such. A CMS supports the management of compliance risks, thus making it a part of the RMS. The determination of those obligations whose fulfilment must be ensured through a CMS and its measures derives from the risk assessment of these compliance obligations. Risk management principles thus form part of an effective CMS. Ensuring compliance – as an organizational objective – is in turn a core element of an ICS. The appropriateness of the ICS results from its alignment to the overall risk situation of an organization, thereby completing the circle between ICS, RMS and CMS.

1.5 Positioning of ISO 37301 as a best-practices approach

Compliance management systems were first developed in the financial sector to combat money laundering. Since it was founded in 1989, the Financial Action Task Force (FATF) has been regarded as the driving force for the establishment of standards in the fight against money laundering and the financing of terrorism. Since their first appearance in 1990, FATF’s regularly updated 40 Recommendations[49] have served as the basis for both national and international regulations. For selected risk areas (money laundering, financial transactions, or the fight against corruption), local or regional guidelines are in place for compliance programs to ensure compliance with the relevant regulations. Due to their global importance, the three systems were presented in a more detailed form. All requirements contained in the guidelines are – repeatedly for the most part – covered by elements of ISO 37301. However, there is a danger of several compliance management systems existing side-by-side within an organization, leading to a loss of effectiveness and efficiency and placing a burden on the performance of business transactions.

Due to the system-oriented approach, multiple compliance obligations can be combined in a CMS according to ISO 37301. Compliant behavior is supported within the organization while at the same time increasing efficiency through the appropriate allocation of resources. Thus, compliance management supports sustainable business development.

In Austria, the criminal responsibility of organizations (associations) is regulated by the Association Responsibility Act.[50] An association is responsible for an offence committed by an employee if, among other things, essential technical, organizational or personnel measures to prevent the offence have been neglected. There are no explanations or generally applicable guidelines as to what is meant by “essential technical, organizational or personnel measures”. The Swiss Criminal Code provides for a similar regulation on the criminal responsibility of organizations (§102(2) StGB).[51] A company will be punished if it has not taken all necessary and reasonable organizational precautions to prevent the offence in question. There are no explanations or a generally applicable guideline on “required and reasonable organizational precautions”. The German Association Sanctions Act[52], which is part of the proposed legislation, provides that a penalty for associations can be imposed if the offence could have been prevented or made significantly more difficult through appropriate precautions, e.g. such measures as organization, selection, guidance and supervision. The law does not provide explanations on “reasonable measures” (a guideline on applying them is also currently not available).

In all three laws (Austria, Switzerland and Germany), a lack of organization is a prerequisite for the entity to be punished. The severity and extent of the lack of organizational measures, or vice versa, the appropriateness and effectiveness of measures and precautions, are to be considered when assessing the penalty. In all three countries, the anti-money laundering regulations contain fundamental provisions on introducing a compliance organization.[53] Beyond these industry-specific regulations, there are no generally applicable regulations that provide for or prescribe the establishment of a CMS.

At the international level, regulations have been established in some countries that define the requirements for effective compliance measures. The assessment of the effectiveness of these measures can influence the assessment of the penalty. Proof that an organization has taken the necessary care to prevent the crime can, on the other hand, be a protection against criminal prosecution. Table 1 shows three examples in which requirements for the elements of an effective compliance organization are determined. Their effectiveness is considered when deciding on criminal prosecution and/or the degree of punishment.

Table 1: Requirements for an effective CMS vs. ISO 37301[54]

ISO 37301 | Italy | Spain | US DOJ
Section 4 Context of the organization | 2.a Risk assessment; 1.d Proactive vigilance | 1. Risk assessment | I.A. Risk Assessment
Section 5 Leadership | 1.a Commitment by top management; 1.a Involvement of governing body; 2.e Sanctions | 1. Commitment and actions by top management; 2. Compliance function; 5. Sanctions | II.A. Commitment by Senior & Middle Management; II.B. Autonomy & Resources
Section 6 Planning | - | 2. Appropriate procedures | I.B. Policies & Procedures
Section 7 Support | 2.b Training; 2.c Adequate resources; 2.e Sanctions | 3. Training; 5. Sanctions | I.C. Training; II.C. Incentives and Discipline Measures
Section 8 Operation | 2.b Internal procedures; 2.d Whistleblowing | 3. Financial controls; 4. Whistleblowing | I.B. Policies & Procedures; I.D. Confidential Reporting Structure; I.D. Investigation Process; I.E. Third Party Management; I.F. Mergers & Acquisitions; III.B. Investigation of Misconduct
Section 9 Performance evaluation | - | 6. Control of implementation | III.A. Periodic Testing & Review
Section 10 Improvement | - | - | III.A. Continuous Improvement; III.B. Investigation of Misconduct

According to Italian Legislative Decree No. 231 (2001), an organization can be exempted from liability if, among other things, it proves that effective and specific internal compliance measures have been taken. The amendment to the Spanish Criminal Code (2015) established the exemption from criminal liability for legal persons that can demonstrate effective implementation of a crime prevention or compliance program.

The Principles of Federal Prosecution of Business Organizations[55] in the Justice Manual of the US Department of Justice (DOJ) describe specific factors to consider when investigating businesses. These factors include implementing and improving an effective compliance program at the time of the offence and at the time of the procedural decision. The US Department of Justice Criminal Division Guidance on the Evaluation of Corporate Compliance Programs (June 2020) is designed to help prosecutors assess these factors.

Table 2: US-DOJ Guideline for Evaluation of Corporate Compliance Programs vs. ISO 37301[56]

US Department of Justice Criminal Division, Evaluation of Corporate Compliance Programs / June 2020 | Elements ISO 37301 (Chapter)
I. Is the Corporation’s Compliance Program Well Designed? |
I.A. Risk assessment | 4.1 Organization and its context, 4.6 Compliance risks; 7.2.2 Employment process
I.B. Policies and Procedures | 6. Planning; 8.1. – 8.10 Operations/anti-bribery measures; 9.1-9.3 Monitoring
I.C. Training and communication | 7.1 Competence, 7.2 Training, 7.3 Awareness, 7.4 Communication
I.D. Confidential Reporting Structure and Investigation Process | 8.3 Raising concern; 8.4 Investigation process
I.E. Third Party Management | 8.1 Outsourced processes
I.F. Mergers and Acquisitions (M&A) | 8.2 Due diligence, 8.3 Non-financial controls
II. Is the Corporation’s Compliance Program Adequately Resourced and Empowered to Function Effectively? |
II.A. Commitment of Senior and Middle Management | 5.1 Leadership and commitment, 5.2 Compliance policy, 5.3 Management responsibilities
II.B. Autonomy and Resources | 5.3 Compliance function; 7.1 Resources
II.C. Incentives and Disciplinary Measures | 7.3 Awareness
III. Does the Corporation’s Compliance Program Work in Practice? |
III.A. Continuous Improvement, Periodic Testing, and Review | 9.1 Monitoring, 9.2 Internal audit, 9.4 Management review; 10.2 Continual improvement
III.B. Investigation of Wrongdoing | 8.4 Investigation processes
III.C. Analysis and Rectification of Underlying Misconduct | 8.4 Investigation processes; 10.1 Continual improvement

Due to the large number of business relationships with companies in the world’s largest economy, the consideration of the elements shown in Table 2 can be important when measuring the effectiveness of a CMS. However, it may not always be appropriate to use the guideline of a single national institution as a benchmark. The compatibility of the requirements of the DOJ guidance with the requirements of ISO 37301 can, therefore, be illustrated in two ways. In Table 1, the requirements of ISO 37301 were compared with those of the DOJ guideline. Table 2 shows which requirements of ISO 37301 meet those of the DOJ guideline. The DOJ guideline is not only applied – as is sometimes wrongly assumed – to offences of corruption. The assessment of the effectiveness of a corporate compliance program can concern all relevant compliance obligations of that organization.[57]

ISO standards are developed by users for users in an international context. This approach enables ISO standards to be positioned as impartial, best-practice instruments. Because of their far-reaching importance for assessing the effectiveness of a compliance program, comparable to that of the DOJ guidelines, the elements of the World Bank Group’s Integrity Compliance Guidelines for an effective compliance program are presented in Table 3 below and compared with the elements of ISO 37301.

Table 3: World Bank Group Integrity Compliance Guidelines vs. ISO 37301[58]

The World Bank Group, The Integrity Compliance Guidelines | Elements ISO 37301 (Chapter)
1 Prohibition of Misconduct | 5.2 Compliance policy
2 Responsibility | 5.1 Leadership, 5.3 Roles & responsibilities
3 Program Initiation, Risk Assessment, and Review | 4.6 Bribery risk assessment; 6 Planning; 9 Performance Review
4 Internal Policies | 5.3.4 Anti-bribery function, 7.1 Resources
5 Policies Re: Business Partners | 8.2 Due diligence, 8.5 Non-controlled business partners
6 Internal Controls | 8.1 Operational controls
7 Training & Communication | 7.1/2 Competence and training, 7.4 Communication
8 Incentives | 7.4 Awareness
9 Reporting | 8.3 Raising concern
10 Remediation of Misconduct | 8.4 Investigation
11 Collective Action | 4.2 Interested parties