CMS Compliance Barometer Representative Study with German Companies


CMS Compliance Barometer 2015: Representative Study with German Companies, October 2015

Table of Contents

Introduction
Methodology
Summary
Organisation
Risks and external challenges
Instruments
Internal challenges
CMS Compliance Index
Your contact partners

Introduction

The focus is more and more on the legally, economically and ethically correct conduct of companies, management and employees. Lawmakers and authorities, business partners and stakeholders, media and the public assume that violations of laws and directives are prevented as efficiently as possible and impose severe sanctions if it comes to the worst. The liability risk in business has continuously increased over the past years, and most companies therefore now consider a structured compliance organisation an indispensable component of responsible corporate governance. Particularly in major companies, compliance officers contribute significantly to liability risks being identified and minimised. This trend will also catch on downstream, targeting mid-sized companies.

Particularly frequently there, but also still in some major companies, compliance is sometimes regarded as a tedious duty. Consequently, the willingness to invest more in this important topic is low on the relevant boards and managements, be it with regard to the necessary anchoring in people's minds and management's setting an example or with regard to resources and risk prevention. And yet there is the risk of manifold legal, economic and reputation-damaging consequences in the case of non-compliance. Most companies usually still have to manage a difficult balancing act between adequate compliance efforts on the one hand and limited financial and human resources on the other.

In this very heterogeneous compliance environment, the following issues are raised: What instruments are state-of-the-art and customary nowadays? What are the current challenges from the perspective of the parties concerned? How far have German companies already come in terms of professionalisation? With the CMS Compliance Barometer now being published for the first time, we would like to contribute to examining the development status of compliance in Germany.

We are deliberately looking exclusively at major companies with at least 500 on the payroll: they are more under public scrutiny and more frequently have to deal with regulatory issues. With respect to companies of this size, the development of compliance can be regarded quasi seismographically and as a prime mover for the whole economy. Since many surveys and studies have so far either focused on SMEs or dealt with major companies in a manner that is hardly representative, this is our contribution to closing a statistical gap.

The CMS Compliance Barometer, to be newly issued each year, will in the future enable us to recognise important trends, derive developments and determine effects. In this connection, from now on the CMS Compliance Index will also measure the penetration and professionalisation of the major German companies with regard to compliance as a whole and will be able to identify a trend at a glance, because we wish not only to document the current standard but also to show potential for improvement and to help to prevent any undesirable developments.

We hope that we will be able to give you insights that are also helpful for your work and look forward to receiving suggestions for the study and your very personal view of the development of compliance.

Dr Harald W. Potinecke, Dr Tobias Teicke, Florian Block

Methodology

The study is based on computerised B2B telephone interviews with 175 compliance officers in major German companies from the sectors industry, real estate, automotive, trade, ICT, healthcare and finance / insurance. The anonymous interviews by the Ipsos market research institution were conducted from 19 November to 10 December 2014 and from 19 May to 9 June. In both periods, the interviews were based on a structured questionnaire comprising 30 questions and dealing with the topics of organisation, risks / challenges, instruments and culture. Every executive capable of commenting on the entirety of the instruments and processes implemented in the major company for the purpose of ensuring compliance was classified as a compliance officer.

The population encompassed some 5,700 legally independent major companies in Germany of all turnover and employee size classes; an almost completely proportional random sample quoted according to the seven sectors was used. Any company with more than 500 employees is defined as a major company by the study. In addition, a further distinction was made between companies with up to 999 employees, companies with up to 4,999 employees and companies with more than 5,000 employees, and between companies with different turnover rates. The study therefore deals with both large mid-size companies and classic major corporations. The study provides a representative overall picture for all major companies doing business in Germany.

Summary

Compliance has meanwhile become increasingly firmly established in major German companies. Nearly 50 per cent of the companies have enhanced their human and financial compliance resources over the past number of years and in doing so have established formal and cultural standards. The majority of company managers definitely consider themselves appropriately positioned to effectively prevent operational violations of law.
Nevertheless, the common perception is that there is a lot that can be done even better. Many of those interviewed still see potential for improvement, particularly in terms of compliance culture. The CMS Compliance Index, which condenses the findings, shows a value of 64 out of 100 possible points.

Compliance organisation still developing

In many cases, compliance officers come from different company divisions. Mostly, they work in legal affairs, controlling, risk management or audit departments. Still, it is striking that the existing internal resources are often not being adequately leveraged and that in many cases existing departments are not, or not sufficiently, dovetailed. For many of those interviewed, compliance is still not the main professional task. Not even one-third of the interviewed companies have established an independent compliance department. What is clear in this connection is that precisely at SMEs their limited resources often do not allow for the employment of full-time compliance officers and that a decentralised compliance organisation with its integral approach can definitely be an advantage. But in the individual case, control deficits can also arise if operative risk business and compliance responsibilities are not managed in a clearly separate way. Furthermore, a widespread practice is to obtain external professional support: depending on the compliance topic, the advice quota is at up to 80 per cent.

Right risk focus in SMEs?

When it comes to assessing risks, the medium-sized businesses come up with the biggest surprises: while the central compliance topics of fighting cartels and corruption play a rather subordinate role for them, data privacy protection is at the forefront of the compliance topics. Thus many SMEs appear not always to set the priorities correctly as regards content and to underestimate the risks. Admittedly, data privacy protection also plays an increasingly important role, but companies and employees face even existence-threatening penalties for unfair and corrupt conduct. By contrast, these high-risk areas are more realistically assessed at big corporations.

Stricter requirements imposed by government and economy

When it comes to the biggest challenges, there is largely consensus among the interviewees. The compliance officers put increasing regulation and the standard of liability, ratcheted up by authorities and jurisprudence, at the top of the list. In fact, the compliance requirements set by special acts and the augmented investigative zeal of some authorities are steadily increasing. However, it is not only governmental bodies that are exerting compliance pressure. Half of the participants in the study consider it important or even very important to be able to demonstrate to business partners that they have their own compliance system. This frequently turns into a precondition for participating in business transactions.

Development of a compliance standard

Nearly all companies meanwhile have a standard repertoire of compliance instruments. As a rule, it comprises:

Codes of conduct to set minimum requirements for business conduct
Internal control procedures to check compliance with the requirements
Internal investigations to follow up misconduct in cases of suspicion

However, only half of those interviewed offer an internal training programme to impart the conduct requirements. Additionally, it has been shown that at a lot of companies there is still a need to optimise the handling of compliance violations. This primarily concerns comprehensive crisis preparedness in companies and preparedness for unannounced official investigations, for example by drafting plans of procedure.

Compliance culture as greatest internal challenge

It has meanwhile hit home in many companies that one's own compliance culture is of crucial importance when it comes to preventing violations of law. Accordingly, the majority of interviewees see raising employees' and company management's genuine awareness of the issue as the biggest internal challenge. The interviewees confirm that predominantly the management is already very compliance-conscious. Management's willingness to support compliance issues and also to actually promote them is assessed somewhat less positively by compliance officers. However, the study participants see considerable potential for improving compliance awareness and employee commitment.

Organisation

Nearly 50 per cent of companies have increased their compliance resources

In the case of 41 per cent of the interviewees, human and financial compliance resources have remained at the same level in the last few years. Just under half (47 per cent) of the companies have even increased the relevant resources. However, only 42 per cent consider the current situation optimal. Internal capacities often do not suffice to cope with the tasks to be carried out, which is why more than 50 per cent call in external consultant support.

[Figure: Human and financial resources. Panel "Development": Increased, Unchanged, Reduced, Don't know / no information provided. Panel "Assessment": scale from 1 = very good to very poor, Don't know / no information provided.]

On average, seven employees are entrusted with compliance tasks

About half of those interviewed stated that the duties of at least one and at most four employees at least also include compliance tasks. At only about one-third of the companies are there more compliance officers. Only just under one-fifth of the interviewed companies even reach a double-digit number of officers. Thus, on average, there are seven employees who are entrusted, inter alia, with compliance tasks in major German companies. This can, but need not, be a full-time job. About half of the employees dealing with compliance issues have a qualification in business economics; one-third of them are members of the legal profession. Other professions (such as engineering or banking) remain exceptional cases.

Number of compliance officers
1 to 4: 53%
5 to 9: 14%
10 and more: 17%
Don't know / no information provided: 15%
Rounding differences cause the total not to be 100%.

Only three out of ten companies have their own compliance department

In most companies, primarily the legal affairs department or the controlling department is responsible for compliance. One-third of the companies have also assigned compliance tasks to the risk management department, the audit department or to general business operations such as purchasing, marketing or distribution. An independent compliance department, however, exists only at 28 per cent of the companies. Even among the big corporations with more than 5,000 employees, so far only about 50 per cent have decided to set up a compliance department. Consequently, compliance is often not the main task of employees who deal with it. This is not really surprising because there is no duty to establish a central compliance department. The organisational structure is at the discretion of the management. Many companies choose a decentralised compliance organisation also for cost and practicability reasons. At both SMEs and large corporations, compliance tasks are thus often assigned to various departments.

Departments with compliance officers
Legal department: 55%
Controlling: 44%
Risk management: 33%
Auditing: 32%
General business operations, e.g. purchasing, marketing, sales: 30%
Compliance department: 28%
Management: 7%
HR department: 5%
Quality management: 4%
Finance department: 2%
Other: 10%
Don't know / no information provided: 4%

On average, compliance departments have five employees

If there is an independent compliance department, on average about five employees work there. At two-thirds of them, the department consists of a maximum of four employees. And in only one in ten companies is there a double-digit number of compliance employees. Thus, the compliance department normally comprises a small group of persons, allowing fast action and reaction.

Compliance function in purchasing or distribution department?

It is interesting that in 30 per cent of the companies, compliance officers at the same time also work in the purchasing and distribution departments. This shows the many different ways in which compliance functions can be organised in corporate practice. A decentralised compliance approach can certainly also have advantages. Whether compliance checks can be carried out optimally within the framework of a double function like this appears at least doubtful. In the individual case, this ultimately depends on the set-up.

Risks and external challenges

When asked about the greatest compliance risk, on average most of the interviewees (22 per cent) replied that most attention would have to be given to data privacy protection. Product liability (19 per cent) and corruption (16 per cent) followed in second place and third place, then labour law (14 per cent) and anti-trust law (11 per cent). Money laundering, foreign trade and industrial espionage hardly figured in the perception of the interviewees.

[Figure: The greatest compliance risks. Series: the most important, the second most important, the third most important. Categories: Data privacy protection, e.g. passing on of personal data; Product liability; Corruption; Labour law, black market labour, work safety; Anti-trust violations; Foreign trade; Money laundering; Industrial espionage; Other.]

Right focus in SMEs?

Data protection's high priority is based above all on the assessment of major SMEs (500 to 999 employees or turnover lower than EUR 100 million). Even if data protection plays a key role today, this result does suggest that the SMEs, in particular, apparently tend to underestimate competition / anti-trust and corruption risks, despite the fact that unfair and corrupt conduct poses the greatest liability risks, which in some cases even threaten the existence of the company, especially concerning SMEs. Recent years have shown that the cartel authorities and public prosecutor's offices prosecute offences in these areas particularly systematically and impose substantial sanctions. If, for example, a contract is awarded because of the payment of bribes, the company risks not only having to pay a fine of up to EUR 10 million, but also having the profit gained through the contract skimmed off.

When companies become larger, the relevant areas of risk are assessed differently. Above all for companies with more than 5,000 on the payroll or a turnover of at least EUR 1 billion, the liability-prone risk areas of antitrust and corruption laws are at the top of the agenda. Among these companies, data protection and product liability only make it to places three and four.

Risk management is diversified

Risk assessment is mainly carried out by the controlling department in companies with fewer than 1,000 employees. In only about one-third of the companies is the legal department responsible or, if it exists, the compliance department. In companies with more than 5,000 employees, the risk assessment is no longer carried out mainly in the controlling department, but also in the legal, compliance or risk management department. A separate risk management department is relatively rare in all companies, however, and is only found in about one-fourth of the companies having more than 5,000 employees or a turnover of EUR 1 billion and more.

Over-regulation remains a constant issue

The interviewees largely agree on the most important challenges in organising compliance. Above all, according to the majority, it is necessary to react to governmental regulation. For more than one-third, foreign regulations also play a role. However, two-thirds of the interviewees also acknowledge that the stricter liability standards and requirements imposed by cartel and public prosecution authorities and the courts on compliance management systems constitute one of their major challenges.

The most important external challenges
Increasing statutory regulation or new laws: 78%
Special issues, such as the growing importance of data privacy protection, foreign trade legislation and money laundering: 70%
Stricter liability standards because of court rulings: 64%
Increasing demands on business partners regarding compliance: 56%
Foreign compliance regulations: 38%
Other: 1%
Don't know / no information provided: 6%

Business associates demand proof of compliance systems

For more than half of the participants in the study, compliance is not merely a reaction to governmental regulations. The growing requirements of business associates must increasingly be satisfied, which includes above all the demand for a compliance system to be set up. Half of the company executives consider it important or even very important to be able to demonstrate the existence of the company's own compliance system to business partners in Germany. In only one out of ten companies are the executives of the opinion that this is not necessary. Only a quarter of those interviewed consider a systematic organisation of the compliance system and providing related evidence to foreign business associates unnecessary. Compliance systems are thus becoming a prerequisite for participating in foreign trade.

Instruments

There are meanwhile many instruments available for controlling business risks. Only a small percentage (6 per cent) has not taken any action to date. A compliance standard is being developed. Two-thirds of those interviewed assume that their companies are sufficiently armed against compliance risks with the instruments that have already been implemented. To be able to perform the necessary tasks, external support is relied on in more than 50 per cent of the cases. The consultancy rate is even 80 per cent with respect to the legal review of compliance issues.

Relevant compliance tasks
(first value: is currently relevant within the company; second value: external consultants / advisers are occasionally or always involved)
Monitoring adherence to compliance procedures: 81% / 43%
Establishment, development and implementation of compliance procedures and policies: 78% / 57%
Legal review of compliance issues: 77% / 63%
Internal investigations, clarification of suspicious circumstances: 69% / 40%
Conducting and preparing training sessions: 67% / 35%
Deciding on compliance issues, e.g. exercising a veto right to prevent a critical transaction: 61% / 31%
Other: 1%
None of the above: 6%
Don't know / no information provided: 2%

Codes of conduct and compliance policies are widespread

Eight out of ten companies have a general code of conduct or department-specific conduct policies, such as an anti-corruption policy. The aim of such documents is to establish a company-wide standard of conduct that is in line with applicable law and can serve as a guiding principle also with respect to difficult issues. Just under half of the companies communicate the content of this compliance culture via an internal training programme; three-quarters of them conduct annual training sessions. There are more frequent training sessions in only one in ten companies.

Overlaps are not ideally utilised

Eight out of ten companies also have an internal control system (ICS) to facilitate compliance with the rules of conduct. The ICS is part of the compliance system in 21 per cent of the cases. For 37 per cent of those interviewed, on the other hand, compliance is part of ICS. In all, however, 43 per cent could not provide any information concerning the relationship of the two systems within the company. It can therefore be assumed that in almost one out of two companies the existing organisational areas are not efficiently linked and staff and financial capacities are not adequately utilised. In order to best prevent violations of law, one should become aware of the overlaps in the two areas and gear them accordingly. Existing resources could then also be better utilised.

[Figure: Relationship between ICS and compliance system. Categories: ICS is allocated to compliance; Compliance is allocated to ICS (37%); Don't know / no information provided (43%). Rounding differences cause the total to exceed 100%.]

Internal investigations are frequently carried out

If there is a suspicion of unlawful conduct, the company management is generally obligated to investigate the matter. The vast majority of those interviewed reported that the responsibilities for internal investigations were clearly defined and established. Just over half had already carried out this type of investigation, and in half of the cases only internal capacities were used for the investigation. There was comprehensive crisis management including response plans, guidelines and training sessions in only 25 per cent of the companies, according to those interviewed. However, more complex cases in particular require a systematic crisis prevention system for a fast and effective response. If no such system exists, even minor suspicions can turn into a concrete company crisis. There is still need for action in this respect in the majority of the interviewed companies.

Even so, a good two-thirds of those interviewed are at least partially prepared for the tasks to be performed within the framework of an internal investigation. For example, they have distributed competencies and prepared for contact with external advisers and the investigating authorities, as well as the questioning of employees. They have also established procedures for reviewing and evaluating electronic data. Internal leniency rules or amnesty agreements intended to motivate an informant to disclose information in the event of suspicion exist only at six per cent of the interviewed companies, however. Only one per cent of those interviewed are completely unprepared to date.

Internal Challenges

In the opinion of those taking part in the study, the fear of further bureaucratisation of business processes is a special challenge that could thwart further compliance activity in the relevant company. Almost 25 per cent of the companies also see the risk that the operative units might not be adequately willing to decide.

Compliance culture at the top of the priority list

For more than two-thirds of the participants, however, the general compliance culture is considered the main internal challenge, because it is precisely the creation of genuine awareness among employees and also management that is especially important to prevent violations of law. Working on awareness and acceptance of compliance on a day-to-day basis is thus at the top of the agenda of the interviewed compliance officers, even if the compliance culture in many companies is probably assessed as relatively good: almost 84 per cent of interviewees consider the compliance culture to be good or at least satisfactory, and just over 8 per cent consider it to be very good. According to those interviewed, completely inadequate conditions do not exist at any of the companies; 4 per cent considered the compliance culture deficient. There is thus still potential for development.

The greatest challenges for internal implementation
Genuine awareness of / acceptance for compliance (net): 73%
Employees' / management's genuine awareness of compliance: 58%
Employees' / management's acceptance: 54%
Slowdown, obstruction or complication of business processes and decisions by compliance procedures: 43%
Overstepping competencies of other company departments: 39%
Lack of readiness to make decisions for fear of compliance violations: 23%
Other: 1%
None of the above: 6%
Don't know / no information provided: 5%

Employees' awareness still capable of improvement

The majority of interviewees consider the employees to generally have acceptable awareness of compliance issues. But all the same, 21 per cent believe that there are still considerable deficits. Thus, there clearly is still some room for improvement. This view is often also shared by the employees themselves, as is shown by a current study of the Würzburg-Schweinfurt University of Applied Sciences. In this study, 23 per cent of 1,000 interviewed employees from companies of different sizes did not even have any idea of what the term compliance meant.

Management is still too cautious in terms of implementation

The compliance culture in management is clearly better established according to the interviewees: eighty-eight per cent think that both awareness and commitment have meanwhile reached a very high level there. When asked about the willingness in management to support and even actually promote compliance topics, the judgment of those interviewed is somewhat less positive. Also in this regard, there is thus still potential for optimisation.

[Figure: Employees' compliance awareness and Management's compliance awareness. Scale from 1 = very good to very poor, Don't know / no information provided.]

CMS Compliance Index

The CMS Compliance Index is calculated as the weighted average of 25 different, prompted variables. At the same time, the fields of organisation, facilities, requisites, precautionary measures and culture of compliance in the companies were taken into account. It thus consolidates the gained insights of the study. In future, the Index, like the whole study, will be compiled annually and make the development of the annual results comparable. Currently, the Index shows a value of 64 out of a possible 100 points. German big corporations have thus increased their awareness regarding the issue of compliance. The need for improvement nevertheless continues to exist. By tightening the set screws, however, further professionalisation and, with that, risk preparedness can ensue.

[Figure: CMS Compliance Index. Total index: 64 (0 = compliance does not figure, 100 = compliance permeates the entire economy). Dimensions: Culture employees, Organisation, Resources, Culture management, Need, Prevention / precaution.]

CMS Hasche Sigle is one of the leading commercial law firms. More than 600 lawyers serve their clients in eight major German commercial centres as well as in Brussels, Moscow, Beijing and Shanghai. CMS Hasche Sigle is a member of CMS Legal Services EEIG, a European Economic Interest Grouping that coordinates an organisation of independent law firms. CMS EEIG provides no client services. Such services are solely provided by CMS EEIG's member firms in their respective jurisdictions. CMS EEIG and each of its member firms are separate and legally distinct entities, and no such entity has any authority to bind any other. CMS EEIG and each member firm are liable only for their own acts or omissions and not those of each other. The brand name "CMS" and the term "firm" are used to refer to some or all of the member firms or their offices.

CMS Germany (October 2015)

CMS locations: Aberdeen, Algiers, Amsterdam, Antwerp, Barcelona, Beijing, Belgrade, Berlin, Bratislava, Bristol, Brussels, Bucharest, Budapest, Casablanca, Cologne, Dubai, Duesseldorf, Edinburgh, Frankfurt, Geneva, Glasgow, Hamburg, Istanbul, Kyiv, Leipzig, Lisbon, Ljubljana, London, Luxembourg, Lyon, Madrid, Mexico City, Milan, Moscow, Munich, Muscat, Paris, Podgorica, Prague, Rio de Janeiro, Rome, Sarajevo, Seville, Shanghai, Sofia, Strasbourg, Stuttgart, Tirana, Utrecht, Vienna, Warsaw, Zagreb and Zurich.

The sole purpose of this publication is to provide information about specific topics. It makes no claims to completeness and does not constitute legal advice. The information it contains is no substitute for specific legal advice. If you have any queries regarding the issues raised or other legal topics, please get in touch with your usual contact at CMS Hasche Sigle or the publisher of this document.

CMS Hasche Sigle Partnerschaft von Rechtsanwälten und Steuerberatern mbb, registered office: Berlin (Charlottenburg District Court, PR 316 B), list of partners: see website.