What are the factors that make a successful compliance management system and how does a compliance management affect the company´s business?

Table of Contents

Executive Summary

Acknowledgements

Table of Illustrations

List of tables

List of Figures

Table of Abbreviations

1 Introduction
1.1 Purpose
1.2 Issue Context
1.3 Aims and Objectives

2 Literature Review
2.1 Principles of Compliance Management
2.1.1 Definition
2.1.2 Background
2.1.3 Standards
2.1.4 German Standards
2.2 Compliance Management System
2.2.1 Dissociation of Risk Management and Ethics
2.2.2 Implementation
2.2.3 Motivation - Benefits and Costs
2.2.4 Framework
2.2.5 Factors of Success
2.3 Compliance Management System in the Tourism Industry
2.3.1 Tourism Industry
2.3.2 Extension
2.3.3 Framework
2.3.4 BestPractice
2.4 Summary of Literature Review

3 Methodology
3.1 Introduction
3.2 Identifying a Topic (Justification)
3.3 Research Approach
3.4 Formulate a plan
3.5 Techniques and Methods
3.5.1 Collecting Secondary Data
3.5.2 Collecting Primary Data
3.5.3 Research Ethic
3.5.4 Analysing Data and Presenting Findings
3.6 Strengths and Limitations

4 Data Analysis and Interpretation of Findings
4.1 Introduction
4.2 Consultancy firms’ perception of Compliance Management
4.3 Sample Companies
4.3.1 Operator: Hotel Reservation Service
4.3.2 Transportation: Aviation Lufthansa Group
4.3.3 Accommodation: Kempinski Hotels
4.4 Compliance Management of Sample Companies
4.4.1 Importance
4.4.2 Motivation
4.4.3 Implementation
4.4.4 Framework
4.4.5 Factors of Success
4.5 Summary of Primary Research

5 Conclusion and Recommendation
5.1 Conclusion
5.2 Companies Recommendation
5.3 Further Research Recommendation

Appendices

Appendix 1
NOS hospitality standards (NOS, 2011)

Appendix II
Interviews

Appendix III
Declaration of compliance (Original document is only in German) (Lufthansa, 2014 c)

Appendix IV
Project Module Supervisor Contact Sheet

Appendix V
Research Ethics Approval Form

List of References

Executive Summary

This research reports on the current situation of compliance management among business organisations. Compliance management aims to ensure that all participants of a company observe laws and regulations. It is a business process to help the management and the employees to meet requirements and governance guidelines. The following research aims to increase the awareness of compliance management in companies and among the society to decrease business crime and ethical and legal offences. Therefore, the dimension of compliance management is discovered in this work.

The first result is that the extension of the topic compliance management is very low. Mostly, just bigger and international companies have already implemented a compliance management as smaller companies suffer under the high costs of the implementation. Different standards evaluated by various institutions provide orientation on how to do responsible business by complying with these standards. It is suggested that compliance management is to be seen beside risk management and ethics, more, compliance management should be seen as requirement for risk management and ethics. A comment way of implementing a compliance management into the structures of the company's business is proposed. In this context the GRC - Governance-Risk-Compliance - approach is introduced. As the implementation of compliance management is a very costly process, companies need to be motivated by benefits of this process. In this research the avoidable costs and the return on investment are named to be the biggest benefit of compliance management. To get an idea of how a compliance management process might look like, two frameworks are distinguished with the necessary steps that need to be considered. The management and the employees are considered to the most important part of companies. Therefore, also in terms of compliance management the people involved are the source of success.

To narrow the research, its focus is put on the analysis of the tourism industry in Germany. Compared to the generalisation, extreme differences cannot be determined in terms of compliance management. Confirmed is the aspect that the number of big companies implementing a compliance management is higher than the number of small companies.

All these first results are based on existing literature. For a further analysis process a primary research is conducted within the German tourism industry to gain better insight into compliance management. Firstly, subjective consultancy firm's managers working in the field of compliance management are asked to provide information and secondly, three different companies of the tourism industry are analysed in terms of compliance realisation. The findings reflect the results gained from the already existing literature that the topic compliance management is not widely spread and that especially small companies shrink back from the costs.

Based on the results of the research project recommendations are made. Companies have to see the advantages of a compliance management and therefore to see the costs as investments. Furthermore, the importance of the employees and management needs to be taken into account by companies that want to implement a compliance management. Without feeling confident about it, compliance management should not be implemented. In this and also in further researches concerning compliance management, it needs to be highly respected that compliance management is a very sensible topic.

Acknowledgements

By submitting this research project, I will complete my postgraduate study and hopefully gain the MA International Business Management degree. I will finish another stage of my life, which would not have been possible without the advice, support, help and encouragement of some certain people. Therefore I would like to acknowledge these people for their company during my studies in various ways.

First of all I would like to thank my two dissertation supervisors, who supported me throughout different stages of my research project. Thanks to Camila Yamahaki, who gave me wise advice at the beginning of the research project.

Special thanks go to Kirit Patel, for his time and support after he was allocated to me as new supervisor as Camila was no longer associated to the university. He helped me to bring my research project to a good end.

Next I want to thank all the participants of my interviews, who offered time and information to support my research project.

Lastly, I want to say thank you to my family, especially to my parents, who supported me all the time and enabled me to do my master's degree in the U.K, in London. Also thanks to my friends and boyfriend for their support and encouragement during the whole research. A special thanks goes to my best friend Nathalie Schmidt, who helped me the whole time by giving wide advises.

List of tables

Table 2- 1: Important numbers of the German Tourism Industry

List of Figures

Figure 2- 1: Governance, risk management and compliance system

Figure 2- 2: Re-assessing the third-party-relationships due to compliance risks

Figure 2- 3: Return on Investment of a compliance management system

Figure 2- 4: Measurement of an effective compliance management system

Figure 2- 5: Comparison of value added shares of different economic activities

Figure 2- 6: Comparison of total employment shares of different economic activities

Figure 3- 1: Seven-step research process

Figure 3- 2: Research onion

Figure 4- 1: Compliance Implementation

Figure 4- 2: “Where do we want to go?”

Figure 4- 3: Compliance Framework

Table of Abbreviations

Abbildung in dieser Leseprobe nicht enthalten

1 Introduction

1.1 Purpose

The purpose of this research project is to identify the factors that make a successful compliance management and the effect of a compliance management on the company's business. In doing so a special attention is paid to the German tourism industry.

1.2 Issue Context

More and more cases of business crime cause sensation and companies came into bad headlines. This was and still is attributed to faulty internal controls and missing compliance. Based on the rising scandals the topic compliance arose. Compliance shall avoid crime in the business and help to observe ethic standards as well as laws and requirements. Compliance makes it possible, to recognise violations and to react in time. If companies do not react in time, they might have to suffer high punishments like monetary penalty or damage to their image (Harz et al. 2012). Therefore, in the 1990s companies started to implement a compliance management to protect themselves from damages caused by individual and group offending against regulations. The idea of compliance management was embossed by the finance sector especially in terms of corruption, money laundering and insider dealing in the U.S. However, quickly the topic compliance management was no longerjust a topic of the finance service instead of a topic for all companies today. In the U.S. the law SOX (Sarbones-Oxley-Act) was implemented to protect companies and their stakeholders from manipulations of internal and external persons and therefore from punishments (Kharbili et al. 2008). For the reason that in the U.S the implementation of compliance management by the companies was compulsory, and all companies related to U.S companies also have to observe compliance management, the topic spilled over to other countries (Geißler 2004). Therefore, the number of companies that implement compliance regulations in its organization is increasing; also as compliance management is getting more and more important (Bakman 2007). Nevertheless, the costs of implementing a compliance management are very high. Smaller companies can mostly not lift the increasing regulatory weight as well as the attended costs of the regulations. As a result, companies depreciate the importance in relation to the costs of a compliance management (Muckian 2014).

The research question is chosen to firstly generate a better understanding of the meaning of compliance management and secondly to analyse its extension in general and in the specific tourism industry. With the right understanding (requirements, factors of success, motivations) also the importance of compliance management will become clearly. The research project can help to increase the awareness of compliance management in all companies and industries throughout the provided information and findings.

1.3 Aims and Objectives

The dissertation is divided into five main objectives. These objectives are listed in the following:

- Demonstrating the need of compliance management in today's environment in general
- Analysing the extension of compliance management
- Analysing the effect of compliance management on the companies' business (motivation)
- Identifying the factors that make a successful compliance management (requirements)
- Analysing the specific tourism industry in terms of compliance management

To get the findings of the above mentioned objectives, the research is divided into two main research parts. Secondary research was conducted through academic books and journals. As the basics of compliance management is industry comprehensive, general literature could be used. Primary data was conducted through analysis of case studies by homepages, interviews and observations.

The secondary research reflects the main ideas and concepts other authors have already published about the issue compliance management. It informs the reader about the main and most important aspects and helps to understand the analysis in the later part of the research project. The literature review is divided in three parts. The first part describes the origin of the issue compliance management, what this term means and on which standards the concept is based. The second part goes deeper into the issue compliance management and describes the system more detailed, how it can be implemented, what are the benefits of such a system, how does such a system looks like and which factors can increase the success of the system.

As the research issue is more narrowed by a focus on the tourism industry, the third part of the secondary research is an introduction to the specific tourism industry. The tourism industry is described, the understanding and impact of compliance management in the particular industry is analysed and the main numbers of the German tourism industry are given. The summary of the literature review concludes the main discussed ideas and thus introduces the primary research.

The primary research, also called analysis part, comprises information conducted by the researcher themselves. The analysis builds on the last part of the secondary research and aims to analyse compliance management in the tourism industry in more detail. In doing so, the part is divided into two basic perceptions: objective views of consultancy firms on the topic compliance management, and subjective views of companies on themselves in terms of compliance management. Three companies are analysed, which cover the main sectors of the tourism industry.

All findings of the primary research are compared to the findings of the secondary research and the drawn picture of compliance management is brought down to a round figure.

Concluding there is a summary of the main findings of the secondary as well as the primary research. Based on these findings a recommendation is provided for companies' development and their further actions.

2 Literature Review

2.1 Principles of Compliance Management

2.1.1 Definition

To create a consistent understanding of the meaning of compliance management and compliance management system, it is important to give definitions at the beginning of the research project.

According to Loader (2004, pp. 17-18) he defines the role of compliance management as “the task of ensuring that an organisation complies with the rules of any relevant regulatory authority where that organisation carries on business and the responsibility to ensure that the organisation adheres to rules of any exchanges of which it is a member or where it transacts business” and furthermore the role is to “ensure that operations teams have the necessary information and guidance in respect of the regulatory implications that affect them”. Another definition about the meaning of compliance is made by Beasley (2014, p. 31) who states that “regulatory compliance describes the goal that corporations or public agencies aspire to achieve in their efforts to ensure that personnel are aware of and take steps to comply with relevant laws and regulations”.

For this research project following definition was developed by the researcher: Compliance management is the task of the leader to ensure that all members as well as third parties of the company conform to the laws, given standards, rules, requirements, contracts and ethics where they carry on business or act in contact to the company. In doing so, the leader has to provide and exemplify the necessary awareness and information to the employees and all other concerned people to comply with the law and regulations.

2.1.2 Background

To understand the dimension of compliance management and its increasing importance in the organizational environment the origin and development of this current topic is analysed next.

The main beginning of compliance management was during the 1990s with large companies addressing risks, ethics and legal issues to avoid breaking the rules (Weaver and Trevino 2001, Bonazzi et al. 2010). This movement of increasing importance of compliance management since the 1990s can be explained by rising scandals at these years, especially in the finance sector. One famous scandal was the falsification of the balance sheet by the big U.S. energy enterprise Enron (Kharbili et al. 2008). Due to this and other scandals, a law called Sarbanes-Oxley-Act (SOX) was designed in the U.S., valid for market-listed incorporate companies, that covers requirements related to the transparency, IT system and ethical issues inside the company which needs to be observed (Kharbili et al. 2008, Geißler 2004). Especially today, with the risk of internet, wireless networks and instant messaging, there is an increasing need for regulations of IT systems inside companies (Von Solms 2005).

Companies, which violate the law, have to suffer either short-term punishments, like high monetary penalty and therefore cost savings or worse long-term punishments, like losing market confidence. The law SOX was implemented to protect companies and their stakeholders from manipulations of internal and external persons and therefore from punishments (Kharbili et al. 2008). But not only U.S. incorporate companies have to observe the SOX regulations, also subcompanies and business partners are concerned of the laws. Due to the fact that not all subcompanies and business partners are located in the U.S., but have to observe the SOX regulations, the issue compliance management also spilled over to other countries, where these companies were located (Kharbili et al. 2008, Geißler 2004).

Beside the legislative andjudicial pressure to comply with given laws, there was also an increasing pressure from the society to act legal and ethical correct and to demonstrate a compliance culture (Weaver and Trevino 2001, Fahey 2007). Furthermore, companies also recognised the importance of compliance management by themselves and therefore implemented a compliance management for their own benefits. One reason is the increasing need to be informed about the own daily business, e.g. production, marketing, sales and finance processes to avoid any illegal actions (MacKessey 2010, Kharbili et al. 2008). Another familiar reason is the need to control the company's risks and therefore to get the chance to lower these risks (Rath 2013, Von Solms 2005).

As it was described before, the number of companies that implement compliance regulations in its organization is increasing (Bakman 2007). According to Kelly (2014) 2,000 to 4,000 new compliance regulations were recently implemented in each organisation. He justifies this trend by the companies’ motivation to demonstrate their seriousness about this issue. However, there is still a difference between big and small companies. More implementations of compliance regulations also mean higher compliance costs. From 2012to 2013 the costs have increased from $26,040 to $43,493 per company. Smaller companies can mostly not lift the increasing regulatory weight as well as the attended costs of the regulations (Muckian 2014). This aspect about the disadvantages of a compliance management is analysed in more detail in the later part of this report.

2.1.3 Standards

It was described that the main origin of compliance regulations lays in the U.S. by the introduction of the law SOX. However, SOX is not the only law that provides standards and regulations for companies and therefore other standards are illustrated in the following. Unfortunately the contents of these standards need to be purchased from the different institutions so that it is not possible to publish the different standard contents in this research project. However, in Appendix I (p. 48-49) it can be found standards from the Organization National Occupational Standards (NOS 2011) that originally are for the hospitality but which are also applicable for other industries and therefore will help to illustrate a picture about what these standards related to compliance cover.

Looking to an international context, the International Organization for Standardization (ISO) is the most famous organization, which provides international standards for companies to do responsible business. However, regulations like the ISO standards are very abstract by nature to ensure independence and flexibility in implementation and adapting to the different business issues and all industries (Kharbili et al. 2008). There is no specific compliance management ISO standard yet (ISO/PC 271 2014), but due to the mentioned abstractness, there are different ISO standards that are suggested by different researchers to be applicable. One possible standard is for the “Information Security Management” (ISO/IEC 27001 2014,

Ramirez 2006) and “will help your organization manage the security of assets such as financial information, intellectual property, employee details or information entrusted to you by third parties” (ISO/IEC 27001 2014). Another standard is the “Information technology - Security techniques” standard (ISO/IEC 17799:2005) which is about an information security management in an organization (Tarantino 2008, Beasly 2014). Close to the ISO/IEC 17799:2005 and also applicable to compliance management are the standards covered in “Information technology - Service management” (ISO/IEC 20000-1 2011, Kharbili et al. 2008) which are “specifies requirements for the service provider to plan, establish, implement, operate, monitor, review, maintain and improve an SMS [service management system]” (ISO/IEC 20000-1 2011).

It can be seen that this standards are mostly about the security and thus the protection of the company's business. The requirements of compliance management are also the indemnification of the company's business and therefore are similar to these security standards. By looking at different Industries, some companies differ in how they understand compliance management and therefore which standards they use. This is the result of the different businesses they do and therefore the different emphases they need to set. (Kelly 2014).

2.1.4 German Standards

Beside the international standards of ISO there are also country specific compliance management standards developed by different home institutions/companies. In Germany, the Deutsche Corporate Governance Codex (DCGK) and the TÜV Rheinland are two of these institutions, which developed guidelines for companies related to compliance management. The DCGK published national and international accepted legal regulations for managing and monitoring German market-listed corporations in a good and responsible manner. The company defines compliance as the responsibility of the management for the abidance by law regulations and internal organizational guidelines and that the management works toward this adherence by the company (DCGK 2013). The TÜV Rheinland (Technischer Überwachungsverein = technical monitoring agency) regularly publishes guidelines together with case studies to increase the understanding in companies and furthermore to help companies with the implementation of a compliance management (TR CMS 101 2011). Some other institutes that provide guidelines for compliance managements are the German Institut der Wirtschaftsprüfer (institute of auditor) (IDW PS 980 2011) (Ernst and Young 2011), or the guidelines published in Basel II, which are valid for all countries of the European Union (Kharbili et al. 2008). All existing guidelines and requirements are similar and all want to help the companies to handle the issue compliance management easier by providing standards as orientation.

2.2 Compliance Management System

2.2.1 Dissociation of Risk Management and Ethics

Looking at the parts before, it can be seen that compliance management and risk management are very similar and also ethics issues are closely. The following part intends to help clarifying these three different subjects.

Some companies measure more important to risk management than to compliance management and therefore compliance management won't be realised or will be neglected by cutting the costs. However, compliance management should be less seen as an organizational function (like risk management) than a culture that needs to be implemented and internalized by all participants of the company. For companies it is mostly easier to implement a compliance management when a risk management already exists. In this way a compliance culture can help the risk management by anticipating and avoiding risks (Ho 2009, Rath 2013).

Also ethics are closely related to compliance management. Similar as mentioned above ethics should be seen as one part of compliance management. If a company has already implemented the 'right' ethics in its organization than also compliance will become easier to manage (Kelly 2014). If there is not already an ethically understanding in the company and compliance related to ethical issues will be implemented, employees of the company might follow ethical values just to avoid punishments through the compliance management system but not because of conviction. On the other hand, if ethical values already exist in the company too much compliance in this field might communicate distrust. So a balance of ethics and compliance in companies is necessary and can lead to a development of ethical values in the organization (Weaver and Trevino, 2001).

2.2.2 Implementation

Based on the before discussed dissociation, this part shows how a compliance management beside a risk management and ethics can be implemented into a company's organization.

Most of the theory states that compliance management should be an integrated system and not a separate department or section (Rath 2013). Based on this view, the integrative approach GRC (Governance-Risk-Compliance) was developed. It is an internal framework, which task is to fulfil governance requirements, estimate risks and monitor how the company complies with regulations (Ponemon Institute 2011). This integrated system of three different but similar aspects of a company was created to reduce costs and efforts through synergy effects (Ho 2009). Furthermore, the GRC system helps to response to multi-source, development and complex regulations (Bonazzi et al. 2010). According to Ho (2009, p. 1) the GRC system can be illustrated in a pyramid (see Figure 2-1 blow).

Abbildung in dieser Leseprobe nicht enthalten

Figure 2-1: Governance, risk management and compliance system (Ho 2009, p. 1).

Figure 2-1 above illustrates that according to the GRC approach, compliance should be the basement of developing the company's organization. The Figure above shows the aspect described before that compliance should be developed according to ethics and that compliance are influenced by ethics and also by integrity and the culture of the company. Furthermore, in this Figure it can be seen that risk management is a part of compliance management and it is managed by compliance. On the top of the company is the governance, which acts in the manner of the compliance inside the company (see understanding of DCGK's standards). The whole GRC system is characterised by monitoring, assurance, information and communication processes. One last aspect that can be seen from this Figure is the involvement of third parties. Not only the activities of the own company are important and should be orientated on given compliance to do the right things, also the activities of third parties, which are connected with the company, should comply with the company's rules and constraints and therefore managed in the GRC system.

According to Kelly (2014) this third party risks of complying with the companies rules and constrains is one of the biggest challenges for companies. It is difficult for a company to monitor their third-parties if they have a huge number all over the world. Due to the third-party risk issue, 80% of global companies re-assessing their relationships (joint-venture partners, suppliers, distributors, agents and other partners) with other companies, reviewing their risks or rising their monitoring of third parties (Mont 2014). Five percent of all respondents within a survey of the 'Compliance Week & Deloitte's Compliance Trends Report' answered to decrease their relationships to global business partners and increase the in house activities as a respond to the third party risks (ibid). The whole result of the survey related to the question of re-assessing the third-party relationships due to rising risks in terms of compliance can be seen in Figure 2-2 below.

Abbildung in dieser Leseprobe nicht enthalten

Figure 2- 2: Re-assessing the third-party-relationships due to compliance risks (Mont 2014, p. 42).

2.2.3 Motivation - Benefits and Costs

After analysing the best way of implementing a compliance management system, the big question is, why a company should implement a compliance management system, hence, what are the effects, especially the benefits of a compliance management system that motivate a company of an implementation.

The international bar association Illinois Bankers Association, a global leading organisation for legal practitioners, bar associations and law societies, formulated seven benefits a company can gain with an implemented compliance management system (IBA 2012, p. 5):

- “Save money by averting and fixing compliance problems before they become issues - especially compared to the costs oflater remediation”
- “Demonstrate management’s commitment for a strong compliance culture to your regulators and directors”
- “Establish a strong, positive tone at the beginning of exams and provide a meaningful communication format with examiners during exams”
- “Identify existing risks before your examiners do”
- “Effectively allocate resources to improve operational efficiencies”
- “Provide dynamic procedures for your employees to meet ongoing and new regulatory challenges”
- “Strengthen your [...] business model by accurately knowing your regulatory strengths and weaknesses”.

Like it can be seen from the aspects listed above, some motivations for implementing a compliance management system are only leading indirect to benefits for the company. These motivations rose from the today society’s awareness. Today, there is a “strong sense of ethical (and social) responsibility” and an awareness to “comply with government laws” so that companies want “to do the right thing” (Weber and Wasieleski 2013, p. 614). By following the current awareness of the society, the company’s revenue can indirectly be increased: Within an effective compliance management system, employees might get more satisfied and more productive. Therefore, more customers want to buy the products and services, hence the company might get competitive advantages (LRN 2007). The fact about the possibility to increase the company’s revenue might motivate companies the most to implement a compliance management system (ibid). This described return on investment can be seen in Figure 2-3 below.

Abbildung in dieser Leseprobe nicht enthalten

However, despite the benefits listed above the implementation is accompanied by risks, which are not to be undervalued as otherwise companies will fail the compliance management issue (Marchetti 2011). These risks or better challenges for the company might be that the majority of time has to be spent on remediation and often there is too less time to develop a long term compliance plan. Another reason for a company's failure might be a weak organizational infrastructure, including a weak implementation of the compliance management (ibid). The most important challenge a company needs to take into account are the before mentioned relative high costs of a compliance management and its implementation that arise (Marchetti 2011, Kusserow 2014, Kharbili et al. 2008). The costs of a compliance management system vary in their estimation caused by the industry and the growth of the company. However, a tendency can be seen from different surveys. One survey shows that a company with 1$ billion in revenue has costs of 6$ million of its compliance management. Another survey states that companies with a revenue of 10$ billion carry 10$ million costs of their compliance management system (Steinberg 2011). The costs of a compliance management seem to be very high why lots of companies, especially small companies, shrink from an implementation. But without implementing a compliance management, the revenue might be lower caused in high penalty costs and image damage like it was described before. Hence, according to one study (ibid), a company with a revenue of 1$ billion and one compliance failure had to suffer 81$ million costs.

2.2.4 Framework

The previous parts demonstrated the specific standards and requirements of a compliance management and how a compliance management can be implemented in the company's organization. Now, this part analyses how such an implemented compliance management system, orientated on the given legal standards, might look like and of which parts such a system consists of.

The first part of implementing a compliance management system is to decide, who the responsible person is (Ross 2007). Depending on the industry and growth of the company the person with compliance authority can be the CEO or an extra compliance officer with a position next to the CEO and no other tasks (Mont 2014). Important is that the starting point of compliance communication lies in the top layers of the organization's hierarchy to demonstrate the compliance commitment to the employees, who otherwise won't care about the topic (LRN 2007).

After authorizing one person with the compliance issue, a compliance management process needs to be developed. Rath (2013, p.16) defined a so called “compliance management system lifecycle” which consists of four steps. The first step in this lifecycle is the understanding of legal and other requirements as foundation to comply with them. The second step consists of two parts, firstly identifying the risks and rigorous combined with noncompliance and secondly identifying the strange of the already existing internal controls in the company. After this, the company can develop its compliance controls by using and optimizing its resources to handle first higher risk matters and then lower risk matters. The fourth and last step in the compliance management system lifecycle is to develop and implement a process in the organization to identify and resolve compliance risks within the organization and to observe and check this process and its efficiency (Rath 2013).

Another compliance management process consists of nine steps (Ho 2009, p. 2). The process is similar to Rath's lifecycle process, but is formulated in more detail:

1. “Identification of requirements”
2. “Interpretation of requirements and impact analysis”
3. “Scope determination”
4. “Data collection and identification of compliance issue(s)”
5. “Risk analysis”
6. “Implementation of appropriate action(s) for compliance issue(s)”
7. “Reporting and monitoring”
8. “Continuous improvement”.

The first two steps of this process are equal to the first lifecycle step: Understanding the legal and other requirements with which a company has to comply. “Scope determination” deals with the filtering of the general requirements to the relevant requirements for the particular company to simplify their implementation (ibid). Step four deals with analysis of the company to identify compliance issues and gaps. “Risk analysis” deals with identifying and prioritize risk issues/persons/domains in the company and also taking control mechanism into account (ibid). Step six and seven of this process are like step four in the lifecycle system and are about implementing a developed compliance process and observing this process as well as analyse and communicate the results. The last step of this process is more than the last step of the lifecycle and is very important. As the issue compliance is very complex and regulations are changing over the time, it is important to continuously improve the compliance management process inside the company. Furthermore, companies can learn from each other and other countries and therefore get better in their compliance processes (Ho 2009).

Due to the fact that the second described process above is a more detailed process, this one should be followed by companies to ensure a complete compliance management system that cannot fail because of missing steps. To demonstrate the implementation of such a working compliance management system to stakeholders, the above mentioned organisations, which formulate the compliance standards, also check companies’ compliance management systems and certificate them if the system is proofed to be effective (TÜV Rheinland 2014). However, more important and more meaningful than such a certification is that the company promote their compliance in different reports and hence shows their seriousness about this issue to the different stakeholders (Dodds and Joppe 2005).

2.2.5 Factors of Success

The research project already discussed possible ways of implementing a compliance management. In the part before, different steps of a compliance management system were analysed. A company should follow these steps to ensure compliance within the company. However, there are also some factors which should be taken into account to ensure that the compliance management system is successful. The below listed factors are not compulsory, but the more factors will be realised, the more successful the company might be. In this context, the used word successful is equal to the word and meaning of effective (Macri 2010).

One factor that can help to create a more successful system is the importance also to look at other companies/countries and their realisation of a compliance management system to get suggestions for one self and to avoid an insular system (Mont 2014, Deloitte 2014). Another factor is the aspect of proactive and reactive compliance activities. Proactive activities are dealing with prevention and early detection, and eliminate or minimise compliance risks in a short time. Reactive compliance activities are dealing with consumer feedback and the risks after a longer time, when they have gotten to the company's notice. Despite most companies mostly focus on reactive activities, both activities are important for a successful compliance management system (Rath 2013). Also, if there is no ranking list of the factors listed in this part, the employees of a company are a crucial, even the most important element for a successful compliance management. Therefore it is very important to brief and train all concerned persons (Ho 2009). Furthermore, the top-down approach of the communication (from the leading positions to the employees) is very important, as this is the only possibility to create a compliance culture (ibid). This aspect is accompanied by a good leadership style. Good leadership means amongst others, to be able to create a compliance culture and on the same time a workplace that is characterised by self-regulations. Within this business culture the management is furthermore able to influence the employee's behaviour and thinking in the way the compliance management system will work successful (Hu et al. 2012). According to Kharbili et al. (2008, pp. 6-8) they single out eight main requirements of a compliance management system that derived from the risks and challenges analysed before and which should be implemented to be successful:

- “Change management”: should be changeable, propagating and within a scope
- “Traceability & Accountability”: documentation of all actions and used resources and their reason
- “Complexity”: dealing with different domains and purposes
- “Efficiency”: policies need to help achieving the business goals
- “Cost”: costs have to be reduced
- “Enforceability”: policies and business processes need to be compliant
- “Scalability”: managing the complexity of general regulations
- “Impact Analysis”: knowing that changing policies or business goals has repercussions.

After listing a few factors that might be important for a successful compliance management system, the question is how to measure success. Deloitte asked in a survey different companies of their way to measure a successful compliance management system. The results can be seen in Figure 2-4 below, which shows that the most popular way of checking the success of a compliance management system are internal audits and hotline calls. If these are getting less, it can be interpreted that the compliance management system is successful. The in Figure 2-4 used term program is used equal to the term system (Deloitte 2014).

How do you measure compliance program effectiveness?

Analysis of internal audit findings Hodine call analysis Completion rates for required compliance trainng Disposition of nternal investigations Analysis of self-assessment results Feedback from employee ethics surveys Comparisons to competitors or similar organizations independent evaluations by outude counsel and/or consultants

Analysis of regulatory reviews Exception rates in compliance testing activities Sue of regulatory fines or penalties

Figure 2- 4: Measurement of an effective compliance management system (Deloitte 2014, p. 1).

2.3 Compliance Management System in the Tourism Industry

2.3.1 Tourism Industry

This last section of the literature review analyses the compliance management in the specific tourism industry.

Over the time tourism has changed a lot. As earlier traveling was the result of trade, exchange of goods and commerce, later the idea of pleasure travel became more and more famous. The development of modern transport systems and the introduction of annual paid holiday had supported this idea so that today's understanding of tourism arose (Bhatia 2006).

During the process of traveling, there are different segments involved of which the tourism industry consists. One way to divide the tourism industry is into four main segments, operator, transportation, accommodation and supporting services (in dependence on Frey 2006, Bhatia 2006). Operators are travel agencies and tour operators, which arrange the trip. Types of transportations are rail, air, road and ocean transportations, accommodations are hotels, motels, resorts, inns, villas, apartments, caravans, hostels, houses and so on and supporting services are incoming agencies, parks, museums, art galleries, attractions, shows, sport offers, restaurants, bicycles rentals, the nature and so on. The analysis part was conducted in terms of this classification of the tourism industry, whereas the focus was put to the three main sectors operator, transportation and accommodation.

As in the analysis part the German tourism industry is analysed, below in Table 2-1 the tourism economy in Germany is illustrated with the most important numbers.

Abbildung in dieser Leseprobe nicht enthalten

Table 2- 1: Important numbers of the German Tourism Industry (BTW 2012, pp. iii-iv, DTV 2012, p. 4).

[...]