The influence of change management practices on the implementation of Compliance Management Systems in companies

Table of contents

Abstract

Preamble

Table of figures

List of abbreviations

Executive Summary

1 Introduction
1.1 Problem statement
1.2 Objective and research question
1.3 Scientific method
1.4 Organization of the thesis

2 Disambiguation and definitions
2.1 Definitions of Compliance
2.1.1 Compliance
2.1.2 Compliance management
2.1.3 Compliance Management System
2.2 Definitions of change management
2.2.1 Strategic management
2.2.2 Change management
2.2.3 Organizational development
2.2.4 Organization design

3 Theoretical basics and legal aspects for Compliance
3.1 Compliance – theoretical basics
3.2 Legal aspects for Compliance
3.2.1 Germany
3.2.2 USA
3.2.3 United Kingdom
3.3 Organizational forms of Compliance

4 Theoretical basics for change management
4.1 Change management – theoretical basics
4.2 The change management process
4.3 Cultural change in companies

5 Overview about the Compliance activities of selected companies
5.1 Siemens AG
5.2 Linde AG
5.3 MAN SE
5.4 Hochtief AG

6 Empiric part
6.1 Description of the methodic approach
6.2 Results of the expert survey

7 Summary and conclusion
7.1 Résumé
7.2 Recommendations

Appendix

Abstract

This master thesis deals with the impact of change management practices on the implementation or revision of Compliance Management Systems in companies. The main target of the master thesis is, to elaborate on the question: “which implications does the definition of Compliance management as a change management process have”? Derived from that, the Compliance Management Systems of four selected companies have been reviewed. The master thesis also includes a theoretical part in which the basics of the topic have been evaluated. To answer the research question, an online survey with Compliance employees of the selected companies and some other companies has been conducted.

Preamble

This thesis has been formed during the degree program “Master of Business Administration (MBA)” at the Danube-University, department for economic and management sciences, Krems, Austria. Since I have been working in the Compliance area and within the Compliance departments of various big corporations starting from 2008 and due to my personal emphasis on change management during my studies, I have decided to explore a combination of both topics within the master thesis, after consultation with my tutor, Dr. Hubert Lobnig. I would like to thank Dr. Lobnig for his advice during the preparation of the thesis. Also I would like to thank my family for their support during the time of the studies. Special thanks are going to all Compliance experts and (former) colleagues, who have supported the empirical part by way of participating in the online-survey.

Table of figures

Picture 1: Strategic organization of Compliance Management Systems

Picture 2: Strategic Management Process

Picture 3: Extended Compliance organization

Picture 4: Level of changes

Picture 5: Gradualist paradigm

Picture 6: Punctuated equilibrium paradigm

Picture 7: Overview types of change

Picture 8: Kotters 8-step change model

Picture 9: Lewin change management model

Picture 10: Hayes change management process

Picture 11: Three levels of culture

Picture 12: Siemens Compliance Management System

Picture 13: Siemens Compliance organization

Picture 14: Siemens Compliance indicators

Picture 15: MAN Compliance organization

Picture 16: Hochtief Compliance organization

Picture 17: Answers question 4

Picture 18: Answers question 5

Picture 19: Answers question 7

Picture 20: Answers question 10

Picture 21: Answers question 13

Picture 22: Answers question 15

Picture 23: Answers question 16

Picture 24: Answers question 17

Picture 25: Answers question 19

Picture 26: Answers question 24

Picture 27: Answers question 26

Picture 28: Answers question 30

Picture 29: Answers question 32

Picture 30: Answers question 35

Picture 31: Answers question 37

Table of charts

Chart 1: Answers question 29

List of abbreviations

illustration not visible in this excerpt

Executive Summary

Worldwide corruption causes multi-billion dollar amounts of economic damages every year. According to the World Economic Forum (WEF) the estimated costs of corruption amount to more than 5% of the global gross economic performance (2.6 trillion US Dollar) with more than one trillion US Dollar payed bribes per year (World Economic Forum, 2012, Internet). In Germany alone, the estimated damage in 2012 sums up to 250 billion Euros (Dowideit, 2012, Internet).

A respectable amount of companies has implemented Compliance Management Systems and control mechanisms in the meantime or are planning a future implementation (Wulf, 2012, p. 2). Employees and Managers are requested, to abide by the rules (internal and external) and to behave compliant. There is a clear communication from the management, that there is a zero-tolerance-border regarding violations of the rules, and in case of exceedance, the employee has to expect professional and personal consequences. The successful implementation of a Compliance Management System requires particularly also a culture change within the company (Pohlmann, 2008, pp. 77-81).

Change management practices support companies in adapting to altered surrounding conditions and go along with the implementation of new systems. They establish the necessary preconditions for a successful implementation of change management projects. At the same time the handling of personnel issues is also an important topic. During times of change, effective leadership and communication are even more important. A professional change management assists and fosters the cultural change in companies (Hayes, 2010, pp. 140-142).

This Master thesis deals with the impact of change management practices on the implementation or revision of Compliance Management Systems in companies. The main target of the Master thesis is, to elaborate on the question: “which implications does the definition of Compliance management as a change management process have”? Derived from that, the Compliance Management Systems of four selected companies have been reviewed.

The Master thesis also includes a theoretical part in which the basics of the topic have been evaluated. To answer the research question, an online survey with Compliance employees of the selected companies and other companies has been conducted within the forensic part of the thesis.

The explanations within the theoretical part reveal, that nowadays every company, whether small-, medium-sized (SME) or big corporation has to comply with existing domestic and foreign laws, complementary regulations such as voluntary commitments or codes of ethics and additional internal guidelines.

Otherwise the company and its employees are threatened by damages through uncovered and traced contraventions. Imposed punishments range from high penalties to imprisonment for concerned employees of the company. Along with it comes a non-quantifiable reputational damage for the company, which can particularly lead to order-/sales losses. Furthermore there is a possibility, that the company, based on imposed sanctions from the law enforcement agency or other institutions as e.g. the World Bank, will be banned for a certain time from public calls for bids, which than will also lead to a drop of the sales volumes. In the meantime in some cases, there have been additionally filed lawsuits under civil law, against former board members or managing directors of the affected companies.

The implementation of a Compliance Management System requires many changes but mainly a cultural change. To put it into execution, it is reasonable, to use change management methods and to follow the structured change management process. This process provides quasi as a “toolbox” a set of scientific substantiated findings, assistance and tools. Besides that, the research about change processes explores the nature of changes per se and also the particular handling of problems which can become eminent during change processes. The change management practices do for instance also give attention to the employees’ willingness and resistance to change. The handling of personnel issues such as leadership, motivation and interest-group management plays a huge role for a successful project implementation. In addition within the change project, there are measures such as project management, training and especially communication, which provide significant support for the change process.

The results of the online-survey are a detailed confirmation, that the Compliance Management Systems, have been successfully implemented by using change management practices, partly also with the support of external consultants. All Compliance experts have acknowledged, that the Compliance Management System has been implemented successfully und that the change management practices had a positive influence on the implementation of the Compliance Management System. This has also been confirmed by employee surveys, which have been conducted meanwhile.

In summary and relating to the research question, it can be determined, that there are positive effects on the successful implementation or transformation of Compliance Management Systems, when Compliance management is defined as a change management process resp. when change management practices are used though.

1 Introduction

1.1 Problem statement

After in various big international corporations e.g. Enron, WorldCom, Tyco or Siemens, severe business scandals in connection with bribery, falsification of balance sheets, embezzlement or alike have been uncovered, English terms like “Sustainability”, “Governance”, “Integrity” and “Compliance” have been widespread subsequently and have meanwhile found their way also into the German parlance (Stessl, 2012, p. 15).

Worldwide corruption causes multi-billion dollar amounts of economic damages every year. According to the World Economic Forum (WEF) the estimated costs of corruption amount to more than 5% of the global gross economic performance (2.6 billion US Dollar) with more than one billion US Dollar payed bribes per year (World Economic Forum, 2012, Internet). In Germany alone, the estimated damage in 2012 sums up to 250 billion Euros (Dowideit, 2012, Internet).

Since companies basically do have the obligation, to act in accordance with the law in all their business activities, the above mentioned terms are not new inventions, rather it is an intensified trend, which after the United States of America, caused by the first big scandals which emerged there, subsequently also arrived at Europe. Especially for big (stock exchange listed) companies, but also more and more for middle and small-sized companies, there is a need for behavior modification and intensified monitoring due to the introduction or change of laws resp. voluntary commitments of the national economy or its unions (e.g. the US Sarbanes-Oxley-Act (SOA or SOX), the UK Bribery Act, the US Foreign Corrupt Practices Act (FCPA), the German Corporate Governance Codex (GCGC), etc.) and associated feasible fines and penalties in case of violations, but also due to increased public perception and criticism, supported by the work and communication campaigns of organizations such as the Organization for Economic Co-operation and Development (OECD), the United Nations Organization (UNO), Transparency International (TI) and the World Bank (Dorn, 2010, p. 11).

In addition, more and more companies recognize, that a well-functioning Compliance Management System could be a competitive advantage against competitors, because meanwhile, many companies contract new business relationships only with reliable and law-abiding business partners and new dealings are only done after an intensive check of these partners. Thus a positive Compliance culture also advances more and more to an important marketing message outside the companies (Kaszelik, 2010, p. 17).

In the meantime a respectable amount of companies has implemented Compliance Management Systems and control mechanisms or are planning a future implementation (Wulf, 2012, p. 2). Employees and Managers are requested, to abide by the rules (internal and external) and to behave compliant. There is a clear communication from the management, that there is a zero-tolerance-border regarding violations of the rules, and in case of exceedance, the employee has to expect professional and personal consequences. The successful implementation of a Compliance Management System requires particularly also a culture change within the company (Pohlmann, 2008, pp. 77-81).

In a, in this day and age, very fast changing working environment, with global trends like globalization, diversification und fast technological development, companies have a more or less constant demand, to adapt their standard business processes or organizational units resp. the whole organization. Large companies have to continuously adjust their structures, also associated with mergers and acquisitions, joint ventures and delayering. Smaller organizations, e.g. companies within the information technology sector, have to adapt to changing technologies and fast moving market conditions. Due to this reasons, many companies follow standardized change management processes. Change management means, to plan, initiate, realize, reflect and stabilize change processes in companies (Kostka, 2002, p. 9).

Change management practices support companies in adapting to altered surrounding conditions and go along with the implementation of new systems. They establish the necessary preconditions for a successful implementation of change management projects. At the same time the handling of personnel issues is also an important topic. During times of change, effective leadership and communication are even more important. A professional change management assists and fosters the cultural change in companies (Hayes, 2010, pp. 140-142).

Always closely linked with the change management is also the question of the proper organizational design in the context of the organizational development. Organizational development is a system-wide and value-based, collaborative process of applying behavioral knowledge to the adaptation, improvement, and reinforcement of organizational functions (strategies, structures, processes, employees and cultures) that lead to an effective organization (Anderson, 2001, p. xix).

Within the ongoing process of change management, initially the actual situation has to be evaluated with appropriate methods such as the SWOT analysis, the McKinsey 7S Model or a functional analysis (Carnall, 2003, p. 192) and afterwards, predicated on the results, a new suitable organizational design for the affected entities has to be determined and implemented respectively. The diagnosis phase is only one step within the full process of a change management project though. Alongside there are still more process steps which have to be followed and adhered to within the scope of the overall project. Thus after the diagnosis phase e.g. the relevant implementation measures have to be planned and prepared. The next process step thereafter is the implementation of the individual measures (Hayes, 2010, p. 47).

However, there are many other topics e.g. leadership (combined with the necessary knowledge about the various leadership theories and their effectivity), communication (as a key project component) or the future vision and strategy for the company, which play an essential part for the successful realization of a change management project within the whole process. The basis for successful change management projects is the explicit knowledge about the various (organizationally) change management theories and approaches and their application in practice.

But do all affected companies utilize the possibilities of change management processes in the context of the Compliance management resp. especially during the implementation of Compliance Management Systems? How does the utilization or non-utilization of change management processes affect the implementation of Compliance Management Systems? The Master thesis at hand examines the subject and analyzes the respective elements to generate answers to the open questions.

1.2 Objective and research question

The main target of the Master thesis is, to analyze and to illustrate, whether there is a correlation between (the implementation or the change of) Compliance Management Systems and the utilization of change management practices. In doing so, first of all, common theoretical insights are researched, analyzed and described. Furthermore the Compliance activities of selected companies are illustrated, to make a link between the theoretical part and the practical usage. By using an online-survey, evidence shall be obtained, if the usage of change management practices do have an influence on the appliance of Compliance Management Systems in companies.

This Master thesis deals with the following research question:

Which implications does the definition of Compliance management as a change management process have?

1.3 Scientific method

Firstly, the necessary definitions and foundations on the subject of change management and Compliance management are determined by literature research and described in the first chapters. Within this framework, the most important legal aspects and the international character of Compliance are also described. The Compliance activities of selected companies (Siemens, Linde, MAN and Hochtief) are presented and compared by means of internet research and evaluation of further company information, such as Compliance reports, annual reports and sustainability reports. This is intended to provide a practical reference to the theoretical part of the work. Subsequently, expert interviews are conducted and described in the form of an online survey, with employees from the Compliance departments of these, and various employees with Compliance knowledge of other companies, in order to supplement the knowledge gained so far. On the basis of the final evaluations, conclusions and concrete recommendations for action are developed and presented, also based on the expert opinions. The results of the work are thus based on a comprehensive literature research in connection with the results of the expert survey.

1.4 Organization of the thesis

After the introduction in chapter 1 follows the terminology of the most important topic components in chapter 2. In chapter 3 then follows the theoretical description of the Compliance theme, combined with the description of the various options to organize Compliance in companies. Chapter 4 addresses the theoretical knowledge about change management. Chapter 5 gives an overview about the Compliance activities of selected companies. In chapter 6 the design and the results of the online-survey are illustrated. Chapter 7 finally summarizes the most important findings, followed by recommendations for interested readers.

2 Disambiguation and definitions

2.1 Definitions of Compliance

This chapter starts with the explanation and definition of the necessary terms, to foster a better understanding of the thesis during the following sequel.

2.1.1 Compliance

Compliance originates from the English verb „to comply with“, and means that one has to follow the rules. The literature contains many different definitions of the concept of Compliance, which are quite justifiable in the different context. In this way, Compliance can be broadly defined as follows: "Compliance refers to all the formal and informal governance structures of an organization with which its management efficiently and effectively detects and prevents fraudulent actions (fraudulent means in the specialist language, balance sheet manipulations, infidelity, embezzlement and all other acts intentionally carried out to the detriment of the company) by members and agents of this organization. Compliance is an integral part of strategic and operational management and aims at the sustainable, legal, economic and social safeguarding of the existence and the achievement of an organization" (Wieland, et al., eds., 2010, p. 19). In addition, there is a variety of other definitions, which are also much narrower. For the content of this thesis, especially one definition seems to be appropriate: "Compliance is the totality of all arrangements to ensure the legal Compliance of a company, its organs and employees with regard to all legal regulations concerning the company and its activities" (Zimmermann, Wieland, et al., eds., 2004, pp. 200-221).

2.1.2 Compliance management

In view of the aforementioned and, in particular, to the relevant legal requirements, Compliance is therefore a very specific management task, since management generally bears the responsibility for the implementation and adherence to Compliance in an organization. Compliance management is not limited to companies, but is also the responsibility of management in other organizations, such as public authorities, hospitals, universities, etc. The definition of Compliance as a management task ensures that adherence to Compliance is not limited to the work of the legal / Compliance department, Compliance Officer / Compliance manager or the introduction of processes and IT systems, but becomes the task of each manager in his / her respective function. Compliance management is supported by formal (e.g. guidelines and processes) and informal (e.g. company and management culture) structures. On the one hand, Compliance management aims to place the various Compliance activities strategically in an organization's business model, and on the other hand to integrate Compliance into the daily business operations (Wieland, 2010, pp. 19-21).

2.1.3 Compliance Management System

In order to stabilize Compliance management, which is subject to continuous internal and external changes, there is a need for systematization. In the case of Compliance management, there is in principle no difference to other management systems. A management system can be defined as a framework for the structures and processes of an organization, to ensure that it can perform all the necessary tasks to achieve its objectives properly. As a general rule, while discussing about management systems, it can be differentiated between organizational structure (structure) and process organization (processes). In this context, the organizational structure deals with the question how the defined objective can be divided into individual tasks. On the other hand, it must also be able to answer the question, how these individual tasks can be re-structured and combined again, hence how they can be organized. The process organization, on the other hand, must deal with the question of the efficient and effective networking of the processes. In addition, integration into the strategic management of the organization is necessary, since the economic, organizational and social objectives are defined there, which is also the responsibility of the organizational structure and process organization of Compliance management. The following figure shows the process of a strategically oriented structure and process organization of Compliance management. As a result, the Compliance Management System (CMS) (Wieland, 2010, pp. 21-22) results.

Abbildung in dieser Leseprobe nicht enthalten

Picture 1: Strategic organization of Compliance Management Systems

(Source: Own picture, based on Wieland, 2010, p. 22)

A synonym for the term Compliance Management System is often also the term Compliance program. Regardless of the chosen term, the task of a Compliance Management System or Compliance program is to anchor ethical and legally correct behavior in companies or other organizations (Jäger, 2009, p. 83).

2.2 Definitions of change management

2.2.1 Strategic management

Strategic management as an economic discipline has evolved from corporate planning between the 1970s and the early 1980s, after losing confidence in business planning due to the oil crisis and the lack of previously accepted results through company diversification. The increased international competition and the turbulent times have made it difficult for companies to plan investments, product launches and human resources three to five years in advance. The result was a shift from corporate planning to strategy and thus from pure company growth management, to the positioning of companies in their respective markets in relation to competition, with a view to maximize the profit potential. In the 1990s there was then a further shift from the purely external view of the sources of results, to a way of looking at internal resources as the main source of a competitive advantage and thus as a basis for the formulation of a strategy. The main focus was that companies, in contrast to the earlier, when often the same strategies in the market were pursued by different companies, they first identify the extent to which they differ from their competitors and subsequently align their strategy accordingly. This was followed by the developments of the 21st century, when at the beginning of the new millennium, with the bursting of the so-called dotcom bubble, the realization emerged that the developments of the "new economy" did not necessitate a revision of the strategy principles. In the further course of time, over the recession in the years 2008/09 until today, a new way of thinking about the business purpose of a company has developed. Meanwhile, companies are developing their strategies based on new trends such as “Corporate Social Responsibility (CSR)”, “Ethics”, “Sustainability” and “Social Compatibility” (Grant, 2011, pp. 15-16).

One strategy is the different design of activities in order to offer a unique value and to stand out as a company from its competitors (Porter, 1999, p. 51). Strategy is the long-term consideration of how a competitive advantage comes about. A competitive advantage is the ability of a company to achieve higher profits in the long term than the competition (in the longer term means at least more than three periods).

The Strategic Management Process (SMP) is also based on these considerations:

A) Mission statement: long-term strategic direction (vision),
B) Objective: To formulate measurable results, how to implement the mission statement,
C) Strategic analysis: Internal analysis: comparative analysis of the competitiveness of a company (strengths and weaknesses compared to the competition), External analysis: identify the opportunities and dangers of an industry, analyze economic, political, technological and other framework conditions,
D) Strategic decision: results from external and internal analysis, decision-making on how resources are organized and positioned,
E) Strategy Implementation: Organizational Problem; Operational implementation, responsibility, expertise, control systems, decision-making,
F) Competitive advantage: see above.

illustration not visible in this excerpt

Picture 2: Strategic Management Process

(Source: Slideshare, 2016, Internet)

"Strategic management is the process by which managers formulate and implement strategies to achieve peak performance and achieve a continuous competitive advantage" (Duhaime, et al., 2012, p. 1). Strategic management is, in principle, a management task of particular importance for the success of a company. It aims to shape the company's market position and resources so that a company can build and maintain competitive advantages (Hungenberg, 2012, p. 19).

2.2.2 Change management

Change management is a part of strategic management, which has developed dynamically since the 1990s as an independent discipline, especially through research and publications from the North American region. It is about the systematic shaping of changes that are deliberately, purposefully and profoundly affecting the levels of goals, working methods, strategies, structures and / or processes within an organization. Change management refers not only to companies, but also to changes as a generic function for various reasons (e.g. for business reasons, for political reasons or because of a change of leadership), and in different forms (e.g. local, global) in any organization. However, the definition of change management does not include random, accidental, irrelevant or trivial changes. Change management is the method for organizing organizational change projects in a targeted manner, to plan, to shape and to accompany them during the implementation, taking into account the regularity, hence to manage the changes (Schmidt, 2014, p. 14).

2.2.3 Organizational development

Closely linked, but not to be mixed up with the term change management, is the (German) concept of organizational development. As a scientific discipline, organizational development in Europe experienced its first boom in the 1960s, but especially the period between 1970 and 1980, was bringing another boom in organizational development. After the economic upswing of the post-war period, economic growth stagnated. Globalization continued to advance, new markets were to be developed, to produce more cost-effectively and to design new products. New ideas had to be developed in order to adapt the companies to the changed framework conditions. Since the organizational development and the change management are very close to each other, or partly even interrelated, Lewin’s concept of "Unfreeze – Change - Refreeze" also applies to organizational development. Organizational development also refers not only to the pure organization of a company (macro level) but also includes the individuals (micro level) and groups (meso level). Ultimately it is about the change of structures, processes, persons and relations of an organization. "Organizational development as a holistic, management-based process for the organization and modification of organizational units and organizations encompasses all measures of the direct and indirect goal-oriented influencing of structures, processes, persons and relationships that systematically plans, realizes and evaluates an organization" (Becker, 2012, pp. 1-2).

2.2.4 Organization design

The term "Organization design" refers to the various possibilities of organizing organizations and / or the organization of various organizational forms. This, in turn, particularly in the context of the concepts of organizational development and change management already explained, shows that there is also a close connection here. The company's design of the organization is based on its strategy as it is the decision about what the company perceives as a relevant environmental issue and how it wants to position it. This finding then forms the framework for the organizational design. This is followed by the formal organizational structure and the organizational chart of the organization. The number of hierarchical levels, the structuring of the sub-units, the functions and departments are described. However, as it is still a question of status and power, many companies still give too much weight to the structure during design work. This is why, in many cases, too much time is still devoted to organizational design and structural quarrels rather than dealing with the question of the communication culture and its formats. In times of a rapidly changing environment, the formal organizational structure is becoming less and less important, while horizontal and vertical reconciliation processes, appropriate incentive systems, efficient business processes, agile IT solutions and the abilities of the employees play an increasingly important role in the competitiveness of an organization. Different markets with different strategies require a tailor-made organizational architecture with variable solutions (Nagel, 2014, p. 27).

Worley and Lawler are of the opinion that, given the ever-changing business environment, companies today have to be organized differently than before. They even go so far, as to put old (fixed) organizational concepts completely in question. In the past, organizations were rigidly organized to give them stability and effectiveness. Instead, organizations should be set up in such a way that they can be changed at any time or be able to react immediately to changes, as this can be a decisive competitive advantage over other companies (Worley and Lawler, 2006, pp. 33-62). However, according to the fact that most people tend to look for security and stability rather than for constant change (it is here reminiscent of the pyramid of needs according to Maslow, where safety requirements already represent the second level of human needs, see appendix 2) in this respect, the question arises as to how far such organizations will be able to find the "right" employees for the company at all. There may also be differences between sectors, and one can imagine that, for example, internet or other young start-up companies are differently structured and employ other employees than companies in an "old" industry ("old economy") with long business cycles, such as companies who build large plants such as entire power plants, etc. Another aspect, in my view, is the size of organizations, as it becomes harder to organize an organization so flexible that changes are possible at any time in the shortest possible time. Basically, any organization can be modified anyway, it is ultimately only a question of time and effort.

3 Theoretical basics and legal aspects for Compliance

This chapter describes the theoretical presentation of the Compliance issue, together with the presentation of the various organizational possibilities of Compliance within the company.

3.1 Compliance – theoretical basics

The opinions of the specialists differ about the origin of the word Compliance as a concept. While the origin is seen on the one hand from the medical world (Behringer (ed.), 2011, p. 38) and the term is actually used in the medical field under the German term "Therapietreue" (which means Compliance with a medication or adherence to medication), the other side argues the thesis that the term "Compliance" comes originally from banking law. Compliance in banking law, for example, means "all measures which are designed to ensure that managers and managers’ behavior is consistent with the law in the classic risk areas of credit institutions" (Jäger, 2009, p. 25). Although it is not yet clear when the term Compliance has been used for the first time and where it originated (probably both sides are to a certain extent right), it is at least clear that the term Compliance in the business world is now used in different areas and thus in various definitions. For example, there is the term "GMP Compliance" (GMP = Good Manufacturing Practice), which is assigned to the area of ​​quality management and is used there. There is also the term "Regulatory Compliance" which refers to the requirements for the products of a company by international standards (such as ISO standards) and regulations during the licensing and production of medicinal and health products in the pharma & healthcare sector (Reusch, in Behringer (ed.), 2011, p. 215). In the IT world, the term "IT Compliance" is used, which describes the adherence to the legal, company-internal and contractual regulations in the area of ​​the IT landscape (Rath, in Behringer, et al., (eds.), 2011, p. 297). In addition to a large number of further Compliance terms (such as “Export Compliance”, “Tax Compliance”, “Insolvency Compliance”, etc.), there is the very important concept of "Corporate Compliance", which is at issue here and which has its origin in the legal / ethical / business area. The concept took a firm entrance into the legal / business world through the US Federal Sentencing Guidelines, which by a revision in 1991, promised a mitigating penalty if a company implemented a Compliance organization or a Compliance Management System (Behringer (ed.), 2011, p. 38).

“Compliance includes all measures to comply with legal and other rules, which are externally prescribed to the company, and the elaboration of rules that the company has set itself, as well as the measures introduced” (Behringer (ed.), 2011, p. 52).

On the other hand, the term "corporate" in many companies refers to a clearly outlined and defined scope, which is usually represented by a "corporate" approach with an implemented Compliance organization with a firmly defined task area, or by an established Compliance Management System with a firmly defined scope. This extent is individually defined in the company and can contain various topics. In many companies, Compliance mainly covers the issues of anti-corruption and antitrust, but other issues such as data protection and others may also be included. A Compliance Management System must be integrated into the business processes. This is the biggest challenge for the company management as the Compliance Management System is not to be perceived as an additional bureaucracy by the employees as they would otherwise ignore or reject the Compliance requirements and thereby reduce the effectiveness of the Compliance Management System (Moosmayer, 2012, p. 2).

3.2 Legal aspects for Compliance

3.2.1 Germany

In principle, all companies, as legal entities, as well as all natural persons, are obliged to comply with the laws of a country. For a company, a variety of laws can be relevant. Compliance with the laws of a variety of legal areas may therefore be necessary for the operation of a company. Examples include contract law, employment law, competition law, antitrust law, intellectual property law, and others (Jäger, 2009, p. 35). In Germany, there is no single legal basis which obliges a company to implement a Compliance Management System. However, the need for Compliance or the observance of the relevant legal framework results, especially for corporations, but also for partnerships, from the individual regulations of various applicable laws. Thus, directors or members of the management board of corporations are obliged to apply the diligence of a duly and conscientious manager (§ 93 para. 1 AktG or § 43 para. 1 GmbHG) (Behringer, 2011, p. 41). Compliance also has its legal basis based on the provisions of the German Code of Obligations concerning the liability of the supervisory authorities in the company (§§ 130, 9 OWiG) and the liability of the company itself in the event of attributable misconduct by its supervisors in sections 30, 130 and 9 OWiG . In addition, there are further provisions from the German Stock Corporation Act, such as section 91 (2) AktG, which stipulates the obligation to set up a monitoring system for the early detection of dangerous developments for the company's existence. However, the legislator does not regulate the scope and content of the supervisory duty. Rather, it is the task of the company management to determine this in the course of a risk analysis and then to implement the necessary Compliance measures. However, there are already indications in the jurisprudence of what is seen as a quasi-minimum standard in the course of this. These are:

- To take appropriate actions to prevent misbehavior (organizational obligation),
- The introduction of regular controls to show the company that the company's supervisory responsibilities are taken seriously (control obligation),
- And the prosecution of substantiated indications of misconduct (obligation to investigate).

Furthermore, management's commitment to careful business management ultimately results from various other special facts. In this case, for example, the offense law, corporate law, capital market law, administrative law and criminal law can be named, from which individual liability can be attributed to a corresponding liability of the management in the case of infringements. For example, an indirect perpetrator ship could be assumed by the management from the criminal law by virtue of the organizational rule (Jäger, 2009, pp. 36-37).

There are also other legal requirements for specific areas of activity that require the creation of specific Compliance Management Systems. In the financial services sector, for example, in addition to section 33 (1) sentence 1 no. 1 WpHG (organizational obligations) which requires the permanent and effective establishment of a Compliance function, §§ 31 et seq. WpHG (general rules of conduct) the “Bundesanstalt für Finanzdienstleistungsaufsicht” (BaFin) as the responsible supervisory authority has published additional Compliance minimum requirements.

In addition to the legal regulations, there are also other places where the issue of Compliance has now been introduced. In 2007, Compliance was also discussed at several points in the German Corporate Governance Code (Jäger, 2009, p. 30). "The Deutscher Corporate Governance Kodex (German Corporate Governance Code) presents essential statutory regulations for the management and supervision of German listed companies and contains, in the form of recommendations and suggestions, internationally and nationally acknowledged standards for good and responsible corporate governance." (GCGC Homepage, 2017, Internet). The Code is therefore not a law but a self-commitment of the economy to good corporate governance.

However, the legal dimension of Compliance for many German companies and organizations can no longer be limited to national requirements. Many of them are represented internationally with subsidiaries and branches, or export their products and services to other countries, and are therefore also legally subject to foreign jurisdictions (Moosmayer, 2012, pp. 3-6). In this context, the respective laws of the respective country must be observed in a business with or in these countries. Regarding necessary Compliance measures, however, the USA and the United Kingdom must be mentioned, as these two countries have each issued specific laws in this regard. These are specifically the Foreign Corrupt Practices Act (FCPA), the Federal Sentencing Guidelines (Sentencing Commission, 2014, Internet) and the UK Bribery Act (UK Bribery Act, 2014, Internet). As early as 1977, the International Chamber of Commerce (ICC) in Paris issued the first rules for the fight against blackmail and bribery, which were then revised in 1999, 2005 and most recently in 2011, and now expanded by means of further documents and manuals, e.g. ICC Ethics & Compliance Training Manual (ICC, 2014, Internet). These rules have no legal character, but they are intended to help companies that want to take action against corruption.

In 1997, the Organization for Economic Cooperation and Development (OECD) also adopted a convention with its member countries, in which the bribery of foreign officials is criminalized in international business transactions (OECD Convention, 2014, Internet). In 1999, also corporate governance principles were introduced, which were revised once more in 2004 due to various corporate scandals. The principles contain recommendations on high quality standards for accounting and auditing, on the independence of the Supervisory Board members and on the duty of the Supervisory Board to act in the best interest of the company and its shareholders. In addition, protection is required for whistleblowers. These recommendations have no legal character, but should also help to combat corruption (OECD Principles, 2014, Internet).

3.2.2 USA

The US Foreign Corrupt Practices Act (FCPA) has been a criminal offense to the bribery of foreign ministers and related inaccurate accounting practices since its introduction, which took place in 1977, and is thus one of the most important foundations for necessary Compliance measures within the US and for foreign companies which do business in the US or are listed at the American stock exchange. In the United States, there is also the possibility to convict companies whose authorized employees, within the scope of their employment relationships, commit a criminal offense on purpose in order to give the company an advantage. The US Federal Sentencing Guidelines, introduced in 1991 and substantially revised in 2004, also regulate the amount of penalties imposed on natural persons and companies. In the case of penalties against companies, the amount depends significantly on whether the company has implemented an effective Compliance Management System or not. In particular, it is mentioned here that a Compliance Management System is to be oriented to the entire corporate culture and should not consist solely of individual measures. The US Federal Sentencing Guidelines defines in detail what is meant by an effective Compliance Management System. The requirements required by the US Federal Sentencing Guidelines are as follows:

- The introduction of Compliance measures to prevent and detect unlawful acts,
- Overseeing the management of the company through the introduction and effectiveness of a Compliance Management System and ensuring the implementation of the guidelines by all managers,
- The transfer of the responsibility for the Compliance Management System to specific employees who have sufficient resources and powers to fulfill their tasks. The Compliance Officer must be a senior manager,
- Processes that ensure that no law violations or unethical practices can be carried out by employees of which the company knows or could have known,
- Adequate communication measures, in particular training,
- The continuous monitoring of the Compliance measures by periodically checking the effectiveness of the Compliance Management System and adapting to weak points and the implementation of risk assessments,
- (Whistleblower Hotline), a system of (also anonymous) reporting of violations without retaliation,
- The consistent implementation of the program, including disciplinary measures for employees in the event of infringements.

(Moosmayer, 2012, pp. 7-8).

3.2.3 United Kingdom

In 2010 the so-called UK Bribery Act was adopted as a new law in Great Britain and put into force in July 2011. Compared to other anti-corruption laws, however, the UK Bribery Act is not restricted to companies and organizations established in the United Kingdom, but also includes all natural and legal persons engaged in business in Great Britain. This means that pure export transactions are also subject to the UK Bribery Act. In addition, the UK Bribery Act has a worldwide validity, so a perpetrator can be held accountable even if he commits bribery outside Great Britain and has a close connection with Great Britain. In any case, the company is strictly liable for violations by its employees or third parties. Similar to the US Federal Sentencing Guidelines, where an established effective Compliance Management System can influence the amount of penalties, in the UK Bribery Act, the only possible avoidance of corporate liability is the existence of an "adequate" Compliance Management System. In an executive decision, the UK Department of Justice has established six principles for an adequate Compliance Management System. These are:

- The introduction and implementation of clearly formulated processes based on the company risks,
- A commitment of the company management to the fight against corruption and the creation of a corresponding corporate culture,
- An ongoing review of the corruption risk in the company,
- The company-wide implementation of anti-corruption measures and efforts to introduce at significant minority interests,
- Comprehensive internal and external communication, including training,
- The ongoing monitoring and audit of the measures by the executives and report to the relevant supervisory bodies of the company.

(Moosmayer 2012, pp. 10-11, UK Bribery Act, 2014, Internet)

3.3 Organizational forms of Compliance

In order to give each organization an optimal Compliance structure, the different characteristics have to be integrated into the existing hierarchies, processes and systems in accordance with the needs of the organization. Because a Compliance organization can be modularized, a solution that is individually adapted to the requirements of the organization is possible (Jäger, et al., 2009, p. 34). In order to anchor Compliance adequately into an organization, appropriate resources are required, which initially implement the necessary topics within the framework of the Compliance Management System and then deal with the regular implementation and further development. The size and manner of the integration of the Compliance organization into the overall organization depends on various factors. Factors such as the size of the organization, the nature of the business, the industry, the customer structure, the company culture, the employee structure, an international business development and other factors play a role in the future establishment of the Compliance organization. As already described, the management is generally responsible for setting up a Compliance organization. The management (chairman, chief executive officer, managing director, managing director) can, of course, delegate this task to another department or another person in the company, since it may be reasonable that the department and / or person responsible for the compliance organization in the future, has already designed, organized and accompanied its structure. For example, in many companies, the Compliance department is part of the legal department and often reports to the General Counsel or Corporate Legal Counsel (who as an attorney-at-law is a lawyer registered with the Attorneys' Chamber, who works for a non-attorney employer, e.g. a company) (see "Siemens Compliance organization," section 5.1).

[...]