Compliance is on everyone's lips these days, but top managers often find it difficult to understand the term and what it means. Yet compliance means nothing less than "legally compliant, ethically correct behavior" - a matter of course, right?


The meaning of compliance seems clear and simple, above all self-explanatory. The responsible people in an organization only need to adhere to all the relevant (legal) rules and act in an ethically correct manner, and compliance is established. So what's the problem?

The answer is that reality looks different. Many managers and employees do not know the rules they are supposed to follow. Others know them but deliberately ignore them. Still others may not appear to be breaking any rules at first glance, yet their conduct is ethically questionable and hard to justify by today's CSR standards.

Quite a few companies operate in a gray area that sometimes shifts into the light, sometimes into the dark. However, more and more managers are recognizing the need to shed light on this semi-darkness - not least because of the associated liability risks.

Good compliance management creates clarity

Companies therefore need a system that ensures that all (legal) rules are known and adhered to. An effective compliance management system (CMS) creates clarity and legal certainty. It also helps management to establish a corporate culture that it lives by itself and in which violations of any kind are not an option. This corporate culture, figuratively referred to in the United States as "tone at the top," is ultimately also the key to effectively and appropriately imbuing the entire company with the idea of compliance.

Effectively minimizing liability risks with compliance management

Formally ensuring adherence to the rules through an effectively implemented compliance management system makes an essential contribution to avoiding or minimizing liability, and that can be existential for an organization. It applies in particular to the individuals who actually act on the company's behalf: depending on the legal system, those individuals, the organization, or in the worst case both may be prosecuted, with substantial fines or even imprisonment as possible consequences.

Compliance management in case law

The many obligations of management to act lawfully, to ensure that the company does so, and the duty of care to monitor lawful operation are generally derived from corporate law, although the details vary with the specific legal environment. From these follows a duty of organization and selection with regard to employees. As a rule, therefore, the management of the company must take precautions to ensure the lawful conduct of the organization and its employees. If management fails to fulfill these obligations, or fulfills them inadequately, the managers or the organization may be held liable. The resulting liability risks can be enormous and may well run into triple-digit millions or even billions of euros.

"If the management fails to fulfill its duties or fulfills them inadequately, it can be held liable for this."

Compliance management - Just another management system?

Top management cannot adequately fulfill its duty of control without an appropriate management system. So there is no way around the introduction of a CMS, even from the point of view of case law. At least, this is true for companies that want to be on the safe side when it comes to liability issues resulting from rule violations.

Many companies fear that compliance management means introducing yet another management system. Behind this notion lies a widespread misunderstanding, because a company essentially has only one management system. As a rule, that existing management system is based on ISO 9001, and the requirements of other standards are then integrated into it.

This is also one of the great advantages of the common basic structure, the so-called High Level Structure (HLS, officially renamed the Harmonized Structure in 2021), which all modern ISO management system standards share, including ISO 9001, ISO 14001, ISO 45001, ISO 50001 and ISO 27001, as well as ISO 37301. The HLS makes an integrated management system significantly more efficient, because requirements from different sets of regulations can now be integrated consistently right down to the last corner of a company.

The compliance management system as a "brace"

A CMS according to ISO 37301 can also be integrated into the existing management system. It acts like a brace around all compliance topics addressed by other standards. For example, quality management mainly deals with risks arising from product liability, environmental management with risks arising from relevant environmental legislation, and so on.

"All the information and risk analyses from the individual areas are brought together in the CMS, giving the company a secure legal basis for its actions."

All legal issues and risks that have not yet been taken into account, or have been taken into account insufficiently, are recorded, evaluated and managed by the compliance management system. An overarching code of values, additional internal controls and adjustments to the risk assessment safeguard the company and the individuals responsible. In this respect, risk analysis plays a decisive role.

This involves identifying the points and functions at which legal violations with the most serious consequences for the company could occur. A control system must then be put in place to achieve the greatest possible degree of detection. Simply assuming "oh, that doesn't happen here" is of little help, and will meet with little understanding from law enforcement or in court.

Compliance - What are the advantages?

  • Valid analysis of compliance risks in your company
  • Systematic compliance with legal regulations
  • Effective reduction of liability risks
  • Improved corporate image


Clear structures ensure that compliance violations can be detected more quickly and that responsibilities are established. In the event of legal proceedings, compliance management can contribute to exculpation. At the very least, it is very likely to reduce liability, since all mitigating and aggravating factors are weighed when the penalty is determined.

But one thing must be clear: auditing standards such as ISO 37301 are not laws. They are expert consensus that courts can, and if necessary will, take into account as a benchmark, provided they relate to the violation in question. Conversely, the absence of any CMS can in itself be regarded as a breach of duty by management, which will most likely have an aggravating effect on the penalty. A well-positioned company must therefore address the issue of compliance if only because of management's own need for protection.

We must point out that we are naturally not familiar with every legal system and its various civil and criminal law provisions. In general, however, every legal system will hold the responsible parties to account. The compliance management system must therefore be tailored to the legal system that applies.

TIP: Read also our blog post Compliance Management in SMEs - Necessary or optional? by Viola Beecken.

Hubert Spahn

Hubert Spahn is a lawyer as well as a product expert for compliance at DQS. Mr. Spahn also contributes his many years of experience as lead auditor for quality management and various industry standards.