Compliance is generally defined as adherence to the requirements and laws that arise from various circumstances. The term became established in the business world a long time ago. Entrepreneurs and business people have always had to comply with specifications in order to be able to sell their goods. Initially, these specifications were shaped by the behavior of the general public and of the businessmen themselves. Compliance in today’s sense emerged above all with the establishment of trading companies, in which set rules had to be followed in order to avoid consequences that could extend as far as insolvency. Compliance serves on the one hand as protection against damage to a company’s reputation and on the other hand as protection against a loss of customer trust. A scandal, for example, can change how a company is perceived and reduce trust, with economic harm and damage as the consequence. This poses a risk to the company and its resilience.

A recent example is the COVID-19 pandemic. It requires not only companies but also the population to implement measures. Defined rules must be adhered to, such as the duration of a quarantine. Protecting staff is also particularly essential in those sectors of the economy with direct customer contact.

Compliance is a task for companies that consists of several areas. Financial compliance, security compliance and resilience compliance are just a few examples. A distinction must be made between external and internal compliance. In external compliance, the company and its compliance strategy are presented outwardly. Here, it is also important to identify the external requirements in order to adapt the strategy to them. But compliance also takes place internally.

Compliance can be divided into the following three components:

    • Legal requirements that must be observed through compliance.
    • Other requirements that the company defines as necessary and sensible in its own compliance strategy.
    • Requirements which the company does not consider necessary.

Compliance can and should be related to business continuity management and the IT management system. A good basis for this is provided by DIN ISO 19600, which defines the compliance management system independently of IT. Processes and a risk-based procedure are described for this purpose. This should consist of:

1. a company analysis that identifies the interests of stakeholders and the public. The goal is to build trust.
2. an analysis of where compliance obligations originate, identifying the requirements.

Laws can generally be seen as the basis for compliance. However, good companies should still define and comply with additional requirements of their own. This also has the advantage that if laws become stricter, the company’s management system does not necessarily have to be adapted, because the compliance requirements are already met. The company is thus one step ahead of the change.

The goal of compliance should not be to protect leading individuals from penalties, but rather to ensure the success of the company. To this end, it is important that all requirements are documented. The added value of this is that both the company and its requirements remain transparent. It also ensures that compliance is not merely a final check at the end of a project or product development, where non-compliance causes failure. Instead, a well-documented compliance system should focus on compliance right from the start of a development or project.

Compliance is just as important for smaller companies as it is for larger ones. Compliance must not be ignored in any case. Outside help is available for taxes, corporate law, employee compliance, intellectual property, insurance, privacy, marketing and advertising standards, and industry-specific requirements that must be met. Not only general rules but also sector-specific regulations exist in these areas and must be observed.

It’s hard to get started, but once the foundation for compliance is laid, you understand the system behind it and know the sources of the regulations. With a list of specifications and expected behaviors, the procedure for complying with them can be standardized within the company. The basis for this is risk management, which is also relevant to business continuity management, IT security and other areas and thus represents the interface to these areas. Once compliance risks are known, they can be recognized in other areas as well. They can thus be transferred to other systems, and the overall effort is reduced.

Good risk management in compliance includes:

1. a risk analysis: risks must be identified and recognized.
2. publication of the compliance strategy, in which the company’s requirements are described.
3. a risk treatment: how the risks from the risk analysis are to be dealt with.
4. a strategy for keeping the risks up to date: how the company stays current.

The focus of compliance is to strive for a uniform approach across different areas that identifies new risks and incorporates them into risk management. This is intended to protect the company from damage.

If you also want to protect your company from damage and need support in risk analysis, in setting up your compliance strategy or in selecting suitable measures to reduce risks, please contact us!

An article written by Anna Müller, published on 03 September 2020
Translated by Charlotte Ley