Systemically important - CSR and Compliance Management Systems

Companies must comply with the law. So far so good. However, to ensure that the large number of individuals and processes in a company do not lead to any legal violations in the long term, a company must proceed in a structured manner. It must create an auditable system that is geared towards avoiding violations of laws and internal company requirements - in other words, a Compliance Management System.

If a new law is passed or an existing law is amended which affects the company, a Compliance Management System ensures

• to what extent the regulations give rise to implementation requirements for the company,
• where exactly and how precisely safety ropes are to be tightened within the company so that violations of this new law do not occur and
• to monitor these corresponding safety ropes on a regular basis.

In the area of Corporate Social Responsibility (CSR) in particular, there are more and more new laws, amendments to existing laws and legislative proposals. Much of what has been voluntary for companies is now being set down in statutory form and is therefore becoming mandatory. At the latest then, a company must ensure that it complies with the relevant statutory regulations. Otherwise, there is a risk of considerable liability and fines for the company and its management. Violations of CSR-related laws also entail an increased risk for the reputation of the company.

Of course, many laws, such as criminal law, employment law or competition law, already have an inherent sustainability or CSR core. In the future, however, companies will increasingly be exposed to CSR legislation in a narrower sense. This refers to laws that are linked to the fact that companies have a responsibility for the effects of their operational business activities on society. This development is driven by increased social and political expectations of a sustainable globalised economy. For example, the European Green Deal, under the heading of “Sustainable Finance”, brings with it legislative proposals that impact on a wide range of (economic) areas and which, for example, call for more sustainable corporate governance, supply chain due diligence, extended reporting obligations on non-financial aspects, etc. The aim is to put Europe on a new path towards sustainable and inclusive growth.

Set out below is an overview of new and planned CSR-related regulations:

How do compliance and CSR interact?

With every new legal regulation, a company must always ask itself: How do I ensure using suitable organisational measures that these regulations are not violated from within my company? The mechanisms to achieve this are similar, regardless of what kind of regulation it is. The more risk and process-oriented an existing company Compliance Management System is, the easier it is to adapt the system to legislative initiatives and in this way ensure compliance with new laws - such as those from the area of CSR.

In some cases, (modern) CSR laws - beyond mere requirements or prohibitions - already contain requirements as to which (structural/compliance) measures a company must implement. For example, the Conflict Minerals Regulation requires EU importers of tin, tantalum, tungsten or gold to comply with defined due diligence obligations in the supply chain from 1 January 2021, i.e. obligations with regard to the management system, risk management obligations, the obligation to conduct third-party audits and disclosure obligations. The draft paper on the Supply Chain Act also contains a structural catalogue of obligations, according to which companies are obliged to identify and analyse human rights-related risks, to take appropriate preventive and remedial measures and to review their effectiveness, to establish complaint mechanisms and to report transparently and publicly.

Structural obligations in CSR laws and a Compliance Management System therefore go hand in hand. The existing Compliance Management System supports the successful implementation of the new CSR law in the company. To achieve this, it should have the following core elements:

This process of risk analysis, delineation of responsibilities, documentation, training, reviews and assessments is therefore activated when new regulations are implemented in the company.  

An example:

• Who in the company is responsible for the process? → Responsibility for the monitoring of suppliers in the procurement / purchasing or supply management department as well as responsibility in the compliance department to check whether the desired monitoring of suppliers is carried out properly and makes sense.
• What should the “supplier monitoring” process look like? → Considerations on the content of the supplier check - considerations such as: What types of checks should take place (self-disclosure, self-audit, external audit, audit with certification)? What questions should be asked of suppliers? How often should checks take place? How should this process in turn be checked internally within the company and thus be designed to be audit-proof?
• How must “supplier monitoring” be documented to ensure that it is carried out successfully? → This requires anchoring the processes, e.g. in the procurement guidelines and/or the Supplier Code of Conduct.
• Do staff need to be trained regularly? How? → e. g. Are responsible persons in the procurement department sufficiently trained to recognise problems with suppliers - it must be ensured that staff keep their knowledge up to date.

Various departments have to work together to bring about the “implementation of supplier monitoring” in the company. The compliance department is an essential element. It has to ensure that the mechanisms conceived by Compliance, Legal, Purchasing and CSR/Sustainability actually make sense in practice and function in the long term. However, interfaces resulting from the cooperation of different departments must be strictly delineated from each other in order to avoid “organised irresponsibility”/the volleyball effect. Nevertheless, the areas of CSR and compliance in particular must work hand in hand when it comes to structuring the content of the processes.

We recommend that companies ensure that company-specific compliance risks are identified at an early stage through regular risk analyses and that these can be dealt with effectively. In this way, companies create the necessary preconditions to keep pace with the ever increasing and faster regulatory requirements, especially the already emerging developments in the area of CSR, and to ensure compliance with the resulting duties and requirements.