Compliance violations are a reality, although breaches of the rules are rigorously publicized and cause considerable damage to companies. Benchmarks such as the Compliance on Board Index (CoBI) show a considerable need for improvement in DAX 30 companies and even more so in the MDAX. Against the backdrop of increased criminal prosecution and record penalties, management and supervisory boards are called upon to anchor effective compliance awareness in the company, but relevant standards are of little help here. Before we show how compliance "built-in" is made possible through agile management, this article takes a closer look at the challenges and pitfalls.
Compliance "built-in" is so far anything but the norm
The question of the extent to which good compliance is actually anchored in companies was scientifically examined for the first time in the Compliance on Board Index (CoBI) for DAX 30 companies. MDAX companies perform even worse in terms of actual compliance practice (see figure). While the formal structures (e.g. an ombudsperson to whom violations can be reported) can still be rated as satisfactory, there is a considerable backlog in terms of actual "clean" business practices. And this in turn is a question of corporate culture - or more precisely, compliance culture.
Compliance cannot be prescribed
This phenomenon is not new. We are familiar with it from quality management, for example: there are relevant standards against which companies can also be certified, such as ISO 9001. Such certification looks at the processes, but not at the actual output of value creation, i.e. products or services. It is therefore by no means a guarantee of actual quality.
Compliance Management System (CMS) - necessary, but not sufficient
We now have a similar situation in the area of compliance: you cannot enforce rule-compliant behavior through regulations. On the contrary, those affected will always find ways and paths to circumvent the rules as long as they are not convinced of their own accord that acting in accordance with the rules corresponds to their understanding of values. But where do we stand today? Many companies have set up compliance management structures - at least to some extent - in accordance with relevant standards such as the ISO 19600 and / or can be audited in accordance with the PS 980 of the Institute of Public Auditors in Germany (IDW) to certify a compliance management system (CMS). Although these approaches - similar to the quality analogy - may be fundamentally expedient, it is by no means proven that a CMS effectively leads to the avoidance of compliance violations. For example, CoBI shows no direct correlation between ISO 19600 or IDW PS 980-certified companies and compliance actually practised.
Looking at the cases of suspected compliance breaches that have been made public in the first quarter of 2018, it is shocking to see how many well-known companies have been affected.
Of course, it is up to the institutions to clarify the actual facts, but experience shows that "where there is smoke, there is usually fire...".
The opposite of compliance "built-in" and its results
Every manager should be aware of the importance of the topic of compliance for at least two reasons and it should be essential for the operational business:
- Management and supervisory bodies are personally liable for the establishment of a suitable risk management and compliance system. Proof of an effective compliance system has a direct mitigating effect, as the BGH ruling of 09.05.2017 - 1 StR 265/16 shows: It creates an incentive model - as already practiced in France and Spain and now also in Germany - for implementing an effective compliance system, which can have a mitigating effect in the event of compliance incidents. This means that transparency in terms of compliance structure and actual implementation, such as with the Compliance on Board Index (CoBI), can have a mitigating effect in the event of a case.
- The penalties imposed on the companies can take on devastating dimensions: In the financial sector alone, the penalties imposed since the financial crisis amounted to 321 billion US dollars - so far! This figure illustrates the impact that non-compliance can cause. In addition, there are also indirect damages due to loss of reputation, externally as well as internally, which are usually of similar, if not greater, scope.
So how can a good culture that promotes compliance be established in the company when compliance budgets are sometimes stagnating or declining?
Compliance is not "business prevention" or "nice to have"
It starts with management to set a good example here - the "tone from the top". All too often, however, the scope of the issue is underestimated at the highest level, because other strategic or operational issues mean that people are not really interested in compliance or are even weary of the topic due to the flood of regulations that came about not least as a result of the financial crisis ten years ago. If you follow the statements of compliance officers closely, you can currently see a decline in resources in the compliance departments of many companies.
Tone from the Top
When eloquent business leaders such as Jamie Dimon (CEO JPMorgan Chase) say "regulation and the cost of compliance are becoming a threat to the American dream" at Bloomberg, it is not surprising that compliance cannot become established in the company as a matter of course.
The anchoring of compliance in the corporate culture is strongly influenced by managers having a solid understanding of values that guides their own actions and serves as a role model, from vision and guiding principles to strategic and ultimately operational corporate management. This is precisely where many a management approach that focuses on personal advantage is lacking.
Compliance violations take many forms - but the motives are clear
One example of this is the issue of insider trading, which can be considered insensitive to say the least. One of the most prominent cases from 2017 is the then CEO of Deutsche Börse (he ultimately had to leave the company as a result of this incident). A similar problem arises at Metro, in particular with its Supervisory Board Chairman or the Intel CEO: Opportunistic share (sales) purchases by top managers in close temporal connection to material, non-public company information. Above all, this points to the core of the problem, the subtle but noticeable difference between legality and legitimacy. This balancing act can also be found in other forms and at different management levels: it manifests itself in deliberately looking the other way and not wanting to know when it comes to bribery, corruption, money laundering and the like. In these media-saturated and sometimes fact-ridden times, the legal minimum - compliance - is far from sufficient to prevent (reputational) damage to companies. The unfortunate "peanuts" of a former CEO of Germany's largest bank 23 years ago as well as the unspeakable three seconds of the "Victory" sign of one of his successors over ten years ago are burned into society's long-term memory.
The following therefore applies:
- a competence of sensitivity to legitimacy - also "crowding in" - where the individual value structure allows room for opportunistic decisions. In this regard, reference should be made to the well-known, large-scale studies by psychologist Dan Ariely ("The honest truth about dishonesty"), who uses the "fudge factor" to illustrate very clearly the influence that the environment has on less than honest behavior.
- for those who, due to their intrinsic motivation, already have very high expectations of themselves in terms of correctness, a corresponding "crowding out" effect is to be avoided. In other words, they can only act correctly on their own initiative in return for special incentives so as not to put themselves in a worse position than others.
Making a virtue out of necessity!
So we have arrived at a key question: How can an organization and its individuals actually succeed in achieving a higher compliance rating? Or to put it another way: making a virtue (out of conviction) out of necessity (compliant behavior).
One approach can be found in companies where compliance is automatically anchored as a by-product, so to speak: Agile management (TCI offers an overview of the range of agile approaches, for example in cooperation with the ICC in seminars, and helps companies in their agile transformation, especially according to the market-leading method SAFe).
On closer inspection, these two topics - compliance on the one hand and agility on the other - which are not obviously connected, reveal an almost compelling common logic. In the second part, you can read how implementation can look in concrete terms in order to be crowned with success: Compliance "built-in" through agile management.
Please feel free to contact the author of this article at any time for further information: Prof. Dr. Stefan Vieweg
- Transformation Consulting International - Managing Partner
- Director of the Institute for Compliance and Corporate Governance (ICC)
- Systemic change manager, coach and trainer (according to TÜV-certified SYMA methodology)
- SAFe trainings of the ICC: SAFe July 05 and 06, 2018 and August 27 and 28, 2018