Whether IT, data protection, plant safety or CSR: the regulatory landscape for companies is becoming increasingly complex. How compliance and CSR are interrelated, and why an IT infrastructure offers a double safety net.
by Marie-Lucie Linde
Whether standards, laws or regulations, companies are subject to ever more rules. Following the precautionary principle, legal requirements in areas such as data protection, quality, environment and occupational safety (ISO standards) as well as plant safety are meant to give companies a clear framework and thereby legal certainty. At the same time, the complexity of these rules creates considerable uncertainty and additional cost for operational compliance management.
Sustainability issues, the most prominent example being the CSR reporting obligation, are also becoming central compliance issues and are therefore gaining relevance in corporate practice in both management areas. The central question is: how can operational compliance management, in all its facets, be designed more efficiently and managed professionally?
From crisis to more control
For about 20 years, the economy has been characterised by crises, above all the financial crisis of 2008, incidents such as Fukushima and cases of corporate corruption. Policymakers have responded with increased regulation, including disclosure under a corporate governance code and reporting on ESG criteria for the financial industry. Compliance, meaning adherence to laws and regulations, has thus established itself as a central management task in corporate practice. Compliance with so-called “soft law” in the form of voluntary commitments (e.g. membership of the UN Global Compact) now plays almost as important a role as compliance with “hard law” in the form of legal requirements.
At the same time, the megatrend of digitalisation plays into the hands of compliance management: digitised processes within the company make it possible to handle compliance-relevant queries in a more decentralised and efficient way and to simplify data collection and documentation. In addition, digital solutions allow companies to integrate the relevant content (e.g. legal sources) directly into the compliance process.
Compliance management basics
Compliance management refers to a company's adherence to laws, rules and standards1. Companies operate in the area of tension between “hard law” and “soft law”. The former is existential for operations and therefore driven by the principle of risk avoidance: non-compliance can result in heavy fines, production stoppages or even closure of the plant. The latter rests on voluntary commitments such as certifications or audits and is often driven by opportunity: by meeting these obligations, companies gain a competitive advantage in the market. Meanwhile, even such initially voluntary standards have become quasi “hard law”, since non-compliance can lead to considerable losses in turnover if customers delist suppliers or exclude a company from invitations to tender.
As compliance becomes more relevant in management practice, many companies are setting up their own departments staffed with experts. These may be smaller or larger depending on the complexity of the company and its core business. In practice, the topic is often located in the legal or risk department, since legal expertise is required for compliance with the law and the principle of risk avoidance is paramount.
In the context of compliance management, experts often talk about the so-called “compliance lifecycle” that companies go through:
- reform = capture, decide and define/change processes
- comply = adhere to legal requirements and processes
- report = make relevant data transparent
Compliance management is therefore about establishing a reliable, recurring process with data collection and checkpoints that can be reported on transparently.
Compliance expert Ulrich Heun offers companies 11 pieces of advice2:
- Define according to requirements
- Manage without superfluous elements
- Pay attention to practicability
- Ensure understanding
- Exemplary compliance from top management
- Practical controls
- Implement compliance rules and regulations
- Set up whistle-blower systems and an ombudsman
- Integration into the operative business
- Avoid the toothless tiger
- Stay agile
CSR and compliance: what unites and separates them
The institutionalisation and associated professionalisation of CSR management are bringing the two disciplines, CSR and compliance, ever closer together. CSR has itself become subject to increasing regulation, which has moved the topic out of the “nice-to-have” corner and into the “licence-to-operate” corner. Above all, the CSR reporting obligation is an example of “hard law” relevant to sustainability. Implementing ISO standards on environment, quality and sustainability, or committing to the principles of the UN Global Compact or the Sustainable Development Goals (SDGs), demonstrates companies' willingness to commit voluntarily to CSR. With systematic CSR management, companies pursue either the maxim “keep us out of trouble” or “make our business better”, but ideally both at once. “Many people are now aware that waiting for statutory regulation or self-limiting decisions by the associations of key industries will lead, unchecked, straight into a concrete wall3,” communication and sustainability expert Dr. Klaus Stallbaum is convinced.
Experts from both fields emphasise that CSR and compliance can be brought together as complements under the umbrella of corporate governance. While compliance is a reference system dealing with rule adherence and integrity within the company and is anchored in the legal department, CSR is primarily an ethical stance that is operationalised in the company and often anchored as a unit in the communications department or as a staff function.
Reinhold Kopp, former minister and partner at Heussen Rechtsanwaltsgesellschaft, recommended to participants of the German CSR Forum 2014 that…
- the convergence must be filled with concrete content
- a personal value orientation is required in the company
- the resources available in the companies must be adapted to the requirements in the areas of CSR and compliance
- the two interact as integrated management systems and must be understood as an integral part of the entire value chain
- regional and global responsibility must also be borne beyond the company's own borders
- a culture that tolerates mistakes should be permitted and practised.
Industrial compliance: whoever produces is regulated
Over the years, compliance has become increasingly extensive and relevant in industrial and manufacturing companies with a large plant infrastructure. This is referred to as “industrial compliance” and covers specific topics such as plant and occupational safety as well as environmental and health protection.
For example, manufacturing companies must comply with a number of different laws and standards in their plant operations to ensure that neither people nor the environment come to harm. Here, too, compliance and CSR management are closely linked. Risks must be anticipated, identified, assessed, eliminated and finally monitored continuously. Without the appropriate expertise and/or IT infrastructure, it is almost impossible for companies to maintain an up-to-date overview of the relevant legal sources and to establish a reliable process.
The IT infrastructure as a double safety net
For many manufacturing companies, an IT infrastructure is essential. It is not only a matter of guaranteeing reliable and transparent documentation of compliance and of the process with the help of a software system; it is also a matter of planning compliance measures with foresight and anticipating the need for action in good time. Software therefore makes the compliance process, including data acquisition, more manageable and minimises operational risk.
WeSustain is a German software provider for industrial compliance: with its “Enterprise Compliance Management Solution” (ECM for short), WeSustain supports companies, especially manufacturers, in professionalising their compliance management. Beyond the classic compliance aspects, the ECM solution also integrates ecological and social aspects. The four essential added values of the ECM solution are:
- Legal relevance: automatically updated legal registers ensure that the company always knows whether it is affected by legal changes.
- Legal certainty: Through transparent documentation and data collection along the process as well as automated notifications for responsible employees, companies can proactively control their compliance and reliably manage inspection deadlines.
- Process efficiency: As a central platform, the ECM solution maps the work steps and responsibilities and thus makes the compliance process more efficient.
- Content integration: The ECM solution integrates all the relevant information and legal sources at the corresponding work steps along the entire process.
Software solutions enable companies to build a double safety net in the truest sense: legal certainty through software-supported process reliability.
An outlook: compliance management of the future
Compliance management will certainly become even more complex in the future. It is therefore important that companies increasingly rely on digital solutions to design processes efficiently. Advances in the Internet of Things and artificial intelligence will certainly contribute to the professionalisation and automation of compliance management. WeSustain, for example, has been researching since February 2018 in the project “EHS-BAI” (Environment, Health & Safety based on artificial intelligence), together with Osnabrück University of Applied Sciences, whether artificial intelligence can reduce the manual effort and processing time involved in assessing EHS regulations for plant operation.
Under the heading of RegTech (a blend of “regulatory” and “technology”), companies are also developing new technologies, closely tied to the FinTech debate, for example to support efficient compliance management from an IT perspective within banking IT infrastructure. One of the central questions is: how will digitalisation (e.g. cloud-based services, blockchain or artificial intelligence) affect the legal and regulatory framework in the future?
Either way, compliance management will become an integral part of corporate practice, as CSR management already has, and a central component of the “licence to operate”.
2 Cf. https://www.it-daily.net/it-sicherheit/governance-risk-compliance/12281-11-praktische-tipps-fuer-das-compliance-management, accessed 28.05.2019.
3 Cf. https://www.umweltdialog.de/de/management/Compliance/2018/Warum-Compliance-f-r-CSR-so-wichtig-ist-.php, accessed 29.05.2019.