Prevention instead of reaction: Liability standards for management and executive boards

"We didn't know that" - Especially at management and board level, this statement is no longer a viable defense strategy. The demands placed on company management have become significantly more stringent in recent years - not only socially, but above all legally. Courts have made it clear that corporate responsibility does not just mean reaction, but prevention. Anyone who manages a company is obliged to take suitable organizational measures to ensure compliance with obligations and laws.

An effective compliance management system is no longer a voluntary management tool, but an expression of the organizational and monitoring obligations required by law.

Legality obligation: Personal organizational and supervisory duties of the management
The so-called duty of legality results in a clear obligation for the management: it must ensure that the company acts lawfully and actively take measures to prevent violations of the law by employees. In concrete terms, this means

• Establishing a demonstrably effective compliance management system
• Ongoing monitoring of its effectiveness and adjustment in the event of new or changed risks
• Responding consistently and appropriately to suspicions
• Delegation of tasks exclusively with clear responsibility and effective control
  
  

Inadequate compliance is a breach of duty
The Nuremberg Higher Regional Court puts it in a nutshell in its ruling of March 30, 2022 (12 U 1520/19)

"Adherence to the principle of legality and, accordingly, the establishment of a functioning compliance system is part of the overall responsibility [...]."

According to the court, the establishment of an inadequate compliance system and its inadequate monitoring are equivalent to a breach of duty. And this breach of duty has consequences - both under civil and criminal law: in the worst case, there is a risk of high fines (up to 1 million euros under Section 130 of the German Administrative Offenses Act), personal liability risks and considerable reputational damage for the company.

Effective compliance has an exonerating effect
BGH rulings confirm: An effective CMS mitigates penalties. Today, courts expressly recognize when a companyhas established and further developed an effective compliancemanagement system - even in the aftermath of proceedings. For example, the Federal Court of Justice in its ruling of May 9, 2017 (1 StR 265/16):

"For the assessment of the fine, [...] the extent to which the secondary party [...] has installed an efficient compliance management system, which must be designed to avoid violations of the law, is relevant."

Likewise in the judgment of April 27, 2022 (5 StR 278/21), where a self-initiated self-cleaning process through the introduction of comprehensive compliance measures was considered to mitigate the penalty. This is a clear message: proactive compliance protects.

Responsibility cannot be delegated
The central ruling of the Munich I Regional Court in the much-noticed Siemens case (Ref. 5HK O 1387/10) - makes it clear that it is not only the company as a whole that is responsible, but each individual member of management. No board member or managing director can claim that they did not get through to their management colleagues with their proposals. In this case, they must submit counter-proposals and, if necessary, involve the supervisory board or the shareholders. It is not enough to introduce a compliance structure once. The suitability and functionality of the system must be continuously monitored and adapted- especially in the event of changing risks, international business or new regulatory requirements.

Conclusion: Managing responsibility instead of delegating responsibility
The current legal situation and the relevant case law leave no room for interpretation: responsibility in company management does not end with the formulation of expectations or the introduction of individual measures. The decisive factor is whether responsibility is systematically translated into clear structures, processes and responsibilities and whether these are actually practiced and monitored on a day-to-day basis.

An effective compliance management system creates precisely this framework: It makes responsibility controllable, risks transparent and compliance with rules a shared task of the organization. Management and the Board of Directors therefore do not rely on controls in individual cases, but on a robust system that provides orientation, guides behavior and relieves the burden in an emergency.

Those who assume responsibility must organize it in such a way that it can be effective throughout the company - comprehensible, verifiable and sustainable.