Keep compliance management systems lean

Data protection, competition law, conflicts of interest, fraud or cybercrime are current topics not only for the banking sector. The manufacturing industry and the service sector are also affected. A compliance management system offers suitable measures to have these topics under control. What must such a system look like for SMEs?

In principle, the risks mentioned cannot be prevented or insured against. Identifying them and developing appropriate measures is not only required by law, but also makes sense for the company. In the event of conspicuous patterns or suspicious reports, an organization must be able to react quickly.

Liability of the Board of Directors
If the organization does nothing or fails to act in a timely manner, the board of directors risks personal liability. If a crime such as money laundering is committed from within the company and there is an investigation or even a conviction, shareholders and creditors may approach the board. Liability risks vary depending on the size of the organization.

No regulations outside the financial sector yet
In Switzerland, there are no specific compliance requirements outside the banking sector. Nevertheless, the law requires that "all reasonable organisational measures" be taken to prevent criminal acts in a company. It must be possible to provide evidence of the measures taken to the public prosecutor in the context of an investigation into violations, if necessary.

Compliance Management System also for SMEs?
At first, an SME does not feel that the topic of white-collar crime concerns it. Its people are familiar with the spectacular cases from the media and make no connection to their own 30-person company.

However, unlawful acts take many forms, so that on closer inspection they are also possible in one's own business. May I accept gifts from suppliers? Have I obtained sufficient comparative offers? Would my supervisor have been able to invite potential customers to the lounge at the sporting event? Corruption starts on a small scale with relationship management. According to an annually published study, however, asset misappropriation is one of the most common violations. (1) These include the theft of assets, fictitious expenditures or the betrayal of trade secrets.

Compliance management issues therefore arise in all companies. The introduction of a compliance management system (CMS) is particularly recommended for medium-sized companies that have a higher risk profile - i.e. if they operate internationally or do business with the public sector. The risk increases when operating in sectors with special regulatory requirements, such as the medical sector, the pharmaceutical industry or the food industry.

Lean through clear focus
Compliance management is therefore also an issue for smaller companies. However, the scope should be reasonable, i.e. proportionate. There are definitely lean ways to maintain a CMS.

The six steps of a CMS (see box) can be streamlined through a systematic approach and a clear focus. A Code of Conduct sets out the behaviour to be adopted in potentially sensitive situations. Employees and managers can follow this code of conduct if they are uncertain, for example when gifts are presented to them or invitations are extended. As a rule, the existence of a code of conduct is also queried by auditors as a minimum requirement.

Lever for a lean approach
The scope of the CMS can be influenced especially in step 3, communication and training. Instead of training the employees of all business areas in all compliance topics, it is worthwhile to precisely identify the affected target groups: Which topic affects which business area? Does it concern bribery by suppliers? Are the people in sales and management directly affected? The manager does not need to attend this training. With a clear focus on the right target group, resources can be saved.

Best control: the employees
ERP systems serve to control business processes. The multiple-eye principle and the built-in barriers are intended to prevent fraud. Nevertheless, according to a study by the Association of Certified Fraud Examiners, only one percent of cases of professional fraud and abuse are detected by ERP systems. Whistleblowing emerges from the study as the most practical and successful measure. (2)

If an employee observes something conspicuous, this person should be able to report it without incurring any disadvantages. An easy-to-implement solution is the ombudsman's office. Ideally, this should not be staffed by a member of management or the board of directors. It has proven to be useful to appoint an external person - for example from a law firm or the auditing department - for this purpose. For medium-sized and large companies, digital solutions that enable anonymous reporting are also practicable. In Switzerland, around 70 percent of large companies and just under eleven percent of small and medium-sized companies have a corresponding reporting office. (3)

If there is nevertheless a case
If a case occurs, it has to be resolved with a great deal of tact. Basically, this requires a cultural change in the company. Whistleblowing systems should not suggest that people are "snitching" on each other. Rather, people help each other so that the company remains unassailable.

If the incident does not turn out to be a misunderstanding and the public prosecutor's office intervenes, cooperation and transparency help. If the public prosecutor's office sees that the risk was recognised but could not be dealt with as a priority - for example due to a lack of resources - it cannot waive a fine, but it can waive stricter criteria.
