Compliance: Active risk management is mandatory for SMEs!

 The court has confirmed that active risk management is also the duty of managing directors at SMEs.

Managing directors at small and medium-sized companies also need to keep compliance in mind, as they face the risk of personal liability in the event of an inadequate compliance management system (CMS) or inadequate monitoring.

CMS mandatory?

German law does not stipulate a general obligation for companies to establish a compliance management system.

However, the requirements and legal regulation of companies have rapidly become increasingly complex in recent years. Monitoring compliance with legal requirements (such as the current Supply Chain Compliance Act) at the company seems to have become almost impossible without a sophisticated CMS, and possibly even with AI support. In view of this, companies of a certain size are essentially forced to implement and monitor a CMS.

At the same time, case law builds on the general due diligence obligations of a prudent businessperson, which stipulates that managing directors must establish a monitoring system at the company to record and monitor risks to the company as a going concern. This is nothing new, given that the corresponding German Federal Court of Justice ruling dates back to 1995 (BGH, decision dated February 20, 1995, Ref: II ZR/9/94).

Therefore, there’s a good reason why active risk management is the duty of the managing director: an efficient CMS reduces liability risks for companies and managers enormously. Moreover, such a system also helps to prevent damage to the company’s image and, consequently, further financial losses in the event of liability, or to mitigate the consequences of liability. In addition, quite a few D&O insurers now require clear rules and risk management instruments. This, too, reflects the normative force of the facts on the ground.

Nuremberg Higher Regional Court rules on compliance and personal liability of the managing director

In the case before the Nuremberg Higher Regional Court, a GmbH (limited liability company) sued its managing director for damages, asserting the managing director’s personal liability towards the GmbH pursuant to Section 43 GmbHG. The company had issued fuel cards with a credit limit to customers. An employee was aware that some customers had reached their credit limits and were unable to pay, yet did not withdraw the cards. The GmbH accused the managing director of failing to adequately supervise this employee and, among other things, failing to insist on compliance with the dual control principle.

The court ruled in favor of the company. The company did not have a functioning control and monitoring system in any way, shape or form that was capable of preventing damage of this nature, on either a small or a large scale.

Delegation is an option

However, it is clear that managing directors can – and must – delegate their duties when it comes to monitoring control systems.

Nevertheless, the right to delegate does not release managing directors from their responsibility and duty of overall supervision (see also the article from December 19).

Therefore, when managing directors delegate these tasks, they must nevertheless ensure that the tasks are still carried out properly and with due diligence. Consequently, managing directors who delegate duties need to carefully select, guide and monitor the people they delegate to, and be capable of intervening when necessary.

Compliance structures are important in due diligence audits

When considering these issues, it quickly becomes clear that the CMS needs to be thoroughly examined in the context of corporate transactions. Otherwise, the purchaser also risks acquiring the personal liability risks of the previous managing director, as these pass to the new managing director along with the company.

It is not uncommon for D&O insurers to refuse to pay out in precisely these constellations when the worst comes to the worst. As a consequence, the new managing director is forced to pay for damages arising from breaches of duty that they “only” negligently accepted.

Summary of the key facts:

  • Active risk management is part of the due diligence obligations of a prudent businessperson and, therefore, of a managing director.
  • Managing directors need to implement clear structures and processes for control measures (CMS) as part of their due diligence obligations.
  • If a managing director breaches their duty to actively manage risk, they may be personally liable pursuant to Section 43 Para. 1 of the Act on Limited Liability Companies (GmbHG).