Apps, SaaS, Microservices & Consulting

Can midsize organisations afford “compliance”?

Can midsize organisations afford “compliance”? is the title of a post (in German) on the web site of an employers’ association.

Our interest in this post goes beyond documenting practice in Germany. The material is useful for management because it refrains from quoting normative documents and from using jargon, thereby sparing the reader the detail and complexity that usually obscure the topic. Using existing elements (what departments already do and what regulation imposes) to scope compliance, and performing management reviews of the resulting documents, resonates well with PDCA and with our own practice of management systems. The process described may even anticipate the forthcoming ISO/DIS 19600 international standard on compliance management systems. Moreover, the absolute necessity of involving responsible individuals reinforces our belief that delegation of authority is needed wherever regulation does not require that a defined responsibility be carried by a particular role.

Besides answering the title question with a clear yes for organisations employing 50 to 500 people, the post works through the example of a manufacturer with 300 employees that produces in-house and exports 40% of its turnover.

Instead of analysing the legal texts that formalise the obligations to be met, the post lists the compliance missions relevant to the example midsize organisation:

  • Quality assurance
  • Product stewardship
  • Environmental provisions
  • Data protection
  • Export control
  • Provisions for purchasing
  • Supplier assessment
  • Work safety
  • Monetary transactions
  • Delegation of signatures*
  • Policy on presents
  • Prevention of corruption
  • Competition law abidance
  • Internal controls
  • Training
  • Hotline for whistleblowers / Ombudsman

… and other missions specific to the company or its industry.

After emphasising that the competencies needed to fulfil these responsibilities cannot be found in a single individual, the author notes that concentrating them in one person would be neither practical nor productive, besides creating a cost most midsize organisations cannot bear. Some missions belong by nature to particular parts of the organisation, such as quality assurance close to production and supplier assessment close to purchasing.

Responsible roles defined in German law

Some missions are carried out by mandated responsible individuals (Beauftragter), as stipulated in German law.

Depending on the organisation, such individuals must exist for waste (Abfall), for the facility or site (Betrieb) in order to exercise the employer’s responsibility, for dangerous goods that are shipped (Gefahrgut), for immissions (the transfer of pollutants from the atmosphere to a receptor), for safety (Sicherheit), for hazardous incidents (Störfall) and for data protection (Datenschutz).

Missions fulfilled neither by a department nor by a responsible individual mandated under German law are covered by addressing the following topics:

  • Formulate a compliance policy
  • Craft a code of conduct / code of ethics
  • Prepare training material, in particular on the code of conduct, on corruption prevention and on competition law
  • Compare a training platform on the intranet with classroom training
  • If appropriate, set up the training platform
  • Resource person to support sales personnel
  • Resource person to support customers in the “mutual recognition of codes of conduct”
  • Follow-up and/or coordination of the internal analysis of cases that raise suspicion
  • Other missions specific to the organisation.

This effort represents a quarter to half of a full-time equivalent. Because management’s trust is essential to succeeding in this function, the person must either report directly to management or enjoy its unlimited trust.

In all cases, a compliance roundtable must convene every three months to sustain the momentum of compliance work. Regular exchanges foster a shared understanding of current challenges and enable mutual support when one mission is overloaded. The minutes of this work provide input for the management review and give a complete picture of the risk factors in the organisation. They could also be the basis for compliance monitoring that provides intelligence on compliance activities and visualises the evolution of risk over time.

This incremental approach to deploying compliance enables every midsize organisation in Germany to cope with the essential challenges of compliance. The structure created, and its associated cost, will be driven by the effort needed to satisfy the organisation’s specific needs.

Compared with the internal cost generated by the consequences of a case of medium severity, the cost of a competent and available compliance business partner is so small that it can be neglected.


* Delegation of signatures is an obligation in German-speaking countries. The rules for incorporating organisations require a structure of officers (Mitglied des Kaders) that designates which persons may commit the organisation to payments, up to which amounts, and whether alone or jointly. Signatures, powers and amounts are recorded in the commercial register.

Continuity in compliance