Compliance Management System
In order to set up a successful Compliance Management System (CMS), it is first necessary to identify the potential risk areas within the company. This involves analysing in which business areas, processes and practices there is an increased risk of criminal misconduct. Possible risk indicators for potential criminal offences include conflicts of interest, sham contracts and invoices as well as a lack of control structures. Typical criminal liability risks in Commercial Criminal Law and Corporate Criminal Law arise, for example, due to the criminal offences of fraud, breach of trust, embezzlement as well as bribery and corruption – to name just a few.
Many companies do not have an in-house criminal lawyer and draw on specialized external experts for preventive advice and optimisation of Criminal Compliance. Following the risk analysis, clear guidelines and procedures should be developed to minimise these risks. This can include the introduction of employee training, regular audits and the introduction of an internal whistleblower system. This allows problem areas and potential legal violations to be quickly recognised and reported.
Just as important as the introduction is the ongoing monitoring and adjustment of the aforementioned compliance measures. The compliance management system should therefore not be seen as a one-time-task, but as an ongoing process.
The importance of training and education
An effective Compliance System is only as good as the employees who implement it. Training and external education are therefore of central importance. All employees – from management to entry-level-workers – should be trained in the principles of compliance and the specific criminal offence risks in their respective areas of responsibility. When drafting and implementing compliance guidelines (Code of Conduct) and employee training, it may be advisable to consult a lawyer specialising in criminal law. This can ensure that all relevant legal aspects are taken into account and that the company is optimally protected against legal risks.
In addition to imparting knowledge about criminal law boundaries, corporate culture also plays a central role in employee training. According to the principle of Tone from The Top, company management should clearly communicate the company’s values and emphasise that integrity and legally impeccable behaviour are expected, with no room for negotation. At the same time, there should be clear consequences for misbehaviour.
Internal whistleblower system
Whistleblower systems that allow employees to confidentially report possible misconduct are another key element of a robust Criminal Compliance System. By introducing a whistleblower system, the company not only demonstrates that it takes misconduct seriously, but also provides a protected channel through which information about possible violations of the law can be submitted. Since 2023, companies in Austria with 50 or more employees are obliged to set up an internal whistleblower system under the Whistleblower Protection Act (HSchG). An efficient internal reporting channel also reduces the risk of a whistleblower submitting a report to a so-called external entity – such as the Federal Bureau of Anti-Corruption (BAK) or the Central Public Prosecution Office for Combatting Economic Crimes and Corruption (WKStA).
For a whistleblower system to be effective, the company must ensure that any information received is taken seriously and thoroughly investigated. At the same time, employees must be able to trust that they will not be penalised as a result of a tip and that their information will be treated confidentially. If whistleblowers wish, they should also be given the opportunity to submit an anonymous report. Reports received should be examined with great care and, in particular, checked for their relevance under criminal law. If necessary, an internal investigation should be initiated.