Programa de continuidad | Spanish
Past event
REPORT
The refresher programme taught by professor David Velázquez of ESADE’s Law Department about compliance management systems in companies outlined the main practical issues related to its implementation.
Velázquez reminded the audience that the 2010 reform of Spain’s criminal code, which included the criminal responsibility of legal entities for the first time, has made it more necessary than ever for Spanish companies of any size to have compliance programmes. Act 1/2015 dd March 30 incorporated sweeping modifications according to which the existence of prevention programs entailing a significant reduction in the risk of crimes are a reason for exempting a legal entity of responsibility. It also sets forth in greater detail the mandatory requirements of these programs and the post of the compliance officer.
As the professor explained: ''Seven years after this reform, this matter is crucial for companies, not only because of possible fines but also due to the corporate reputation involved. This year two new developments are being added: UNE 19601 certification and the first resolution of Spain’s National Court dd May 17, according to which companies can be exempted from criminal responsibility during investigations.''
The penal code sets forth mandatory minimum standards for risk prevention models but provides little detail so companies often have doubts about how to implement them. Velázquez pointed out that although compliance management IT is not mandatory, there are many very good ones on sale which can even handle complaints. The implementation of compliance tools makes it possible to pinpoint criminal risks and determine the prevention and control measures best suited to each company, with a personalised analysis depending on the size of the company.
According to the professor, the three cornerstones of a management system are: prevention (risk assessment, review, process implementation, training and communication), detection by means of controls such as channels for complaints, and response in the form of research and remedial and disciplinary actions.
''First of all, the board of directors must be committed and have an agreement with specific actions because commitment and culture of compliance must trickle down from above'', said Velázquez. In the next phase, the company must map the risks, starting with the greatest ones, and state the generic and specific measures to be applied.
Spanish companies deal with this function differently although the most common way is to have a team dedicated to compliance led by a compliance officer. This team usually reports directly to the board of directors or the committees it delegates to.
''The delegated committee must adapt to the reality of the company, although usually this is set forth by one officer from its legal department, one from human resources, one from communication and one from internal control. Because the norm is to report any violation of the code of conduct, I wonder how they can demonstrate that they can take care of issues if the persons chosen are senior officers in the company'', said David Velázquez. He added that this committee must be autonomous as regards its management resources and independent as regards its neutrality, so it should not include anyone from the management committee. It will not pass policies either because it is a supervisory body.
To wind up his talk, the professor pointed out the need to revise international standards and programmes about risk assessment because not all countries deal with it in the same way. It is, therefore, necessary to take into account US Sentencing Guidelines, World Bank Integrity Compliance Guidelines, UK Ministry of Justice Guidance on Adequate Procedure and standards ISO 19600 (2014) and 37001 (2016).
For further information:
esadealumni@esade.edu