Skip to main content
Advanced search


The refresher programme taught by professor David Velázquez of ESADE’s Law Department about compliance management systems in companies outlined the main practical issues related to its implementation.

Velázquez reminded the audience that the 2010 reform of Spain’s criminal code, which included the criminal responsibility of legal entities for the first time, has made it more necessary than ever for Spanish companies of any size to have compliance programmes. Act 1/2015 dd March 30 incorporated sweeping modifications according to which the existence of prevention programs entailing a significant reduction in the risk of crimes are a reason for exempting a legal entity of responsibility. It also sets forth in greater detail the mandatory requirements of these programs and the post of the compliance officer.

As the professor explained: ''Seven years after this reform, this matter is crucial for companies, not only because of possible fines but also due to the corporate reputation involved. This year two new developments are being added: UNE 19601 certification and the first resolution of Spain’s National Court dd May 17, according to which companies can be exempted from criminal responsibility during investigations.''

The penal code sets forth mandatory minimum standards for risk prevention models but provides little detail so companies often have doubts about how to implement them. Velázquez pointed out that although compliance management IT is not mandatory, there are many very good ones on sale which can even handle complaints. The implementation of compliance tools makes it possible to pinpoint criminal risks and determine the prevention and control measures best suited to each company, with a personalised analysis depending on the size of the company.

According to the professor, the three cornerstones of a management system are: prevention (risk assessment, review, process implementation, training and communication), detection by means of controls such as channels for complaints, and response in the form of research and remedial and disciplinary actions.

''First of all, the board of directors must be committed and have an agreement with specific actions because commitment and culture of compliance must trickle down from above'', said Velázquez. In the next phase, the company must map the risks, starting with the greatest ones, and state the generic and specific measures to be applied.

Spanish companies deal with this function differently although the most common way is to have a team dedicated to compliance led by a compliance officer. This team usually reports directly to the board of directors or the committees it delegates to.

''The delegated committee must adapt to the reality of the company, although usually this is set forth by one officer from its legal department, one from human resources, one from communication and one from internal control. Because the norm is to report any violation of the code of conduct, I wonder how they can demonstrate that they can take care of issues if the persons chosen are senior officers in the company'', said David Velázquez. He added that this committee must be autonomous as regards its management resources and independent as regards its neutrality, so it should not include anyone from the management committee. It will not pass policies either because it is a supervisory body.

To wind up his talk, the professor pointed out the need to revise international standards and programmes about risk assessment because not all countries deal with it in the same way. It is, therefore, necessary to take into account US Sentencing Guidelines, World Bank Integrity Compliance Guidelines, UK Ministry of Justice Guidance on Adequate Procedure and standards ISO 19600 (2014) and 37001 (2016). Programme

ESADE Alumni is pleased to invite you to this talk in the law refresher series entitled ''How to implement a compliance management system in a company'' by David Velázquez, senior associate professor of law at ESADE.

Recent years have seen the publication of a variety of guidelines and standards (UNE 19601 Criminal Compl iance Management Systems, Practical Guide to Self-Diagnosis and Reporting on Regulatory Compliance, Good Corporate Governance and the prevention of international transparency corruption) designed to establish guidelines or set criteria for the design and implementation of compliance management systems, in comparison with the vagueness that characterised them previously. Meanwhile, the courts have started to absolve companies of criminal responsibility when they demonstrate an effective compliance system in the realm of judicial inquiries without having to go to court. All this highlights the need to have a clear and precise road map that enable companies to be aware of current national and international standards and apply them.

This conference will outline and discuss the main practical issues related to the implementation of such systems and the day-to-day problems related to their application (ethics committee, complaints channel, computer tools) and how the company must respond to such challenges, which might entail not only major sanctions but also affect its own company image.

Each member may bring a maximum of one guest. For further information:

Language: Spanish

Event resouces. For members only!