(1) Starting Point
Despite the many CMS efforts in companies, legal violations, including serious ones, continue to occur. This is usually dismissed with the platitude that even the best CMS cannot prevent all legal violations, and that the law does not require perfect CMS, only reasonable ones. This platitude is convenient, but it falls short: sociologists, criminologists, and lawyers have been studying the actual impact of CMS for quite some time. According to empirical findings, the effectiveness of CMS cannot be proven. Nevertheless, the law requires “effective” CMS, thereby triggering organizational efforts, CMS standards, auditing work, and efforts to avoid liability, thus driving up costs. This article examines the question of how empirical findings affect the legal requirements that can be placed on CMS.
(a) Legal Requirements
As part of the duties of care, executives are often expected to implement Risk Management Systems (RMS), Internal Control Systems (ICS), and Internal Audit Systems (IAS). RMS and ICS also serve the purpose of legal compliance and thus form part of the CMS. Executives are subject to a legal compliance monitoring obligation. Section 91 (3) of the German Stock Corporation Act (AktG) explicitly obliges listed companies to establish an “adequate and effective internal control system and risk management system,” which also encompasses the CMS. According to Principles 4 and 5 of Section A I of the German Corporate Governance Code (DCGK), companies require “an adequate and effective internal control and risk management system. The adequacy and effectiveness of these systems presuppose internal monitoring.” Accordingly, “The Management Board must ensure compliance with statutory provisions and internal guidelines and promote their observance within the company (Compliance). The internal control system and risk management system also include a compliance management system tailored to the company’s risk situation.” A positive and “evidence-based” statement from the management is required here. Additionally, the audit committee or supervisory board must assess the effectiveness of the CMS, declare its effectiveness, and, if applicable, the external auditor is also required to assess and certify its “effectiveness.”
CMS are also affected by reporting obligations: Pursuant to sections 289 (1) and 264 (2) sentence 3 of the German Commercial Code (HGB), management must report on the company’s risks in the management report and related declarations. These include risks resulting from legal violations. DCGK Recommendation A.5 goes further by recommending that the Management Board provide a statement in the management report on key characteristics of the entire ICS and RMS (i.e., including CMS), as well as a statement on the adequacy and effectiveness of these systems.
Supervisory bodies also have due diligence and reporting obligations concerning CMS “effectiveness”: According to section 107 (3) sentence 2 AktG, the supervisory board (or an audit committee) must monitor the “effectiveness” of the ICS, RMS, and IAS. Section 171 (2) AktG requires the supervisory board to report in writing to the general meeting on the results of its audit, including if the audit has been delegated to external auditors or other third parties.
The statutory audit by external auditors also touches on CMS and their effectiveness (sections 317 (2), (1), (4) HGB). In many cases, the auditor receives an additional assignment from the supervisory board. According to section 171 (1) AktG, the auditor must also participate in supervisory board discussions regarding the audit of the annual financial statements and report “on the essential results of the audit.”
(b) “Effectiveness”: The Center of the CMS Gravity Field
The question of CMS effectiveness has multiple layers: Legal violations can lead to liability and unfold across several organizational levels, including obligations under CMS structures. In addition, there is the potential liability for inaccurate reports or statements regarding “effectiveness.” CMS that are certified as “effective” may exempt a company or its officers from liability. In the CMS solar system, everything revolves around “effectiveness.”
(2) What Is “Effectiveness” and Can It Be Determined?
The term “effectiveness” is not defined by lawmakers and originates from business administration. In organizational theory, a distinction is made between effectiveness (achieving a goal) and efficiency (achieving the goal with minimal input). “Effectiveness” in this context refers to the former.
According to the Working Group on External Corporate Accounting (AKEU) and the Working Group on External and Internal Corporate Monitoring (AKEIÜ) of the Schmalenbach Society, a system is deemed “effective” if (1) it is suitable for achieving a specified goal and (2) it does not exhibit “material” weaknesses.[1]
AKEU/AKEIÜ understand “effectiveness” under Section 107 (3) sentence 2 AktG as a minimum requirement, not as an optimal system. This leaves open (a) how high the degree of goal achievement must be and (b) how such achievement is to be measured.
There are many business and association standards aimed at measuring effectiveness. However, according to empirical research, CMS effectiveness cannot be reliably demonstrated or measured. At the same time, there is growing evidence that CMS often have no significant impact. Compliance manuals, codes of ethics, compliance departments, regular training, and compliance hotlines have all been shown to be largely ineffective.
Particularly, compliance codes—the most recommended and widely used CMS elements—have been extensively researched empirically. Findings vary: some studies indicate positive effects, while others suggest harm. This is likely due to the nature of legal violations, which often result from unpredictable coincidences of internal conditions and external opportunities.
(3) Standards Rely on Conceptual Analysis
The lack of measurability is reflected in the fact that current standards focus on conceptual models: risks must be (1) identified, (2) assessed, (3) classified, (4) documented, and (5) either accepted or addressed. These standards emphasize completeness and integration into company processes. However, they lack empirical validation. Ultimately, assessments are based on “intuition,” as even the widely used COSO standard openly admits.[2]
(4) Legal Consequences
These empirical insights are acknowledged and criticized in legal literature. Yet they also have concrete legal consequences: Norms that impose burdens require justification, including under constitutional law. They must be suitable and proportionate. If justification is lacking, the rules must be trimmed back.
Accordingly, current standards have no primacy over other forms of “intuition,” especially not over the executives’ own judgment—provided it is based on careful risk analysis, is reasonable ex ante, and respects the principles of proper delegation. Management thus has broad discretion.[3]
Within that discretion, management may also weigh normative considerations, such as the principle of trust, personal responsibility and dignity of employees, proportionality, company culture, probability of occurrence, financial risks, insurance coverage—and last but not least, the cost of further CMS expansion.[4]
Delegation and individual responsibility play a key role here:
- First, the vast majority of employees comply with rules.
- Second, the legal system generally holds individuals responsible for their own actions.
- Third, delegation is vital in a highly specialized and complex industrial society—and even more so in “agile” and participatory organizations.[5]
(5) CMS Overinvestment and Economic Effects
A normative definition of the duty of care must also take into account the cost-benefit ratio of CMS: Management is not allowed to waste corporate resources. This leads to the issue of CMS overinvestment.
In addition, there are macroeconomic concerns: CMS obligations that are uniformly applied and continuously tightened increase corporate risk awareness and aversion without correspondingly encouraging opportunity-seeking behavior. This shifts resources away from innovation and value creation toward risk mitigation—resulting in additional costs at both corporate and societal levels.
(6) Insurance Coverage
Where management justifiably chooses to implement “less CMS,” supplemental insurance may be appropriate. However, under this model, “less CMS” does not constitute a breach of organizational duty per se. Consequently, D&O insurance may offer only limited coverage, and protection must be sought from other types of insurance (e.g., fidelity, personal liability, financial loss insurance).[6]
(7) Risk of Misleading Interpretation Due to IDW Redefinition
According to paragraphs 25 and 60 of the new version of IDW Audit Standard 980 (as of 09/2022), a CMS is “effective” if it is followed “by the affected individuals in accordance with their responsibilities.” Under this logic, cough syrup would be considered “effective” if taken as prescribed—even if it does not relieve the cough.[7]
The standard addresses the question of suitability (goal achievement) only in the context of “adequacy” (see para. A50, 58). This redefinition distorts the concept of effectiveness. Readers of corporate reports on CMS “effectiveness” do not expect this kind of interpretation. This creates liability risks. Annual reports and board declarations should clarify what is meant by “effectiveness.” At minimum, they should contain a disclaimer: there is no absolute protection, and legal violations often result from an unpredictable combination of internal and external factors.[8]
(8) Duties of the Supervisory Board
The supervisory board is not required—nor permitted—to “optimize” CMS or replace management’s judgment with its own. It also cannot insist on standardized CMS.[9]
(9) Conclusion
From a legal standpoint, CMS do not have to comply with standard requirements. The law does not mandate a race toward certified “best practice.” If, as proposed here, time-consuming CMS standards under Section 43 GmbHG and Section 93 AktG are replaced by discretion, trust in employees, and plausible managerial intuition, this may prevent further bureaucratization at the legal application level.[10]
- Reuter, “Wirksamkeit” von Compliance Management Systemen, ZHR 2025, 433 et seq., 442 et seq.
- AKEU/AKEIÜ, DB 2009, 1279, 1280; COSO standard.
- Dreher/Hoffmann, ZGR 2016, 445, 456, 472.
- Reuter, ZHR 2025, 433 et seq., 449 et seq., 451 et seq.
- Grundei/Reuter, DB 2024, 2309, 2314.
- Reuter, ZHR 2025, 433 et seq., 466 et seq.
- IDW PS 980 n.F. (09/2022), para. 25, 60.
- Reuter, ibid., 465.
- Reuter, ibid., 467.
- Reuter, ibid., 464 et seq.