
The Q&A on the DICO risk catalog is intended to provide useful explanations, background information and tips on applying the DICO standard for compliance risk analysis and the DICO risk catalog in practice, drawing on the practical experience of DICO members.
The compliance risk analysis (CRA) is the basis of an effective compliance management system (CMS). The systematic recording and evaluation of the compliance risks relevant to an organization or a company enables the targeted and therefore resource-efficient definition of risk-reducing measures and internal controls (= compliance program). In other words: without an effective compliance risk analysis, no statement can be made on the appropriateness and effectiveness of a corporate CMS.
The aim of the CRA is to identify, select and realistically assess compliance risks as comprehensively as possible in order to ultimately take adequate and targeted risk-reducing measures. It is therefore the basis for both the “whether” and the “how” of compliance measures.
– In February 2020, the DICO Compliance Risk Analysis Working Group published a standard on compliance risk analysis (S09 – Compliance Risk Analysis (CRA)) aimed at practitioners, in which key requirements, basic elements and examples for a CRA were compiled and structured. The aim is to make it easier for company employees to get to grips with the topic and to provide concrete assistance for practical implementation. Special legal cases and exceptions are not covered. The DICO Standard also does not replace any legal advice that may be required in individual cases.
– The standard is supplemented by the DICO risk catalog, which represents a comprehensive risk universe of possible compliance topics. This compilation of possible legal areas can be the starting point for a company’s relevance analysis. This involves identifying and then prioritizing the relevant topics for the respective company.
The first step for a CRA should be a comprehensive inventory and, if necessary, an initial prioritization of the compliance issues relevant to the respective company. The individual circumstances of the company, such as industry, size and location, should be taken into account, as should economic factors. In practice, this inventory is often referred to as a “relevance analysis” or “horizontal risk analysis”. The DICO risk catalog can serve as a starting point for the relevance analysis in order to gain an overview of possible risk areas in the company. This is followed by (vertical) operationalization, i.e. the derivation of specific risk scenarios, their location in business processes and the assessment of compliance risks.
The spectrum of possible legal provisions that can give rise to compliance violations is generally very broad, but not all legal issues are usually equally relevant for all companies. In order to design an effective and efficient CMS, the potential compliance topics that could affect the company (e.g. legal areas such as data protection law, anti-corruption, tax law, etc.) must be identified (inventory) and then evaluated as part of the vertical risk analysis (prioritization).
The relevance analysis (or horizontal risk analysis) should first identify the compliance topic areas in which the company’s business activities are most likely to lead to compliance violations. This consolidates the risk universe based on the company’s business activities and ideally prioritizes the compliance topic areas for the further alignment of compliance activities. In this way, companies ensure that they set up their CMS in line with the company’s individual risk profile.
The relevance analysis thus creates a regulatory framework on the basis of which the clear assignment of risk ownership, i.e. the allocation of roles and tasks, can be defined in order to establish compliance governance.
The DICO risk catalog serves to support companies in the preparation and implementation of their initial or ongoing relevance analysis. It provides an overview of possible relevant compliance topics that is as comprehensive as possible but also sufficiently specific.
The risk catalog can be used by all companies to determine the main compliance risk areas, both for an initial assessment and, if necessary, for planning a more detailed compliance risk assessment. This can be particularly helpful for medium-sized companies. The subject areas/risk areas considered to be material should then be sufficiently substantiated in relation to the business model and business processes using risk scenarios.
The risk catalog cannot be considered complete, as there may of course be additional compliance risks in companies, e.g. in specific industries, which must be considered in a risk analysis.
The risk catalog consists of a risk map, which shows groupings and individual compliance topics (honeycombs), as well as an overall presentation. In the overall presentation, the respective compliance topic areas are briefly explained and compliance risk areas are illustrated using examples. The exemplary characteristics serve to illustrate the areas or topics in which compliance risks can materialize. The legal consequences of violations and the main laws are also described.
A distinction is made between the following terms:
– Compliance topic area: In the broadest sense, this refers to legal areas from which legal requirements relevant to a company and the risks of violating these requirements can be derived.
– Compliance risk: This refers to specific risks resulting from non-observance of compliance requirements within a subject area.
The following objectives were of particular importance when compiling and grouping the compliance topics:
– A uniform catalog: The risk catalog should be applicable to a large number of companies regardless of industry and business model. For this reason, industry-specific aspects (e.g. specific regulation for financial services companies or the pharmaceutical industry) have not been included. Nevertheless, due to the corporate context and business model, not all compliance topics will be equally applicable to all companies. Due to the deliberate universality of the risk catalog, it must be adapted, shortened and/or supplemented with additional topics in individual cases. The risk catalog therefore makes no claim to completeness.
– Division into categories and compliance topic areas: For clarity and comprehensibility, the compliance topic areas were grouped into categories, which in practice are relevant for certain areas of the company or represent independent departments within companies. In this way, it should be possible to tailor workshops, interviews and questionnaires for a detailed risk analysis in such a way that employees from each area are asked primarily about the risks relevant to them.
– Definition of governance structures based on the compliance topic areas: Some of the compliance topic areas and exemplary characteristics may be different in different divisions or business processes. The respective risk allocation to areas and processes can also vary depending on the business model in the company. In workshops involving representatives of the affected areas or business processes, “silo assessments” can be avoided and the interaction of risk-increasing or risk-reducing factors from all areas can be taken into account. Accordingly, the risk catalog can also support companies in the analysis and design of governance structures, as many of the compliance topics listed do not typically fall within the remit of the compliance function in practice. Instead, the management and monitoring of compliance risks is assumed by other functional areas as “risk owners” (e.g. environmental or labor law compliance risks). The question of where a risk can occur must be considered separately from this: For example, the compliance department is usually the risk owner for the topic area of “corruption”, whereas the occurrence of corresponding risks is possible in many areas of the company, particularly in sales.
The selection of material laws mentioned includes German, European and international regulations that may actually have direct applicability to companies with business operations in Germany. It does not include foreign regulations that relate exclusively to business operations abroad. The list is only a selection of the key laws and is by no means exhaustive.
Only the “Self-imposed, external standards” honeycomb does not contain any directly applicable laws, but rather sets of rules that companies impose on themselves and thus effectively take on the character of a law for the companies in question.
Keeping the catalog up to date: The risk catalog is updated on an ongoing basis to cover the most important compliance risk areas, which are subject to change. When Risk Catalog 2.0 was created in 2022, the groupings were adjusted to reflect the further development of common terminology. For example, “white-collar crime” became “criminal compliance” and “protection of information” became “IP / IT compliance”. During the revisions in 2022 and 2023/2024, topics were added where they have become established as relevant compliance topics in companies, and topics that play a subordinate role were deleted. Compliance topics have also been combined. A new addition to the risk catalog is the Sustainability Compliance category with the new honeycombs “Sustainability reporting obligation”, “Greenwashing” and “Human rights” and the shifted honeycombs “Environmental law” and “Self-imposed, external standards”. In the IP / IT compliance category, there is a new honeycomb “Digital law (incl. AI)”.