Gearing up for VerSanG – 4 Steps Towards Compliance



Germany’s proposed corporate sanctions act—VerSanG—represents a major step forward in the country’s efforts to combat white-collar crime. The law, which seeks to strengthen business integrity, will provide a legal basis for authorities to penalize corporate misconduct, while also strengthening incentives around compliance.

Unlike the Administrative Offenses Act, or Gesetz über Ordnungswidrigkeiten (OWiG), which currently governs corporate misconduct, VerSanG will not give enforcement authorities the freedom to decide for themselves whether allegations of corporate crime should be investigated. Instead, authorities will be obliged to initiate legal proceedings.

What’s more, fines for corporate crime will now extend beyond the previous limit of €10 million. Under VerSanG, corporations with an average annual turnover of more than €100 million can face penalties of up to 10% of their global annual turnover for offenses.

However, these fines could be significantly lowered if the company in question has strong compliance measures in place and is upfront about reporting offenses and cooperating with enforcement authorities.

While there is still some uncertainty around when the proposed law will be enforced, companies would do well to start preparing now. Building a culture of integrity and compliance will only strengthen trust with customers and stakeholders.

So here are four steps to get started:

1. Understand your compliance risks

Take a close look at the key compliance risks in your organization and industry. They could range from tax evasion and fraud to price-fixing, corruption, and money laundering. By proactively assessing, monitoring, and mitigating these risks, you can better protect your business.

Make sure your risk assessments are data-driven and based on a robust risk methodology. If you’re labeling a risk as high impact or high probability, back it up with quantitative and qualitative data that provides an accurate reflection of your compliance risk landscape.

Understand how your risks influence each other. A compliance risk like fraud could also be a cyber risk, a financial risk, and a reputational risk. Together, these interconnections could amplify risk impact.

As part of your risk assessments, evaluate the cost of potential sanctions and the cost of internal investigations. Having a well-rounded picture of risk can help you make better decisions.

Finally, strengthen risk assessments with techniques like Monte Carlo simulations, which account for multiple possible risk outcomes and probabilities of occurrence. The deeper you understand the risks of corporate crime, the more effectively you can minimize their impact.

2. Boost compliance efforts

Having a strong compliance program can make all the difference to your credibility in the eyes of enforcement authorities. A good guide to building out such a program is ISO 37301. The new standard, which replaces ISO 19600, contains clear specifications on developing, implementing, assessing, maintaining, and improving compliance management systems.

As you expand your compliance program, keep the board updated at every step. Give your compliance function the authority and autonomy it needs to oversee compliance management effectively. And ensure that the scope of the compliance program is comprehensive, i.e., that it goes beyond financial or legal compliance to address all areas of concern.

Implement a whistleblowing hotline where employees can securely report incidents of misconduct without fear of retribution. The earlier these incidents are caught, the faster their impact can be contained.

Create and update policies to educate employees on what constitutes corporate misconduct. Get the senior leadership involved in communicating and implementing these policies. Employees should understand that their actions will have consequences, and that disciplinary measures will be invoked if they expose the organization to compliance risks.

Once you’ve got your compliance controls in place, monitor and audit them at periodic intervals to ensure they’re working as expected. Regular checks are critical to keeping corporate crime in check.

3. Be prepared for incidents of misconduct

As valuable as compliance programs are, they don’t always provide perfect protection against criminal acts. Things can go wrong, and offenses can sometimes be committed. So, it’s important to be prepared. Have protocols in place to proactively launch internal investigations, alert authorities, and compensate for the damage. This could potentially minimize legal repercussions.

Ensure that your internal investigation processes are streamlined and well-defined ahead of time. Trying to improvise on the spot is not a good idea.

Know who your independent third-party investigator will be. Choose someone you can trust who will be available when you need them to clarify the offense.

Be transparent with enforcement authorities. Keep them updated about the progress of the investigation, and be open to cooperating fully with them.

Most importantly, document everything—from risk assessment findings and compliance controls to audit results, third-party due diligence, investigations, and evidence of wrongdoing. Comprehensive documentation can make all the difference to the outcome of regulatory action.

4. Explore how technology can help

Managing compliance with VerSanG through an ad hoc or manual approach is neither effective nor efficient. You need streamlined and automated processes, as well as complete data visibility to be able to prevent and respond quickly to incidents of misconduct.

MetricStream can help. Our compliance management solution simplifies and strengthens compliance with VerSanG, as well as multiple other regulations, through an integrated approach.

With MetricStream, you can:

  • Improve compliance efficiency by prioritizing risks, rationalizing controls, and automating control testing.
  • Make better decisions with a unified, real-time view of the organization’s compliance status.
  • Reduce the cycle time involved in creating policies, aligning them to regulations, and tracking attestations.
  • Stay ahead of regulatory changes with real-time alerts and streamlined change management processes.
  • Improve engagement with regulators across regulatory examinations, meetings, and requests for information.
  • Proactively respond to incidents of misconduct through consistent processes for incident recording, triaging, routing, investigating, tracking, and closure.

For more insights on VerSanG and its implications, watch Decoding VerSanG, The New German Law to Strengthen Integrity in Business.


Patricia McParland AVP – Marketing

Pat McParland is AVP of Product Marketing at MetricStream. She is responsible for creating product messaging, product go-to-market plans, and analyzing market trends for MetricStream's cyber compliance and third party risk product lines. Pat has more than 25 years of financial data and technology marketing experience at Fortune 1000 brands as well as startups and has led product and marketing teams at Dow Jones and Dun & Bradstreet. She has a BA from the College of William and Mary and lives in Summit, New Jersey.

