New requirements under the Swiss Code of Obligations
Following the 29 November 2020 rejection of the popular initiative "For responsible companies - to protect people and the environment" ("Corporate Responsibility Initiative" or "Konzernverantwortungsinitiative"), the Swiss parliament adopted the indirect counter-proposal. After expiry of the referendum period, the new provisions are expected to enter into force on 1 January 2022. The counter-proposal provides for a general reporting obligation as well as topic-specific due diligence and transparency obligations in connection with conflict minerals and child labour (see paragraph (ii) below for a definition of each). The new reporting obligation is likely to apply to companies for the first time in the 2023 financial year.
The legal provisions in the Swiss Code of Obligations for better protection of people and the environment, which parliament adopted as a counter-proposal to the Corporate Responsibility Initiative, provide for two innovations: (i) reporting obligations on non-financial matters (Art. 964bis et seqq. CO); and (ii) due diligence and reporting obligations in the areas of conflict minerals and child labour (Art. 964quinquies et seqq. CO).
The violation of these obligations is punishable by fines of up to CHF 100,000. Unlike the original popular initiative, the new provisions do not contain any further liability rules. Any further liability claims might be governed by general existing legal provisions.
(i) Reporting requirements on non-financial matters
In order to increase transparency, companies are now legally obliged to report on the risks of their business activities in the areas of the environment (especially regarding CO2 emissions standards), social issues, labour issues, human rights and anti-corruption. They must also report the measures they are taking against these risks. If a reporting company does not comply with these requirements on non-financial matters, the report must contain a transparent and reasoned explanation (i.e. the company must "comply or explain"). In these cases, the legislator assumes that investors and consumers will judge a company's credibility for themselves and turn away from untrustworthy firms.
In order to be subject to this reporting obligation, a company must be a "public interest entity". This includes, in particular, public companies, banks and insurance companies as well as other supervised companies of the financial sector which, together with any domestic or foreign companies controlled by them, have an annual average of at least 500 full-time employees and, in addition, either a balance sheet total of at least CHF 20 million or a turnover of at least CHF 40 million, in each case in two consecutive years.
(ii) Due diligence and reporting obligations in the areas of conflict minerals and child labour
All companies with risks in their supply chains in the sensitive areas of child labour and conflict minerals must now comply with special and far-reaching due diligence obligations, regardless of their size. Conflict minerals include minerals or metals that contain tin, tantalum, tungsten or gold and originate from conflict or high-risk areas. In addition to "failed states", such areas include in particular regions in which armed conflicts prevail or in which a fragile situation exists after such a conflict. In this context, the Swiss legislator is also following EU recommendations. In the case of child labour, a reasonable suspicion that the products or services being offered have been produced using child labour is sufficient for such duties of care to arise.
The new due diligence regulations in Swiss law are largely based on existing EU regulations. The implementing provisions are set out in the Ordinance on Due Diligence and Transparency for Minerals and Metals from Conflict Areas and Child Labour. The Federal Council has already prepared an initial draft of this Ordinance, which was put out for consultation in July 2021. The due diligence obligation includes, among other things, the obligation to introduce a relevant management system and a risk management plan. In the area of minerals and metals, compliance with the due diligence obligation will also be audited by an external expert.
The Ordinance also provides exemptions from the due diligence and reporting obligations. Regarding conflict minerals, the Ordinance sets the annual import and processing quantities for minerals and metals up to which a company is exempt from the obligations. In the area of child labour, the Ordinance provides exemptions for small and medium-sized enterprises (SMEs) and for companies with low risks in this area. The starting point for the risk assessment is the country of production according to the indication of origin (i.e. the "made in" designation). The UNICEF Children's Rights in the Workplace Index can be consulted for this assessment. In addition, companies that already comply with internationally recognised equivalent regulations are exempt from the obligations.
GRC approach as an industry standard?
Dynamic changes in the regulatory and economic environment present global companies with the unique challenge of developing and implementing a holistic approach to corporate governance out of a multitude of mandatory and non-mandatory regulations, creating external and internal policies for stakeholders, and taking into account company-specific opportunities and risks. In response to this situation, the GRC approach has become for many companies a coordinated, integrated and holistic compliance and risk management model. The acronym "GRC" stands for Governance, Risk and Compliance, the three most important areas of action for responsible and integrity-based corporate governance, which are by their nature already closely linked. The goal of the GRC approach is to link these three areas intelligently. The aim is to create transparency and security with regard to internal and external risks in order to prevent negative economic, legal and even criminal consequences for the company and its reputation.
Even if a company already possesses well-developed control and management systems, the existing synergies are often not connected in a meaningful way. With the introduction of a GRC system into the company's business processes, the internal functions of risk management, internal control, compliance and internal audit can use these synergies efficiently. In this way, redundancies in the processes can be avoided, which usually saves costs and staff capacity. At the same time, the uniform approach means that responsibilities can be clearly assigned within the company and that different assessments of identical facts and risks by different departments can be avoided. This goes hand in hand with the creation of trust among internal and external addressees. A GRC system that is well adapted to the individual requirements of a company improves risk identification and control. This enables the management of a company to make strategic decisions and take operational measures on the basis of clearer information. Risks are recognised earlier and managed more efficiently.
An industry standard for the interaction of subsystems within the governance structure, well known in the financial industry, is the internationally recognised model of the "three lines of defence". It is based on the principle that the responsibility for a risk lies primarily with the person accountable for it. The model was recently revised by the Institute of Internal Auditors (IIA) and places proactive risk management at the centre of a company's general governance. The first line represents operational management, which is supported and monitored by a second line (i.e. the compliance and legal departments). The third line is the internal audit department. The IIA's updated version better reflects the fact that in risk-based decision-making, seizing opportunities for the company can be as important as protecting company values.
No standard model fits every company. The design of a GRC system must be adapted to the specific risk profile of a company, which is determined by numerous internal and external factors. As a first step, it is necessary to assess the existing structures, business model and current and future activities of the company, as well as the economic and legal environment in which the company operates. As a second step, this risk assessment leads to the design of a GRC system that is adapted to the company's specific risks and structure.