Compliance management systems & ISO 37301 – Consulting for companies and public authorities

Professional setup, further development, and testing of effective compliance management systems.

Why professional compliance management is essential today

Companies and public authorities are facing ever-increasing regulatory requirements. Wrong decisions or inadequate structures can quickly lead to significant liability, fines, and reputational risks.

An effective compliance management system (CMS) in accordance with ISO 37301 provides the basis for legally compliant actions, transparent processes, and a resilient organizational culture.

As a law firm specializing in compliance consulting, we support organizations in establishing, developing, and documenting modern compliance structures in a manner that is structured, effective, and practical, and that will stand up to audit scrutiny.

Establishment and further development of compliance structures in accordance with ISO 37301

The international standard ISO 37301 specifies the requirements for modern, effective compliance management systems and provides guidance for their use. It helps organizations to manage compliance risks systematically, define responsibilities clearly, and ensure the effectiveness of internal controls.

Our services

  • Development of a complete CMS in accordance with ISO 37301
  • Further development of existing compliance systems
  • Consulting on integration into existing management systems (e.g., ISO 9001, ISO 27001)
  • Creation of guidelines, processes, and control mechanisms
  • Support with audit preparation and certification
  • Development of governance structures
  • Training courses for managers and employees

We develop comprehensive compliance structures for companies and public authorities or, depending on the assignment, provide services limited to specific areas. Examples include setting up an internal compliance programme for export control (ICP) and integrating export control requirements, or safeguarding against other special risks arising from business activities.

Our focus is on practical effectiveness rather than mere documentation—compliance must work in everyday life, not just during audits.

ISO 37301 readiness analyses

In addition, we offer ISO 37301 readiness analyses to determine the current maturity level of a compliance management system and derive specific recommendations for action.

The analysis includes, among other things:

  • Evaluation of CMS structures according to ISO 37301 criteria
  • Gap analysis of existing processes, guidelines, and roles
  • Evaluation of risk analysis methods and governance
  • Development of a customized action plan
  • Prioritization based on effectiveness and effort

The result: a clearly structured picture of the current system maturity—and a precise, prioritized development roadmap.

Enterprise risk assessments: A holistic view of corporate risks

An effective CMS requires a deep understanding of business risks. We conduct comprehensive enterprise risk assessments that systematically identify and evaluate strategic, operational, and regulatory risks.

Our services:

  • Interviews and workshops at management and departmental level
  • Identification of strategic, operational, and external risks
  • Development of a consolidated risk portfolio
  • Evaluation based on valid evaluation and weighting models
  • Derivation of a catalog of measures
  • Establishment of continuous risk monitoring

The goal is a resilient, transparent, and controllable risk landscape.

Compliance risk analyses: Precise identification of legal risks

We conduct systematic compliance risk analyses that help organizations clearly identify relevant legal and regulatory risks and address them in a prioritized manner. Compliance risk analysis is a basic requirement for an effective compliance management system in accordance with the relevant standards ISO 37301 and IDW PS 980. Depending on the requirements profile, we prepare comprehensive compliance risk analyses or take action on a risk-specific basis (e.g., compliance risk analysis in the area of corruption prevention).

In particular, we analyze:

  • regulatory requirements
  • operational compliance risks
  • accountability structures
  • control, documentation, and communication processes
  • the internal policy landscape
  • existing governance mechanisms

The result: a prioritized risk profile with clear recommendations for action to achieve a sustainable compliance structure.

Reduction of liability risks for management bodies

An effective compliance management system not only protects the company, but also reduces the liability and insurance risks of management and other executives.

It helps managers to demonstrably fulfill their legal obligations, avoid organizational negligence, and significantly reduce liability and reputational risks. At the same time, it strengthens internal control mechanisms and creates a robust basis for documentation.

A professionally structured CMS also meets the requirements of the German Corporate Governance Code and, for publicly owned enterprises, the public corporate governance codes of the federal states, such as the PCGK North Rhine-Westphalia. This ensures that compliance structures meet current expectations for responsible corporate governance not only from a legal perspective but also from a governance perspective. It also allows compliance and risk prevention measures to be reported to supervisory bodies, such as the supervisory board, in accordance with their duties, and their proper implementation to be verified.

Transparent and audit-proof compliance measures provide reliable evidence of proper organizational and supervisory structures, particularly towards fining and supervisory authorities. In proceedings for breaches of supervisory duties or organizational deficiencies under Section 130 of the German Administrative Offenses Act (OWiG), this makes it possible to argue for mitigation or a significant reduction of fines, a key advantage for management and supervisory bodies.

Why ROSTALSKI Commercial Criminal Law & Compliance?

Our work is characterized by a deep understanding of how complex organizations function—whether they are private companies, public institutions, or internationally networked structures. We understand the unique challenges that arise from diverse responsibilities, interfaces, regulations, and organizational cultures, and we develop solutions that address these real-world conditions.

Our many years of experience in companies and public authorities enable us to combine technical requirements with organizational reality. We focus on standard-compliant, audit-proof implementation in accordance with ISO standards and create systems that meet both the high expectations of supervisory authorities and the daily requirements of practical application. In doing so, we draw on scientifically sound methods, combined with a clear eye for pragmatic, resilient solutions.

A special feature of our work is our strong focus on implementation: we do not deliver abstract concepts, but develop structures, processes, and measures that actually work within the organization, are accepted, and have a lasting effect. Our communication is deliberately clear, understandable, and free of unnecessary management rhetoric—so that everyone involved can understand the requirements and goals and actively support them.

As sought-after experts at leading training providers and speakers on the subject of compliance, we also convey complex topics in a compact, accessible, and concise manner in our consulting services. We empower managers and employees to confidently fulfill their roles in compliance and risk management and to bring the company's structures to life.

Who we work for:

  • small and medium-sized enterprises, especially family businesses
  • public administrations and authorities
  • regulated industries (especially medical device manufacturers, the food industry, and defense)
  • export-oriented companies of all sizes
  • non-profit organizations, foundations, and public enterprises (especially municipal enterprises)

Dr. Tony Rostalski
Lawyer, specialist lawyer for criminal law, certified data protection officer

Do you have questions on this topic or need support? Please contact us directly.


A robust compliance system creates clarity, security, and trust.

Regulatory and supervisory authorities now expect transparent, robust compliance structures. Many allegations of organizational or supervisory breaches do not stand up to professional scrutiny if an effective compliance management system is in place.

It is therefore crucial to establish a well-documented CMS at an early stage that meets governance requirements and manages risks transparently. We support companies and authorities in setting up compliance systems in accordance with ISO 37301 and effective risk management processes. This enables organizations to reduce liability, fine, and reputation risks and to provide reliable evidence of the fulfilment of their organizational obligations to supervisory authorities and control bodies.

Do you need assistance?

We provide you with reliable, discreet, and strategic advice.

Dr. Tony Rostalski
Attorney at Law | Specialist in Criminal Law
ROSTALSKI Commercial Criminal Law & Compliance – Cologne
Lindenallee 43
50968 Cologne

Email: kanzlei@rostalski.legal

Phone: +49 (0)221 2926 5840

ROSTALSKI is an independent law firm based in Cologne. We specialize in commercial criminal law, compliance consulting, and the development of effective organizational structures. Our clients include private individuals, executives, companies, and public sector clients. The firm is regularly recognized as a top address in rankings by WirtschaftsWoche, Handelsblatt, and FOCUS Business.
