In the following guest post, Ulrike Binder, a corporate partner in Mayer Brown’s Frankfurt office, Jan Kraayvanger, a partner in the Frankfurt office of Mayer Brown’s Litigation & Dispute Resolution practice, and Burkhard Fassbach, Legal Counsel to Howden Germany, take a look at recent corporate governance and executive liability developments in Germany. A version of this article previously was published as a White Paper by Mayer Brown written in cooperation with Howden Germany. The original version also contains a chapter about D&O-Insurance in Germany authored by Marcel Armon, CEO Howden Germany, which can be found here. I would like to thank Ulrike, Jan, and Burkhard for allowing me to publish their article on this site. I welcome guest post submissions from responsible authors on topics of interest to this blog’s readers. Please contact me directly if you would like to submit a guest post. Here is the authors’ article.



The German Corporate Governance Code presents essential regulations for the management and supervision of German listed companies. It contains, in the form of recommendations and suggestions, standards for good and responsible Corporate Governance. With regard to Corporate Compliance, in Section 4.1.3 the Code stipulates: “The management board ensures that all provisions of law and the company’s internal policies are complied with, and endeavours to achieve their compliance by the group entities (compliance). It shall also institute appropriate measures reflecting the company’s risk situation and disclose the main features of those measures. Employees shall be given the opportunity to report, in a protected manner, suspected breaches of the law within the company, third parties should also be given this opportunity.”


In a Keynote Speech at the German Institute for Compliance in summer 2016, Rolf Raum, presiding judge of the first criminal senate of the German Federal Supreme Court, summarized the requirements for an adequate Compliance Management System (CMS). First, pursuant to the principle ‘tone from the top’, the organisation’s general ethical climate should be established by its senior management and be felt by the employees as a result. Creating such an environment by having a ‘tone at the top’ helps prevent fraud and other unethical practices. Second, a whistleblowing system or ombudsman is an indispensable component of a CMS. Finally, it is important that misconduct and noncompliance shall be penalized.


As best practice guidelines, “The Ethics & Compliance Initiative” (ECI) issued a Report “Measuring the Impact of Ethics and Compliance Programs” (ECI Report). The report lists the following objectives for companies to strive towards:


Leaders are expected and incentivized to personally act with integrity.

Values and standards are clearly communicated.

Leaders create an environment where employees are empowered to raise concerns.

All employees are expected to act in line with company values and are held accountable if they do not.

Employees are provided guidance and support for handling key risk areas.

Disciplinary action is consistently taken against violators.

Investigations are objective, consistent and fair to all parties.

The organization provides broad and varied avenues for reporting.

The organization appropriately discloses wrongdoing with authorities.

Key risk areas are identified through a robust assessment process.


In the landmark Siemens/Neubürger judgement, the District Court Munich addressed in detail the requirements for a compliant organization, as well as the related obligations of the management board. The management board’s responsibility in the event of suspected compliance cases coming to light can be described as a ‘threefold obligation’. First, the obligation to clarify the case (detect). Second, the obligation to put an end to unlawful behaviour. Third, the obligation to impose appropriate sanctions in response to violations that have been discovered.


In Germany, executive and supervisory board members oftentimes appoint law firms as outside counsel to conduct internal investigations as part of the overall Compliance Management System (CMS) once there is reasonable suspicion of corporate or individual misconduct. The wide repertoire of an internal investigation covers document review, email screening, interrogation of employees, the implementation of an amnesty programme, etc. Subsequent to the investigation, the executive board takes care of optimising the CMS so that similar noncompliance events are prevented in the future.


Audit reports from certified public accountants review the appropriateness and efficiency of the CMS. In Germany, such CMS audits are conducted on the basis of the standard IDW 980 issued by the Institute of Public Auditors (IDW). On the basis of this standard, the auditor reviews the CMS to establish: (i) if it is suitable to detect significant noncompliance events; and (ii) if it can prevent such noncompliant conduct from occurring (assessment of appropriateness), as well as if the CMS has been effective over the course of a specified period of time (effectiveness review). Particular fields of compliance covered by the audit report are the subject of the auditor’s engagement letter (e.g. anti-bribery, cartel or anti-money laundering (AML) compliance). In addition, the geographical country scope of the audit needs to be defined. So far, mainly listed companies and large private corporations in Germany have appointed auditors to review their CMS.


Executive board members and supervisory board members can become targets of recourse litigation by the company for an insufficient CMS leading to financial losses due to administrative penalties and costly internal investigations. The German Federal Supreme Court assesses the adequacy of a CMS on a case-by-case basis (ex-ante approach), and adherence to the IDW or ISO standards is not necessarily a ‘carte blanche’ for executive board members’ defence in litigation. However, the observance of the IDW standard can contribute significantly to defence, in particular with regard to the required documentation.


Executive Liability

In the area of management liability, Germany is one of the most litigious countries in the world behind the United States and Australia. In almost no other jurisdiction are the risks for managing directors higher. The dot-com crash and the financial crisis led to a number of spectacular civil and criminal court cases against managers with high public profiles. These developments have arguably caused the courts to interpret the existing laws very strictly and have motivated the legislator to further increase the duties that managing directors – but also members of the supervisory board – need to fulfill. In the following report, we will discuss some aspects of German law, which contribute to the high risks managing directors are facing nowadays. We will focus on the liability of board members in stock corporations, so-called AGs, and limited companies, GmbHs.


External liability v. internal liability

A fundamental difference of management liability under German law compared to, for instance, the United States is that, in most cases, damage claims are not brought by third parties like employees or shareholders but by the company itself. In conducting business, the board members owe a duty to the company to employ the care of diligent managers. Board members who violate their duties are jointly and severally liable to the company for any resulting damage. The AG raises its claims against the management board through the supervisory board. Vice versa, claims against members of the supervisory board are to be pursued by the management board. If in a GmbH no supervisory board exists, the company is represented by its shareholders. In AGs, the members of the supervisory board are legally obliged to pursue viable liability claims against the managing directors. If the supervisory board members fail to do so, they can be subject to damage claims themselves. This was stipulated by the Federal Supreme Court in its famous ARAG/Garmenbeck decision in 1997 and has just recently been confirmed in a decision issued in September 2018 (BGH, judgement dated 18.9.2018, II ZR 152/17).


Full liability

The liability of board members is generally unrestricted. Board members’ private assets are subject to liability for the full damage they have caused, even in cases of only minor or slightly negligent breaches of duty. A single moment of inattention can financially ruin a board member. This is significantly different than the liability of ordinary employees, who enjoy far-reaching limitations of liability. The difference between board members and employees does not always appear fair, in particular if an employee of the parent company is ordered to serve as a managing director in an affiliate as part of his employment, possibly even without additional remuneration. A possible defense for board members may be the ‘business judgment rule’. However, at first, the business judgment rule is only applicable to discretionary business decisions and does not apply to acts or omissions that are required by law. Moreover, the board members may rely on the business judgment rule only if they can demonstrate and prove that they carefully considered the options, took all relevant factors into account and arrived at a decision that appeared to be reasonable at the time.


Burden of proof

This brings us to another important risk factor: the burden of proof. The burden of proof plays out heavily in favor of a company that pursues damage claims against its current or former management. The company only has to show that it suffered damage that was caused by an act or omission of the management. Then it is for the management to prove that it did not breach any duty or at least did not act culpably. This is not an easy task for the board members, in particular if the alleged breach of duty occurred several years ago and the defendants have left the company in the meantime. German civil law does not allow for discovery. While it is accepted that a certain level of disclosure duties exists, scope and preconditions are highly controversial. Therefore, it might be impossible for the former management to obtain the information it requires in order to prove its innocence.


Limitation of liability and settlement

This leads us to the question if, and to what extent, the management can limit its liability. Here, one has to differentiate between AGs and GmbHs. In a GmbH, the managing directors must follow instructions from the shareholders. If the managing directors act in line with such instructions, they cannot be held liable if the decision turns out to be detrimental to the company. Moreover, in a GmbH, the shareholders are, for the most part, free not to pursue damage claims against the managing directors or to agree on a settlement. Last but not least, the GmbH can agree on limitations of liability with managing directors in their service agreements. It is only the liability for intent that cannot be limited in advance. In contrast, limitations of liability within an AG are hardly permissible. In the service agreement, the liability cannot be limited at all. Even settlements after the damage has occurred can only be concluded under very limited circumstances, namely only three years after the claims have arisen and only if such limitation is approved in the general meeting and no minority whose aggregate holding equals or exceeds 10% of the share capital records an objection. Like in a GmbH, the members of the management board cannot be held liable if they have acted in line with a lawful resolution of the general meeting. The management board can request the general meeting to resolve certain management decisions. In contrast, the approval of the supervisory board is not sufficient to exclude the management board’s liability. In the light of these risks, it is not surprising that board members regularly request D&O insurance from their company.