The SASAC has mandated central enterprises to establish comprehensive compliance systems by 2025, marking a significant step towards reinforcing the rule of law in China’s state-owned enterprises.
The State-owned Assets Supervision and Administration Commission (SASAC) has mandated central enterprises to establish comprehensive and effective compliance management systems by 2025, in line with the Opinions on Further Deepening the Construction of Rule-of-Law Central Enterprises issued in 2021.

Local state-owned assets supervision and administration bodies are therefore required to refer to these opinions to actively promote the rule-of-law construction of their invested enterprises by this year.
Key aspects and points for state-owned enterprises (SOEs) to note regarding compliance are as follows.
Compliance management systems and certification must adhere to both departmental regulations and national standards. The year 2018 marked the “inaugural year of compliance management” in China, with the SASAC issuing the Guidelines for Compliance Management of Central Enterprises.
This initiative comprehensively advanced the development of compliance management systems in SOEs, representing a milestone in the evolution of corporate compliance management in China.
2022 was subsequently designated as the “inaugural year of compliance certification”, with the SASAC releasing the Measures for Compliance Management of Central Enterprises, setting clear requirements for further deepening compliance management in central enterprises.
Additionally, the State Administration for Market Regulation and the Standardisation Administration of China officially issued GB/T 35770-2022 Compliance Management Systems – Requirements with Guidance for Use, which is equivalent to ISO 37301:2021 of the International Organisation for Standardisation (ISO).
The release of this standard as the basis for compliance certification signifies that a consensus on compliance has been reached between China and more than 160 member countries of the ISO worldwide.
Some SOEs face significant challenges in building effective compliance management systems due to a lack of top-level design and failure to enforce primary responsibility. According to the author’s research, while some SOEs have established compliance management systems under the guidance of their legal and compliance departments – improving regulations and developing obligation lists, risk lists and process control lists – issues of superficial compliance persist. Compliance risk incidents continue to occur frequently.
Some enterprises only seem to achieve superficial compliance, without a deep understanding of the GB/T 35770-2022 requirements, and fail to integrate legal requirements with business operations using scientific management tools. This is reflected in the following aspects.
First, there is a lack of top-level design to drive compliance management. Under corporate governance mechanisms, the board of directors is tasked with setting strategy, making decisions and managing risks. But in practice, most boards fail to fully perform their risk management duties. They lack a top-level design for promoting compliance management, have not established compliance committees, or have committees that fail to function effectively, resulting in inadequate co-ordination of compliance efforts.
Second, the primary responsibility of the first line of defence in compliance management has not been enforced. According to the principle that those managing business operations must also manage compliance, business and functional departments serve as the first line of defence, responsible for compliance reviews of their operational activities.
In practice, some enterprises fail to enforce this responsibility. This includes a failure to appoint compliance officers within business and functional departments, and a lack of implementation of compliance risk identification and assessment within these departments.
Enterprises should adopt a management-oriented, risk-based approach. As commercial entities, enterprises must align their operational and management activities with profitability goals, using a management-oriented approach to allocate compliance resources efficiently, minimising compliance risk costs while maximising profits.
First, the division of responsibilities between legal compliance departments and business or functional departments must be clearly defined.
The legal compliance department should oversee compliance management, taking the lead in drafting fundamental compliance policies and annual plans, and conducting compliance reviews of regulations, economic contracts and major decisions.
Business and functional departments, as the primary entities responsible for compliance, should establish and improve their internal compliance management systems and processes, identify and assess compliance risks, compile risk lists and response plans, define compliance management roles, and ensure compliance reviews of their operational activities.
Second, a management-oriented approach should be adopted to establish an effective compliance management system. Internal and external experts should jointly analyse the internal and external environments of the enterprise to identify key areas of compliance management.
Based on these key areas, business and functional departments should identify relevant internal and external stakeholders, determine compliance obligations, assess compliance risks and propose control measures.
The legal management department should organise internal and external experts to conduct internal reviews of compliance management, evaluating and refining the completeness, accuracy, and effectiveness of compliance obligation identification, risk assessment and control measures.
The board of directors should conduct management reviews, receive reports on the development of the compliance management system and make decisions on matters such as business models, resource allocation and role assignments related to compliance management.
Compliance certification experts should carry out external reviews for compliance certification, examining the scope of key compliance areas, the accuracy of compliance obligation and risk identification, and the working papers for compliance risk control measures. They should interview the key person in charge of the enterprise, provide recommendations for rectifying non-conformities in compliance certification, suggest improvements to compliance management and complete the compliance certification process.
Wang Xiaotao is director of the Xi’an branch of W&H Law Firm. He can be contacted by phone at +86 130 7291 2820 or by email at wangxiaotao@weihenglaw.com.
16F, Tower A China Technology Trading Building, 66 North Fourth Ring West Road
Haidian District, Beijing 100190, China
Tel: +86 10 6268 4688