Compliance-Blog #10: Criminal Preventive Advisory – Recognising Risks Before They Become Investigation Risks

Regulatory requirements, ESG obligations, whistleblowing systems, anti‑money‑laundering prevention and international supply chains are noticeably reshaping the risk landscape for companies. For managing directors, executive board members and supervisory board members, criminal liability today arises not only once a formal investigation has begun. The critical point often comes earlier: when responsibilities are unclear, business models remain unexamined, documentation is incomplete, or decisions are taken within legal grey areas.

Criminal Preventive Advisory intervenes precisely at this point. It enables corporate leadership to recognise risks at an early stage, establish robust foundations for decision‑making, and reduce personal liability exposure. Particularly when entrepreneurial decisions must be taken within legal grey areas, early‑stage advice becomes an essential instrument for achieving legal certainty. Those who have the facts, the legal position, responsibilities, possible courses of action and documentation reviewed in a structured manner before making a decision not only reduce the risk of an incorrect decision, but also strengthen later traceability vis‑à‑vis the supervisory board, shareholders, authorities or investigative bodies.

This is not about formal protection for its own sake, but about strategic risk management at the intersection of criminal law, compliance and governance: What is the company permitted to do? Who must take the decision? Which information must be available beforehand? How can legal advice be integrated in a way that legally safeguards decision‑making processes while remaining confidential? And at what point does an organisational deficit turn into a criminal‑law problem – with consequences for management, the executive board and the supervisory board?

1. Legal Framework: Prevention Begins Before Any Suspicion Arises

Criminal preventive advisory forms part of modern Criminal Compliance and Corporate Governance. It combines criminal‑law risk analysis with compliance and risk management and with the practical realities of corporate decision‑making. Of particular legal relevance are the duties of corporate leadership regarding proper organisation, supervision and risk control. Where these duties are breached, questions arise concerning directors’ liability, organisational liability, organisational fault and regulatory responsibility under the OWiG.

Particularly sensitive are situations in which corporate officers may hold a position of guarantor. Such a position can mean that not only active conduct, but also wrongful omission becomes criminally relevant. For managing directors and executive board members, this means: anyone who recognises – or must recognise – legally significant risks cannot rely solely on operational units where governance structures, clear responsibilities, control mechanisms or escalation pathways are entirely absent or exist only “on paper”.

Legal Safeguarding Through Opinions and the Privilege of Legal Advice

Another important component is the mistake‑of‑law doctrine under § 17 of the German Criminal Code. A carefully obtained legal opinion can, in individual cases, help document the decision‑making basis and counter the allegation of intentional conduct, or raise the question of an unavoidable mistake of law. What is crucial is that the quality of the opinion, its independence and its integration into the decision‑making process are capable of withstanding later scrutiny by investigative authorities and courts.

Closely connected to this is the question of the advice privilege. Legal professional confidentiality, rights to refuse testimony and protection from seizure can create an important framework of confidentiality. In the corporate context, however, this protection is not without limits. For this reason, the mandate, the purpose of the advice, the form of documentation, the distribution circle and any potential defence relevance must be considered at an early stage. When used correctly, criminal preventive advisory not only improves the substantive basis for decision‑making, but also enhances the company’s later defence capability should it be scrutinised by authorities or in criminal proceedings.

2. Risk Landscape and Typical Errors in Corporate Practice

Criminal‑law risks rarely arise in isolation. They often develop from a combination of economic pressure, unclear processes and legal uncertainty. Typical risk areas include anti‑corruption, fraud prevention, anti‑money‑laundering, tax obligations, dealings with intermediaries, advisers and distribution partners, ESG‑related risks, as well as supply‑chain due‑diligence obligations.

In practice, certain recurring misconceptions prove remarkably persistent:

  • The corporate leadership assumes that compliance is solely the responsibility of the legal department or the compliance officer. In reality, overall responsibility for organisation, resource allocation and control remains at the leadership level.
  • Risks are only assessed once a tip‑off, a search or an inquiry from an authority has already occurred. At that point, strategic prevention is often only possible to a very limited extent.
  • Legal opinions are obtained too late, too narrowly, or without a reliable clarification of the facts. A legal opinion offers protection only if it is based on complete information and is genuinely incorporated into the decision‑making process.
  • Documentation is underestimated as a mere formality – and often even feared. Yet in later investigations, the decisive question is whether risk assessment, information duties, decision‑making paths and control measures are documented in a manner that is comprehensible and traceable.
  • Companies often assume that all communication with external counsel is automatically and comprehensively protected. In reality, the protection of confidential advice must be actively ensured — for example through clear mandating, a limited distribution list, clean documentation pathways and secure, access‑restricted storage.
  • ESG and supply‑chain risks are treated as purely regulatory issues, even though they can trigger follow‑on criminal‑law risks — for example in cases of corruption, fraud, environmental offences or false statements made to business partners and capital‑market actors.
  • Whistleblowing systems are introduced without having thought through the associated responsibilities, investigation processes and necessary escalation pathways, let alone their criminal‑law implications. This creates a significant risk of later allegations of organisational fault.

The central liability risk often does not stem from a single wrong decision, but from inadequate governance and a fragmented compliance management system. Organisational fault arises where risks are foreseeable, yet no appropriate structures for prevention, clarification and response exist. Especially in cases of recurring indications, “known issues” or well‑known industry risks, the expectation of effective prevention and control measures increases significantly.

Even a commercially defensible decision can become vulnerable under criminal‑law scrutiny if it is taken without sufficient clarification of the facts, without a recognisable legal assessment or without traceable documentation. Criminal‑law preventive advice therefore does not aim to prevent every risky decision, but to make legal boundaries, decision alternatives and remaining risks transparent.

3. Strategic Assessment: Preventive Advice as a Governance Instrument

Criminal‑law preventive advice is not a niche topic reserved for crisis situations. It is a governance instrument. Its particular value lies in making entrepreneurial decisions legally robust. Preventive advice does not replace a business decision. But it creates the conditions for corporate bodies to take informed decisions: based on clarified facts, a realistic assessment of criminal‑law risks, documented alternatives and a traceable decision‑making process.

For executive directors, this means assessing criminal‑law risks not only on an ad‑hoc basis, but integrating them systematically into the company‑wide risk management and the overall compliance and governance strategy. This applies in particular to companies with regulated business models, public‑sector exposure, international sales structures, complex shareholdings or sensitive interfaces with public officials, the healthcare sector, energy, infrastructure or public funding.

Tailored Prevention: Mittelstand, ESG and New Regulation

From a governance perspective, the crucial point is that prevention must not remain abstract. A medium‑sized company requires different structures from an international group. While large corporations typically have specialised compliance functions, risks in the Mittelstand often stem from personal proximity, informal decision‑making paths and insufficient documentation. Criminal‑law preventive advice must take this reality into account. Standard policies are not enough if they are not understood, applied and reviewed within the organisation.

The link to ESG is particularly significant. ESG compliance is not limited to sustainability reporting or supply‑chain processes. It touches on questions of risk assessment, control, whistleblowing procedures, documentation and accountability. ESG breaches — for example in the environmental, human‑rights or corruption context — can escalate into criminal allegations against the company and its governing bodies.

Pragal Rechtsanwälte positions compliance explicitly in connection with ESG, AI, internal investigations, criminal due diligence and crisis management. In preventive advisory work, this interplay is applied in a practical and operational way: prevention is effective only when legal, organisational and strategic considerations are aligned — with regard to the requirements arising from criminal law, supervisory law, ESG regulation and internal governance structures.

4. Recommended Actions: What Companies Should Do in Practice

A sound prevention strategy starts with an honest assessment of the current state of affairs. Companies should not ask whether a risk exists in theory, but where it can arise in practice within their own business model. The following measures are particularly useful:

  • Conducting a criminal‑law risk assessment covering the business model, sales structure, third‑party relationships, payment flows, ESG interfaces and interactions with public authorities.
  • Clarifying responsibilities, reporting lines and escalation paths, particularly in cases of suspected misconduct, conflicts of interest and critical business decisions.
  • Obtaining a precise legal opinion in situations involving legal grey areas, new business models, complex transactions or decision‑making scenarios with potential criminal‑law relevance.
  • Structuring legal advice with regard to confidentiality, legal‑professional privilege and future defensibility: clear definition of the mandate, limited communication circles, and careful handling of opinions, minutes and internal notes.
  • Introducing a decision‑making process for legal grey areas: clarification of the facts, an initial criminal‑law assessment, review of possible courses of action, escalation to the competent bodies and a documented decision.
  • Reviewing existing compliance‑management systems for their effectiveness in addressing criminal‑law risks, rather than merely for formal completeness.
  • Preparing for regulatory interventions, internal investigations and crisis communication to ensure that no valuable time is lost in a critical situation.
  • Regularly reviewing whether the measures adopted are in fact implemented in day‑to‑day practice (‘effectiveness check’) and whether adjustments are required as a result of new products, markets or regulatory changes.

Company‑specific implementation: mid‑sized businesses vs. corporate groups

In mid‑sized businesses, the key is to maintain lean structures with clearly assigned responsibilities: unambiguous allocations of duties, a robust minimum level of documentation and simple, binding escalation paths. External criminal‑law preventive advice can function as an outsourced specialist capability, helping to classify risks and support decision‑making without creating unnecessary complexity.

In large companies and corporate groups, the focus is typically on the effectiveness review of existing systems, the management of interfaces between Legal, Compliance, Internal Audit and ESG, as well as on complex third‑party structures. Another decisive factor is the ability to demonstrate compliance to regulators, the supervisory board and the capital market.

In both cases, the principle remains the same: prevention must be proportionate to the company’s size, risk profile and decision‑making structure. ‘One‑size‑fits‑all’ approaches are unconvincing — both internally and in the eyes of investigative authorities.

5. Why Pragal Rechtsanwälte for criminal‑law preventive advice

Pragal Rechtsanwälte combines criminal‑defence experience with expertise in compliance, governance and investigations. This is particularly valuable in preventive advice, as risks are not only identified in the abstract but assessed simultaneously from the perspective of potential future investigations, regulatory evaluation and corporate decision‑making processes. The advice is designed to support management boards, managing directors, supervisory boards and compliance functions in their respective roles.

As a lawyer, certified compliance officer and certified AI‑compliance officer, Kristina Konrad brings many years of in‑house experience from the legal, compliance and corporate‑governance departments of large and mid‑sized companies. Her areas of focus include, among others, the establishment and further development of compliance‑management systems, internal investigations, anti‑corruption measures and strategic advice to regulated companies. Her particular focus enables preventive advice that integrates current regulatory developments in a practical and business‑oriented manner.

Dr Oliver Pragal is a specialist lawyer for criminal law, a certified compliance officer and has worked for many years in business and tax criminal law, corporate defence, compliance crises and internal investigations. His particular experience in anti‑corruption criminal law and in complex proceedings complements the preventive perspective with the viewpoint of a criminal defence lawyer. As a result, typical investigative strategies, evidentiary considerations and defence experience are incorporated into the preventive structuring of decisions and organisational frameworks from the outset.

For clients, this creates an immediate practical benefit: preventive advice is understood as the strategic support of decisions, organisational structures and risk profiles. Pragal Rechtsanwälte also assists companies in organising, documenting and safeguarding sensitive advisory processes in a way that ensures legal certainty without creating additional risks through careless communication or unclear responsibilities. The interface between prevention, internal investigation and potential corporate defence is taken into account from the outset.

6. Conclusion: Prevention is a leadership responsibility

Criminal‑law preventive advice cannot eliminate every risk. However, it creates legal certainty wherever corporate decisions may become sensitive from a criminal‑law perspective. Its value lies in identifying risks at an early stage, structuring decision‑making processes in a legally robust manner, integrating legal advice confidentially and reliably, and reducing liability risks for companies and their governing bodies. Those who take prevention seriously strengthen not only compliance, but also governance, resilience and corporate capacity to act.

For managing directors, management board members and supervisory board members, this is particularly important: a legally difficult decision is not automatically a breach of duty. It becomes problematic, however, when it is taken without sufficient fact‑finding, without a reliable legal assessment, without clear responsibilities and without comprehensible documentation. This is precisely where criminal‑law preventive advice comes in.

The key takeaway is clear: criminal‑law risks should be assessed before they develop into an investigation. In that case, prevention is not defensive but an expression of responsible corporate leadership — and a central element of modern corporate governance and ESG‑oriented corporate strategy.

FAQ: Criminal‑law preventive advice

Criminal‑law preventive advice refers to the early legal assessment and management of criminal‑law risks within a company. It includes risk evaluation, legal opinions, compliance structures, training, crisis preparedness and the legal support of critical decisions. The aim is not to provide a ‘full‑coverage insurance policy’, but to create an informed, documented and defensible decision‑making basis for corporate bodies and senior management.

A company should seek criminal‑law preventive advice whenever new business models, international transactions, third‑party risks, corruption or money‑laundering risks, ESG and supply‑chain issues, internal reports, regulatory enquiries or unclear legal situations arise. The introduction or adjustment of whistleblowing systems, ESG reporting structures or AI‑based tools can likewise be a reason for a preventive criminal‑law assessment.

A carefully prepared legal opinion can, in individual cases, provide important protection — particularly in relation to a mistake of law. What matters is the quality of the opinion, the completeness of the factual basis, the independence of the assessment and its genuine consideration in the decision‑making process. A ‘courtesy opinion’ or an opinion based on an incomplete factual foundation, by contrast, entails significant risk — including with regard to personal liability of corporate officers.

Senior management is responsible for ensuring adequate organisation, control and risk management. A lack of clear responsibilities, insufficient controls or ignored internal reports can give rise to personal liability risks. Criminal‑law preventive advice supports senior management in defining, documenting and continuously adapting these organisational and supervisory duties.

Compliance provides the structural framework; preventive advice assesses criminal‑law risks within that framework. Both become effective only in combination: clear rules, realistic processes, documented decisions and a reliable ability to respond in the event of suspicion. In well‑structured organisations, the compliance function, the legal department, ESG officers and external criminal‑law preventive advisers work closely together — without blurring responsibilities.

Whistleblowing systems can serve as early‑warning mechanisms for criminal‑law risks, provided they are set up correctly from both a legal and organisational perspective. What matters is how reports are received, reviewed, documented and escalated. Unclear responsibilities, insufficient protection of whistleblowers or missing response processes can themselves amount to organisational or supervisory deficiencies. Criminal‑law preventive advice helps design whistleblowing systems in a way that meets statutory requirements while also addressing investigative risks.

ESG matters increasingly intersect with areas of potential criminal liability — for example in relation to environmental offences, human‑rights violations in supply chains, corruption risks or misleading sustainability statements. Criminal‑law preventive advice addresses these issues by assessing ESG risks not only from a regulatory perspective but also in terms of potential criminal liability for companies and their officers. This enables governance structures, supply‑chain processes and reporting frameworks to be designed in a way that anticipates and mitigates criminal‑law exposure at an early stage.

Criminal‑law preventive advice ideally takes place before any suspicion arises and focuses on structures, processes and decision‑making foundations. Internal investigations, by contrast, respond to concrete indications or suspicions and examine past conduct. In practice, both areas are closely interconnected: insights from internal investigations feed into preventive measures, while a well‑designed prevention architecture facilitates investigations and can strengthen the organisation’s defensive position. A coordinated strategy avoids gaps between prevention, fact‑finding and potential corporate defence.