ISO 19600 - Compliance Management Systems Guidelines
All organizations must endeavor to comply with statutory and regulatory requirements that are applicable to them. However, despite trying their best to meet these requirements, organizations may find themselves in trouble: their compliance costs can skyrocket whilst the effectiveness of their compliance management declines, exposing them to legal liability, loss of trust among its stakeholders and public scrutiny.
ISO 19600 can help organizations establish an effective and efficient organization-wide compliance management system. The standard helps the organization understand and adhere to the ever-increasing number of regulatory requirements while acknowledging the fundamental market drives. This alignment of strategic initiatives, objectives and compliance management system helps the organization unleash its full potential, establishing responsibility and accountability within the organization, increasing its effectiveness and reducing costs.
However, compliance management is more than just compliance to laws and regulations. Organizations are required to deal with varying requirements from a number of stakeholders (e.g. customers, community, etc.), industry codes, organizational standards and benchmarks voluntarily chosen by the organization, and last but not least, their own organizational policies and codes. In consequence, ethical codes of conduct are taken seriously as a sign of a healthy corporate governance and socially responsible organization. The standard acknowledges this fact and is written in such a way that helps the organization consider all of their compliance requirements, compliance commitments and compliance obligations in order to be successful in the long term.
The Importance of Leadership in ISO 19600
An organization’s approach to compliance is ideally shaped by its leadership applying core values and generally accepted corporate governance, ethical and community standards. Therefore the involvement of the top management in the organization’s compliance management system is one of the critical factors to ensure effectiveness. Additionally, the top management’s involvement provides the behavioral tone and sends a message of commitment and determination throughout the whole organization. Embedding compliance in the behavior of the people working for an organization depends above all on leadership at all levels and clear values of an organization, as well as an acknowledgment and implementation of measures to promote compliant behavior.
Being written in accordance with ISO’s ‘High level structure’ means that particular emphasis is placed upon leadership in ISO 19600. Indeed, when one reads the standard, one sees that the organization’s top management does not simply have the responsibility of managing the compliance management system, and quite a bit of involvement and accountability is required from them. They are required to integrate the requirements of ISO 19600 into the organization’s core processes, i.e. establish, develop, implement, evaluate, maintain and improve to ensure that the compliance management system achieves its intended outcomes. Furthermore, the organization’s top management is responsible for clearly communicating the importance of the compliance through clear and convincing statements supported by actions.
Organizations are increasingly convinced that by applying binding values and appropriate compliance management, they can safeguard their integrity and avoid or minimize noncompliance with the law. Moreover, the organization’s leadership and its commitment to lead by example are imperative for the creation of a successful compliance management system.
Risk-based approach in ISO 19600
A risk-based approach to compliance management is important; for it ensures that the system is in alignment with the organization’s objectives and establishes the basis for the implementation of a compliance management system. This means that the organization has to decide upon which requirements, needs, and expectations of its stakeholders are to be considered as obligations for the organization and that will be complied with.
The organization’s needs identify compliance risks by relating its compliance obligations to its activities, products, services and relevant aspects of its operations in order to identify situations where noncompliance can occur. The organization should identify the causes for and consequences of noncompliance.
The organization should analyze compliance risks by considering causes and sources of noncompliance and the severity of their consequences, as well as the likelihood that noncompliance and associated consequences can occur. Consequences can include, for example, personal and environmental harm, economic loss, reputational harm and administrative liability.
Risk evaluation involves comparing the level of compliance risk found during the analysis process with the level of compliance risk the organization is able and willing to accept. Based on this comparison, priorities can be set as a basis for determining the need for implementing controls and the extent of these controls.
The risk-based approach to compliance management does not mean that the organization should accept the noncompliance for low compliance risk situations. Organizations establish a zero tolerance approach to compliance quite often, which makes sense in terms of introducing an appropriate mindset among the organization’s personnel. Ignoring small wrongdoings may, in some cases, accidentally transmit an unintended message that compliance isn’t really important. The reality is that some rules carry more significance than others, and resources always have limitations.
ISO 19600 – a flexible guideline
ISO 19600 does not specify requirements, but provides guidance on compliance management systems and recommended practices. This is as a result of having the majority of ISO members approve the project and agree that there are enough certifiable management system standards for specific disciplines which include compliance management as an important element.