Академический Документы
Профессиональный Документы
Культура Документы
*Sylvie Bleker is the chair and Dick Hortensius is the secretary of the Dutch standards committee on
compliance management that actively contributes to the development of ISO 19600. Sylvie is also
Program Director of the Postgraduate education on Compliance & Integrity Management, and Chief
Compliance & Risk Officer at Ballast Nedam, whilst Dick is a senior-consultant at NEN Management
systems, Netherlands.
1http://www.iso.org/iso/home/about.htm
2 Business Compliance 02/2014
industry and in energy generation and is important with a view to safety and
distribution. All these sectors have environmental risks but also with a view
to cope with complicated legislation to business integrity (e.g. anti-corruption,
and regulations for which compliance terrorist financing or money laundering)
and related thereto, business continuity
and assurance of the continued delivery
Origins of the ISO 19600
of vital services. Companies acknowledge
In 2012, Australia proposed to that the basis for the effective achievement
start the development of an of any social responsibility objectives is a
ISO standard for compliance well organized and managed compliance
programs based on the national with rules and applicable laws, as well as
Australian standard AS 8306. This with the organisations own ethical codes
proposal was accepted by the and corporate directives. Government
members of ISO and a Project authorities show an increasing interest
Committee (PC) was established in the compliance management of
to develop the standard. ISO/PC companies. This may assist them in
271 Compliance Management setting priorities for inspection activities
is chaired by Martin Tolar, (e.g. less frequent visits to companies with
president of the Australasian sound compliance management systems)
Compliance Institute and the and in the way they carry out inspections
secretariat is provided by the (making use of information that emanates
Australian standards body SAI. from the compliance management
After two meetings of this ISO system).
Committee the Draft International
Standard ISO 19600 Compliance Broad approach
management systems - to compliance management
Guidelines has been published Compliance management is (much) more
for voting and comments by the than just meeting the requirements of
members of ISO. laws and regulations. Organisations
have to deal with many different types
3 Business Compliance 02/2014
About ISO
compliance management as an important that fits the needs and possibilities of the
system element; e.g. ISO 14001 for enterprise as such, and assist it in achieving
environmental management or OHSAS the subjacent compliance goals.
180012 for occupational health and safety
management. ISO 19600 is intended Risk based approach
to assist organisations in improving and As stated above, compliance management
broadening their existing approach to goes beyond the mere satisfaction of legal
compliance management. Therefore it is requirements. Compliance is also related
helpful that ISO 19600 follows the so-called to meeting the needs and expectations
high level structure for ISO management of a wide range of stakeholders.
system standards. Consequently, the Therefore making sound choices and
guideline can be applied as a plug-in to the setting of priorities is an important
adapt the overall management system of part of compliance management. ISO
an organisation to manage compliance 19600 follows a risk-based approach to
matters systematically as well (see figure compliance management that is aligned
1). with ISO 31000 (the ISO standard for
risk management). This approach is
Another reason why it is of importance to visualized in figure 2. By analyzing the
create a guideline instead of a certifiable context and environment in which an
management system is the fact that small organisation operates, its compliance
and medium size companies should be obligations are determined. This means
able to evaluate and implement solutions that the organisation has to decide
appropriate to them, rather than be upon which requirements, needs and
burdened to create such a management expectations of its stakeholders are to
system which would lead to a considerable be considered as obligations for the
disadvantage for these companies. These organisation and that will therefore be
businesses should embrace compliance complied with. Such decisions will be
and set up such a management system based on a risk assessment that asks:
What is the risk (threat or opportunity) the likelihood of occurrence and the
if I do (not) adopt a stakeholders need impact of the consequences of non-
as a compliance obligation? In case of compliance). Based on the assessment
legal requirements, the organisation of the compliance risk, mitigating
has no choice: any socially responsible measures (risk controls) are designed
organisation has to comply with the and implemented as well as methods
law. However, on the basis of a risk and procedures to monitor and evaluate
assessment, priorities will be set to compliance and the effectiveness of the
devote most management efforts and implemented controls. This risk-based
controls to those obligations with the approach assists organisations to provide
largest compliance risks (expressed as focus for their compliance management.
7 Business Compliance 02/2014
In the box four key definitions from system standards. All the standard
the draft ISO 19600 are included. These elements of a management system are
show that the scope of compliance adapted and supplemented for the subject
management covers both legal and of compliance (see the table overleaf). The
voluntary obligations. standard devotes much attention to the
roles and responsibilities of the governing
The compliance body, top management, line management
management system and employees of an organisation, as
As stated, ISO 19600 follows the High well as for the independence of the
level structure (HLS) for ISO management compliance officer (or more general:
Com p l i a nce o b l i g at i o n :
requirement that an organisation
has to, or chooses to comply with
Note Obligations may arise from mandatory requirements, such as applicable laws and regulations,
or voluntary commitments such as organisational and industry standards and codes, contractual
relationships, principles of good governance and community and ethical standards
Table C
orrespondence of the HLS system elements
with specific guidance on compliance management
the compliance function). The standard important part of any control measures.
emphasizes that an exemplary role and Monitoring of compliance and taking
commitment of management is essential action on instances of non-compliance
to establish a culture where compliance is described extensively, together with
is the standard and employees at all escalation expectations to appropriate
levels and in all circumstances (can) management levels when necessitated
show the right attitude and behaviour. by the seriousness of the instance of
The standard further recognizes that non-compliance. In figure 3, taken from
compliance lies in the end the result of ISO/DIS 19600, the relationship of the
the behaviour and actions of people, elements of compliance management
hence so-called soft controls become an according to the HLS is visualized.
9 Business Compliance 02/2014
The significance of ISO 19600 and supervising bodies can benefit when
Compliance management is an important, organisations accept their responsibility
at times critical, issue. Good conduct is with respect to the implementation
after all at the foundation of a companys of, and compliance with laws and
license to operate. The growing number regulations more seriously. By evaluating
and complexity of (legal) requirements the maturity of compliance management
that have to be complied with demands a in organisations where they have to
systematic and planned approach within enforce the law, supervisory authorities
an organisation. Government inspection can usefully adapt the quantitative and
10 Business Compliance 02/2014
and adherence by companies of their the influence the standard will have on
own (social) responsibilities on one hand, companies assessing the compliance
and the effective pursuit of oversight system of business partners in the future.
responsibilities of regulatory bodies and Even at this late stage, compliance
governments on the other. experts need to grasp the opportunity
to ascertain that the ISO standard is
Next steps not only theoretically correct, but also
ISO member bodies are able to vote practically effective. Although the ISO
and provide comments on the Draft compliance guideline will not lead to
International Standard until 22 April 2014. certification, companies may very well
During the next meeting of ISO/PC 271 decide to use the standard to assess
in July 2014 in Vienna, the results of the potential business partners, agencies,
voting and comments received will be distributors and outsourcing contracts
reviewed, and the text of the next draft included, verifying that they measure up
version prepared. Assuming that the to the ISO guideline; alternatively B2B
vote will be positive, the next draft of clients, suppliers, distributors and other
ISO 19600 will be issued as a Final Draft business partners may use the standard to
International Standard for a final ballot benchmark alignment and the maturity
amongst the ISO members. Then the of compliance management at your
standard may be published by ISO at the organisation. Whichever what way
beginning of 2015 in a world where social responsibility
extends to the business practices of all
Comments on the ISO Standard associated partners and service providers,
Until the 21st of April 2014 comments a standard defining accepted business
will be collected through the national compliance arrangements will have a
standardization committees. It is of significant impact.
particular importance that the global The I SO guideline on compliance
compliance community is aware of the management systems is intended for all
creation of the ISO standard/guideline kinds of companies and a wide diversity of
on compliance management, due to business activities. The standard applies
12 Business Compliance 02/2014
3http://www.iso.org/iso/home/about/iso_members.htm
4Argentina, Australia, Austria, Canada, China, Denmark, France, Germany, Malaysia, Netherlands,
Singapore, Spain and Switzerland.