ISO 19600:2014 provides guidance for establishing, developing, implementing, evaluating, maintaining and improving an effective and responsive compliance management system within an organization. The guidelines on compliance management systems are applicable to all types of organizations. The extent of the application of these guidelines depends on the size, structure, nature and complexity of the organization. ISO 19600:2014 is based on the principles of good governance, proportionality, transparency and sustainability.
The ISO 19600 standard is an international document that establishes a benchmark of good practice in compliance management, one that reaches beyond borders, cultures and jurisdictions.
ISO 19600 is aimed at organizations that want to implement a management system which lets them demonstrate their commitment to the legal requirements that apply to them and to other requirements that they have voluntarily decided to adopt. It can be applied to all types of organizations, regardless of the differences that may exist among them. The text of the standard acknowledges that the extent to which the recommendations of the guidelines need to be applied depends on the size, structure, nature and complexity of each organization.
ISO 19600 collects guidelines for implementing, maintaining and improving an effective and responsive compliance management system. It includes recommendations on the elements organizations need in order to ensure that the requirements of their compliance policy are fulfilled and that they have the capacity to meet their obligations in this field. Among the recommendations provided by ISO 19600 are: analysing new compliance training needs for the professionals involved whenever organizational or legislative changes occur, or commitments to interest groups change; integrating the compliance management system into the assessment of employee performance; and supervising outsourcing agreements to ensure that contractors fulfil their compliance obligations.
In 2012, Australia proposed the development of an ISO standard for compliance programs, based on the national Australian standard that has existed since 1996. This proposal was accepted by the members of ISO and a Project Committee (PC) was established to develop the standard. ISO/PC 271 “Compliance Management” is chaired by Martin Tolar, Managing Director of the GRC Institute (formerly the Australasian Compliance Institute), and the secretariat is provided by the Australian standards body, Standards Australia (SA).
ISO 19600 was developed as a guideline for compliance management and not as a specification that imposes requirements. This was the preference of the majority of the ISO members that approved the project. There are already enough certifiable management system standards for specific disciplines that include compliance management as an important system element, e.g. ISO 14001 for environmental management or OHSAS 18001 for occupational health and safety management. ISO 19600 is intended to assist organizations in improving and broadening their existing approach to compliance management. The guideline can be applied as a ‘plug-in’ that adapts an organization's overall management system so that it also manages compliance matters systematically.
Compliance management goes beyond the mere satisfaction of legal requirements. Compliance is also about meeting the needs and expectations of a wide range of stakeholders. Therefore, making sound choices and setting priorities is an important part of compliance management. ISO 19600 follows a risk-based approach to compliance management that is aligned with ISO 31000 (the ISO standard for risk management). By analyzing the context and environment in which an organization operates, its compliance obligations can be determined. This means that the organization should decide which requirements, needs and expectations of its stakeholders it will comply with. Such decisions are based on a risk assessment that asks: what is the risk (threat or opportunity) if I do, or do not, adopt a stakeholder’s need as a compliance obligation? With respect to legal requirements, the organization has no choice: any socially responsible organization has to comply with the law. However, on the basis of a risk assessment, priorities are set so that the majority of management effort and controls go to those obligations carrying the largest compliance risks (expressed as the likelihood of occurrence and the impact of the consequences of non-compliance). Based on the assessment of compliance risk, measures (risk controls) are designed and implemented, together with methods and procedures to monitor and evaluate compliance and the effectiveness of the implemented controls. This risk-based approach helps organizations keep the right focus in their compliance management efforts.