It’s been almost two years since Compliance Management System Standard ISO 19600 was first published. So has ISO 19600 lived up to expectations and delivered upon what the authors had hoped to achieve? Or is there still room for improvement?
But first a recap.
What is ISO 19600?
ISO 19600 is a guidance standard that was based upon the Australian compliance standard AS 3806. As such, the standard is not currently designed for organisations to have their compliance programme certified against; however, the Austrian Standards Institute has developed a certifiable version of 19600. Certifications have been issued and there is growing interest from many countries in adopting a similar approach.
The core of the standard is a set of interrelated or interacting elements that establish the policies, objectives and processes required for an organisation to build the framework to achieve their compliance objectives.
The structure of the standard
The structure of the standard is similar to other ISO standards that follow the management system standard (MSS) format. Additionally, underpinning ISO 19600 is the “plan–do–check–act” model which will be familiar to previous users of ISO 9001 or ISO 14000.
Understanding the organisation
The first substantive section of the standard deals with understanding the context of the organisation that is running the compliance management system. The context may take a wide number of factors into account, such as the size of the company, its industry and its general economic concerns. This is an important feature, as the standard is designed to support small- and medium-sized companies as well as large multinational corporations.
The section also deals with:
- recognising the stakeholders of the system and their requirements
- determining and documenting the scope of the system
- identifying the compliance obligations of the organisation
- analysing the risks associated with the compliance obligations
- prioritising the risks and obligations
- guidance regarding when to review the risk-assessment process.
The leadership section of ISO 19600 sets out the expectations and responsibilities of those in the governing body (i.e. board of directors) and in top management (i.e. C-suite roles). The standard makes it clear that these two groups bear the primary responsibility for compliance management. It places an onus on them to demonstrate their commitment to compliance by providing resources, management and oversight of the compliance management system. It also requires that they provide a clear and documented compliance policy that states their commitment to compliance and to continual improvement.
In addition to the senior management groups, guidance is provided as to the roles of middle- and lower-level management in supporting compliance in their general day-to-day activities. Employees are also required to play their part.
The compliance function
In order to provide support for the management teams, the standard sets out the requirements for the compliance function (which may not necessarily be a discrete position). These include developing the compliance programmes for the management team to run. The compliance function should be independent of the business, with direct access to top management.
The standard provides a clear and comprehensive description of what the compliance function should be responsible for, including:
- identifying compliance obligations with the support of relevant resources, and translating those obligations into actionable policies and procedures
- integrating compliance obligations into existing practices and procedures
- providing or organising ongoing training and support for employees to ensure that all relevant persons are trained on a regular basis
- promoting the inclusion of compliance responsibilities into position descriptions and employee performance-management processes
- putting in place a compliance reporting and documenting system
- developing and implementing processes for managing information such as hotlines, whistleblowing lines and other mechanisms
- establishing compliance performance indicators and monitoring and measuring compliance performance
- analysing performance to identify the need for corrective actions
- identifying compliance-related risks and managing resulting compliance obligations relating to third parties (such as suppliers, agents, distributors, consultants and contractors)
- ensuring the compliance management system is reviewed on a regular basis
- ensuring there is access to appropriate professional advice in the establishment, implementation and maintaining of the management system
- providing employees with access to resources on compliance procedures and references
- providing objective advice to the organisation on compliance-related matters.
The compliance function is also responsible for determining which resources are needed to effectively implement a compliance programme for approval and execution by top management.
In addition to stating what the compliance function should do, there is also a useful description of the competencies needed in the function, including:
- integrity and commitment to compliance
- effective communication and influencing skills
- an ability and standing to command acceptance of advice and guidance
- relevant subject-matter competence.
Support and operations
The section of ISO 19600 that relates to support is the most important part of the standard from the point of view of the compliance function, as it sets out some of the key areas where it can provide support. These key areas include:
- awareness of compliance topics and the role that each person plays
- resources (including financial and human resources)
- competency assessments, to ensure that people know how to contribute to compliance
- training for any areas where competencies are lacking
- behavioural reviews and management, to understand and use underlying behaviours to direct people to do the right thing
- communication planning and management, to ensure that messages related to compliance are clear and well received
- documentation, to ensure that people know what is expected of them and that this knowledge is certified.
There is also a section on the controls that can be used to manage compliance obligations and achieve desired behaviours and outcomes. Different types of controls are considered, as well as a discussion on how to select them, integrate them with existing systems and monitor them.
One area that was not covered in the original Australian standard AS 3806 is outsourcing and the inclusion of partners within the scope of the programmes. This is especially useful when considering topics such as bribery, but also data privacy and other subjects where those partners significantly affect the compliance obligations of the organisation.
Evaluation and improvement
Finally, like the original standard and other ISO documents, ISO 19600 includes a section on continual review and improvement.
The evaluation process is documented in detail, including:
- how, when and where to monitor
- sources of feedback and information collection including hotlines, surveys and workshops
- analysis of the information using techniques such as root-cause investigations
- reporting systems and processes to communicate exceptions and issues in a timely manner
- audit planning and reporting
- management review and oversight.
Based on these evaluations, the final section of the standard deals with the implementation of remediation and corrective actions to fix any problems found and improve the overall effectiveness of the programme.
How effective has 19600 been?
It is still difficult to tell whether ISO 19600 will have a significant impact upon the compliance profession and upon measuring the performance and effectiveness of compliance programmes internationally. This is partly due to the confusion caused in the marketplace by the publication of ISO 37001 Anti-bribery Management Systems – Requirements with guidance for use 12 months after the publication of ISO 19600.
While ISO 37001 is much narrower in focus and addresses a specific market need, it has been designed so that organisations can have their anti-bribery frameworks certified. Given the number of high-profile international bribery cases that emerge each year, coupled with aggressive regulatory action by the US DOJ and the fact that certification is attractive for both businesses and certifying bodies, it appears at present that ISO 37001 is the more successful of the two standards.
While it is difficult to determine adoption rates of both standards, ENI, Walmart and Microsoft have all announced that they have or are in the process of obtaining ISO 37001 certification. However, the ISO is in the process of devising a series of surveys that will attempt to obtain data that will provide a clearer picture on how both standards are being used and by whom.
At the most recent ISO meeting held in Quebec it was determined to bring forward the systematic review of ISO 19600. These systematic reviews are normally conducted every 5 years, however given the popularity of the competing and complementary 37001 standard and the calls for the production of a certifiable version of 19600, the review was brought forward. We will not know until early 2018 the results of the ballot and if work will commence on the re-working of 19600.
In conclusion, it’s safe to say that the jury is still out when it comes to assessing the success of ISO 19600. What is clear, however, is that there is confusion in the market as to why two similar standards were produced in such a short time frame, and that more needs to be done by the ISO to promote awareness of ISO 19600 and its benefits. Time will tell whether a revamped certifiable version will help it achieve a higher profile and wider adoption by business.