What is the general idea behind the proposed ISO 19600?*
In 2012, Australia proposed the development of an ISO standard for compliance programs based on the national Australian standard which has existed since 1996. This proposal was accepted by the members of ISO and a Project Committee (PC) was established to develop the standard. ISO/PC 271 “Compliance Management” is chaired by Martin Tolar, Managing Director of the GRC Institute (formerly the Australasian Compliance Institute) and the secretariat is provided by the Australian standards body SA. The ISO 19600 is being developed as a guideline for compliance management and not as a specification that provides requirements.
This was the preference of the majority of the ISO members that approved the project. There are already enough certifiable management system standards for specific disciplines that include compliance management as an important system element, e.g. ISO 14001 for environmental management or OHSAS 18001 for occupational health and safety management. ISO 19600 is intended to assist organizations in improving and broadening their existing approach to compliance management. The guideline can be applied as a ‘plug-in’ to adapt the overall management system of an organization to manage compliance matters systematically as well. Another reason why it is of importance to create a guideline instead of a certifiable management system is the fact that small and medium-sized companies should be able to evaluate and implement solutions appropriate to their operations rather than be burdened with the creation of potentially disadvantageous systems. These businesses should embrace compliance and set up a management system that fits the needs and possibilities of the enterprise.
What is the essence of the risk based approach to compliance management?
Compliance management goes beyond the mere satisfaction of legal requirements. Compliance is also related to meeting the needs and expectations of a wide range of stakeholders. Therefore, making sound choices and setting priorities is an important part of compliance management. ISO 19600 follows a risk-based approach to compliance management that is aligned with ISO 31000 (the ISO standard for risk management). By analyzing the context and environment in which an organization operates, its compliance obligations can be determined. This means that the organization should decide with which requirements, needs and expectations of its stakeholders it will comply. Such decisions will be based on a risk assessment that asks: What is the risk (threat or opportunity) when I do (not) adopt a stakeholder’s need as a compliance obligation? With respect to legal requirements, the organization has no choice: any socially responsible organization has to comply with the law. However, on the basis of a risk assessment, priorities will be set to devote the majority of management efforts and controls to those obligations with the largest compliance risks (expressed as the likelihood of occurrence and the impact of the consequences of non-compliances). Based on the assessment of the compliance risk, measures (risk controls) are designed and implemented, as well as methods and procedures to monitor and evaluate compliance and the effectiveness of the implemented controls. This risk-based approach assists organizations by ensuring the right focus in their compliance management efforts.
At what stage is the Project Committee with respect to completion of the Standard?
During the next meeting of ISO/PC 271 in July 2014 in Vienna, the results of the voting by ISO member bodies and comments received will be reviewed, and the text of the next draft version prepared. Assuming that the vote will be positive, the next draft of ISO 19600 will either be issued as a Final Draft International Standard and presented for a final ballot amongst the ISO members or directly put forward for publication by the ISO Central Secretariat. Therefore, it is possible that ISO will be able to publish the Standard even by the end of 2014.
Why is the standard important for Dutch stakeholders?
In the Netherlands, organizations have to deal with a steadily growing number of (legal) requirements that have to be complied with, and this begs for a systematic and planned approach within an organization. Government inspection and supervising bodies can benefit when organizations accept their responsibility with respect to the implementation of, and compliance with, laws and regulations more seriously. In the last decade various pilots have been conducted to adapt the frequency and depth of governmental inspections to the extent of demonstrated compliance management of a company itself. By evaluating the maturity of compliance management in organizations where they have to enforce the law, supervisory authorities can usefully adapt the quantitative and qualitative approach to carrying out inspections and maintaining oversight. By following guidelines that clarify what constitutes mature compliance management, organizations can limit the disruption to business activities that normally accompanies higher intensities of inspection visits. A common reference used in the Netherlands is the so-called ‘compliance competence checklist’; although useful, its disadvantages are that it is just a checklist and doesn’t provide guidance, it is not very well aligned with ‘ISO management systems’ and it is not internationally accepted. To support further steps in a new approach to enforcement of legal requirements, a generally accepted and well suited reference for ‘good compliance management’ is an important tool. ISO 19600 will provide that reference and therefore will fulfill the needs of Dutch stakeholders.
OHSAS: Occupational Health & Safety Assessment Series
*This interview is based on an article published in the Journal of Business Compliance.
The ETHIC Intelligence Experts’ Corner is an opportunity for specialists in the field of anti-corruption compliance to express their views on approaches to and developments in the sector. The views expressed in these articles are those of the authors.