Compliance: ISO 19600 comes with a new look
The implementation of effective compliance is still perceived by many companies as a major challenge. Once a compliance management system has been successfully implemented, companies face the question of how they can demonstrate this to the outside world. ISO 19600 "Compliance Management Systems" is the most widely used compliance standard. It is currently being revised and will in future be called ISO 37301. The new standard will be certifiable.
The ISO 19600 standard is an international and generally recognized compliance standard. Subject to appropriateness and proportionality, ISO 19600 is applicable to all organizations, regardless of their size, structure and complexity. The guidelines set out in ISO 19600 serve as a guide for the development (conception), introduction and maintenance of an effective compliance management system.
Certification
When it was introduced in 2014, ISO 19600 was a so-called Type B management system standard. In principle, ISO does not provide for certification against Type B standards. Because companies demand an audit and certification of their compliance management systems (CMS), PS 980¹ enables auditors to review the adequacy and effectiveness of a CMS.
The relationship between the PS 980 standard and ISO 19600 is complementary: ISO 19600 is a setup standard ("How do I design a CMS? How do I implement a CMS in the company and how do I ensure its maintenance?"), while PS 980 - as the name suggests - is an auditing standard ("How does the auditor review and certify a compliance management system?").
However, the content of ISO 19600 largely covers the basic elements mentioned in PS 980. PS 980 is explicitly listed in ISO 19600 as a specific framework for the establishment of a CMS.
ISO 37301: direct certification possible
In response to the aforementioned need of companies to have their compliance management system certified, the national standards committees are revising the ISO 19600 standard. The revision will result in a Type A standard, which allows direct certification. The standard will also be given a new reference number: ISO 37301. It is worth noting from the work of the various national standards committees that the members of the Chinese committee are driving the changes particularly hard.
The standard, now appearing under the new designation ISO 37301, will define requirements in addition to guidelines. It is these requirements that make it directly certifiable. ISO 37301 is expected to be published in English in 2020.
What changes?
Although the revision is still in progress, it can already be said that ISO 37301 corresponds in essence to its predecessor in specifying the lege artis of an effective CMS. What is added are definitions and notes (explanations of terms) as well as clarifications of the current wording. This facilitates the practical application of the standard.
In terms of language, ISO 37301 now uses "shall" wherever it states requirements. By comparison, the current version uses "should", since its provisions are guidelines or recommendations. In addition, ISO 37301 contains an annex with "guidance for use" that provides practical explanations.
What does ISO 37301 contain in concrete terms?
Companies that want to start implementing effective compliance or further develop their CMS can confidently use the current ISO 19600 standard as a guide until ISO 37301 is published. The core content of the revised standard remains the same.
During the development (conception) and introduction of the CMS, the compliance objectives are defined in accordance with ISO 37301, taking into account the size, structure and complexity of the company. Based on the compliance objectives, the company must carry out an evaluation of its compliance risks (compliance risk assessment). In this process, the risks are analyzed and evaluated in order to prioritize them. The priority is determined by the probability of occurrence and the impact of a violation ("probability and impact").
Next, within the framework of the so-called compliance organization, the company defines the roles and responsibilities ("Who is responsible for which compliance risk?") as well as the measures to be implemented first. Applying a risk-based approach, measures against risks with a high probability of occurrence and severe impact are to be given priority. ISO 37301 also provides for the creation of an independent compliance function.
As part of maintaining the CMS once it has been introduced, compliance must be continuously monitored and improved in accordance with ISO 37301.
Finally, ISO 37301 also addresses compliance communication and culture. Compliance communication covers internal measures such as employee training and directives, but also communication with external stakeholders. The topic of culture is a common thread running through ISO 37301: in the very first paragraph of the introduction, the standard speaks of a culture of integrity and compliance. According to ISO 37301, these points are "not only the basis but also the opportunity for a sustainably successful organization". The standard also sets out concrete requirements on culture and gives examples of factors that support the development of a compliance culture.
In summary, ISO 37301 specifies how a compliance management system is developed, implemented and maintained by the company. In addition, there are definitions and notes (explanations of terms) as well as guidance on application, which help in using the standard. These explanations are by no means new, but through the standard the scope of compliance becomes clearly delimited and the user gets a complete overview with the reliability of an ISO standard.
What do companies have to consider?
The expectation for companies to address the issue of compliance is an unmistakable reality. In addition, there are various demands from compliance-related areas (compliance in the broader sense) such as corporate governance, corporate social responsibility, ethical principles and social expectations. Against this background, the implementation of effective compliance is perceived by many companies as a major challenge.
ISO 19600 (soon ISO 37301), as a generally recognized compliance standard, specifies how an effective CMS is developed (designed), introduced and maintained in the company. Because the standard is highly concrete, it can serve as a guide for any company, regardless of size, structure and complexity, in implementing effective compliance. Experience shows that this can be achieved with little effort and few organizational measures, especially in small companies.
Once a CMS has been implemented successfully, companies often face the question of how to demonstrate this to their business partners and other stakeholders, for example when a customer wants or expects its suppliers to implement and document a CMS. It may also be a matter of demonstrating to a (potential) business partner or other stakeholder that compliance is taken seriously within the company.
For many companies, the effect of a CMS on liability risks in the event of breaches of rules is not insignificant. In the event of a breach of rules, a robust CMS can provide evidence of the absence of organizational culpability (cf. Art. 102 StGB).
Conclusion
ISO 19600, which will soon be known as ISO 37301, provides concrete assistance in implementing effective compliance. Compliance certification is already possible today through the interaction of ISO 19600 and PS 980. In the future (probably from 2020), ISO 37301 will allow direct certification. The reasons why companies are and should be concerned with compliance are many and varied, but the corresponding expectations on companies are a reality. Violations cannot be prevented even with the best CMS, but their systematic and proper handling has become a requirement. The authors agree with ISO 37301, in particular, that integrity and compliance are not only a general basis for, but contribute significantly to, a sustainably successful organization.
Footnotes:
Auditing standard PS 980
¹ Swiss Auditing Standard PS 980 "Principles for the Audit of Compliance Management Systems"; cf. Germany: IDW PS 980 "Principles of Proper Auditing of Compliance Management Systems".
Authors: Philipp Lüttmann, National Chair of the SNV Committee "Governance of Organizations"; Alexander Rey, Attorney at Law, BDO AG