Introducing Compliance Management in an SME
The obligation to comply with laws, regulations and voluntary commitments applies to all companies, regardless of their size, legal form or business activity. Thus, under the risk-based approach, SMEs with few employees often have to deal with the same compliance issues as large companies with several thousand employees.
Because of their perceived complexity and the feared expense, compliance management systems have not yet found their place in many SMEs. This is despite the fact that the environment has changed significantly due to increased legal enforcement against companies and members of top management, and compliance violations can lead to significant liability risks for companies and their management and threaten the reputation and existence of a company.
Compliance assistance also for SMEs
The international standard ISO 19600 "Compliance management systems - Guidelines", published in December 2014, supports SMEs in implementing and maintaining an effective and successful compliance management system (CMS). ISO 19600:2014 (now also published in German by DIN) is applicable to all organizations and, in accordance with the principle of appropriateness and proportionality, is a suitable guideline regardless of the size, structure, type and complexity of the company. Thus, a CMS according to ISO 19600:2014 can be tailored to the company without much additional bureaucracy. Practical experience shows that only a few organizational measures and procedures and about 15 pages of original documentation (board resolution on values and governance, compliance policy, instructions on core risks, training plan, audit and reporting plan) are needed to build a simple, robust CMS, which, if the right measures are taken, is likely to be superior to the CMS of a large international corporation in terms of its coherence as a system and its effectiveness.
By means of an effective CMS according to ISO 19600:2014, a company can ensure with a high degree of effectiveness that the binding obligations are met. This eliminates or minimizes compliance risks and increases legal certainty.
Application example of a CMS according to ISO 19600:2014
At the ZHAW School of Engineering in Winterthur, a Master's thesis in integrated risk management (MAS IRM) investigated the structure, development, implementation, evaluation, maintenance and improvement of a CMS in accordance with ISO 19600:2014 using the example of an international company with fewer than 20 employees.
The company's management system was already based on ISO 9001:2015, so the structure of the standards (High Level Structure) was uniform and the integration of the new ISO standard into the integrated management system (IMS) was simplified.
Approach to the implementation of ISO 19600:2014
ISO 19600:2014 consists of 7 main elements and is basically structured in two main phases, the setup and the operation of the CMS. It is important to note that all elements of ISO 19600:2014 must be implemented consistently in order to create an effective and efficient CMS. The CMS should also be based on the principles of good and responsible corporate governance (e.g. that management decisions are geared towards sustainable value creation, that transparent and open corporate communication is promoted, that the interests of interested parties are safeguarded, that risks are dealt with appropriately, etc.).
The set-up phase primarily contains the "context of the organization" element, in which the strategic orientation of the CMS is determined. Clear compliance objectives were defined and aligned with the other objectives of the company. The scope of the CMS was also determined and documented. After that, the organizational framework could be defined. For this purpose, the important internal and external influencing factors that have an impact on the performance of the CMS were determined. The external environment was analyzed by means of a systematic environment analysis. The requirements of relevant internal or external parties (persons or organizations) were also taken into account; these were ascertained by means of a stakeholder analysis. The compliance strategy and compliance policy were also defined on the basis of the information obtained in the set-up phase.
At the transition between the set-up and operating phases, procedures were established to systematically identify all legal and voluntary binding commitments and to review their impact on the company's activities, products and services. This made it possible to identify the risks arising from a breach of the binding obligations. As ISO 19600:2014 is a risk-based standard, risk assessment and risk management were given special attention.
Like the common structure of ISO standards, the risk-based approach has become an overarching and central interface in the ISO world. In an integrated management system where risks from different areas have to be assessed, it therefore makes sense to apply a systematic approach according to ISO 31000:2009 Risk Management. In this way, compliance-relevant risks could be optimally identified, analyzed, evaluated and managed.
The operating phase deals with the establishment, development, implementation, evaluation, maintenance and improvement of an effective and efficient CMS. With the help of the PDCA management cycle (Plan-Do-Check-Act), the compliance processes are continuously improved. First, the CMS was strategically planned in the "Planning" element to ensure that the objectives of the CMS are achieved and that unplanned effects are prevented, detected or reduced. To this end, concepts, measures and actions were defined to address the compliance risks identified in the set-up phase. Clear, measurable and verifiable compliance targets were also defined for relevant functions and areas. These were derived from the compliance policy, among other things.
By means of the "leadership and commitment" element, it was possible to show how the management bodies can significantly influence the significance and performance of the CMS through their actions: ISO 19600:2014 emphasizes the central importance of good leadership and a values-based culture for the effectiveness of a CMS. This reflects empirical findings according to which a culture of ethics and compliance cannot develop without the example of top management ("tone at the top") and without values and good governance, and that without these, even if a code of conduct and a "compliance program" are in place, effective compliance management is not possible.
The same management structure as the existing management system could be used for the roles and responsibilities of compliance. An independent structure would have exceeded the company's capabilities and would have tied up management and employees with administrative tasks instead of freeing resources for the CMS. However, care was taken to ensure that the compliance function is independent and has sufficient authority and direct access to the supervisory body (principles of good governance).
In the "Support" element, the necessary internal and external resources for an effective CMS were identified so that they can be made available and effectively used by the company. Training, education and development were also planned to ensure that employees have the necessary competencies and can make the contribution required of them under the standard for an effective CMS. A communication concept was also developed to ensure active internal and external compliance communication. Afterwards, processes, guidelines, procedures and their control and steering measures, which are necessary for the fulfilment of the CMS, could be implemented in the element "Operation". External processes and third parties were also taken into account.
In order to ensure the effectiveness of the CMS, procedures were established in the "performance evaluation" element to regularly monitor, analyze and evaluate the CMS itself and its performance. To this end, measurable indicators were identified to quantify the company's compliance performance: the effectiveness of training and the corrective measures assessed (activity indicators), the number of compliance violations reported and the financial impact of compliance violations (retrospective indicators), and the impact of compliance risks (forward-looking indicator).
A reporting system was also provided to inform the management about the effectiveness and appropriateness of the CMS. The results of the ongoing monitoring could be incorporated into the reports already available at the company. For events that must be reported promptly, such as compliance violations, an exception reporting system was set up so that these can be reported to the necessary departments, functions and authorities.
In order to improve the CMS and to uncover weak points, the "Improvement" element addresses the company's handling of compliance violations. In this way, measures to eliminate the causes should be identified and a recurrence prevented as far as possible. Sanctioning employees at all levels in the event of deliberate or negligent compliance violations is a central element of a functioning CMS. Many companies shy away from demanding accountability and imposing sanctions. Without a culture of accountability and sanctions, however, the demand for respect for values and compliance with binding commitments remains a dead letter ("paper compliance"). The diagram shows how the PDCA management cycle is mapped in the standard.
ISO 19600:2014 is also suitable for SMEs
The investigations of the above-mentioned Master's thesis led to the conclusion that a CMS according to ISO 19600:2014 is also optimally suited for an SME with fewer than 20 employees and creates the prerequisites to meet the current and future requirements for an effective CMS according to the recognized rules of the art (lege artis).
- Integrating a CMS according to ISO 19600:2014 into existing ISO-based management systems is simple and practical because of the uniform structure of all ISO management systems, the uniformly defined terms, the efficiency gains from management's existing familiarity with PDCA management cycles, and the simpler audit by internal and external auditors. The result is a strong management tool and a more efficient management system, as more aspects are considered and the management system is increasingly aligned with the overall objectives of the company. In this way, the company processes can be designed, directed and controlled more efficiently and effectively. This has a positive effect on the management of risks and thus on the success of the company, as does any good, professional management.
- When integrating the CMS, it is crucial to analyze and proactively maintain the interfaces with the organization's other management systems: quality management (ISO 9001:2015), risk management (ISO 31000:2009), environmental management (ISO 14001:2015), information security management (ISO 27001:2013), occupational health and safety management (ISO 45001:2016) and business continuity management (BCM, ISO 22301:2010). Only if this challenge is met can an effective and efficient Integrated Management System (IMS) be created that brings maximum benefit to the organization.
- The elements of ISO 19600:2014 follow the well-known PDCA management cycle. In this logical sequence, the CMS can be implemented and improved methodically and effectively. This leads to a sustainable and effective compliance solution.
- Compliance risks or activities that may lead to non-compliance with compliance obligations can be optimally identified, analyzed, evaluated and managed through interaction with ISO 31000:2009 (risk-based approach according to ISO 31000:2009).
- In the event of breaches of rules, a company can prove that there is no organizational culpability (corporate criminal law, Article 102 of the Criminal Code) and thus also protect management from liability risks and exonerate it in the event of an individual breach. Furthermore, an effective CMS also promotes the trust of interested parties, especially employees and customers.