ISO Standard on Compliance Management Systems - ISO 19600

Monday 11 August 2014
The new ISO Standard on Compliance Management Systems (ISO 19600) is close to completion after the third, and most likely final, meeting of the Committee responsible for its creation. The international committee met in July to finalise the draft standard, and it is now expected to be published in October. 
The standard is currently being edited, translated into French and going through the final ISO approval process. 
Martin Tolar, Managing Director of the GRC Institute, said that most substantive issues were agreed at the meeting, and the Standard was now at the final draft stage (FDIS). There remains one final sticking point, with the committee determined to see equal weighting given to mandatory and voluntary compliance obligations in the definition of "compliance obligation".
The committee, and indeed most compliance professionals, believe compliance within organisations should push standards which exceed the law. The law should be a base-line for compliance, but there should be equal weighting on a firm’s own internal code of conduct and other compliance policies which exist alongside regulatory responsibilities. Interestingly, this is a view shared by regulators as well. Greg Medcraft, Chairman of ASIC, recently said compliance should go beyond what the law requires, because perception matters. 
Tolar is confident an agreement will be reached shortly between the committee and ISO on this last issue. 
Australia has had a compliance standard since 1996 (AS/NZS2806). The Standard was then updated in 2006 and forms the basis of ISO 19600. As more and more countries implemented more complex regulations, some with extraterritorial reach, the potential benefits of a uniform standard became evident.
The Compliance Standard ISO 19600 is intended to consist of over-arching guidelines on what companies could and should do, in order to respect ever-increasing compliance obligations, irrespective of how they originate. Companies will be able to use the Standard to benchmark their framework against international best practice. This benchmarking will provide assurance that, in the event of an isolated case of non-compliance, the program could be used to mitigate any potential penalties handed down by regulators or the courts.
The Standard will be flexible enough so that, following a needs assessment, any company will be able to implement the measures necessary, while also adhering to international best practices. 
Australian and New Zealand practitioners familiar with AS/NZS2806 will notice that ISO 19600 draws heavily on the Australian and New Zealand model. However, there are improvements. There is a greater emphasis on the risk-based approach to compliance. There is also recognition of the role of the three lines of defence. In the ISO standard, there is a real emphasis on ensuring that business takes responsibility for its role in the compliance framework.
The process has run remarkably smoothly, given the number of nations involved. All participating nations have been focused on achieving a standard which will serve the compliance profession in a practical way.
GRC Professional will provide a detailed guide to the Standard in the Q3 edition of the magazine.

David Price

Monday 11 August 2014
Good news. Well done GRCI and any others involved.