ISO 19600 reappears in new guise as ISO 37301
The implementation of effective compliance is still perceived by many companies as a major challenge. Once a compliance management system has been successfully implemented, companies are faced with the question of how they can demonstrate this to the outside world. ISO 19600 (Compliance Management Systems) is the most common compliance standard. It is currently undergoing a revision and will be called ISO 37301 in the future. The new standard will be certifiable.
The ISO 19600 standard is an international and generally recognized compliance standard. Taking into account appropriateness and proportionality, ISO 19600 is applicable to all organizations - regardless of size, structure and complexity of the company. The guidelines set out in ISO 19600 serve as a guide for developing (designing), implementing and maintaining an effective compliance management system.
Certification
When it was introduced in 2014, ISO 19600 was a so-called Type B management system standard. In principle, ISO does not provide for certification of Type B standards. Since companies are asking for a review and certification of compliance management systems (CMS), PS 980¹ enables auditors to review the adequacy and effectiveness of a CMS.
The relationship between the PS 980 standard and ISO 19600 is complementary: ISO 19600 is a setup standard ("How do I design a CMS? How do I implement a CMS in the company and how do I ensure its maintenance?"), while PS 980 - as the name suggests - is an auditing standard ("How does the auditor review and certify a compliance management system?").
At the same time, the content of ISO 19600 largely covers the basic elements mentioned in PS 980, and PS 980 is explicitly listed in ISO 19600 as a specific framework for the establishment of a CMS.
ISO 37301: direct certification possible
In response to the aforementioned need for companies to have their compliance management systems certified, local standards committees are revising the ISO 19600 standard. The revision will result in a Type A standard, which allows direct certification. The standard is also getting a new reference number: ISO 37301. It is noteworthy that, among the various local standards committees, the members of the Chinese committee are particularly driving the changes.
The standard, which reappears in the new guise of ISO 37301, will now define requirements in addition to guidelines. It is these requirements that make it directly certifiable. ISO 37301 is expected to be published in English in 2020.
What changes?
Although revisions are still underway, it can already be said that ISO 37301 is essentially the same as its predecessor in that it specifies the lege artis of an effective CMS. What is added are definitions and annotations (explanation of terms) as well as clarifications of the current wording. This facilitates the practical application of the standard.
In terms of language, ISO 37301 now contains "shall" provisions when it comes to requirements. In comparison, the current version uses the term "should", as these are guidelines or recommendations. In addition, ISO 37301 contains an annex with "guidance for use" with practical explanations.
What does ISO 37301 include in concrete terms?
Companies that want to start implementing effective compliance or further develop their CMS can confidently use the current ISO 19600 standard as a guide until ISO 37301 is published. The core content of the revised standard remains the same.
During the development (conception) and introduction of the CMS, the compliance objectives are defined in accordance with ISO 37301, taking into account the size, structure and complexity of the company. Based on the compliance objectives, the company must carry out an evaluation of the compliance risks (compliance risk assessment). This involves analyzing and evaluating these risks in order to prioritize them. The priority results from the probability of occurrence and the impact of a violation ("probability and impact").
Next, the company defines the roles and responsibilities ("Who is responsible for which compliance risk?") as part of the so-called compliance organization, as well as those measures that are to be taken first. Applying a risk-based approach, priority is to be given to measures against risks with a high probability of occurrence and severe impact. ISO 37301 also provides for the creation of an independent compliance function.
As part of maintaining the CMS once it has been introduced, compliance must be continuously monitored and improved in accordance with ISO 37301.
Finally, ISO 37301 also mentions compliance communication and culture. Compliance communication relates to internal measures such as employee training and directives, but also communication with external stakeholders. The topic of culture runs as a common thread through ISO 37301: Already in the first paragraph of the introduction, the standard speaks of a culture of integrity and conformity to rules. According to ISO 37301, these points are "not only the basis but also the opportunity for a sustainably successful organization". However, the standard also expresses itself with concrete requirements on culture and gives examples of factors that support the development of a compliance culture.
In summary, ISO 37301 specifies how a compliance management system is developed, implemented and maintained by the company. In addition, there are definitions and notes (explanation of terms) as well as guidance on application, which help in the use of the standard. These explanations are by no means new, but the standard makes the subject of compliance definable and gives the user a complete overview in the reliable quality expected of ISO standards.
What do companies need to consider?
The expectation for companies to deal with the topic of compliance is an unmistakable reality. In addition, there are various demands from compliance-related areas (compliance in the broader sense) such as corporate governance, corporate social responsibility, ethical principles and social expectations. Against this background, the implementation of effective compliance is perceived by many companies as a major challenge.
ISO 19600 (soon ISO 37301) as a generally recognized compliance standard specifies how an effective CMS is developed (designed) and introduced and maintained in the company. Due to the high degree of concretization of the standard, it can serve as a guide for the company - regardless of size, structure and complexity - to implement effective compliance. Experience shows that this can be achieved with little effort and few organizational measures, especially in small companies.
Once CMS implementation is successful, companies often face the question of how to demonstrate this to their business partners and other stakeholders - for example, when a customer wants or expects its suppliers to implement and document a CMS. It may also be a matter of demonstrating to a (potential) business partner or other stakeholder that compliance is taken seriously within the company.
For many companies, the effect of a CMS in connection with liability risks in the event of breaches of rules is not insignificant. In the event of a possible breach of rules, a robust CMS can be used to prove the absence of organizational culpability (cf. Art. 102 StGB).
Conclusion
ISO 19600, which will soon appear as ISO 37301, provides concrete assistance in implementing effective compliance. Compliance certification is already possible today through the interaction of ISO 19600 and PS 980. In the future (probably from 2020), ISO 37301 will allow direct certification. The reasons why companies are and should be concerned with compliance are many and varied. However, the corresponding expectations on companies are a reality. Violations cannot be prevented even with the best CMS, but their systematic and proper handling has become a requirement. The authors agree with ISO 37301, in particular, that integrity and compliance are not just a general basis, but contribute significantly to a sustainably successful organization.
Auditing standard PS 980
¹ Swiss Auditing Standard PS 980 "Principles for the Audit of Compliance Management Systems"; cf. Germany: IDW PS 980 "Principles of Proper Auditing of Compliance Management Systems".
Authors
Philipp Lüttmann, National Chair of the SNV Committee on Governance of Organizations
Alexander Rey, Attorney at Law, BDO AG