
19600 compliance management system guidelines

Most organizations have a siloed approach to compliance, with environmental, safety, quality, community engagement and other departments managing their compliance issues separately. Increasing fines, penalties and criminal proceedings for non-compliance are driving organizations around the world to change their approach to compliance management. ISO recently introduced a unified compliance management system standard, ISO 19600. This standard has not yet been widely adopted, but there is a clear trend toward centralizing compliance obligations.

In this webinar, we discuss the best practices and guidelines for compliance management as described in the standard.

You will learn:
- the 7 elements that make up an effective compliance management system: Context of the organization, Leadership, Planning, Support, Operation, Performance evaluation and Improvement
- in-depth details of each of the 7 elements
- examples of how you can apply the recommendations at your organization

Presenter - Jonathan Brun, CEO Nimonik

Published in: Environment

19600 compliance management system guidelines

  1. ISO 19600 Compliance Management System, by Nimonik
  2. About the speaker
     • CEO of Nimonik
     • Metallurgical engineer
     • Passionate about world-class compliance and easy-to-use software
  3. Let us begin with a safety moment
  4. Poll: Have you heard of the ISO 19600 standard?
  5. Poll: Are you familiar with the contents of the ISO 19600 standard?
  6. ISO 19600 – Compliance management system standard
     • The guidelines on compliance management systems are applicable to all types of organizations
     • The International Standard is based on the principles of good governance, proportionality, transparency and sustainability
     • It has 10 sections, with the requirements contained in sections 4-10
  7. Sections 4-10: 4 Context of the organization; 5 Leadership; 6 Planning; 7 Support; 8 Operation; 9 Performance evaluation; 10 Improvement
  8. 4 - Context of the organization
     4.1 Understanding the organization and its context
     4.2 Understanding the needs and expectations of interested parties
     4.3 Determining the scope of the compliance management system
     4.4 Compliance management system and principles of good governance
     4.5 Compliance obligations
     4.6 Identification, analysis and evaluation of compliance risks
  9. 4.1 Understanding the organization and its context
     The organization should determine the external and internal issues that affect its ability to achieve the intended outcomes of its compliance management system (CMS).
     Internal and external issues: regulatory, social, cultural, economic, internal policies, resources
  10. 4.2 Understanding the needs and expectations of interested parties
     The organization should determine:
     • the interested parties (stakeholders) that are relevant to the CMS (who?)
     • the requirements of these interested parties (what requirements?)
  11. 4.3 Determining the scope of the compliance management system
     The organization should determine the boundaries and applicability of the compliance management system to establish its scope.
     Inputs to the scope (geographical/organizational): requirements of interested parties; internal and external issues
  12. 4.3 Determining the scope of the compliance management system
     Example: https://www.nytimes.com/2019/09/12/world/europe/france-sex-work-accident.html
  13. 4.4 Compliance management system and principles of good governance
     The organization should establish a CMS taking into consideration the following governance principles:
     • direct access of the compliance function to the governing body
     • independence of the compliance function
     • appropriate authority and adequate resources allocated to the compliance function
     The compliance management system should reflect the organization's values, objectives, strategy and compliance risks.
     Inputs to the CMS: governance principles; organization's values; organization's objectives; organization's strategy; organization's compliance risks; organization's compliance obligations
  14. 4.5 Compliance obligations
     Compliance requirements: laws, regulations, permits; orders, guidance; treaties, conventions
     Compliance commitments: agreements with community; agreements with customers; organizational policies; voluntary principles; industry standards
     1 Identify compliance obligations
     2 Determine the implications of the compliance obligations (CO) for the organization's activities
     3 Document compliance obligations
     4 Maintain compliance obligations: identify new and changed laws; evaluate the impact of changes; implement changes in the management of the CO
     The organization should identify its compliance obligations and should have processes in place to identify new and changed laws, regulations, codes and other compliance obligations to ensure ongoing compliance.
  15. 4.6 Identification, analysis and evaluation of compliance risks
     The organization should identify, evaluate and prioritize its compliance risks.
     Risk evaluation: non-compliance severity and likelihood; compliance risks the organization is willing to take; prioritize risk control set-up and implementation
     The risk-based approach does not mean that for low-risk situations non-compliance is accepted. It only assists in focusing primary attention on higher risks as a priority, and ultimately will cover all compliance risks.
     The compliance risks should be reassessed periodically and whenever there are:
     • new activities, products or services
     • changes to the structure or strategy of the organization
     • external changes (financial, economic)
     • changes to compliance obligations
     • non-compliances
  16. Sections 4-10 overview (repeated navigation slide: Context of the organization, Leadership, Planning, Support, Operation, Performance evaluation, Improvement)
  17. 5 - Leadership
     5.1 Leadership and commitment
     5.2 Compliance policy
     5.3 Organizational roles, responsibilities and authorities
  18. 5.1 Leadership and commitment
     The governing body and top management should demonstrate leadership and commitment with respect to the compliance management system.
     Management responsibilities: compliance policy; resource allocation; integrating the CMS into business processes; communicating the importance of the CMS; non-compliance reporting; ensuring the CMS achieves its objectives; continual improvement
  19. 5.2 Compliance policy
     Top management should establish a compliance policy. The compliance policy establishes the principles for achieving compliance. It sets the level of responsibility and performance required, and sets the expectations against which actions will be assessed.
     The compliance policy should not be a stand-alone document but should be supported by other documents: operational policies, procedures and processes.
     The compliance policy should:
     • be available as documented information
     • be written in plain language
     • be communicated clearly and made readily available
     • be updated as required
     Contents of the compliance policy: framework for compliance objectives; commitment to satisfy requirements; commitment to continually improve the CMS; integration of compliance with other functions; compliance built into operational policies; autonomy of the compliance function; responsibility for compliance issues; consequences of non-compliance
  20. Poll: Does your organization have a compliance policy?
  21. 5.3 Organizational roles, responsibilities and authorities
     Top Management:
     • establish and respect the compliance policy
     • allocate adequate resources for the compliance management system
     • include compliance responsibilities in the position statements of top managers
     • appoint a compliance function with access to expert advice on relevant laws, regulations, codes etc.
     • ensure that effective and timely systems of reporting are in place
     Compliance Function:
     • identifying CO with the support of relevant resources
     • providing on-going training to employees
     • compliance reporting and documenting system
     • compliance performance indicators
     • corrective action
     • compliance risks
     • reviewing the CMS at planned intervals
     • ensuring access to appropriate professional advice for establishing and maintaining the CMS
  22. 5.3 Organizational roles, responsibilities and authorities (continued)
     Compliance Function: as listed on the previous slide
     Employee:
     • respect CO
     • participate in compliance training
     • report compliance concerns, issues and failures
  23. Sections 4-10 overview (repeated navigation slide)
  24. 6 - Planning
     6.1 Actions to address compliance risks
     6.2 Compliance objectives and planning to achieve them
  25. 6.1 Actions to address compliance risks
     1 Identify compliance risks
     2 Document compliance risks
     3 Plan how to address compliance risks
     4 Plan how to integrate and implement actions into CMS processes
     5 Plan how to evaluate the effectiveness of actions
     The organization should plan:
     • actions to address these compliance risks
     • how to integrate and implement the actions into its compliance management system processes
     • how to evaluate the effectiveness of these actions
     The organization should retain documented information on the compliance risks and on the planned actions to address them.
  26. 6.2 Compliance objectives and planning to achieve them
     Compliance objectives should be: consistent with the compliance policy; measurable; taking applicable requirements into account; monitored; communicated; revised
     The organization should establish its compliance management system objectives at relevant functions and levels. When planning how to achieve its compliance objectives, the organization should determine:
     • what will be done
     • what resources will be required
     • who will be responsible
     • when it will be completed
     • how the results will be evaluated
     The organization should retain documented information on the compliance objectives and on the planned actions to achieve them.
  27. Sections 4-10 overview (repeated navigation slide)
  28. 7 - Support
     7.1 Resources
     7.2 Competence and training
     7.3 Awareness
     7.4 Communication
     7.5 Documented information
  29. 7.1 Resources
     Top management and all other levels of management should ensure that the necessary resources are deployed effectively to ensure that the compliance management system meets its objectives, and that compliance is achieved.
     Resources: human; financial; infrastructure and technology; access to specialized skills; access to external advice; reference material on legal obligations; professional development
  30. 7.2 Competence and training
     The organization should ensure that people working directly with the CMS have the necessary skills.
     Compliance function: determine competence; train and test; maintain documentation; ensure competence
     Training should be:
     • tailored to the compliance risks related to their role
     • on-going, and should begin at recruitment
     • easy to understand and practical
     • assessed for effectiveness
     • documented and recorded
     • revised
  31. 7.3 Awareness
     Top management should ensure that all employees of an organization are aware of:
     • the compliance policy
     • their role in the effectiveness of the CMS
     • the implications of not conforming with the CMS requirements
     Top management builds a compliance culture through: clear integration of compliance in all organization processes; management seen respecting the CMS; compliance training for new employees; on-going compliance training of all employees; on-going communication on compliance issues; employee performance reviews that consider compliance behaviour; prompt action on non-compliance
     Compliance culture: ensuring operational objectives and targets do not compromise compliant behaviour; integrating compliance into the organization's objectives and strategy; communicating its commitment to compliance; an environment where non-compliance reporting is encouraged; identifying and promptly correcting non-compliance
  32. 7.4 Communication
     The organization should determine when and how to share relevant information about the CMS with internal and external parties.
     The organization should adopt appropriate methods of communication to ensure that the compliance message is heard and understood by all employees and external parties, including customers, suppliers, contractors etc.
  33. Poll: How many times do you have to repeat something to create a habit?
  34. https://service-design.co/you-need-to-repeat-a-behavior-66-times-to-create-a-new-habit-4e220f881eb6
  35. 7.5 Documented information
     Documented information is an integral part of a compliance management system. Documented information should be controlled for access, availability and protection against loss or improper use.
     Examples: compliance policy; roles and responsibilities; compliance risk registers and prioritization; annual compliance plans; CMS objectives, targets and structure; register of relevant compliance obligations; register of non-compliances and near misses; training records
  36. Sections 4-10 overview (repeated navigation slide)
  37. 8 - Operation
     8.1 Operational planning and control
     8.2 Establishing controls and procedures
     8.3 Outsourced processes
  38. 8.1 Operational planning and control
     The organization should plan the processes needed to meet the compliance obligations and address compliance risks by:
     • defining the objectives of the processes
     • establishing criteria for the processes
     • implementing controls for the processes
     • documenting process information
  39. 8.2 Establishing controls and procedures
     Effective controls should be set to ensure compliance obligations are met and non-compliances are prevented, detected and corrected. Procedures should be established to translate the compliance obligations into practice.
     Examples of controls: easy to follow and documented policies, procedures and processes; systems and exception reports; approvals; automated processes; annual compliance plans; employee performance plans; compliance assessments and audits
     Examples of procedures: active and frequent communication on the expected behaviour of employees; integrating the compliance obligations into procedures like forms, reporting, contracts etc.; assessment to ensure that employees comply with procedures; arrangements for identifying and escalating non-compliances; on-going monitoring and measurement
  40. 8.3 Outsourced processes
     The organization should ensure that outsourced processes are controlled and monitored.
     1 The organization should undertake effective due diligence to ensure its commitment to compliance is not lowered
     2 Controls over contractors should be in place to ensure the contract is complied with effectively (e.g. third-party performance appraisals)
     3 The organization should consider compliance risks related to third-party processes, such as the supply and distribution of its goods and services
  41. Sections 4-10 overview (repeated navigation slide)
  42. 9 – Performance Evaluation
     9.1 Monitoring, measurement, analysis and evaluation
     9.2 Audit
     9.3 Management review
  43. 9.1 Monitoring, measurement, analysis and evaluation
     The organization should determine what needs to be measured, how and when it will be measured, and how the results will be reported.
     Elements: monitoring; sources of feedback on compliance performance; methods of information collection; information analysis and classification; development of indicators; compliance reporting; content of compliance reports; record-keeping
     Monitoring: a plan for continual monitoring should be established, setting out monitoring processes, schedules, resources and the information to be collected. Monitoring of the CMS includes the effectiveness of training and controls, the currency of CO etc. Monitoring of compliance performance includes leading and lagging indicators, non-compliances, compliance culture etc.
     Sources of feedback and methods of information collection: the organization should establish procedures for seeking feedback on its compliance performance from a range of sources like employees, customers, suppliers etc.
     • reports of non-compliance
     • information gained through hotlines and complaints
     • informal discussions, workshops and focus groups
     • training requests and feedback provided during training
     Information analysis and classification: a system should be developed for classifying, storing and retrieving the information. Examples of information classification criteria include source, department, non-compliance description etc.
  44. 9.1 Monitoring, measurement, analysis and evaluation (continued)
     Development of indicators: a set of measurable indicators to quantify compliance performance, for example the percentage of employees trained effectively, or the time taken to report and take corrective action.
     Record-keeping: accurate, up-to-date records of the organization's compliance activities should be maintained, including compliance reports, details of non-compliance and corrective and preventive actions, results of reviews and audits etc.
     Content of compliance reports: matters required to be notified to any regulatory authority, changes in compliance obligations, measurement of compliance performance, number and details of non-compliances, corrective actions, results from audits etc.
     Compliance reporting: internal reporting arrangements should ensure that appropriate criteria and obligations for reporting are set out, timelines for regular reporting are established, there is sign-off on the accuracy of reports etc.
  45. 9.2 Audit
     The organization should conduct audits at planned intervals to determine and report whether the CMS is effectively implemented and maintained.
     • Plan an audit programme, including frequency, methods, responsibilities, planning requirements and reporting
     • Define the audit criteria and scope for each audit
     • Ensure the objectivity and impartiality of the audit process
     • Ensure that the results of the audits are reported to relevant management
     • Retain documented information as evidence of the implementation of the audit programme
     • Retain documented information as evidence of the audit results
  46. 9.3 Management review
     Top management should review the organization's compliance management system at planned intervals to ensure its continuing suitability, adequacy and effectiveness.
     Review:
     • the status of actions from previous management reviews
     • the adequacy of the compliance policy
     • the extent to which the compliance objectives have been met
     • the adequacy of resources
     • changes in external and internal issues that are relevant to the CMS
     • information on compliance performance, including trends in nonconformities, corrective actions and timelines for resolution
     • opportunities for continual improvement
     Recommend:
     • the need for changes to the compliance policy, objectives, structure and personnel
     • areas to be monitored for potential future non-compliance
     • longer-term continual improvement initiatives
     • changes to compliance processes for better integration with operations
     • corrective actions for non-compliances
     • recognition of exemplary compliance behaviour within the organization
  47. 9.3 Management review
     Example: https://www.vox.com/science-and-health/2019/11/8/20948348/delhi-india-air-pollution-quality-cause
  48. Sections 4-10 overview (repeated navigation slide)
  49. 10 - Improvement
     10.1 Nonconformity, noncompliance and corrective action
     10.2 Continual improvement
  50. 10.1 Nonconformity, noncompliance and corrective action
     When a nonconformity and/or noncompliance occurs, the organization should:
     • take action to control and correct it
     • manage the consequences
     • eliminate the root causes
     • determine if similar nonconformities and/or non-compliances exist
     • review the effectiveness of the corrective action taken
     • make changes to the compliance management system, if necessary
     A clear escalation process should be adopted and communicated to ensure that all non-compliances are raised, reported and eventually escalated to relevant management. The process should specify to whom, how and when issues are to be reported, and the timelines for internal and external reporting.
  51. 10.2 Continual improvement
     The organization should seek to continually improve the effectiveness of the compliance management system. The information collected and evaluated in compliance reports should be used as a basis to identify opportunities for improvement. (Plan, Do, Check, Act cycle)
  52. Flowchart of compliance management system (diagram)
  53. Comprehensive Compliance approach
     Successful compliance programs require three key elements (diagram labels: Software solution; Centrally managed compliance)
  54. Comprehensive Compliance approach
     Centralized compliance: a central place where management can view the compliance performance of all facilities worldwide, in one place, in real time.
     Source: October 2019 survey results, 'Centrally managed vs Locally managed compliance'.
  55. Comprehensive Compliance approach
     The next key factor is a software solution to manage compliance.
  56. A software solution is critical to a successful compliance program
     • 75% of all operations still monitor regulatory requirements manually
     • 80% of countries are planning to issue new EHS regulations this year
     • 65% of an organization's costs for monitoring regulations can be reduced with a software solution
     • 40% of all amended and new laws are EHS related
  57. Comprehensive Compliance approach
     And the third key factor is a 'Comprehensive Compliance' approach.
  58. Nimonik's 7 Steps for Comprehensive Compliance (arranged as a Plan, Do, Check, Act cycle of continuous improvement)
     1 Identify your applicable regulations, codes and standards
     2 Select requirements that apply to you
     3 Implement a process with your subject matter experts
     4 Document your compliance actions
     5 Monitor for changes to your requirements
     6 Verify compliance with audits and management reviews
     7 Take action on non-compliance and opportunities for improvement
  59. Nimonik helps with all three key elements with our 3 services
     01 Title-level Compliance Obligations
     • Access over 200,000 EHS regulations, standards and guidelines for global jurisdictions on our easy to use software, NimonikApp.
     • Receive alerts when applicable documents change or new ones get introduced.
     02 Clause-level Compliance Obligations
     • Access specific requirements in over 200,000 EHS regulations, standards and guidelines for global jurisdictions on our easy to use software, NimonikApp.
     • Receive alerts when the specific applicable requirements change or new ones get introduced.
     • Use the specific requirements as audit protocols to assess your compliance.
     03 Audit and Inspection Software
     • Audit efficiently with an easy to use app available on web and mobile devices.
  60. Comprehensive compliance workshop: please send 'Workshop' in the chat and we will get in touch
  61. Thank you
     nimonik.com | +1-888-608-7511 | info@nimonik.com
     • Please fill in the post-webinar survey
     • Text 'Workshop' in the chat if interested in the Comprehensive Compliance workshop for your team
