19600 compliance management system guidelines

1. ISO 19600 Compliance Management System by Nimonik

2. About the speaker • CEO of Nimonik • Metallurgical engineer • Passionate about world-class compliance and easy-to-use software

3. Let us begin with a safety moment

4. Poll Have you heard of the ISO 19600 standard?

5. Poll Are you familiar with the contents of the ISO 19600 standard?

6. The guidelines on compliance management systems are applicable to all types of organizations The International Standard is based on the principles of good governance, proportionality, transparency and sustainability It has 10 sections with requirements contained in section 4-10 ISO 19600 – Compliance management system standard

7. 9 Performance evaluation Sections 4-10 4 Context of the organization 5 Leadership 6 Planning 10 Improvement 8 Operation 7 Support

8. 4 - Context of the organization 4.1 Understanding the organization and its context 4.2 Understanding the needs and expectations of interested parties 4.3 Determining the scope of the compliance management system 4.4 Compliance management system and principles of good governance 4.5 Compliance obligations 4.6 Identification, analysis and evaluation of compliance risks

9. 4.1 Understanding the organization and its context Internal and External issues Regulatory Social Cultural Economic Internal policies Resources The organization should determine external and internal issues that affect its ability to achieve the intended outcomes of its compliance management system (CMS)

10. 4.2 Understanding the needs and expectations of interested parties The organization should determine: • the interested parties that are relevant to the CMS • the requirements of these interested parties Who? Requirements? Stakeholders

11. 4.3 Determining the scope of the compliance management system Scope of the compliance management system (geographical/organizational) Requirements of interested parties Internal and External issues The organization should determine the boundaries and applicability of the compliance management system to establish its scope.

12. 4.3 Determining the scope of the compliance management system https://www.nytimes.com/2019/09/12/wo rld/europe/france-sex-work-accident.html

13. 4.4 Compliance management system and principles of good governance Compliance management system Governance principles Organization's values Organization's objectives Organization's strategy Organization's compliance risks Organization's compliance obligations The organization should establish a CMS taking into consideration the following governance principles: • direct access of the compliance function to the governing body • independence of the compliance function • appropriate authority and adequate resources allocated to the compliance function The compliance management system should reflect the organization’s values, objectives, strategy and compliance risks.

14. 4.5 Compliance obligations • agreements with community • agreements with customers • organizational policies • voluntary principles • industry standards Compliance requirements Compliance commitments • Laws, regulations, permits • orders, guidance • treaties, conventions Identify compliance obligations Maintenance of compliance obligations Determine implications of CO for its activities Document compliance obligations 1 2 3 4 • identify new and changed laws • evaluate the impact of changes • implement changes in the management of the CO The organization should identify its compliance obligations and should have processes in place to identify new and changed laws, regulations, codes and other compliance obligations to ensure ongoing compliance

15. 4.6 Identification, analysis and evaluation of compliance risks Compliance risks Compliance risks the organization is willing to take Non-compliance severity and likelihood Prioritize risk controls set- up and implementation Risk evaluation The organization should identify, evaluate and prioritize its compliance risks. The risk-based approach does not mean that for low risk situations, non-compliance is accepted. It only assists in focussing primary attention on higher risks as a priority, and ultimately will cover all compliance risks. The compliance risks should be reassessed periodically and whenever there are: • new activities, products or services • changes to the structure or strategy of the organization • external changes - financial-economic • changes to compliance obligations • non-compliances

16. 6 9 1087 Performance evaluation Sections 4-10 4 Context of the organization 5 Leadership Planning ImprovementOperationSupport

17. 5 - Leadership 5.1 Leadership and commitment 5.2 Compliance policy 5.3 Organizational roles, responsibilities and authorities

18. 5.1 Leadership and commitment Management Compliance policy Resource allocation Integrate CMS into business processes Communicati ng CMS importance Non- compliance reporting CMS achieve its objectives Continual improvement The governing body and top management should demonstrate leadership and commitment with respect to the compliance management system

19. 5.2 Compliance policy Top management should establish a compliance policy. The compliance policy establishes the principles to achieving compliance. It sets the level of responsibility and performance required and sets expectations to which actions will be assessed. The compliance policy should not be a stand-alone document but supported by other Documents - operational policies, procedures and processes. The compliance policy should: • be available as documented information • be written in plain language • be communicated clearly and made readily available • be updated as required Compliance policy Framework for compliance objectives Commitment to satisfy requirements Continually improve CMS Compliance integration with other functions Compliance into operational policies Autonomy of compliance function Responsibility for compliance issues Consequences of noncompliance

20. Poll Does your organization have a compliance policy?

21. 5.3 Organizational roles, responsibilities and authorities Top Management Compliance Function • establish and respect compliance policy • allocate adequate resources for compliance management system • include compliance responsibilities in position statements of top managers • appoint a compliance function with access to expert advice on relevant laws regulations, codes etc. • ensure that effective and timely systems of reporting are in place • identifying CO with the support of relevant resources • providing on-going training to employees • compliance reporting and documenting system • compliance performance indicators • corrective action • compliance risks • Review CMS at planned intervals • ensuring access to appropriate professional advice for establishing and maintaining CMS

22. • identifying CO with the support of relevant resources • providing on-going training to employees • compliance reporting and documenting system; • compliance performance indicators • corrective action; • compliance risks • Review CMS at planned intervals; • ensuring access to appropriate professional advice for establishing and maintaining CMS; 5.3 Organizational roles, responsibilities and authorities Compliance Function Employee • respect CO; • participate in compliance training; • report compliance concerns, issues and failures.

23. 6 9 1087 Performance evaluation Sections 4-10 4 Context of the organization 5 Leadership Planning ImprovementOperationSupport

24. 6 - Planning 6.1 Actions to address compliance risks 6.2 Compliance objectives and planning to achieve them

25. 6.1 Actions to address compliance risks 1 Identify compliance risks 2 Document compliance risks 3 Plan how to address compliance risks 4 Plan how to integrate and implement actions into CMS processes 5 Plan how to evaluate the effectiveness of actions The organization should plan: • actions to address these compliance risks and • how to integrate and implement the actions into its compliance management system processes • how to evaluate the effectiveness of these actions The organization should retain documented information on the compliance risks and on the planned actions to address them.

26. 6.2 Compliance objectives and planning to achieve them Compliance Objectives Consistent with compliance policy Measurable Take into account requirements Monitored Communicated Revised The organization should establish its compliance management system objectives at relevant functions and levels. When planning how to achieve its compliance objectives, the organization should determine: • what will be done • what resources will be required • who will be responsible • when it will be completed • how the results will be evaluated The organization should retain documented information on the compliance objectives and on the planned actions to achieve them.

27. 7 6 9 108 Performance evaluation Sections 4-10 4 Context of the organization 5 Leadership Planning ImprovementOperationSupport

28. 7 - Support 7.1 Resources 7.2 Competence and training 7.3 Awareness 7.4 Communication 7.5 Documented information

29. 7.1 Resources Access to external advice Human Financial Access to specialized skills Infrastructure & technology Reference material on legal obligations Professional development Top management and all other levels of management should ensure that the necessary resources are deployed effectively to ensure that the compliance management system meets its objectives, and that compliance is achieved.

30. 7.2 Competence and training The organization should ensure that people working directly with the CMS have the necessary skills. Training should be: • Tailored to compliance risks related to their role • On-going and should begin at recruitment • Easy to understand and practical • Assessed for effectiveness • Documented and recorded • Revised Ensure competence Determine competence Train and test Maintain documentation Compliance Function

31. 7.3 Awareness Top management should ensure that all employees of an organization are aware of: • the compliance policy • their role to the effectiveness of the CMS • the implications of not conforming with the CMS requirements Top Management Clear integration of compliance in all organization processes Management seen respecting CMS Compliance training for new employees On-going compliance training of all employees On-going communication on compliance issues Employee performance reviews that consider compliance behavior Prompt actions on non-compliance Compliance Culture ensuring operational objectives and targets do not compromise compliant behaviour integrating compliance to organization’s objectives and strategy communicating its commitment to compliance an environment where noncompliance reporting is encouraged identifying promptly correcting noncompliance

32. 7.4 Communication The organization should determine when, and how to share relevant information about the CMS to internal and external parties Organization should adopt appropriate methods of communication to ensure that the compliance message is heard and understood by all employees and external parties including customers, suppliers, contractors etc.

33. Poll How many times do you have to repeat something to create a habit?

34. https://service-design.co/you-need-to-repeat-a- behavior-66-times-to-create-a-new-habit- 4e220f881eb6

35. 7.5 Documented information Documented information is an integral part a compliance management system Documented information should be controlled for access, availability and protection against loss or improper use Compliance policy Roles and responsibilities Compliance risk registers and prioritization Annual compliance plans CMS Objectives, targets, structure Register of relevant compliance obligations Register of non- compliances and near misses Training records

37. 8.1 Operational planning and control 8 - Operation 8.2 Establishing controls and procedures 8.3 Outsourced processes

38. 8.1 Operational planning and control Defining objectives of processes Establishing criteria for processes Implementing control for processes Documenting process information The organization should plan processes needed to meet the compliance obligations and address compliance risks by:

39. 8.2 Establishing controls and procedures Effective controls should be set to ensure compliance obligations are met and non-compliances prevented, detected and corrected Procedures should be established to translate the compliance obligations into practice Examples of controls Examples of procedures Easy to follow and documented policies, procedures, processes Systems and exception reports Approvals Automated processes Annual compliance plans Employee performance plans Compliance assessments and audits Active and frequent communication on expected behaviour of employees Integrating the compliance obligations into procedures like forms, reporting contracts etc. Assessment to ensure that employees comply with procedures Arrangements for identifying, and escalating non- compliances On-going monitoring and measurement

40. 8.3 Outsourced processes The organization should ensure that outsourced processes are controlled and monitored 1 • Organization should undertake effective due diligence to ensure its commitment to compliance is not lowered 2 • Controls over contractors should be in place to ensure • Contract is complied with effectively (e.g. third-party performance appraisals) 3 • The organization should consider compliance risks related to third- party-related processes, such as supply and distribution of their goods and services

42. 9.1 Monitoring, measurement, analysis and evaluation 9 – Performance Evaluation 9.2 Audit 9.3 Management review

43. 9.1 Monitoring, measurement, analysis and evaluation The organization should determine what needs to be measured, how and when it will be measured and the results will be reported Monitoring Sources of feedback on compliance performance Methods of information collection Information analysis and classification Development of indicators Compliance reporting Content of compliance reports Record- keeping A plan for continual monitoring should be established, setting out monitoring processes, schedules, resources and the information to be collected. Monitoring of the CMS includes effectiveness of trainings, controls, currency of CO etc. Monitoring of compliance performance includes leading and lagging indicators, non-compliances, compliance culture etc. The organization should establish procedures for seeking feedback on its compliance performance from a range of sources like employees, customers, suppliers etc. • reports of non-compliance • information gained through hot lines, complaints • informal discussions, workshops and focus groups • training requests and feedback provided during training A system should be developed for classifying, storing and retrieving the information. Examples of information classification criteria include source, department, noncompliance description etc.

44. 9.1 Monitoring, measurement, analysis and evaluation The organization should determine what needs to be measured, how and when it be measured and the results will be reported. Monitoring Sources of feedback on compliance performance Methods of information collection Information analysis and classification Development of indicators Compliance reporting Content of compliance reports Record- keeping A set of measurable indicators to quantify compliance performance. For example, percentage of employees trained effectively, time taken to report and take corrective action Accurate, up-to-date records of the organization’s compliance activities should be maintained including compliance reports, details of noncompliance and corrective and preventive actions, results of reviews and audits etc. Compliance reports include matters required to notify to any regulatory authority, changes in compliance obligations, measurement of compliance performance, number and details of noncompliance, corrective actions, results from audits etc. Internal reporting arrangements should ensure that appropriate criteria and obligations for reporting are set out, timelines for regular reporting are established, there is sign-off on the accuracy of reports etc.

45. 9.2 Audit The organization should conduct audits at planned intervals to determine and report if the CMS is effectively implemented and maintained Plan an audit programme including frequency, methods, responsibilities, planning requirements and reporting Define the audit criteria and scope for each audit Ensure objectivity and the impartiality of the audit process Ensure that the results of the audits are reported to relevant management Retain documented information as evidence of the implementation of the audit programme Retain documented information as evidence of audit results

46. 9.3 Management review Top management should review the organization’s compliance management system, at planned intervals, to ensure its continuing suitability, adequacy and effectiveness Review The status of actions from previous management reviews The adequacy of the compliance policy The extent to which the compliance objectives have been met Adequacy of resources Changes in external and internal issues that are relevant to the CMS Information on the compliance performance, including trends in nonconformities, corrective actions and timelines for resolution Opportunities for continual improvement Recommend The need for changes to the compliance policy, objectives, structure and personnel Areas to be monitored for potential future noncompliance Longer term continual improvement initiatives Changes to compliance processes for better integration with operations Corrective actions for non- compliances Recognition of exemplary compliance behaviour within the organization

47. 9.3 Management review https://www.vox.com/science-and- health/2019/11/8/20948348/delhi-india-air- pollution-quality-cause

49. 10 - Improvement 10.1 Nonconformity, noncompliance and corrective action 10.2 Continual improvement

50. 10.1 Nonconformity, noncompliance and corrective action When a nonconformity and/or noncompliance occurs, the organization should: • take action to control and correct it • manage the consequences • eliminate the root causes • determining if similar nonconformities and/or non- compliances exist • review the effectiveness corrective action taken • make changes to the compliance management system, if necessary A clear escalation process should be adopted and communicated to ensure that all non-compliances are raised, reported and eventually escalated to relevant management. The process should specify to whom, how and when issues are to be reported and the timelines for internal and external reporting. Non compliance take action to control and correct it manage the consequences eliminate the root causes determine if similar nonconformities exist review effectiveness of corrective action taken changes to the compliance management system

51. 10.2 Continual improvement The organization should seek to continually improve the effectiveness of the compliance management system. The information collected and evaluated in compliance reports should be used as basis to identify opportunities for improvement. Plan DoCheck Act

52. Flowchart of compliance management system

53. Comprehensive Compliance approach Successful Compliance Programs Successful compliance programs require three key elements: Software solution Centrally managed compliance

54. Comprehensive Compliance approach Centralized Compliance - a central place where management can view the compliance performance of all facilities worldwide in one place in real time. Software solution Centrally managed compliance Successful Compliance Programs Source - October 2019 Survey results - ‘Centrally managed vs Locally managed compliance’.

55. Comprehensive Compliance approach The next key factor is a software solution to manage compliance Software solution Centrally managed compliance Successful Compliance Programs

56. 75% of all operations still monitor regulatory requirements manually 75% 80% of countries are planning to issue new EHS regulations this year 80% 65% of an organization’s costs for monitoring regulations can be reduced with a software solution 65% 40% of all amended and new laws are EHS related 40% Software Solution is critical to a successful compliance program

57. Comprehensive Compliance approach And the third key factor is a ‘Comprehensive Compliance’ approach Software solution Centrally managed Compliance Successful Compliance Programs

58. Nimonik’s 7 Steps for Comprehensive Compliance 2 Select requirements that apply to you 3 Implement a process with your subject matter experts Plan 4 Document your compliance actions 5 Monitor for changes to your requirements 7 Take action on non-compliance and opportunities for improvement Do Check Act 1 Identify your applicable regulations, codes and standards 6 Verify compliance with audits and management reviews Continuous Improvemen t

59. Clause - Level Compliance Obligations 02 ● Access specific requirements in over 200,000 EHS regulations, standards and guidelines for global jurisdictions on our easy to use software, NimonikApp. ● Receive alerts when the specific applicable requirements change or new ones get introduced. ● Use the specific requirements as audit protocols to assess your compliance. Audit and Inspection Software 03 Audit efficiently with an easy to use app available on web and mobile devices. Title- Level Compliance Obligations 01 ● Access over 200,000 EHS regulations, standards and guidelines for global jurisdictions on our easy to use software, NimonikApp. ● Receive alerts when applicable documents change or new ones get introduced. Nimonik helps with all three key elements with our 3 services

60. Comprehensive compliance workshop Please send ‘Workshop’ in the chat and we will get in touch

61. Thank you nimonik.com | +1-888-608-7511 | info@nimonik.com ● Please fill the post-webinar survey ● Text ‘Workshop’ in the chat if interested in the Comprehensive Compliance workshop for your team