
ISO 19600, the international standard for

compliance management

Dick Hortensius, NEN

About NEN
Mission: the main knowledge network for standards development and standards application in the Netherlands
Stakeholders: government, industry, NGO’s, unions, consumers, consultancy/academics
161 members, 34 members

Setting up and implementing a quality management system


Agenda for this presentation

• Issues in compliance
• Compliance and management systems
• ISO 19600:
– System: hard controls
– Culture and behavior: soft controls

• Next steps with ISO 19600
Fraud culture because of targets to be
achieved

Example: the regulatory landscape of a Heineken brewery in the Netherlands
• WM chapter 10
• Waterwet permit (Water Act)
• Atex
• Emissions trading / BEES A
• PGS 15
• Wet geluidhinder (Noise Nuisance Act)
• Drukvaten besluit (Pressure Vessels Decree)
• MEE
• Ner
• Gebruiksbesluit (Use Decree)
• BRZO / PGS 13
• ARBO besluit en regeling (Working Conditions Decree and Regulation)
• Groundwater permit
• E-PRTR
• Environmental permit & IPPC


Three boundary conditions for safety and compliance
• Technical integrity
• Culture, behavior
• System, and standards
Together these produce good compliance performance. A system can assist!
The essence of a management system
[Figure: PDCA cycle (Plan, Do, Check, Act) at the heart of the management system. Input: needs and expectations of stakeholders; policies and objectives drive the cycle; output: performance, with feedback/accountability to stakeholders. Good correspondence with ISO 9001, ISO 14001, ISO 45001, ISO 27001, ISO 22000, ISO 50001; certificates.]
The challenge
NEN ‘flower model’: a separate management system standard for each topic, around a generic core with basic requirements for a management system.
• ISO 9001:2008 – Quality management
• ISO 14001:2004 – Environmental management
• OHSAS 18001 – OH&S management
• PAS 55:2008 – Asset management
• ISO 27001 – Information security
• BS 25999 – Business continuity
• ISO 30301 – Records management
• ISO 22000 – Food safety
• ISO 28000 – Supply chain security
• ISO 50001 – Energy management
Petals of the flower: quality, environment, OH&S, safety, other.
The solution: plug-in model for ISO MSS
Common structure and core requirements (HLS), surrounded by:
• Generic standards on MS elements (examples: quality management, environmental management, OH&S management): ISO 9001, ISO 14001, ISO 45001
• Sector standards (examples: automotive, food industry, oil & gas industry): ISO/TS 16949, ISO 22000, ISO/TS 29001
• Specific guidelines (examples: auditing, documentation): ISO 19011, ISO 10013
• Generic management guidelines (examples: risk management, social responsibility, compliance management): ISO 31000, ISO 26000, ISO 19600
Core of the ‘plug-in model’

MSS core elements

The core of the ‘plug-in’ model requires for MSS:

✓ Same structure (HLS)
✓ Identical terms and definitions → JTCG
✓ Common basic requirements
Draft ISO Guide 83 → Annex SL text
High level structure and identical text for MSS and common core MS terms and definitions

4. Context of the organization
• The organization and its context (issues/risks)
• Needs and expectations of interested parties
• Scope of MS
5. Leadership
• Leadership and commitment
• Policy
• Organizational roles, responsibilities and authorities
6. Planning
• Actions to address risks and opportunities
• Objectives and plans to achieve them
7. Support
• Resources
• Competence
• Awareness
• Communication
• Documented information
8. Operation
• Operational planning and control
9. Performance evaluation
• Monitoring, measurement, analysis and evaluation
• Internal audit
• Management review
10. Improvement
• Nonconformity and corrective action
• Continual improvement
Management processes
High level structure and identical text for MSS and
common core MS terms and definitions
Seven generic management processes:
1. Leadership
2. Stakeholder management
3. Risk management
4. Compliance management
5. Process management
6. Improvement management
7. (Human) resources

Connecting HLS clauses and board room themes (vertical linkages)
Themes: Leadership | Risk management | Compliance management | Stakeholder management | Process management | Improvement management | Support, (human) resources
• 4 Context of the organisation: 4 Context of the organization (leadership); 4.1 internal and external issues (risk management); 4.2 stakeholders, needs and expectations (compliance management); 4.2 stakeholders, needs and expectations (stakeholder management); 4.4 management system (process management)
• 5 Leadership: 5 Leadership (leadership); 5.1 integration of the system in business processes; 5.2 policy; 5.3 structure, roles, responsibilities
• 6 Planning: 6.1 risks and opportunities (risk management); 6.1 addressing requirements in planning (compliance management); 6.2 objectives/planning; 6.2 objectives
• 7 Support: 7.1 resources; 7.1/7.2 resources, competencies; 7.4 communication; 7 Support; 7.1 resources
• 8 Operation: 8 operational control; 8.1 risk control; 8.1 process control
• 9 Evaluation of performance: 9.3 management review (leadership); 9.3 management review; 9.1 monitoring of control; 9.1 monitoring of compliance; 9.1, 9.2, 9.3 monitoring, measuring, internal audit, evaluation of performance
• 10 Improvement: 10.2 improvement; 10.1 correction, corrective action (risk, compliance and stakeholder management); 10.1, 10.2 corrective actions and improvement
Generic risk and compliance management approach in ISO management standards
• 4 Understanding the context – strategic assessment
– 4.1 Issues (factors): What is happening, what are the trends? What are the risks (threats/opportunities)?
– 4.2 Stakeholders: Who are we affecting? Who is affecting us? Who do we need to consider? What are the requirements, needs and expectations? What are our compliance obligations?
• Analysis, prioritization
– 6.1 Risk management
– 6.1 Compliance management
• 8 Operational control
• 9 Performance evaluation
Two management levels in the HLS (direction and control)

Strategic level – direction – “doing the right things” (PDCA):
• External/internal issues and developments; stakeholders, needs and expectations → 4.1/4.2 context analysis, strategic analysis
• 4.3/4.4 management system
• 5.1 leadership, 5.2 policy, 5.3 structure
• 9.3 management review (results of internal audits); input to management review

Operational level – control – “doing the things right” (PDCA):
• 6.1 addressing risks and opportunities → operational risk and compliance assessment
• 6.2 objectives and planning
• 7 support, 8 operation → operational controls
• 9 evaluation of performance / internal audit
• 10 corrective action and improvement
ISO 19600:
plug-in for compliance management

ISO 19600 2015

ISO 19600
Some important characteristics
• Guideline, not a standard with requirements
→ Not intended for certification
• Describes a management system
→ PDCA approach to compliance management
• Follows the High Level Structure (HLS)
→ Can be applied as ‘plug-in’ to ISO MSS
• Is risk-based
→ Compatible with ISO 31000
• Pays attention to cultural and behavioral aspects
ISO 19600
Some important terms/concepts
• Compliance
– meeting all the organization’s compliance obligations
• Compliance obligation
– requirement that an organization has to or chooses to
comply with
• Non-compliance
– non-fulfilment of a compliance obligation
• Compliance risk
– likelihood of occurrence and the consequences of noncompliance
ISO 19600 – risk based approach
Context of the organization (issues, stakeholder requirements, needs and expectations)
• Step 1 – Risk assessment: from the context, identify the compliance obligations and the resulting compliance risks
• Step 2 – Evaluation of compliance risks
• Step 3 – Choice of controls: compliance controls and monitoring, so that non-compliances are prevented
ISO 19600 – structure and content
Clauses (generic MSS) → important compliance elements:
• Scope: applicable to all types and sizes of organizations
• Terms and definitions: compliance, compliance obligations, compliance culture
• Context of the organisation: understanding needs and expectations of interested parties; identification and maintenance of obligations; risk assessment of compliance obligations
• Leadership: commitment, management policy, roles and responsibilities of governing body, top and line management, compliance function, employees
• Planning: actions to address compliance risks

4.5 Compliance obligations
– 4.5.1 Identification of compliance obligations: examples of compliance requirements; examples of compliance commitments
– 4.5.2 Maintenance of compliance obligations: contact with regulatory agencies; agreements with legal advisors; subscribing to information services

4.6 Identification, analysis and evaluation of compliance risks
a) Relating obligations to activities, products and services
b) Identification of causes and consequences of non-compliances
c) Determination of probability and severity
d) Determination of necessity and extent of control measures
e) Periodic re-assessment

5.1 Leadership and commitment
✓ Upholding the core values of the organization
✓ Ensuring availability of resources
✓ Ensuring the integration of the compliance management system requirements into the organization’s business processes
✓ Communicating the importance of an effective compliance management
✓ Ensuring alignment between operational targets and compliance obligations

5.3 Roles, responsibilities and accountabilities
✓ Compliance function:
• Authority and responsibility for the CMS
• Clear and unambiguous support from and direct access to the governing body and top management
• The authority and capacity to execute countervailing power
ISO 19600 – structure and content (continued)
Clauses (generic MSS) → important compliance elements:
• Support: resources, competence, awareness, training, behaviour, culture, communication, documentation
• Operation: controls to manage obligations and desired behaviours
• Performance evaluation: monitoring compliance performance, evaluation, compliance reporting, management audit & management review
• Improvement: management of non-compliances (including escalation procedures)

7.3.2 Behavior
Role of top management:
✓ creating an environment where the reporting of noncompliance is encouraged and the reporting employee will be safe from retaliation;
✓ ensuring compliance is incorporated into the broader organization culture;
✓ ensuring that operational objectives and targets do not compromise compliance behaviour.

Compliance culture:
✓ a clear set of published values
✓ management actively seen to be implementing and abiding by the values
✓ mentoring, coaching and leading by example
✓ visible recognition of achievements in compliance and outcomes
✓ prompt and proportionate disciplining in the case of wilful or negligent breaches of compliance obligations
✓ open communication
Compliance MS according to ISO 19600
Compliance culture: the values, ethics and beliefs that exist throughout an organization and interact with the organization’s structures and control systems to produce behavioral norms that are conducive to compliance outcomes.
Good governance principles; cycle: Develop → Implement → Evaluate → Maintain
• 4.1 Identification of external and internal issues
• 4.2 Identification of stakeholder requirements
• 4.3/4.4 Determining the scope and establishing the CMS
• 4.5/4.6 Identification of compliance obligations and evaluating compliance risks
• 5 Leadership; 5.2 Establishing compliance policy; 5.3 Responsibilities at all levels; independent compliance function
• 6.1 Planning to address compliance risks and to achieve objectives
• 7 Support functions
• 8.1/8.2 Operational planning and control of compliance risks
• 9 Performance evaluation and compliance reporting
• 10 Managing non-compliances and continual improvement

Input: understanding the internal and external context and the needs and expectations of stakeholders
Policy, leadership, culture, design of the management system
Output: compliance results (reports) accepted by stakeholders (“license to operate”)
• Plan – Determination of: scope CMS, compliance obligations, compliance risks → Overview of compliance obligations and risks
• Plan – Determination of: controls, objectives, programmes to achieve them → Overview of planned controls and objectives
• Do – Implementation and operation of control measures → Overview of implemented controls for departments and persons
• Check – Monitoring, measuring, analyzing and evaluating, reporting, internal audit, management review → Overview of results: reports, results of audits and reviews
• Act – Analyzing non-conformities, corrective actions, escalation, improvement → Overview of corrective actions and improvements
Supporting all steps: resources, competencies, training, communication, document control

Based on the 6-step model for CMS of KWA Bedrijfsadviseurs BV

ISO 19600 – behavioral aspects
(Muel Kaptein: why good people sometimes do bad things)
Seven fundamental factors that influence behavior of people are addressed in the standard:
• Clarity of what is expected (norms, values, responsibilities)
• Role-modelling: exemplary behavior of line managers, higher management and directors
• Achievability of goals, duties and responsibilities
• Commitment: motivation to invest efforts in the interest of the organization; supported by respectful treatment of employees
• Transparency: seeing the effects of their own behavior as well as the behavior of others
• Openness: freedom people have to discuss opinions, feelings, dilemmas and transgressions at work
• Enforcement: extent to which people within the organization are valued and rewarded for exhibiting desired behavior and punished for undesirable behavior
Behavioral aspects in ISO 19600
Themes: Clarity | Role modelling | Achievability | Commitment | Transparency | Openness | Enforcement
• Context of the organisation: –
• Leadership: roles, policy (clarity); role of management (role modelling); leadership roles, responsibilities, accountability; leadership (remaining themes)
• Planning: objectives
• Support: clear set of values (clarity); behavior and culture; role of top management; awareness; communication
• Operation: clear procedures (clarity)
• Evaluation of performance: reporting; sources of feedback
• Improvement: escalation; correction and corrective actions (enforcement)
Use of ISO 19600
• Company: designing a CMS (ISO 19600 as design basis) covering Q, H, S and E, with supplier and client in the chain
• Authorities: ISO 19600 as reference for improvement

ISO 19600
Next steps
• Developed by ISO/PC 271
• Publication of ISO 19600 in December 2014
• Transfer of the subject to ISO/TC 309 ‘Governance of organizations’
• Systematic review in 2017
• NWIP for revision of ISO 19600 into a type A (requirements) MSS circulated in June 2018
Standards for compliance ?? Still the missing link in ISO management
Three boundary conditions for good compliance performance: technical integrity; culture, behavior; system. Standards that support them:
• ISO 45001 – OH&S
• ISO 19600 – compliance
• ISO 31000 – risk management
• ISO 31010 – risk assessment techniques
• ISO 55000-series on asset management
• ISO 14001 – environment
• Many technical standards
More information

www.nen.nl/compliance
dick.hortensius@nen.nl
https://committee.iso.org/home/tc309
