Professional Documents
Culture Documents
ISO 19600:2014
Awareness
Training Programme
NATIONAL INSPECTION AND TECHNICAL TESTING CO.
P.O. Box 3998, Dammam 31481, KSA
Tel +966 (0) (13) 8408333
Email: training@fahss.com
Important Guidelines to Follow
To achieve optimum results kindly
observe the following:
ISO is a network of the national
standards institutes of 164 countries,
on the basis of one member per
country, with a Central Secretariat in
3
The Definition of
Compliance
Compliance is either a state of being in accordance
with established guidelines or specifications, or the
process of becoming
Complience Managemnet Sysyem
5
?Why is a CMS important
in the marketplace
enforcement, actions
6
Birth of ISO 19600:2014
This standard is more widely used in the financial industry, being endorsed by
Australian Prudential Regulation Authority and the Australian Securities and
Investment Commission.
The draft stage of ISO 19600 was completed in April 2014; the final version
was published on 5 December 2014
7
The Key Elements of the
:C.M.S. are
1. Configurable dashboards that show up-to-the-minute results for
quick action
2. Hotline & Case Manager for integration intake with case
management and smart reporting
3. Policy Manager for automated delivery of company policies with
digital signatures
4. Conflicts of Interest Manager for fewer conflicts and greater
transparency
8
5. Predictive analytics so you can prevent instead of react
ISO 19600: The development of a global standard
on compliance management
9
CMS Certification
Accreditation body
ISO
Audit Issue
Audit
Implement
Certification Body Organization
ISO 19600:2014
Certificate
10
Structure
0 - Introduction 5 – Leadership
1 - Scope 6 – Planning
2 - Normative Reference 7 – Support
3 - Terms and definitions 8 – Operation
4 – Context of the 9 – Performance Evaluation
organization 10 – Improvement
11
ISO 9001 Structure in relation to the PDCA cycle
Terms and definition
1. Organization - person or group of people that has its own functions with
responsibilities, authorities and relationships to achieve its objectives
10. Process - set of interrelated or interacting activities which transforms inputs into outputs
19. compliance culture -values, ethics and beliefs that exist throughout an organization and interact with
the organization’s structures and control systems to produce behavioral norms that are conducive to
compliance outcomes
20. Code - statement of practice developed internally or by an international, national or industry body or
other organization
Terms and definition
21. Organizational and industry standards - documented codes , good practices, charters ,
22. Regulatory authority - organization responsible for regulating or enforcing compliance with
23. Competence -ability to apply knowledge and skills to achieve intended results
28. Outsource (verb) - make an arrangement where an external organization performs part of an
31. Audit - systematic, independent and documented process for obtaining audit evidence and
evaluating it objectively to determine the extent to which the audit criteria are fulfilled
18
List of Clauses and Sub-clauses
7. Support
6. Planning
19
List of Clauses and Sub-clauses
8. Operation 9. Performance evaluation
20
List of Clauses and Sub-clauses
10. Improvement
21
CONTEXT OF THE .4
ORGANIZATION
44
Context of the ORGANIZATION .4
4.1 UNDERSTANDING THE ORGANIATION AND ITS CONTEXT
External Issues – Legal , Political , Economic , Demographic,
Technology, Market , Climate
Legal Issues
– Choice and Entities ( Logo and Trademark)
--Tax law
--Employment Regulation
--Intellectual Property Law
--Digital Regulation
-- Insurance
23
Context of the ORGANIZATION .4
24
Context of the ORGANIZATION .4
25
4.2 UNDERSTANDING THE NEEDS AND
EXPECTATIONS OF INTERESTED PARTIES
49
4.2 UNDERSTANDING THE NEEDS AND
EXPECTATIONS OF INTERESTED PARTIES
50
4.3 Determining the scope of the compliance
management system
Maintained as
Requirement of “Documented
Interested parties Information”
51
4.4 Compliance management system and
principles of good governance
52
4.4 Compliance management system and
principles of good governance
Governance principles:
Appropriate
Direct access of the
Independence of authority and
compliance
the compliance adequate resources
function to the
function allocated to the
governing body
compliance function
53
4.5 Compliance obligations
4.5.1 Identification of compliance obligations
Appropriate to
organization size
Identify
Operations compliance Complexity
obligation
Structure
39
5.1 Leadership and commitment
5.1 Top management need to demonstrate leadership and commitment.
Compliance Policies,
policy and procedures and Process
compliance processes approach and
objectives risk-based
thinking
Establishing Resources
and upholding needed for the
the core values compliance
management
(Continued)
05/02/2022 40
5.1 Leadership and commitment
5.1.Top management need to demonstrate leadership and commitment.
05/02/2022 41
5.1 Leadership and commitment
Effective compliance requires an active commitment from the governing body and top management that permeates the
whole organization. The level of commitment is indicated by the degree to which:
The governing body and all levels of management actively demonstrate commitment to establishing, developing,
implementing, evaluating, maintaining and improving an effective and responsive compliance management system
through their actions and decisions;
The compliance policy is formally approved by the governing body;
Top management takes responsibility for ensuring that the commitment to compliance of the organization is fully
realized;
All levels of management consistently convey a clear message (demonstrated by words and actions) to employees that the
The compliance function is given a level of authority which reflects the importance of effective compliance and has direct
core values;
The organization assigns and requires accountability for compliance to management across all levels of the organization;
Continual improvement
05/02/2022 43
The compliance policy should
articulate:
Compliance management system
Documented Communicated,
information understood and
applied
Available to relevant
interested parties
05/02/2022 46
5.2.2 Development
In developing the compliance policy, consideration should be
given to:
A) specific international, regional, or local obligations;
B) the organization’s strategy, objectives and values;
C) the organization’s structure and governance framework;
D) the nature and level of risk associated with noncompliance;
E) other internal policies, standards and codes.
5.3 Organizational roles, responsibilities
and authorities
Roles
Responsibility Authority
05/02/2022 48
Organizational roles, responsibilities and authorities
05/02/2022 49
5.3.2 Assigning responsibility for
compliance in the organization
The active involvement of, and supervision by, governing body and top management is an integral part
of an effective compliance management system. This helps ensure that employees fully understand the
organization’s policy and operational procedures and how these apply to their jobs, and that they carry
out compliance obligations effectively.
For a compliance management system to be effective the governing body and top management need to lead
by example, by adhering to and actively supporting compliance and the compliance management system.
Many organizations have a dedicated person (e.g. a compliance officer) responsible for day-to-day
compliance management, and some have a cross-functional compliance committee to coordinate
compliance across the organization.
Some organizations – depending on their size –also have someone who has overall responsibility for
compliance management, although this may be in addition to other roles or functions, including existing
committees, organizational unit(s), or outsource elements to compliance experts.
This should not be seen as absolving other levels of management of their compliance responsibilities,
as all managers have a role to play with respect to the compliance management system. It is therefore
important that their respective responsibilities are clearly set out and included in their job descriptions.
Compliance responsibilities of managers will, by necessity, vary according to levels of authority, influence
and other factors, such as the nature and size of the organization. However, some responsibilities are
likely to be common across a variety of organizations.
5.3.3 Governing body and top management
role and responsibility
The governing body and top management should:
a) establish a compliance policy in accordance with 5.2.2;
b) ensure that the commitment to compliance is maintained and that noncompliance and
noncompliant behaviour are dealt with appropriately;
c) include compliance responsibilities in position statements of top managers;
d) appoint or nominate a compliance function with:
1) authority and responsibility for the design, consistency and integrity of the compliance
management system;
2) clear and unambiguous support from and direct access to the governing body and top
management;
3) access to:
senior decision-makers and the opportunity to contribute early in the decision-making processes;
all levels of the organization:
all documented information and data needed to perform the compliance tasks;
expert advice on relevant laws, regulations, codes and organizational standards;
4) the authority and capacity to execute countervailing power, by showing any consequences for
compliance in relevant decision-making processes;
e) ensure that the compliance function has authority to act independently and is not compromised by
conflicting priorities, particularly where compliance is embedded in the business.
5.3.3 Governing body and top management
role and responsibility
Top management should:
05/02/2022 57
6.1.1 Actions to address compliance risks
When planning for the compliance management system, the organization should consider
the issues referred to in 4.1, the requirements referred to in 4.2, the principles of good
governance referred to in 4.4, the compliance obligations identified in 4.5 and the results
of the compliance risk assessment referred to in 4.6 to determine the compliance risks
that need to be addressed to:
05/02/2022 58
Organization need to determine and plan how it will
address the identified risks and opportunities
05/02/2022 59
6.2 Compliance objectives & planning to
achieve them
Specific
Documented Measurable
Monitored, Attainable
communicated,
Relevant
updated
Time
Bound
05/02/2022 60
6.2 Planning how to achieve its compliance
objectives
What will
be done ?
What
resources
will be
required ? How the
Who will be
results will
responsible
When it will be
?
be evaluated ?
completed
?
05/02/2022 61
7 Support
05/02/2022 62
7.1 Resources
General
Determine and provide all the necessary resources.
05/02/2022 63
7.1 Resources
Financial
Human
Technology
resource
Recourses
may
include
Professional
Infrastructure
development
7.2.1 Competence
Competence Training
Experience
05/02/2022 65
7.2.2 Training
Education and training of employees should be:
a) tailored to the obligations and compliance risks related to the roles and responsibilities of the
employee;
b) where appropriate, based on an assessment of gaps in employee knowledge and competence;
c) undertaken at commencement with the organization and be on-going ;
d) aligned to the corporate training program and be incorporated into annual training plans;
e) practical and readily understood by employees;
f) relevant to the day-to-day work of employees and illustrative of the industry, organization or
sector concerned;
g) sufficiently flexible to account for a range of techniques to accommodate the differing needs
of organizations and employees;
h) assessed for effectiveness;
i) updated as required;
j) recorded and retained.
Compliance retraining should be considered whenever there is a:
Change of position or responsibilities;
Changes in internal, policies, procedures and processes;
Changes in organization structure;
Change in the compliance obligations, especially in legal or interested parties
requirements;
Change in activities, products or services;
Issues arising from monitoring, auditing, reviews, complaints and
noncompliance, including stakeholder feedback.
7.3 Awareness
Complience policy
Compliance objectives
05/02/2022 68
7.3.2 Behaviour
Behavior that creates and supports compliance should be
encouraged and behavior that compromises compliance should
not be tolerated.
7.3.2.2 Role of top management in encouraging
compliance
Aligning the organization’s commitment to compliance to its values, objectives and strategy in order
Communicating its commitment to compliance in order to build awareness and motivate employees
Encouraging all employees to accept the importance of achieving the compliance objectives for
Creating an environment where the reporting of noncompliance is encouraged and the reporting
Encouraging employees to make suggestions that facilitate continual improvement in compliance performance;
Ensuring compliance is incorporated into the broader organization culture and culture change initiatives;
Ensuring that organizational policies, procedures and processes support and encourage compliance;
Ensuring that operational objectives and targets do not compromise compliant behaviour.
7.3.2.3 Compliance culture
The development of a compliance culture requires the
active, visible, consistent and sustained commitment of
the governing body, top management and management
towards a common, publisheds tandard of behaviour
that is required throughout every area of the
organization.
7.3.2.3 Compliance culture
Examples of factors that will support the development of a compliance culture include:
A clear set of published values;
values;
On-going compliance training, including updates to the training;
compliance obligations;
A clear link between the organization’s strategy and individual roles, reflecting
What?
Who?
When
How? ?
With
whom?
05/02/2022 73
7.4.2 Internal communication
The organization should adopt appropriate methods of communication to
ensure that the compliance message is heard and understood by all
employees on an on-going basis. The communication should clearly set out
the organization’s expectation of employees and those noncompliances that
are expected to be escalated and under what circumstances and to whom.
7.4.3 External communication
A practical approach to external communication, targeting all interested parties, should be
neighbors.
Methods of communication may include websites and e-mail, press releases,
advertisements and periodic newsletters, annual (or other periodic) reports, informal
events and telephone hotlines. These approaches can encourage understanding and
Size Activity
Documented
information
Complexity Competence
05/02/2022 76
Examples of documented information include:
Identification
Description
05/02/2022 78
7.5.3 Control of documented information.
Availability Suitability
Protection
05/02/2022 79
Distribution &
Retrieval
access
Storage &
Changes
preservation
Retention &
disposal
05/02/2022 80
8 Operation
05/02/2022 81
8.1 Operational planning and control
Plan, implement and control the process for product or service
realization and for the achievement of compliance objectives
Resources
Objectives of
the process
Control of
processes
Processes
Criteria Documented
information
Acceptance
Criteria
Organization’s
compliance
obligations are met
Identified
compliance
obligations and Noncompliances are
Ensure associated prevented
Compliance risk and
to achieve desired
behaviour Controls define for
achieving the
compliance
obligations
05/02/2022 83
Examples of controls include:
4. Segregation of
incompatible roles
1. Clear, practical & and
easy to follow responsibilities 8. Compliance
documented operating assessments and
policies, procedures, & audits;
WI 5. automated
processes;
84
Procedures should be established, documented, implemented and maintained to
support the compliance policy and translate the compliance obligations into
practice.
05/02/2022 86
9. Performance Evaluation
05/02/2022 87
9.1 Monitoring, measurement, analysis and evaluation
9.1.1 General
What?
Monitoring
Determine and How? To be performed
measurement
When?
05/02/2022 88
9.1.2 Monitoring
(continued)
89
Monitoring of the compliance management system typically includes:
Effectiveness of training;
Effectiveness of controls, e.g. By sample testing outputs;
Effective allocation of responsibilities for meeting compliance
obligations;
Currency of compliance obligations;
Effectiveness in addressing compliance failures previously identified;
Instances where internal compliance inspections are not performed as
scheduled.
Monitoring of compliance performance typically
includes:
Suppliers;
Regulators;
Process control logs and activity records (including both computer and paper based).
Examples of feedback on compliance performance include:
Compliance issues,
Noncompliances and compliance concerns,
Emerging compliance issues,
On-going regulatory and organizational changes and
Comments on compliance effectiveness and performance.
Feedback should serve as a key source of continuous improvement of the compliance
management system.
9.1.4 Methods of information
collection
There are many methods for collecting information. Each
method listed below is relevant in different circumstances
and care should be taken to select the variety of tools
appropriate to the size, scale, nature and complexity of the
organization.
Examples of information collection
1. Ad hoc reports of noncompliance as they emerge or are identified;
2. Information gained through hot lines, complaints and other feedback, including whistle
blowing;
8. Stakeholder queries, training requests and feedback provided during training (particularly
those of employees).
9.1.5 Information analysis and
classification
Effective classification and management of the information is critical.
A system should be developed for classifying, storing and retrieving
the information.
organization in measuring achievement of its objectives (see 6.2) and quantifying its
compliance performance. This process should take into account the results of the
assessment of compliance risks (see 4.6) to ensure that indicators relate to the relevant
characteristics of the compliance risks of the organization. The issue of what and how to
Furthermore, the indicators needed will vary with the organization’s maturity and the
monitoring and review process and demonstrate conformity with the compliance management system.
Record-keeping should include recording and classifying complaints, disputes and alleged noncompliance and
Records should be stored in a manner that ensures they remain legible, readily identifiable and retrievable.
These records should be protected against any addition, deletion, modification, unauthorized use or
concealment.
d) results of reviews and audits of the compliance management system and actions taken.
9.2 Internal audit
Conformity to
own requirements
Internal
Planned intervals Information
audit
Conformity to
CMS requirements
Effective CMS
Implementation
Identify
Effective CMS Maintenance
05/02/2022 102
9.2 Internal audit (continued)
Impartial &
Auditors
objective
Relevant
Corrections process
/corrective actions owners/
management
05/02/2022 103
9.3 Management review
9.3.1 General
To ensure adequacy, effectiveness and continuing suitability, the CMS need
to be reviewed at defined intervals.
05/02/2022 104
The management review should include consideration of:
05/02/2022 107
10 Improvement
10.1 General
Improving
Correcting, preventing or
reducing undesired
effects.
Improving performance
and effectiveness of CMS
05/02/2022 108
10. Nonconformity and corrective action
Control
Nonconformity
Necessary action
Correct
(continued)
05/02/2022 109
10.1 Nonconformity and corrective action
10.1 continued
Review
Determine the
Nonconformity
root cause
Analyze
Consider
05/02/2022 110
10.1 Nonconformity and corrective action
Make changes to
CMS (If necessary)
111
10.1 Nonconformity and corrective action
Suitability
Improve CMS
Adequacy
Effectiveness
Analysis &
Evaluation Determine Underperformance areas
Output
Management Opportunities for
Identify
Review improvement
118
10.2 Continual Improvement
119