Companies can have their compliance management system certified according to ISO 19600. Whether and when this makes sense must be carefully examined.
The standard can be applied in companies as well as in other organisations. Small and medium-sized companies can also benefit from the standard, as the recommendations are scalable and can be applied to varying degrees depending on the size of the company.
The Compliance Management System (CMS) of ISO 19600 is based on five pillars, which can also serve as a "roadmap" for the introduction of a CMS:
1. compliance and risk audit
The compliance audit serves to determine the status quo of the company with regard to its compliance activities. The risk audit serves to identify the compliance obligations (risks). The result is a "compliance risk map" for the company. This analysis is the basis for all further measures for the development of the CMS.
2. leadership
The different roles, responsibilities and competences within the company are considered, especially the company management. The management must make the decision to introduce a CMS and define the goals and framework of the CMS as well as provide the corresponding resources. The role model function of the management is crucial: if the management is committed to clean, legally compliant behaviour and thus to preventing and punishing illegal practices, and if it lives up to this commitment, then an important prerequisite for a CMS to work has been created.
3. steering and control measures
The control measures that a company must introduce include regulations such as a code of conduct, process descriptions and instructions for action. These are to be developed depending on the results of the compliance and risk audit and should be specifically designed with regard to identified compliance risks - always close to the business processes. Suitable monitoring and control measures must be integrated into the processes.
4. communication and training
Most rule violations are based on a lack of knowledge. Knowledge about the existence of a requirement and about the consequences of one's own actions is therefore crucial if compliance is to be achieved. The standard requires ongoing training to enable employees to know compliance requirements and act accordingly. Intensive communication as well as awareness-raising contribute to the creation of a sustainable corporate culture.
5. continuous improvement
Similar to quality management, the continuous improvement of the implemented CMS is one of the central tasks. This involves random and ad hoc checks on the fulfilment of compliance requirements (e.g. through internal audits). Continuous monitoring of the legal environment as well as continuous updating of the risk analysis is necessary in order to constantly adapt the system to new circumstances.
Identified compliance violations must result in a reaction by the company. This includes investigating the incident and determining the consequences of the identified misconduct (sanction). Corrective and preventive measures serve to avoid recurrence.
Certification of a management system is not always sensible or necessary. Therefore, when setting up a CMS, this aspect should be carefully examined in advance: what are the advantages of certification? Is it required (by the market, by customers)?
Only if these and similar questions can be clearly answered with "yes" should certification be considered. In addition to certification, there are numerous alternative options available to the company to effectively communicate the existence of the CMS.
About the author
Eckart Achauer, studied law and business administration, postgraduate studies to become a Master of Business Administration (MBA). In-service training to become a European Quality Manager (DGQ), a mediator specialising in business mediation and a Certified Compliance Manager (TÜV).
He worked for around 10 years in the international insurance industry in the management of a Swiss insurance group in various functions (claims department, sales, assistance) before moving into management and business consulting in 1997.
As a consultant and managing director of various consulting companies, Mr Achauer has specialised thematically in organisational and process optimisation as well as in the development and implementation of management systems - quality management, risk and compliance management.
At Senator Executive Search Partners, Mr Achauer is responsible for the area of compliance management. Within the scope of compliance audits, he analyses their organisational "compliance fitness", he sensitises and trains the management, executives and employees and supports the companies in setting up and implementing individual compliance management systems. In doing so, he always takes into account the specific risk situation of the companies. Due to his many years of experience as a manager and consultant, he is very familiar with the entrepreneurial challenges from practice.
