Companies can have their compliance management system certified in accordance with ISO 19600. Whether and when this is advisable must be carefully considered.

The standard can be applied in both companies and other organizations. Small and medium-sized enterprises can also benefit from the standard, as the recommendations are scalable and can be applied to varying degrees depending on the size of the company.

The Compliance Management System (CMS) of ISO 19600 is based on five pillars, which can also serve as a "roadmap" for the introduction of a CMS:

1. Compliance and risk audit 

The compliance audit serves to determine the status quo of the company with regard to its compliance activities. The risk audit serves to identify compliance obligations (risks). The result is a "compliance risk map" for the company. This analysis forms the basis for all further measures for setting up the CMS.

2. Leadership

The different roles, responsibilities, and competencies within the company are considered, especially those of company management. Management must make the decision to introduce a CMS, define the goals and framework of the CMS, and provide the necessary resources. The role model function of management is crucial here: if management is committed to clean, legally compliant behavior and thus to preventing and punishing illegal practices, and if it lives up to this commitment, then an important prerequisite for a CMS to function is in place.

3. Management and control measures 

The control measures that a company must introduce include regulations such as a code of conduct, process descriptions, and instructions. These must be developed based on the results of the compliance and risk audit and should be designed specifically with identified compliance risks in mind—always closely aligned with business processes. Appropriate monitoring and control measures must be integrated into the processes.

4. Communication and training

Most rule violations are based on a lack of knowledge. Knowledge about the existence of a requirement and about the consequences of one's own actions is therefore crucial if compliance is to be achieved. The standard requires ongoing training to enable employees to understand compliance requirements and act accordingly. Intensive communication and awareness-raising contribute to the creation of a sustainable corporate culture.

5. Continuous improvement

Similar to quality management, continuous improvement of the CMS is one of the central tasks. This involves random and event-driven checks of compliance requirements (e.g., through internal audits). Ongoing monitoring of the legal environment and continuous updating of the risk analysis are necessary in order to constantly adapt the system to new circumstances. 

Any compliance violations that are identified must be followed up by the company. This includes investigating the incident and determining the consequences of the misconduct identified (sanction). Corrective and preventive measures serve to prevent recurrence.

Certification of a management system is not always useful or necessary. Therefore, when setting up a CMS, this aspect should be carefully examined in advance: what are the advantages of certification? Is it required (by the market, by customers)?

Only if these and similar questions can be answered with a clear "yes" should certification be considered. In addition to certification, there are numerous alternative options available to the company for effectively communicating the existence of the CMS.

About the author

Eckart Achauer

Eckart Achauer studied law and business administration and completed postgraduate studies leading to a Master of Business Administration (MBA). He also completed in-service training as a European Quality Manager (DGQ), as a mediator specializing in business mediation, and as a Certified Compliance Manager (TÜV).

He worked for around 10 years in the international insurance industry in various management positions at a Swiss insurance group (claims department, sales, assistance) before moving into management and business consulting in 1997.

As a consultant and managing director of various consulting firms, Mr. Achauer has specialized in organizational and process optimization as well as the development and implementation of management systems—quality management, risk and compliance management.

At Senator Executive Search Partners, Mr. Achauer is responsible for compliance management. As part of compliance audits, he analyzes companies' organizational "compliance fitness," raises awareness among and trains management, executives, and employees, and supports companies in setting up and implementing individual compliance management systems. In doing so, he always takes into account the specific risk situation of the companies. Thanks to his many years of experience as a manager and consultant, he is very familiar with the practical challenges of business.

