Companies can have their compliance management system certified in accordance with ISO 19600. Whether and when this makes sense must be carefully examined.
The standard can be applied both in companies and in other organizations. Small and medium-sized companies can also benefit from the standard, as the recommendations are scalable and can be applied to varying degrees depending on the size of the company.
The Compliance Management System (CMS) of ISO 19600 is based on five pillars, which can also serve as a "roadmap" for the introduction of a CMS:
1. Compliance and risk audit
The compliance audit serves to determine the status quo of the company with regard to its compliance activities. The risk audit serves to identify the compliance obligations (risks). The result is a "compliance risk map" for the company. This analysis forms the basis for all further measures for the development of the CMS.
2. Leadership
The various roles, responsibilities and competencies within the company are taken into account, especially the company management. Management must make the decision to introduce a CMS, define the objectives and framework of the CMS and provide the appropriate resources. The management's role model function is crucial here: if it is committed to clean, legally compliant behavior and thus to preventing and punishing unlawful practices, and if it lives up to this commitment, then an important prerequisite has been created for a CMS to work.
3. Management and control measures
The control measures that a company must introduce include regulations such as a code of conduct, process descriptions and instructions. These should be developed in line with the results of the compliance and risk audit and should be specifically designed with regard to identified compliance risks - always close to the business processes. Suitable monitoring and control measures must be integrated into the processes.
4. Communication and training
Most rule violations are based on a lack of knowledge. Awareness of the existence of a requirement and the consequences of one's own actions is therefore crucial if compliance is to be achieved. The standard requires ongoing training to enable employees to be aware of compliance requirements and to act accordingly. Intensive communication and awareness-raising contribute to the creation of a sustainable corporate culture.
5. Continuous improvement
Similar to quality management, the continuous improvement of the implemented CMS is one of the central tasks. This involves random and ad hoc checks on the fulfillment of compliance requirements (e.g. through internal audits). Ongoing monitoring of the legal environment and continuous updating of the risk analysis are necessary in order to constantly adapt the system to new circumstances.
Any compliance violations identified must result in a response from the company. This includes investigating the incident and determining the consequences of the identified misconduct (sanction). Corrective and preventive measures serve to avoid repetition.
Certification of a management system is not always sensible or necessary. Therefore, when setting up a CMS, this aspect should be carefully examined in advance: what are the benefits of certification? Is it required (by the market, by customers)?
Certification should only be considered if these and similar questions can be answered with a clear "yes". In addition to certification, there are numerous alternative options available to the company to effectively communicate the existence of the CMS.
About the author
Eckart Achauer, studied law and business administration, postgraduate Master of Business Administration (MBA). In-service training as European Quality Manager (DGQ), mediator specializing in business mediation and Certified Compliance Manager (TÜV).
He worked for around 10 years in the international insurance industry in the management of a Swiss insurance group in various functions (claims department, sales, assistance) before moving into management and business consulting in 1997.
As a consultant and managing director of various consulting companies, Mr. Achauer has specialized in organizational and process optimization as well as in the development and implementation of management systems - quality management, risk and compliance management.
At Senator Executive Search Partners, Mr. Achauer is responsible for compliance management. As part of compliance audits, he analyses companies' organizational "compliance fitness", raises awareness, trains management, executives and employees, and supports companies in setting up and implementing individual compliance management systems. In doing so, he always takes into account the specific risk situation of the company. Thanks to his many years of experience as a manager and consultant, he is very familiar with the business challenges faced in practice.