We last wrote about ISO 19600:2014 Compliance Management – Guidelines (ISO 19600) in our article ‘A New Global Standard for Compliance: ISO 19600’. Since that time ISO 19600 has been adopted as the international standard.
ISO 19600 was developed under the auspices of the International Organization for Standardization (the ISO). Although at the date of publication, ISO 19600 has not officially replaced the existing Australian Standard for Compliance AS 3806:2006 (AS 3806), given that ISO 19600 is largely based on AS 3806 and that it was developed by a committee based in Australia, official recognition is likely to come soon. This has been confirmed in our conversations with Standards Australia, although prior to the adoption of ISO 19600 as the new Australian Standard, it will need to go through the usual public consultation period.
When ISO 19600 is recognised in Australia, it will be important for many organisations to understand the differences between the new standard and AS 3806. This article is designed to assist in this process.
A new approach
Whilst AS 3806 speaks of a compliance ‘program’, ISO 19600 speaks of a compliance ‘management system’. The difference is not just semantic, it demonstrates a different approach to compliance.
ISO 19600 places emphasis on compliance as being ‘embedded’ in the culture of the organisation and ‘integrated with the organisation’s financial, risk, quality, environmental and health and safety management processes and its operational requirements and procedures’. It makes it clear that compliance is a responsibility of an organisation’s governing body, and not a mere ‘function’ of the organisation.
Structure of the standards
One of the first differences you will notice between the standards is that they have a fundamentally different structure.
AS 3806 divides 12 principles into four key themes:
- monitoring & measurement; and
- continual improvement.
ISO 19600 on the other hand, refers to seven key themes each with multiple elements. The seven key themes are:
- context of the organisation;
- performance evaluation; and
The structure of ISO 19600 is designed to place emphasis on the organisational elements that are required to support compliance.
ISO 19600 uses standard terminology to bring it into line with other ISO standards. This standard terminology is explained by the ISO.
A compliance ‘management system’ is defined as a ‘set of interrelated or interacting elements of an organisation to establish policies and objectives and processes to achieve those objectives’. This contrasts with the previous ‘compliance program’, defined as ‘a series of activities that when combined are intended to achieve compliance’.
Some other notable new definitions include:
- compliance – meeting all the organisation’s compliance obligations;
- compliance obligations – requirements or commitments that an organisation has to or chooses to comply with; and
- compliance risk – effect of uncertainty on compliance objectives.
Whereas many organisations confine themselves to dealing with their ‘legal and regulatory’ obligations, ISO 19600 makes it clear that the concept of compliance is much more expansive and extends to obligations such as those set out in an organisation’s standard operating procedures. This fits in with our thinking at CompliSpace where we often refer to the key compliance areas as being:
- legal and regulatory;
- organisational (including obligations arising from policies and procedures as well as risk treatments); and
The internationalisation of this compliance standard also brings with it a blink-and-you’ll-miss-it change. ISO 19600 states that ‘compliance risk assessment constitutes the basis for the implementation of the compliance management system’. This is a significant inclusion as it makes risk management an essential part of a compliance program.
Previously it was possible to say that ‘whilst risk cannot live without compliance, compliance can live without risk’. This is no longer the case.
Notably, this change matches commercial practice where most organisations, consciously or unconsciously, prioritise the treatment of their compliance obligations based on their perceived risk of non-compliance.
ISO 19600 includes a flowchart which shows how the components of a compliance management system fit within the continual improvement principle, which is part of other ISO standards.
The future of ISO 19600
In an ISO press release Martin Tolar, Chair of the ISO project committee ISO/PC 271 that developed ISO 19600, states that ISO 19600 is ‘expected to serve as a global benchmark for compliance officers, businesses, commentators, academics – and regulators and the courts of course. And thanks to the standard’s customisable guidance, all organisations can benefit.’
We have contacted Standards Australia to enquire as to whether or not it is intended that ISO 19600 will replace AS 3806. Standards Australia confirmed that ISO 19600 will be adopted as an AS/NZS standard and a version will be released for public comment by June this year as part of the normal standard development process. Subject to public comment, the content of ISO 19600 is intended to be adopted in a new AS/NZS standard. At that time it will replace AS 3806.
In the meantime, AS 3806 will continue to be the relevant Australian Standard and organisations can decide whether to sit back and wait, or to upgrade their existing compliance programs to the new ISO 19600 standard in anticipation of its adoption.