Most organizations have a siloed approach to compliance with environmental, safety, quality, community engagement and other departments managing their compliance issues separately. Increasing fines, penalties and criminal proceedings for non-compliance are driving organizations around the world to change their approach to compliance management. ISO recently introduced a unified compliance management system, 19600. This standard has not yet been widely adopted, but there is a clear trend to try and centralize compliance obligations.
In this webinar, we discuss the best practices and guidelines for compliance management as described in the standard.
You will learn:
- the 7 elements that make up an effective compliance management system: Context of the organization, Leadership, Planning, Support, Operations, Performance Evaluation and Improvement
- in-depth details of each of the 7 elements
- examples of how you can apply the recommendations at your organization
Presenter - Jonathan Brun, CEO Nimonik
6. ISO 19600 – Compliance management system standard
The guidelines on compliance management systems are applicable to all types of organizations.
The International Standard is based on the principles of good governance, proportionality, transparency and sustainability.
It has 10 sections, with the requirements contained in sections 4-10.
8. 4 - Context of the organization
4.1 Understanding the organization and its context
4.2 Understanding the needs and expectations of interested parties
4.3 Determining the scope of the compliance management system
4.4 Compliance management system and principles of good governance
4.5 Compliance obligations
4.6 Identification, analysis and evaluation of compliance risks
9. 4.1 Understanding the organization and its context
The organization should determine the external and internal issues that affect its ability to achieve the intended outcomes of its compliance management system (CMS).
Internal and external issues (diagram): regulatory, social, cultural, economic, internal policies, resources.
10. 4.2 Understanding the needs and expectations of interested parties
The organization should determine:
• the interested parties (stakeholders) that are relevant to the CMS
• the requirements of these interested parties
11. 4.3 Determining the scope of the compliance management system
The organization should determine the boundaries and applicability of the compliance management system to establish its scope.
Scope of the compliance management system (geographical/organizational), with its inputs (diagram): the requirements of interested parties and the internal and external issues.
12. 4.3 Determining the scope of the compliance management system
https://www.nytimes.com/2019/09/12/world/europe/france-sex-work-accident.html
13. 4.4 Compliance management system and principles of good governance
The organization should establish a CMS taking into consideration the following governance principles:
• direct access of the compliance function to the governing body
• independence of the compliance function
• appropriate authority and adequate resources allocated to the compliance function
The compliance management system should reflect the organization's values, objectives, strategy and compliance risks.
Inputs to the compliance management system (diagram): governance principles; organization's values; organization's objectives; organization's strategy; organization's compliance risks; organization's compliance obligations.
14. 4.5 Compliance obligations
Compliance obligations are made up of compliance requirements and compliance commitments.
Compliance requirements:
• laws, regulations, permits
• orders, guidance
• treaties, conventions
Compliance commitments:
• agreements with community
• agreements with customers
• organizational policies
• voluntary principles
• industry standards
Managing compliance obligations (CO):
1 Identify compliance obligations
2 Determine the implications of CO for the organization's activities
3 Document compliance obligations
4 Maintain compliance obligations:
• identify new and changed laws
• evaluate the impact of changes
• implement changes in the management of the CO
The organization should identify its compliance obligations and should have processes in place to identify new and changed laws, regulations, codes and other compliance obligations to ensure ongoing compliance.
15. 4.6 Identification, analysis and evaluation of compliance risks
The organization should identify, evaluate and prioritize its compliance risks.
Risk evaluation (diagram): compliance risks; compliance risks the organization is willing to take; non-compliance severity and likelihood; prioritize risk controls set-up and implementation.
The risk-based approach does not mean that for low risk situations, non-compliance is accepted. It only assists in focussing primary attention on higher risks as a priority, and ultimately will cover all compliance risks.
The compliance risks should be reassessed periodically and whenever there are:
• new activities, products or services
• changes to the structure or strategy of the organization
• external changes - financial-economic
• changes to compliance obligations
• non-compliances
17. 5 - Leadership
5.1 Leadership and commitment
5.2 Compliance policy
5.3 Organizational roles, responsibilities and authorities
18. 5.1 Leadership and commitment
The governing body and top management should demonstrate leadership and commitment with respect to the compliance management system.
Management responsibilities (diagram): compliance policy; resource allocation; integrate the CMS into business processes; communicate the importance of the CMS; non-compliance reporting; ensure the CMS achieves its objectives; continual improvement.
19. 5.2 Compliance policy
Top management should establish a compliance policy.
The compliance policy establishes the principles for achieving compliance. It sets the level of responsibility and performance required and sets the expectations against which actions will be assessed.
The compliance policy should not be a stand-alone document but should be supported by other documents: operational policies, procedures and processes.
The compliance policy should:
• be available as documented information
• be written in plain language
• be communicated clearly and made readily available
• be updated as required
Contents of the compliance policy (diagram): framework for compliance objectives; commitment to satisfy requirements; commitment to continually improve the CMS; integration of compliance with other functions; compliance built into operational policies; autonomy of the compliance function; responsibility for compliance issues; consequences of non-compliance.
21. 5.3 Organizational roles, responsibilities and authorities
Top management:
• establish and respect the compliance policy
• allocate adequate resources for the compliance management system
• include compliance responsibilities in the position statements of top managers
• appoint a compliance function with access to expert advice on relevant laws, regulations, codes etc.
• ensure that effective and timely systems of reporting are in place
Compliance function:
• identifying CO with the support of relevant resources
• providing on-going training to employees
• compliance reporting and documenting system
• compliance performance indicators
• corrective action
• compliance risks
• review of the CMS at planned intervals
• ensuring access to appropriate professional advice for establishing and maintaining the CMS
22. 5.3 Organizational roles, responsibilities and authorities
Employee:
• respect CO
• participate in compliance training
• report compliance concerns, issues and failures
24. 6 - Planning
6.1 Actions to address compliance risks
6.2 Compliance objectives and planning to achieve them
25. 6.1 Actions to address compliance risks
1 Identify compliance risks
2 Document compliance risks
3 Plan how to address compliance risks
4 Plan how to integrate and implement actions into CMS processes
5 Plan how to evaluate the effectiveness of actions
The organization should plan:
• actions to address these compliance risks
• how to integrate and implement the actions into its compliance management system processes
• how to evaluate the effectiveness of these actions
The organization should retain documented information on the compliance risks and on the planned actions to address them.
26. 6.2 Compliance objectives and planning to achieve them
Compliance objectives (diagram) should be: consistent with the compliance policy; measurable; taking requirements into account; monitored; communicated; revised.
The organization should establish its compliance management system objectives at relevant functions and levels.
When planning how to achieve its compliance objectives, the organization should determine:
• what will be done
• what resources will be required
• who will be responsible
• when it will be completed
• how the results will be evaluated
The organization should retain documented information on the compliance objectives and on the planned actions to achieve them.
28. 7 - Support
7.1 Resources
7.2 Competence and training
7.3 Awareness
7.4 Communication
7.5 Documented information
29. 7.1 Resources
Resources (diagram): human; financial; access to external advice; access to specialized skills; infrastructure & technology; reference material on legal obligations; professional development.
Top management and all other levels of management should ensure that the necessary resources are deployed effectively to ensure that the compliance management system meets its objectives, and that compliance is achieved.
30. 7.2 Competence and training
The organization should ensure that people working directly with the CMS have the necessary skills.
Training should be:
• tailored to compliance risks related to their role
• on-going, and should begin at recruitment
• easy to understand and practical
• assessed for effectiveness
• documented and recorded
• revised
Compliance function (diagram): determine competence; ensure competence; train and test; maintain documentation.
31. 7.3 Awareness
Top management should ensure that all employees of an organization are aware of:
• the compliance policy
• their role in the effectiveness of the CMS
• the implications of not conforming with the CMS requirements
Top management (diagram): clear integration of compliance in all organization processes; management seen respecting the CMS; compliance training for new employees; on-going compliance training of all employees; on-going communication on compliance issues; employee performance reviews that consider compliance behavior; prompt actions on non-compliance.
Compliance culture (diagram): ensuring operational objectives and targets do not compromise compliant behaviour; integrating compliance into the organization's objectives and strategy; communicating its commitment to compliance; an environment where non-compliance reporting is encouraged; promptly identifying and correcting non-compliance.
32. 7.4 Communication
The organization should determine when and how to share relevant information about the CMS with internal and external parties.
The organization should adopt appropriate methods of communication to ensure that the compliance message is heard and understood by all employees and external parties, including customers, suppliers, contractors etc.
35. 7.5 Documented information
Documented information is an integral part of a compliance management system.
Documented information should be controlled for access, availability and protection against loss or improper use.
Examples of documented information (diagram):
• compliance policy
• roles and responsibilities
• compliance risk registers and prioritization
• annual compliance plans
• CMS objectives, targets, structure
• register of relevant compliance obligations
• register of non-compliances and near misses
• training records
37. 8 - Operation
8.1 Operational planning and control
8.2 Establishing controls and procedures
8.3 Outsourced processes
38. 8.1 Operational planning and control
The organization should plan the processes needed to meet the compliance obligations and address compliance risks by:
• defining the objectives of processes
• establishing criteria for processes
• implementing controls for processes
• documenting process information
39. 8.2 Establishing controls and procedures
Effective controls should be set to ensure compliance obligations are met and non-compliances are prevented, detected and corrected.
Procedures should be established to translate the compliance obligations into practice.
Examples of controls:
• easy to follow and documented policies, procedures, processes
• systems and exception reports
• approvals
• automated processes
• annual compliance plans
• employee performance plans
• compliance assessments and audits
• active and frequent communication on expected behaviour of employees
Examples of procedures:
• integrating the compliance obligations into procedures like forms, reporting, contracts etc.
• assessment to ensure that employees comply with procedures
• arrangements for identifying and escalating non-compliances
• on-going monitoring and measurement
40. 8.3 Outsourced processes
The organization should ensure that outsourced processes are controlled and monitored.
1 The organization should undertake effective due diligence to ensure its commitment to compliance is not lowered.
2 Controls over contractors should be in place to ensure the contract is complied with effectively (e.g. third-party performance appraisals).
3 The organization should consider compliance risks related to third-party processes, such as the supply and distribution of its goods and services.
43. 9.1 Monitoring, measurement, analysis and evaluation
The organization should determine what needs to be measured, how and when it will be measured, and how the results will be reported.
Monitoring (diagram): sources of feedback on compliance performance; methods of information collection; information analysis and classification; development of indicators; compliance reporting; content of compliance reports; record-keeping.
A plan for continual monitoring should be established, setting out monitoring processes, schedules, resources and the information to be collected. Monitoring of the CMS includes the effectiveness of training, controls, currency of CO etc. Monitoring of compliance performance includes leading and lagging indicators, non-compliances, compliance culture etc.
The organization should establish procedures for seeking feedback on its compliance performance from a range of sources like employees, customers, suppliers etc.:
• reports of non-compliance
• information gained through hot lines and complaints
• informal discussions, workshops and focus groups
• training requests and feedback provided during training
A system should be developed for classifying, storing and retrieving the information. Examples of information classification criteria include source, department, noncompliance description etc.
44. 9.1 Monitoring, measurement, analysis and evaluation
The organization should determine what needs to be measured, how and when it will be measured, and how the results will be reported.
Indicators: a set of measurable indicators to quantify compliance performance, for example the percentage of employees trained effectively, or the time taken to report and take corrective action.
Record-keeping: accurate, up-to-date records of the organization's compliance activities should be maintained, including compliance reports, details of noncompliance and corrective and preventive actions, results of reviews and audits etc.
Content of compliance reports: matters that must be notified to any regulatory authority, changes in compliance obligations, measurement of compliance performance, number and details of noncompliances, corrective actions, results from audits etc.
Internal reporting arrangements should ensure that appropriate criteria and obligations for reporting are set out, timelines for regular reporting are established, there is sign-off on the accuracy of reports etc.
45. 9.2 Audit
The organization should conduct audits at planned intervals to determine and report if the CMS is effectively implemented and maintained.
• Plan an audit programme including frequency, methods, responsibilities, planning requirements and reporting
• Define the audit criteria and scope for each audit
• Ensure objectivity and the impartiality of the audit process
• Ensure that the results of the audits are reported to relevant management
• Retain documented information as evidence of the implementation of the audit programme
• Retain documented information as evidence of audit results
46. 9.3 Management review
Top management should review the organization's compliance management system, at planned intervals, to ensure its continuing suitability, adequacy and effectiveness.
Review:
• the status of actions from previous management reviews
• the adequacy of the compliance policy
• the extent to which the compliance objectives have been met
• adequacy of resources
• changes in external and internal issues that are relevant to the CMS
• information on the compliance performance, including trends in nonconformities, corrective actions and timelines for resolution
• opportunities for continual improvement
Recommend:
• the need for changes to the compliance policy, objectives, structure and personnel
• areas to be monitored for potential future noncompliance
• longer term continual improvement initiatives
• changes to compliance processes for better integration with operations
• corrective actions for non-compliances
• recognition of exemplary compliance behaviour within the organization
50. 10.1 Nonconformity, noncompliance and corrective action
When a nonconformity and/or noncompliance occurs, the organization should:
• take action to control and correct it
• manage the consequences
• eliminate the root causes
• determine if similar nonconformities and/or non-compliances exist
• review the effectiveness of the corrective action taken
• make changes to the compliance management system, if necessary
A clear escalation process should be adopted and communicated to ensure that all non-compliances are raised, reported and eventually escalated to relevant management. The process should specify to whom, how and when issues are to be reported and the timelines for internal and external reporting.
51. 10.2 Continual improvement
The organization should seek to continually improve the effectiveness of the compliance management system. The information collected and evaluated in compliance reports should be used as a basis to identify opportunities for improvement.
Plan - Do - Check - Act
54. Successful Compliance Programs
Comprehensive compliance approach; software solution; centrally managed compliance.
Centralized Compliance - a central place where management can view the compliance performance of all facilities worldwide in one place in real time.
Source - October 2019 Survey results - 'Centrally managed vs Locally managed compliance'.
56. Software Solution is critical to a successful compliance program
• 75% of all operations still monitor regulatory requirements manually
• 80% of countries are planning to issue new EHS regulations this year
• 65% of an organization's costs for monitoring regulations can be reduced with a software solution
• 40% of all amended and new laws are EHS related
58. Nimonik's 7 Steps for Comprehensive Compliance
1 Identify your applicable regulations, codes and standards
2 Select requirements that apply to you
3 Implement a process with your subject matter experts
4 Document your compliance actions
5 Monitor for changes to your requirements
6 Verify compliance with audits and management reviews
7 Take action on non-compliance and opportunities for improvement
Plan - Do - Check - Act: continuous improvement
59. Nimonik helps with all three key elements with our 3 services
01 Title-Level Compliance Obligations
● Access over 200,000 EHS regulations, standards and guidelines for global jurisdictions on our easy to use software, NimonikApp.
● Receive alerts when applicable documents change or new ones get introduced.
02 Clause-Level Compliance Obligations
● Access specific requirements in over 200,000 EHS regulations, standards and guidelines for global jurisdictions on our easy to use software, NimonikApp.
● Receive alerts when the specific applicable requirements change or new ones get introduced.
● Use the specific requirements as audit protocols to assess your compliance.
03 Audit and Inspection Software
Audit efficiently with an easy to use app available on web and mobile devices.
61. Thank you
nimonik.com | +1-888-608-7511 | info@nimonik.com
● Please fill in the post-webinar survey
● Text 'Workshop' in the chat if interested in the Comprehensive Compliance workshop for your team