New compliance standard: AS/ISO 19600:2015


The ISO 19600:2014 Compliance Management – Guidelines (ISO 19600) has now been adopted in Australia as AS/ISO 19600:2015 (AS/ISO 19600).

The Australian Standard was approved on behalf of the Council of Standards Australia on 2 June 2015 and it was published on 22 June 2015.

AS/ISO 19600 replaces the former Australian Standard for Compliance AS 3806:2006 (AS 3806) and should be considered to be the Australian and international benchmark for compliance programs.

We’ve previously written about the origin of ISO 19600 and the motives for introducing a new compliance standard. That blog is available here.

AS/ISO 19600 and ISO 19600

AS/ISO 19600 is identical to, and has been reproduced from, ISO 19600. The extent of duplication is evidenced by the fact that in AS/ISO 19600, references to the ‘International Standard’ have not been replaced with the words ‘Australian Standard’ and so readers are instructed to regard references to the International Standard as references to AS/ISO 19600.

We have previously written about the structure and content of ISO 19600 and how it differs to AS 3806. That blog is available here.

For a refresh, the key differences include:

  • a new approach to compliance: whilst AS 3806 spoke of a compliance ‘program’, AS/ISO 19600 speaks of a compliance ‘management system’;
  • new structure: AS/ISO 19600 refers to seven key themes each with multiple elements, compared to the four key themes and 12 principles in AS 3806;
  • new terminology: including defined concepts such as ‘compliance’, ‘compliance obligations’ and ‘compliance risk’; and
  • risk management: AS/ISO 19600 states that ‘compliance risk assessment constitutes the basis for the implementation of the compliance management system’. This is a significant inclusion as it makes risk management an essential part of a compliance program.

Importantly, the expanded new concept of ‘compliance’, meaning ‘meeting all the organisation’s compliance obligations’, makes it clear that the concept of compliance is much more expansive and extends to obligations such as those set out in an organisation’s standard operating procedures.

What should your organisation do now?

AS 3806 is referenced by numerous Australian regulators including the Australian Securities and Investments Commission (ASIC) and the Australian Competition and Consumer Commission. Given the substantive differences between AS 3806 and AS/ISO 19600, it’s unclear whether, or when, those regulators will formally adopt the new standard and they have not yet released any form of communications on the issue. Historically, our experience is that regulators can take years to recognise a new Australian Standard and to update their guidelines.

Despite the fact that the regulators have not formally adopted AS/ISO 19600, the fact that it has superseded AS 3806 means that organisations should be adopting AS/ISO 19600 in order to meet their compliance management obligations.

That said, due to the regulators’ failure to adopt AS/ISO 19600 from the outset, they are unlikely to take any enforcement action in relation to an organisation’s failure to adopt AS/ISO 19600 in the short (or long) term.

Consequently, while it may seem tempting to wait until AS/ISO 19600 has been adopted by regulators before adopting new structures built to AS/ISO 19600, it would be prudent to take steps now to understand what is required to achieve compliance with AS/ISO 19600 and begin the implementation process.

Alternatively, you may already have taken steps to review your compliance system and made changes so that it reflects the structure and principles of ISO 19600. If your organisation falls into this category, you will be aware that implementing such changes requires time and resources.

For those organisations that have no current compliance management program, the introduction of AS/ISO 19600 provides a valuable tool for your organisation to create a compliance management system that meets international compliance benchmarks, should you choose to adopt it.

Compliance and culture in focus

AS/ISO 19600 places emphasis on compliance as being ‘embedded’ in the culture of the organisation and ‘integrated with the organisation’s financial, risk, quality, environmental and health and safety management processes and its operational requirements and procedures’. It makes it clear that compliance is a responsibility of an organisation’s governing body, and not a mere ‘function’ of the organisation.

The adoption of AS/ISO 19600 is timely given the current focus of regulators, shareholders and the media on the corporate governance practices of organisations.

We’ve previously written about ASIC’s current focus on directors and their duty not only to ensure the viable functioning of a business, but also to ensure that a culture of regulatory compliance, risk management and proper corporate governance exists and is enforced in their organisation. To that end, ASIC introduced the ‘3 C’s’ framework on culture risk for organisations, being:

  • communication;
  • challenge; and
  • complacency.

Now that AS/ISO 19600 has been freshly adopted in Australia, it is impossible for an organisation to ignore the good governance opportunity that this new standard presents to organisations that would like to embrace ASIC’s ‘3 C’s’ framework and improve their compliance culture.

While a significant amount of work may be required to review and restructure your organisation’s compliance program to reflect the compliance ‘management system’ suggested in AS/ISO 19600, doing so will ensure that your organisation avoids being labelled ‘complacent’ on the compliance front.

How can CompliSpace help?

CompliSpace combines specialist governance, risk and compliance consulting services with practical, technology-enabled solutions.

CompliSpace content is delivered online, in a format that allows clients to quickly and efficiently tailor the content to their own particular specifications.

If you are looking to streamline your existing governance, risk or compliance programs and make them more relevant to your organisation, give us a call.

We are committed to helping organisations to implement sustainable governance solutions.

