A New Global Standard for Compliance: ISO 19600


ISO 19600 Compliance management systems (ISO 19600), a new International Standard for compliance, is currently being finalised, having been under development for some time.

This standard was developed by Project Committee 271, whose secretariat is based in the offices of Standards Australia. Eleven countries are participating in the project and most of the drafting has been done by an Australian drafting committee.

Due for publication by the end of 2014 (the final draft is still subject to negotiation), the new standard will:

  • update and enhance the existing Australian Standard, AS3806:2006 Compliance programs (AS 3806);
  • introduce an international, cross-jurisdictional standard to measure compliance; and
  • provide an international benchmark for compliance systems.

AS 3806

ISO 19600 is based on AS 3806, a Standard developed in Australia which promotes a leading system of compliance management. AS 3806 was originally created in 1998 following a request from the Australian Competition and Consumer Commission (ACCC). It was updated in 2006 and adopts a ‘principles approach’ to compliance, based on four key aspects of compliance, being:

  • commitment;
  • implementation;
  • monitoring and measuring; and
  • continual improvement.

The AS 3806 standard is well respected and is referenced by numerous Australian regulators including the Australian Securities and Investments Commission (ASIC) and the ACCC. It is also referenced in the ASX Corporate Governance Principles and Recommendations.

Why a new standard?

In the global regulatory environment, the law shapes many duties and obligations. In some highly regulated industries, a compliance program is a mandated part of an organisation’s obligations. For example, in Australia, Regulatory Guide 104 obliges Australian Financial Services Licence holders to implement a compliance program.

As the regulatory environment changes, leading to new and challenging influences on an entity, its compliance framework should be flexible enough to adapt to these changes.

Although Australia has had a version of a compliance standard in AS 3806 since 1996, ISO 19600 is the first international standard on this topic. According to Standards Australia, the standard has been designed to ultimately increase market confidence, increase consumer confidence and improve outcomes for government, consumers and investors.

Standards Australia’s policy is to recommend local adoption of international standards where possible so AS 3806 is likely to be replaced by ISO 19600 once it’s been finalised.

A defence against court actions?

ISO 19600 states that ‘in a number of jurisdictions, the courts have considered an organisation’s commitment to compliance through its compliance management system when determining the appropriate penalty to be imposed for contravention of relevant laws’. According to the Governance Risk and Compliance Institute, this position suggests that if companies use ISO 19600 to benchmark their compliance framework against international best practice, the framework could be used to mitigate any potential penalties handed down by regulators or the courts.

Whether this is true remains to be seen but in some cases it is clear that, at the very least, having in place a compliance management system will allow an organisation to demonstrate compliance to regulators or the courts.

Given the ‘compliance’ gap that has existed to date internationally, the new standard is important as it has the potential to be adopted by regulators internationally as the accepted benchmark for making out due diligence defences, and ultimately for the assessment of adequacy of organisational efforts in the context of breaches or control failures.

AS 3806 vs ISO 19600

According to an article by leading Australian law firm Clayton Utz, five ‘key enhancements’ will be incorporated into ISO 19600, being:

  1. The relationship between compliance and governance, risk, audit, legal, environment and health and safety will need to be set out.
  2. The scope of the compliance management system will need to be determined, i.e. whether contractual obligations will be included with statutes and other such duties.
  3. An improvement to the link between risk and compliance, so that controls for these risks and compliance work together.
  4. Compliance will be able to be demonstrated, and reported up to management and the board.
  5. Steps will be taken to have a healthy culture of compliance and compliance behaviours.

Randal Dennings, a Clayton Utz Partner who represents the Law Council of Australia on the Project Committee, writes with Wei-Loong Chen (a Clayton Utz Special Counsel) that ‘organisations who clearly meet the existing requirements of AS3806 should need to do little to meet the requirements of the international standard’.

According to the GRC Institute, ISO 19600 will also improve on AS 3806 by putting a greater emphasis on a risk-based approach to compliance.

ISO 31000 & ISO 19600

As many readers will be aware, Australia also leads the way in the development of the International Risk Management Standard (ISO 31000 – 2009), which was based on the original Australian Risk Management Standard (AS/NZ 4360 – 2004).

At CompliSpace we often say that ‘whilst a compliance program can live without a risk management program, a risk management program can’t live without a compliance program’. It is therefore pleasing to see that Australia is once again leading the way with the development of this critical international governance standard.
