ISO 19600:2014 Compliance Management Systems
CONTEXT OF

The compliance framework needs to be contextualized so that it reflects not only the internal issues that affect the operation of the organisation but also the external environment. Here you must:
• Establish what will be covered by the compliance management system.
• Identify obligations; these can be mandatory and/or voluntary.
• Ensure the compliance management system (CMS) reflects the organisation’s values, objectives, strategy and compliance risks.
• Build processes to identify new and changed laws, regulations, codes and other compliance obligations.
• Identify and evaluate compliance risks, through a formal compliance risk assessment or via alternative approaches.
The governing body and top management should demonstrate leadership and commitment to the compliance management system. Management must also show commitment by:
• Establishing a compliance policy that is appropriate for the organisation and communicated to all levels of the business.
• Assigning responsibilities and authority for relevant roles.
• Establishing a recognised compliance function, even if it is not standalone.
The organisation needs to plan adequately to ensure the compliance management system can achieve its intended outcome. Through planning you must:
• Set the right tone from the top: the governing body and leadership team need to establish and uphold the organisation’s values.
• Prevent, detect and reduce undesired effects of the CMS.
• Achieve continual improvement in the CMS.
The framework needs to be monitored to ensure it is effective and current, and that it can identify instances where non-compliance has occurred. Compliance indicators and reporting need to be established to help with this aspect. This includes:
• Establishing a plan for continual monitoring, setting out monitoring processes, schedules, resources and the information to be collected.
• Conducting audits at planned intervals to provide information on whether the compliance management system is meeting its objective.
The compliance management system should drive continuous improvement in the compliance program. This means:
• When noncompliance occurs, the organization should take action to control and correct it, and/or manage the consequences.
• The organization should seek to continually improve the suitability, adequacy and effectiveness of the CMS.
• Identifying opportunities for improvement of the compliance performance of the
• If required, the framework should be improved to address any shortcomings.
The operation of the compliance management system needs to be managed and controlled. This includes:
• Putting in place effective controls to ensure that the organization's compliance obligations are met and that non-compliances are prevented or detected and corrected.
• Subjecting outsourced processes to a due diligence process to ensure that they will adhere to expected levels of behaviour. All contractors and related third parties need to be covered by the compliance management system.
The organisation needs to adequately support the compliance management system. This includes:
• Providing the resources needed for the establishment, development, implementation, evaluation, maintenance and continual improvement of the CMS.
• All employees adhering to compliance requirements, participating in training, reporting compliance concerns and
• Providing all staff with the necessary training for them to undertake their duties while operating within the framework.
• Undertaking training when there are significant changes or updates required, or when there have been a larger than acceptable number of compliance breaches.
• Raising awareness of the compliance policy and outlining appropriate behaviour and the compliance culture of the
• Developing a common, published standard of behaviour that is required throughout every area of the organization.
• Determining the need for internal and external communications relevant to the CMS.
• Documenting the compliance framework, making it available and updating it as required.
Solutions for the GRC Lifecycle
360 Degrees of Compliance
The increasing complexity of global compliance and regulatory changes impacting your organization creates
operational and business risk that demands a considered strategy and comprehensive program that identifies
risks, eliminates gaps, and delivers the flexibility to respond to changes systematically and proactively.
Having the proper tools and analysis in place to build and maintain your compliance program is essential to evaluate, execute
and evolve the supporting components and operational effectiveness of your program. A comprehensive Governance, Risk, and
Compliance (GRC) solution can serve as an organisation’s “compliance system of record,” streamlining and automating the
compliance process across the enterprise and ultimately providing a body of evidence needed to demonstrate program effectiveness.
There is a variety of published compliance guidance from governmental entities and regulatory bodies around the world. SAI Global has distilled those published compliance guidelines into five key elements that enable organisations to comply with those regulations and build effective compliance programs.
[Diagram: SAI Global solution components; labels recovered from the graphic: Grade Technology; Compliance Workspace (regulations, legislation, …); Living Code; Content Library; Instructor led; Third Party Risk; Surveys & …; Gifts & Hospitality; Virtual Evidence; Incident Management; Conflicts of Interest; Compliance 360 … & Reports]
To learn more:
Email [email protected]
Call +61 2 8206 6060
[Graphic: Industry Leading Analyst Recognition; Broad Capability; Focus on Australian Market; Local Delivery Teams; Local Support Teams & Hours; Prioritise Australian …; Australian Hosting]