Successful Compliance
Imprint

ISBN 978-3-85402-308-1

Also available as printed version:

ISBN 978-3-85402-307-4

Also available in German language:

ISBN 978-3-85402-305-0

e-Pub ISBN 978-3-85402-306-7

First edition 2015

This work is protected by copyright.

All rights reserved.

Reprint, duplication, photographing or recording on any other media or data medium, even if only used in extracts, shall be permissible only based upon explicit written consent on the part of Austrian Standards plus GmbH. Despite thorough editing, no responsibility can be taken for the correctness of the data given in the book. Publisher and author cannot be held liable.

© Austrian Standards plus GmbH, Vienna 2015

Austrian Standards plus GmbH is an enterprise of Austrian Standards Institute.

AUSTRIAN STANDARDS PLUS GMBH

1020 Vienna, Heinestraße 38

T +43 1 213 00-300

F +43 1 213 00-818

E sales@austrian-standards.at

www.austrian-standards.at

PROJECT COORDINATION

Gertraud Reznicek

COVER PHOTO

©iStock.com/Alexander Bedrin

GRAPHICAL DESIGN

Martin Aschauer

PRINTING

Morawa Lesezirkel GesmbH, 1140 Wien

Contents

Foreword

Abbreviations

1 Basic principles and general framework

1.1 Definition of the term ‘compliance’

1.2 Legal framework for compliance in organisations

1.2.1 Responsibility of organisations in the international arena

1.2.2 Responsibility of organisations at the national level

1.2.3 Responsibility for compliance in Austria

1.3 Compliance as a tool of strategic management

1.3.1 Definition of management systems

1.3.2 Compliance Management Systems

1.4 Distinction between corporate governance – ICS – RMS – CMS

1.4.1 Corporate governance

1.4.2 Internal control system (ICS)

1.4.3 Risk management system (RMS)

1.4.4 Compliance management system (CMS)

1.5 Standardisation of management systems in accordance with ISO

1.6 Certification

1.6.1 Importance of the certification of a CMS

1.6.2 Certification under ISO

2 A CMS in accordance with ISO 19600 at a glance

2.1 Positioning of ISO 19600 as a best-practice approach

2.1.1 Positioning of ISO 19600 compared to legal requirements

2.1.2 ISO 19600 in comparison with selected management tools

2.2 Approach for the implementation of a CMS in accordance with ISO 19600

2.2.1 PLAN – Preparation

2.2.2 DO – Implementation

2.2.3 CHECK – Verification

2.2.4 ACT – Improvement

3 Elements of ISO 19600 – compliance management systems

3.1 Introduction

3.2 Area of application of the ISO 19600 standard

3.3 Definitions in accordance with ISO 19600

3.4 Context of the organisation

3.4.1 Understanding the organisation and its context

3.4.2 Understanding the needs and expectations of interested parties

3.4.3 Determining the scope of the compliance management systems

3.4.4 CMS and principles of good governance

3.4.5 Compliance obligations

3.4.6 Identification, analysis and evaluation of compliance risks

3.5 Leadership

3.5.1 Leadership and commitment

3.5.2 Compliance policy

3.5.3 Organisational roles, responsibilities and authorities

3.5.4 Management responsibility

3.5.5 Employee responsibility

3.6 Planning

3.6.1 Actions to address compliance risks

3.6.2 Compliance objectives and planning to achieving them

3.7 Support

3.7.1 Resources

3.7.2 Competence and training

3.7.3 Awareness

3.7.4 Communication

3.7.5 Documented information

3.8 Operation

3.8.1 Operational planning and control

3.8.2 Establishing controls and procedures

3.8.3 Outsourced processes

3.9 Performance evaluation

3.9.1 Monitoring, measurement, analysis and evaluation

3.9.2 Audits

3.9.3 Management review

3.10 Improvement

3.10.1 Nonconformity, non-compliance and corrective measures

3.10.2 Escalation

3.10.3 Continual improvement

4 Guide for small and medium-sized enterprises (SMEs)

4.1 Compliance-relevant characteristics of SMEs

4.2 Implementation and configuration of compliance management in the SME sector

4.3 Conclusion

5 Advanced concepts

5.1 Change management as a management tool

5.1.1 Definition of change management

5.1.2 Reasons/drivers for change management processes

5.1.3 Factors influencing change management processes

5.1.4 Three-phase approach to changes according to Lewin

5.1.5 Leading Change – The 8-Step Model by John Kotter

5.1.6 Change management and a CMS in accordance with ISO 19600

5.2 Organisational culture as a management tool

5.2.1 Influences on organisational cultures

5.2.2 Characteristics of organisational cultures

5.2.3 The cultural model according to Schein

5.2.4 Effect and function of organisational cultures

5.2.5 Measurement of organisational cultures – the model by Denison

5.2.6 Organisational culture and a CMS in accordance with ISO 19600

5.3 Risk management

5.3.1 A brief history of risk management

5.3.2 Risk management systems at a glance

5.3.3 ERM – a holistic, organisation-wide risk management system

5.3.4 ISO 31000 Risk Management

5.3.5 Risk management and a CMS in accordance with ISO 19600

6 Summary and forecast

Bibliography

The author

List of figures

Figure 1 COSO Internal Control – Integrated Framework

Figure 2 Audit process in accordance with ISO/IEC 17021

Figure 3 ISO 19600 in the Deming cycle of continuous improvement

Figure 4 PESTLE analysis of the external environment

Figure 5 Internal determinants of an organisation according to Huczynski/Buchanan

Figure 6 Stakeholders/interested parties

Figure 7 Risk Matrix

Figure 8 Level and characteristics of a code of conduct

Figure 9 Compliance in support of organisational goals

Figure 10 Means of implementing compliance policy

Figure 11 Components of the capacity to act

Figure 12 The Fraud Triangle and approaches to prevention according to Grüninger

Figure 13 Indicators for CMS objectives according to Johnson/Søreide

Figure 14 Value orientation of CMS according to Grüninger

Figure 15 Overview of communication according to Mast/Maletzke

Figure 16 Sequence of a monitoring procedure

Figure 17 DMAIC cycle of continuous improvement

Figure 18 EU definition of SME

Figure 19 Approaches to compliance management according to Saitz/Tempel/Brühl

Figure 20 Change management as a method/operating principle

Figure 21 Reasons/drivers for change management processes according to Kotter

Figure 22 7-S Model according to Pascal / Athos

Figure 23 Promotors and destructors according to Ladwig/Domsch

Figure 24 The complexity of relations according to Neuburger

Figure 25 Common symptoms of resistance according to Doppler/Lauterburg

Figure 26 Selected areas of action for resistance according to Reiss

Figure 27 Acceptance-promoting aspects of change processes according to Reiss

Figure 28 Phase diagram of changes according to Lewin

Figure 29 8-step model for changes according to Kotter

Figure 30 Factors of organisational culture according to Sackmann

Figure 31 Cultural box model according to Thomas

Figure 32 Cultural levels according to Schein

Figure 33 Framework organisational culture/effectiveness according to Denison

Figure 34 Organisational cultures according to Denison

Figure 35 Corporate culture and effectiveness

Figure 36 Building-blocks of a risk management system

Figure 37 COSO ERM Framework

Figure 38 Risk matrix

Figure 39 Connecting elements of risk framework according to ISO 31000:2009

Figure 40 Risk management process ISO 31000:2009

List of tables

Table 1 Types of system audits

Table 2 Guideline UK Bribery Act vs. ISO 19600

Table 3 US Sentencing Guideline Manual Chapter 8(B) vs. ISO 19600

Table 4 ICC Anti-Corruption Policy vs. ISO 19600

Table 5 Kotter Change Management Model vs. ISO 19600

Table 6 Denison effectiveness model vs. ISO 19600

Table 7 COSO ERM vs. ISO 19600

Table 8 Probability scale

Table 9 Specimen risk map

Table 10 Information and communication needs according to Bruhn

Table 11 Classification of means of communication according to Vahs/Weiand

Table 12 Structure of key risk indicators (KRI)

Foreword

Compliance is not, in itself, a new thing – it should, after all, be self-evident that organisations will observe laws and obligations that they have freely entered into. What is new, however, is the structured approach taken to the subject. Compliance management involves the standardised identification of obligations and their systematic translation into the organisation’s everyday operations. The development of structures and activities and their integration into existing procedures and processes reduces the risk of non-compliant behaviour in the conduct of business. However, a compliance management system (CMS) must offer more. The frequently used argument that the costs of such a system are less than the costs of non-compliance cannot stand on its own. In order to be accepted, compliance measures must be closely linked to effectiveness and efficiency and must not be perceived as bureaucratic obstacles. Compliance is therefore not a mere duty to be performed in order to avert negative consequences for an organisation, but rather contributes to the improvement of business operations. This book is intended to make a contribution and to support organisations of all kinds in applying compliance measures to enhance the effectiveness and efficiency of the organisation’s management as a whole.

ISO 19600:2014-12-15 “Compliance management systems – Guidelines” was developed by users for users and claims to be a best-practice approach for a globally unified policy for the development, implementation, maintenance and continuous improvement of a CMS. The extent to which individual elements are implemented must, in accordance with the principle of appropriateness, be matched to the particular characteristics of the organisation. The standard is therefore applicable to all types of organisations – irrespective of their size, sector, type of business or legal form.

This commentary explains all elements of ISO 19600 and provides numerous practical tips for a phased implementation approach. When a holistic approach is taken, a CMS in accordance with ISO 19600 becomes a key tool in strategic management. This book aims to provide a scientific basis for practical implementation, coupled with decades of experience in building and managing complex systems.

I would like to express my sincere gratitude to the many people who have provided me with support and motivation in the writing of this practical commentary. I would like to express my particular gratitude to Dr. Peter Jonas and DDr. Alexander Petsche for their stimulating discussions and cooperation in the development of this standard as representatives of Austria in ISO Project Committee 271. I would especially like to thank Mag. Gertraud Reznicek of Austrian Standards plus Publishing for her effective and professional cooperation and valuable support.

To all readers I wish that they will obtain many useful ideas and benefits that are relevant to their work in practice. I look forward to receiving any comments, feedback and suggestions at bneiger@neiger.eu!

Vienna, August 2015 Barbara Neiger

Abbreviations

ACCG Austrian Code of Corporate Governance

AG Joint Stock Company (Aktiengesellschaft)

AktG Stock corporation law (Aktiengesetz)

AQAP Allied Quality Assurance Publications

ArbVG Labour Constitution Act (Arbeitsverfassungsgesetz)

AS Australia

BGBl Austrian Federal Law Gazette (Bundesgesetzblatt)

BWG Banking Law (Bankwesengesetz)

BSI British Standards Institution

CMS Compliance Management System

COSO Committee of Sponsoring Organizations of the Treadway Commission

DOJ United States Department of Justice

DMAIC Define-Measure-Analyse-Improve-Control

DSG Data Protection Law (Datenschutzgesetz)

DSK Data Protection Commission (Datenschutzkommission)

e.g. for example

etc. et cetera

EU European Union

ERM Enterprise Risk Management

ERP Enterprise Resource Planning

EUR Euro

FATF Financial Action Task Force

FCPA United States Foreign Corrupt Practices Act

FMA Financial Market Authorisation (Finanzmarktaufsicht)

FSGM Federal Sentencing Guidelines Manual

GARP Global Association of Risk Professionals

GenG Act on Cooperatives (Genossenschaftsgesetz)

GmbHG Law on Limited Liability Company (Gesetz über die Gesellschaft mit beschränkter Haftung)

HLS High Level Structure

ICC International Chamber of Commerce

IEC International Electrotechnical Commission

ICS Internal Control System

ILO International Labour Organization

ISO International Organization for Standardization

IT Information Technology

JTC Joint Technical Committee

JTCG Joint Technical Coordinating Group

KPI Key Performance Indicator

KRI Key Risk Indicator

MS Management System

MMS Management System Standard

NATO North Atlantic Treaty Organization

NZS New Zealand

OECD Organisation for Economic Cooperation and Development

OGH Supreme Court (Oberster Gerichtshof)

OWiG Administrative Offenses Act (Gesetz über Ordnungswidrigkeiten)

PACI Partnering Against Corruption Initiative

PDCA Plan-Do-Check-Act

RM Risk Management

RMS Risk Management System

SAI Social Accountability International

SCGM Sentencing Guidelines Manual

SEC United States Securities and Exchange Commission

SME Small and Medium-Sized Company

SOX Sarbanes-Oxley Act

TMB Technical Management Board

VAG Insurance Supervision Act (Versicherungsaufsichtsgesetz)

VbVG Corporate Liability Law (Verbandsverantwortlichkeitsgesetz)

UN United Nations (Vereinte Nationen)

UNODC United Nations Office on Drugs and Crime

UK United Kingdom

US, USA United States

vs. versus

WAG Securities Supervision Act (Wertpapieraufsichtsgesetz)

1 BASIC PRINCIPLES AND GENERAL FRAMEWORK

The basic principles and general framework for a compliance management system (CMS) in accordance with ISO 19600 are presented in six chapters. First of all, the meaning of the term ‘compliance’ in the context of this practical commentary must be clarified: the fulfilment of obligations which are binding on an organisation due to mandatory regulations, and of obligations that have been voluntarily entered into by the organisation. Chapter 1.2 describes the legal framework for compliance in organisations based on national and international regulations on the (criminal) responsibility of organisations for non-compliant actions on the part of their employees. The obligation of management to set up a CMS that is tailored to the organisation’s individual situation is based on its general duty to perform due diligence as a responsible businessman. As outlined in chapter 1.3, a CMS, as a strategic management tool, should utilise a planned approach to ensure that obligations relevant to the organisation are complied with in the conduct of activities. The avoidance of compliance violations or the mitigation of their negative impact supports the achievement of an organisation’s objectives. The definition of a CMS in relation to corporate governance and other management tools such as internal control systems (ICS) and risk management systems (RMS) is then discussed in chapter 1.4. Chapter 1.5 provides an overview of the historical roots of management systems and their development in the context of the International Organization for Standardization (ISO). Finally, chapter 1.6 discusses the importance of external ratings in general and the certification of a CMS in particular. To conclude, a brief description is given of the requirements for the certification of management systems.

1.1 DEFINITION OF THE TERM ‘COMPLIANCE’

The term ‘compliance’ is derived[1] from the verb ‘to comply with something’, and in the context of this manual means the observance of rules by an organisation – that is, those rules that are binding for the organisation due to statutory provisions, as well as those to whose compliance the organisation has voluntarily submitted.

Under this definition, compliance initially requires only that all obligations are met. This is nothing new and is a self-evident principle in states governed by the rule of law.[2] However, compliance also includes the issue of how organisations ensure that their statutory bodies and employees comply with rules. It is the responsibility of the competent managers to ensure, as part of their supervisory duty and due diligence, that the people who work for the organisation comply with statutory requirements, industry regulations and corporate policies in everyday business transactions.

The obligation to comply with legal regulations applies to all organisations. Compliance with industry regulations and internal policies, too, is not an end in itself but is in the interest of the organisation. All organisations, irrespective of their legal form, size or field of activity, have only limited resources at their disposal. These must be deployed as efficiently and effectively as possible. It is not correct to argue that the requirement for such economic action applies only to for-profit organisations. Non-profit organisations, too, have limited resources at their disposal, which must be deployed to achieve the best possible result. Negative financial consequences of non-compliance, in the form of penalties and fines, certainly do not fall within the definition of the ‘best possible result’.

1.2 LEGAL FRAMEWORK FOR COMPLIANCE IN ORGANISATIONS

Societas delinquere non potest – corporations cannot be held criminally responsible – describes the principle that only natural persons can commit criminal acts, while legal entities are incapable of committing offences.[3] While Anglo-Saxon law (common law in the UK, USA and other countries) has long made no distinction between natural persons and legal entities, it is only developments within the last 20 years that have led to the establishment of liability for legal entities in continental European states too.[4] Numerous intergovernmental legislative acts both inside and outside the EU obligate member states and treaty states to provide for the liability of legal entities for certain crimes.

The first legislative act within the EU to provide for such an obligation is the Second Protocol to the Convention on the Protection of the European Communities’ Financial Interests,[5] which requires the criminal liability of organisations if fraud, corruption or money-laundering has been committed for their benefit by persons acting either alone or as part of the legal entity’s organisation. Organisations must in particular be made responsible if a lack of supervision or control has made the act possible. In addition to the Second Protocol, there are numerous other legislative acts providing for the liability of legal entities for approximately one hundred criminal offences (e.g. property-related offences such as fraud, embezzlement, misappropriation of subsidies or collusion in procurement procedures; corruption and environmental offences; offences in copyright law, stock exchange law, financial criminal law or the law on unfair competition).[6]

Among legislative acts outside the EU, the OECD Convention on Combating Bribery of Foreign Public Officials in International Business Transactions of 1997 should be mentioned. The responsibility of legal entities is further governed by three conventions of the European Council (Protection of the Environment, 1998; Prevention of Cyber Crime, 2001; Counterterrorism, 2005). In order to combat money laundering, the FATF recommendations require effective, proportionate and deterrent sanctions against legal entities.[7] Finally, the UN Conventions for the Suppression of the Financing of Terrorism (2000) and against Corruption (2005) contain further requirements for the criminal or administrative liability of legal entities.[8]

1.2.1 Responsibility of organisations in the international arena

The majority of European countries have implemented the responsibility of legal entities in their legal systems. In continental Europe, a distinction is made between purely criminal, purely administrative or mixed models,[9] while Anglo-Saxon countries such as the UK, Ireland or Cyprus have no administrative criminal law. In some countries (e.g. France, Italy, Switzerland, Hungary and Poland), the state and its regional authorities are entirely exempt from liability. In other countries (France, Netherlands, Croatia, UK), such a restriction applies only to official activities. The liability of publicly-owned companies is not limited in principle. In most countries, the liability of legal entities covers all offences; in some countries, it is restricted to the few offences governed by international agreements (e.g. in Spain, Italy and Malta).[10] In some countries, liability requires that the act was carried out to the benefit of, on behalf of, in the name of or in the interests of the legal entity (e.g. Germany, France, Italy, Poland and Slovenia). In some countries (e.g. Switzerland, the UK), a mere connection with the business activity of the legal entity is sufficient for the establishment of corporate liability. In most states (e.g. Germany, France, Netherlands, Italy, Poland and Hungary), a legal entity may be held accountable for offences committed by a subordinate employee only in connection with a lack of control or supervision by a person in a leading position. In some countries (Belgium, Switzerland, Romania), an act committed by any person working for a legal entity is sufficient to trigger corporate liability.[11] Almost all jurisdictions make provision for the punishment of the legal entity in addition to that of the natural person. In Belgium, insofar as a natural person did not act knowingly or wilfully, the entity (natural person or legal entity) that bears the greatest guilt is the one liable for punishment.
