Compliance management: Norm, standard or practice?
Ulrich Palmer, Managing Director at 3GRC GmbH
Published in: DiALOG - THE MAGAZINE FOR ENTERPRISE INFORMATION MANAGEMENT | MARCH 2016
Introducing compliance management in a company is certainly not an easy project. On the one hand, you don't want to create too much bureaucracy; on the other hand, you also want to reduce the so-called directors' and officers' liability, so that any liability claims arising from non-compliant actions by the company can be settled quickly. For many companies, IDW auditing standard PS 980 and the ISO 19600 standard published in 2014 are suitable tools for implementation.
The auditing standard: PS 980
Published by the Institute of German Auditors (IDW) in April 2011, the auditing standard PS 980 contains the principles of proper auditing of compliance management systems (CMS). The auditing standard establishes a uniform, standardised benchmark for compliance management systems for the first time and also allows these requirements to be audited by an external auditor. Companies are given sufficient room for manoeuvre in the interpretation of the individual elements. The audit of the CMS in accordance with IDW PS 980 is voluntary and is intended in principle for German-speaking countries. However, it is in line with the International Framework for Assurance Engagements (ISAE) 3000 and is therefore also recognised internationally. The basic elements of a compliance management system are the following components in accordance with the audit standard:
The standard: ISO 19600:2014
In December 2014, ISO 19600:2014 was published as the first internationally valid standard for the establishment of compliance systems. Based on ÖNORM ONR 192050 and an Australian guideline, ISO 19600 is intended to enable greater standardisation in compliance implementation. The standard is a flexible guideline that can be used in all organisations, companies, authorities and institutions. The standard gives companies a great deal of leeway depending on the size, structure and existing complexity of the organisation. Based on the principles of "good corporate governance", proportionality, transparency and sustainability, ISO 19600:2014 represents a modern guideline for the introduction of a CMS.
The practice
Studies show that compliance has now arrived in a good 80 per cent of German companies - regardless of whether they are small, medium-sized or large companies. The pressure from shareholders, legislators and an increasingly sensitive public is too great. The main differences can be found in the design of the compliance management system and the implementation of compliance measures. Most companies still have a considerable need for action here.
In particular, in many companies the compliance rules are communicated to employees insufficiently, and employees' adherence to them is insufficient as well. Yet this is where the greatest potential for compliant business lies. Communicating the compliance rules to all employees in a comprehensible and transparent manner should therefore be a fundamental concern of company management. Supporting an open compliance culture is also very important.
The question remains as to whether IDW PS 980 and ISO 19600:2014 are mutually exclusive or complementary regulations. The IDW's working group "Auditing and business management issues relating to governance, risk and compliance" has come to the conclusion that the auditing standard and the standard complement each other and do not contradict each other. While the ISO standard is aimed at the companies themselves and is intended to serve as an "implementation standard for CMS", PS 980 is aimed at auditors who have to determine the appropriateness and effectiveness of a CMS.
Regardless of the system or standard according to which a functioning compliance management system is to be introduced, support from external consulting, software or training companies can be useful in many cases. You can find a selection of suitable partners on the website www.3grc.de.
3GRC.de was created in spring 2014 under the direction of Ulrich Palmer as an online hub for the topics summarised under the umbrella term Governance, Risk & Compliance (GRC). The portal is available to all internet users free of charge for research purposes. In the case of complex GRC issues, 3GRC GmbH advises companies on the definition of project goals and the selection of suitable software, consulting or training partners.