New compliance standard: AS/ISO 19600:2015
As happened with risk management, where the international standard replaced the Australian one, the new international standard for compliance, AS/ISO 19600, replaces the former Australian Standard for Compliance AS 3806:2006 (AS 3806). It includes risk management as an essential aspect of a compliance management system and also focuses on compliance as part of the culture of the organisation. In turn, this places an emphasis on compliance as the responsibility of an organisation’s governing body rather than a purely management function.
In light of ASIC’s focus on culture as part of its risk-based surveillance, the emphasis in the new standard on compliance being ‘integrated with the organisation’s financial, risk, quality, environmental and health and safety management processes and its operational requirements and procedures’ is likely to have the regulator make reference to whether a company has adopted the standard if it is undertaking an assessment. While policies and procedures are important, the manner in which they are communicated and implemented within a company is key. Accountability is also a key issue — who is communicating the policy, as well as to whom they are communicating or not.
The new standard has introduced new terminology, that companies will need to understand. While AS 3806 covered a compliance ‘program’, AS/ISO 19600 addresses a compliance ‘management system’, and the new definition of ‘compliance’ means ‘meeting all the organisation’s compliance obligations’. This expands the definition to cover obligations set out in a company’s operating procedures. Other concepts with new meanings include ‘compliance obligations’ and ‘compliance risk'.
Importantly, AS/ISO 19600 states that ‘compliance risk assessment constitutes the basis for the implementation of the compliance management system’, which embeds risk management at the heart of a compliance management system.
The Australian standard AS 3806 is referenced by multiple regulators, including the Australian Securities and Investments Commission (ASIC) and the Australian Competition and Consumer Commission (ACCC). They are likely, over time, to reference the new international standard.