Compliance management systems - Guidelines

ISO 19600:2014 provides guidance for establishing, developing, implementing, evaluating, maintaining and improving an effective and responsive compliance management system within an organization.
The guidelines on compliance management systems are applicable to all types of organizations. The extent of the application of these guidelines depends on the size, structure, nature and complexity of the organization. ISO 19600:2014 is based on the principles of good governance, proportionality, transparency and sustainability.

Systèmes de management de la compliance - Lignes directrices (Compliance management systems - Guidelines)

ISO 19600:2014 provides guidelines for establishing, developing, implementing, evaluating, maintaining and improving an effective and responsive compliance management system within an organization.
The guidelines on compliance management systems are applicable to all types of organizations. The extent of application of these guidelines depends on the size, structure, nature and complexity of the organization. ISO 19600:2014 is based on the principles of good governance, proportionality, transparency and sustainability.

Sistemi za upravljanje skladnosti - Smernice (Compliance management systems - Guidelines)

This International Standard provides guidelines for establishing, developing, implementing, evaluating, maintaining and improving an effective and responsive compliance management system within an organization.
The guidelines for a compliance management system apply to all types of organizations. The extent of application of these guidelines depends on the size, structure, nature and complexity of the organization. This International Standard is based on the principles of good governance, proportionality, transparency and sustainability.

General Information

Status: Published
Publication Date: 23-Oct-2016
Current Stage: 6100 - Translation of adopted SIST standards (Adopted Project)
Start Date: 31-Mar-2016
Due Date: 30-Mar-2017
Completion Date: 19-Jan-2017

Buy Standard

Standard: ISO 19600:2014 - Compliance management systems -- Guidelines (English language, 28 pages)
Standard: SIST ISO 19600:2016 (English language, 34 pages)
Standard: ISO 19600:2014 - Systemes de management de la compliance -- Lignes directrices (French language, 31 pages)
Standard – translation: SIST ISO 19600:2016 (Slovenian and English language, 48 pages)

Standards Content (sample)

INTERNATIONAL STANDARD ISO 19600
First edition 2014-12-15
Compliance management systems — Guidelines
Systèmes de management de la conformité — Lignes directrices
Reference number ISO 19600:2014(E)
© ISO 2014
ISO 19600:2014(E)
COPYRIGHT PROTECTED DOCUMENT
© ISO 2014

All rights reserved. Unless otherwise specified, no part of this publication may be reproduced or utilized otherwise in any form or by any means, electronic or mechanical, including photocopying, or posting on the internet or an intranet, without prior written permission. Permission can be requested from either ISO at the address below or ISO’s member body in the country of the requester.
ISO copyright office
Case postale 56 • CH-1211 Geneva 20
Tel. + 41 22 749 01 11
Fax + 41 22 749 09 47
E-mail copyright@iso.org
Web www.iso.org
Published in Switzerland
ii © ISO 2014 – All rights reserved
Contents (page)

Foreword ... iv
Introduction ... v
1 Scope ... 1
2 Normative references ... 1
3 Terms and definition ... 1
4 Context of the organization ... 5
4.1 Understanding the organization and its context ... 5
4.2 Understanding the needs and expectations of interested parties ... 5
4.3 Determining the scope of the compliance management system ... 5
4.4 Compliance management system and principles of good governance ... 6
4.5 Compliance obligations ... 6
4.6 Identification, analysis and evaluation of compliance risks ... 7
5 Leadership ... 8
5.1 Leadership and commitment ... 8
5.2 Compliance policy ... 9
5.3 Organizational roles, responsibilities and authorities ... 10
6 Planning ... 13
6.1 Actions to address compliance risks ... 13
6.2 Compliance objectives and planning to achieve them ... 14
7 Support ... 14
7.1 Resources ... 14
7.2 Competence and training ... 14
7.3 Awareness ... 16
7.4 Communication ... 17
7.5 Documented information ... 18
8 Operation ... 19
8.1 Operational planning and control ... 19
8.2 Establishing controls and procedures ... 19
8.3 Outsourced processes ... 20
9 Performance evaluation ... 21
9.1 Monitoring, measurement, analysis and evaluation ... 21
9.2 Audit ... 25
9.3 Management review ... 25
10 Improvement ... 26
10.1 Nonconformity, noncompliance and corrective action ... 26
10.2 Continual improvement ... 27
Bibliography ... 28
Foreword

ISO (the International Organization for Standardization) is a worldwide federation of national standards bodies (ISO member bodies). The work of preparing International Standards is normally carried out through ISO technical committees. Each member body interested in a subject for which a technical committee has been established has the right to be represented on that committee. International organizations, governmental and non-governmental, in liaison with ISO, also take part in the work. ISO collaborates closely with the International Electrotechnical Commission (IEC) on all matters of electrotechnical standardization.

The procedures used to develop this document and those intended for its further maintenance are described in the ISO/IEC Directives, Part 1. In particular the different approval criteria needed for the different types of ISO documents should be noted. This document was drafted in accordance with the editorial rules of the ISO/IEC Directives, Part 2 (see www.iso.org/directives).

Attention is drawn to the possibility that some of the elements of this document may be the subject of patent rights. ISO shall not be held responsible for identifying any or all such patent rights. Details of any patent rights identified during the development of the document will be in the Introduction and/or on the ISO list of patent declarations received (see www.iso.org/patents).

Any trade name used in this document is information given for the convenience of users and does not constitute an endorsement.

For an explanation on the meaning of ISO specific terms and expressions related to conformity assessment, as well as information about ISO’s adherence to the WTO principles in the Technical Barriers to Trade (TBT) see the following URL: Foreword - Supplementary information

The committee responsible for this document is Project Committee ISO/PC 271, Compliance management systems.
Introduction

Organizations that aim to be successful in the long term need to maintain a culture of integrity and compliance, and to consider the needs and expectations of stakeholders. Integrity and compliance are therefore not only the basis, but also an opportunity, for a successful and sustainable organization.

Compliance is an outcome of an organization meeting its obligations, and is made sustainable by embedding it in the culture of the organization and in the behaviour and attitude of people working for it. While maintaining its independence, it is preferable if compliance management is integrated with the organization’s financial, risk, quality, environmental and health and safety management processes and its operational requirements and procedures.

An effective, organization-wide compliance management system enables an organization to demonstrate its commitment to compliance with relevant laws, including legislative requirements, industry codes and organizational standards, as well as standards of good corporate governance, best practices, ethics and community expectations.

An organization’s approach to compliance is ideally shaped by the leadership applying core values and generally accepted corporate governance, ethical and community standards. Embedding compliance in the behaviour of the people working for an organization depends above all on leadership at all levels and clear values of an organization, as well as an acknowledgement and implementation of measures to promote compliant behaviour. If this is not the case at all levels of an organization, there is a risk of noncompliance.

In a number of jurisdictions, the courts have considered an organization’s commitment to compliance through its compliance management system when determining the appropriate penalty to be imposed for contraventions of relevant laws. Therefore, regulatory and judicial bodies can also benefit from this International Standard as a benchmark.

Organizations are increasingly convinced that by applying binding values and appropriate compliance management, they can safeguard their integrity and avoid or minimize noncompliance with the law. Integrity and effective compliance are therefore key elements of good, diligent management. Compliance also contributes to the socially responsible behaviour of organizations.

This International Standard does not specify requirements, but provides guidance on compliance management systems and recommended practices. The guidance in this International Standard is intended to be adaptable, and the use of this guidance can differ depending on the size and level of maturity of an organization’s compliance management system and on the context, nature and complexity of the organization’s activities, including its compliance policy and objectives.

The flowchart in Figure 1 is consistent with other management systems and is based on the continual improvement principle (“Plan-Do-Check-Act”).
[Figure 1 is a flowchart image; only its box labels are recoverable from the page: Establish: Identification of external and internal issues; Identification of interested parties requirements; Good governance principles; Determining the scope and establishing the compliance management system; Establishing compliance policy; Identification of compliance obligations and evaluating compliance risks. Develop: Leadership commitment; Independent compliance function; Responsibilities at all levels; Support functions; Planning to address compliance risks and to achieve objectives. Implement: Operational planning and control of compliance risks. Evaluate: Performance evaluation and compliance reporting. Maintain: Managing noncompliances and continual improvement. Improve.]

Figure 1 — Flowchart of a compliance management system

This International Standard has adopted the “high-level structure” (i.e. clause sequence, common text and common terminology) developed by ISO to improve alignment among its International Standards for management systems. In addition to its generic guidance on a compliance management system, this International Standard also provides a framework to assist in the implementation of specific compliance-related requirements in any management system.

Organizations that have not adopted management system standards or a compliance management framework can easily adopt this International Standard as stand-alone guidance within their organization.

This International Standard is suitable to enhance the compliance-related requirements in other management systems and to assist an organization in improving the overall management of all its compliance obligations.

This International Standard can be combined with existing management system standards (e.g. ISO 9001, ISO 14001, ISO 22000) and generic guidelines (e.g. ISO 31000, ISO 26000).

INTERNATIONAL STANDARD ISO 19600:2014(E)
Compliance management systems — Guidelines
1 Scope

This International Standard provides guidance for establishing, developing, implementing, evaluating, maintaining and improving an effective and responsive compliance management system within an organization.

The guidelines on compliance management systems are applicable to all types of organizations. The extent of the application of these guidelines depends on the size, structure, nature and complexity of the organization. This International Standard is based on the principles of good governance, proportionality, transparency and sustainability.
2 Normative references
There are no normative references.
3 Terms and definition
For the purpose of this document, the following terms and definitions apply.
3.1
organization
person or group of people that has its own functions with responsibilities, authorities and relationships to achieve its objectives (3.9)
Note 1 to entry: The concept of organization includes, but is not limited to, sole-trader, company, corporation, firm, enterprise, authority, partnership, charity or institution, or part or combination thereof, whether incorporated or not, public or private.
3.2
interested party (preferred term)
stakeholder (admitted term)
person or organization (3.1) that can affect, be affected by, or perceive themselves to be affected by a decision or activity
3.3
top management
person or group of people who directs and controls an organization (3.1) at the highest level
Note 1 to entry: Top management has the power to delegate authority and provide resources within the organization.
Note 2 to entry: If the scope of the management system (3.7) covers only part of an organization then top management refers to those who direct and control that part of the organization.
3.4
governing body
person or group of people that governs an organization (3.1), sets directions and holds top management (3.3) to account
3.5
employee
individual in a relationship recognized as an employment relationship in national law or practice
3.6
compliance function
person(s) with responsibility for compliance (3.17) management
Note 1 to entry: Preferably one individual will be assigned overall responsibility for compliance (3.17) management.
3.7
management system
set of interrelated or interacting elements of an organization (3.1) to establish policies (3.8) and objectives (3.9) and processes (3.10) to achieve those objectives
Note 1 to entry: A management system can address a single discipline or several disciplines.
Note 2 to entry: The system elements include the organization’s structure, roles and responsibilities, planning, operation, etc.
Note 3 to entry: The scope of a management system may include the whole of the organization, specific and identified functions of the organization, specific and identified sections of the organization, or one or more functions across a group of organizations.
3.8
policy
intentions and direction of an organization (3.1) as formally expressed by its top management (3.3)
3.9
objective
result to be achieved
Note 1 to entry: An objective can be strategic, tactical and/or operational.
Note 2 to entry: Objectives can relate to different disciplines (such as financial, health and safety, and environmental goals) and can apply at different levels (such as strategic, organization-wide, project, product and process (3.10)).
Note 3 to entry: An objective can be expressed in other ways, e.g. as an intended outcome, a purpose, an operational criterion, as a compliance objective or by the use of other words with similar meaning (e.g. aim, goal, or target).
Note 4 to entry: In the context of compliance management systems, compliance objectives are set by the organization, consistent with the compliance policy, to achieve specific results.
3.10
process
set of interrelated or interacting activities which transforms inputs into outputs
3.11
risk
effect of uncertainty on objectives (3.9)
Note 1 to entry: An effect is a deviation from the expected — positive or negative.
Note 2 to entry: Uncertainty is the state, even partial, of deficiency of information related to, understanding or knowledge of, an event, its consequence, or likelihood.
Note 3 to entry: Risk is often characterized by reference to potential “events” (as defined in ISO Guide 73:2009, 3.5.1.3) and “consequences” (as defined in ISO Guide 73:2009, 3.6.1.3), or a combination of these.
Note 4 to entry: Risk is often expressed in terms of a combination of the consequences of an event (including changes in circumstances) and the associated “likelihood” (as defined in ISO Guide 73:2009, 3.6.1.1) of occurrence.
3.12
compliance risk
effect of uncertainty on compliance objectives (3.9)
Note 1 to entry: Compliance risk can be characterized by the likelihood of occurrence and the consequences of noncompliance (3.18) with the organization’s compliance obligations (3.16).
3.13
requirement
need or expectation that is stated, generally implied or obligatory
Note 1 to entry: “Generally implied” means that it is custom or common practice for the organization and interested parties that the need or expectation under consideration is implied.
Note 2 to entry: A specified requirement is one that is stated, for example in documented information.
3.14
compliance requirement
requirement (3.13) that an organization (3.1) has to comply with
3.15
compliance commitment
requirement (3.13) that an organization (3.1) chooses to comply with
3.16
compliance obligation
compliance requirement (3.14) or compliance commitment (3.15)
3.17
compliance
meeting all the organization’s compliance obligations (3.16)
Note 1 to entry: Compliance is made sustainable by embedding it in the culture of an organization (3.1) and in the behaviour and attitude of people working for it.
3.18
noncompliance
non-fulfilment of a compliance obligation (3.16)
Note 1 to entry: Noncompliance can be a single or a multiple event and may or may not be the result of a nonconformity (3.33).
3.19
compliance culture
values, ethics and beliefs that exist throughout an organization (3.1) and interact with the organization’s structures and control systems to produce behavioural norms that are conducive to compliance (3.17) outcomes
3.20
code
statement of practice developed internally or by an international, national or industry body or other organization (3.1)
Note 1 to entry: The code may be mandatory or voluntary.
3.21
organizational and industry standards
documented codes (3.20), good practices, charters, technical and industry standards deemed by an organization (3.1) to be relevant
3.22
regulatory authority
organization (3.1) responsible for regulating or enforcing compliance (3.17) with legislative and other requirements (3.13)
3.23
competence
ability to apply knowledge and skills to achieve intended results
3.24
documented information
information required to be controlled and maintained by an organization (3.1) and the medium on which it is contained
Note 1 to entry: Documented information can be in any format and media and from any source.
Note 2 to entry: Documented information can refer to:
— the management system (3.7), including related processes (3.10);
— information created in order for the organization to operate (documentation);
— evidence of results achieved (records).
3.25
procedure
specified way to carry out an activity or process (3.10)
3.26
performance
measurable result
Note 1 to entry: Performance can relate either to quantitative or qualitative findings.
Note 2 to entry: Performance can relate to the management of activities, processes (3.10), products (including services), systems or organizations (3.1).
3.27
continual improvement
recurring activity or process (3.10) to enhance performance (3.26)
3.28
outsource (verb)
make an arrangement where an external organization (3.1) performs part of an organization’s function or process (3.10)
Note 1 to entry: An external organization is outside the management system (3.7), although the outsourced function or process is within the scope.
3.29
monitoring
determining the status of a system, a process (3.10) or an activity
Note 1 to entry: To determine the status there may be a need to check, supervise or critically observe.
Note 2 to entry: Monitoring is not a once-only activity, but a process of regularly or continuously observing a situation.
3.30
measurement
process (3.10) to determine a value
3.31
audit
systematic, independent and documented process (3.10) for obtaining audit evidence and evaluating it objectively to determine the extent to which the audit criteria are fulfilled
Note 1 to entry: An audit can be an internal audit (first party) or an external audit (second party or third party), and it can be a combined audit (combining two or more disciplines).
Note 2 to entry: “Audit evidence” and “audit criteria” are defined in ISO 19011.
Note 3 to entry: Independence can be demonstrated by the freedom from responsibility for the activity being audited or freedom from bias and conflict of interest.
3.32
conformity
fulfilment of a management system requirement (3.13)
3.33
nonconformity
non-fulfilment of a management system requirement (3.13)
Note 1 to entry: A nonconformity is not necessarily a noncompliance (3.18).
3.34
correction
action to eliminate a detected nonconformity (3.33) or a noncompliance (3.18)
3.35
corrective action
action to eliminate the cause of a nonconformity (3.33) or a noncompliance (3.18) and to prevent recurrence

4 Context of the organization
4.1 Understanding the organization and its context

The organization should determine external and internal issues, such as those related to compliance risks, that are relevant to its purpose and that affect its ability to achieve the intended outcome(s) of its compliance management system. In doing so, the organization should consider a broad range of external and internal aspects, such as the regulatory, social and cultural contexts, the economic situation and the internal policies, procedures, processes and resources.
4.2 Understanding the needs and expectations of interested parties
The organization should determine:
— the interested parties that are relevant to the compliance management system;
— the requirements of these interested parties.
4.3 Determining the scope of the compliance management system

The organization should determine the boundaries and applicability of the compliance management system to establish its scope.

NOTE The scope of the compliance management system is intended to clarify the geographical and/or organizational boundaries to which the compliance management system will apply, especially if the organization is a part of a larger organization at a given location.
When determining this scope, the organization should consider:
— the external and internal issues referred to in 4.1;
— the requirements referred to in 4.2 and 4.5.1.
The scope should be readily available as documented information.
4.4 Compliance management system and principles of good governance

The organization should establish, develop, implement, evaluate, maintain and continually improve a compliance management system, including the processes needed and their interactions, in accordance with this International Standard, taking into consideration the following governance principles:
— direct access of the compliance function to the governing body;
— independence of the compliance function;
— appropriate authority and adequate resources allocated to the compliance function.

The compliance management system should reflect the organization’s values, objectives, strategy and compliance risks.
4.5 Compliance obligations
4.5.1 Identification of compliance obligations

The organization should systematically identify its compliance obligations and their implications for its activities, products and services. The organization should take these obligations into account in establishing, developing, implementing, evaluating, maintaining and improving its compliance management system.

The organization should document its compliance obligations in a manner that is appropriate to its size, complexity, structure and operations.

Sources of compliance obligations should include compliance requirements and can include compliance commitments.
EXAMPLE 1 Examples of compliance requirements include:
— laws and regulations;
— permits, licences or other forms of authorization;
— orders, rules or guidance issued by regulatory agencies;
— judgments of courts or administrative tribunals;
— treaties, conventions and protocols.
EXAMPLE 2 Examples of compliance commitments include:
— agreements with community groups or non-governmental organizations;
— agreements with public authorities and customers;
— organizational requirements, such as policies and procedures;
— voluntary principles or codes of practice;
— voluntary labelling or environmental commitments;
— obligations arising under contractual arrangements with the organization;
— relevant organizational and industry standards.
4.5.2 Maintenance of compliance obligations

Organizations should have processes in place to identify new and changed laws, regulations, codes and other compliance obligations to ensure on-going compliance. Organizations should have processes to evaluate the impact of the identified changes and implement any changes in the management of the compliance obligations.

EXAMPLE Examples of processes to obtain information on changes to laws and other compliance

obligations include:
— being on the mailing lists of relevant regulators;
— membership of professional groups;
— subscribing to relevant information services;
— attending industry forums and seminars;
— monitoring the websites of regulators;
— meeting with regulators;
— arrangements with legal advisors;

— monitoring the sources of the compliance obligations (e.g. regulatory pronouncements and court decisions).

4.6 Identification, anal
...

2003-01.Slovenski inštitut za standardizacijo. Razmnoževanje celote ali delov tega standarda ni dovoljeno.Sistemi za upravljanje skladnosti - SmerniceSystèmes de management de la compliance - Lignes directricesCompliance management systems - Guidelines03.120.01Kakovost na splošnoQuality in general03.100.70Sistemi vodenjaManagement systemsICS:Ta slovenski standard je istoveten z:ISO 19600:2014SIST ISO 19600:2016en01-december-2016SIST ISO 19600:2016SLOVENSKI

STANDARD
SIST ISO 19600:2016

© ISO 2014Compliance management systems — GuidelinesSystèmes de management de la conformité — Lignes directricesINTERNATIONAL STANDARDISO19600First edition2014-12-15Reference numberISO 19600:2014(E)SIST ISO 19600:2016

ISO 19600:2014(E) ii © ISO 2014 – All rights reservedCOPYRIGHT PROTECTED DOCUMENT©

ISO 2014All rights reservedä Unless otherwise speci Ðiedá no part of this publication may be reproduced or utilized otherwise in any form or by any meansá electronic or mechanicalá including photocopyingá or posting on the internet or an intranetá without prior written permissionä Permission can be requested from either ISO at the address below or ISOïs member body in the country of the requesteräISO copyright of ÐiceTel. + 41 22 749 01 11Fax

v s
t t
y v {
r {

v yEæmail copyright 7isoäorgWeb www.iso.orgPublished in SwitzerlandSIST ISO 19600:2016

ISO 19600:2014(E) Contents PageForeword ........................................................................................................................................................................................................................................ivIntroduction ..................................................................................................................................................................................................................................v1 Scope .................................................................................................................................................................................................................................12 Normative references ......................................................................................................................................................................................1uTermsanddeÐinition ........................................................................................................................................................................................14 Context of the organization .......................................................................................................................................................................5 vä s Understanding the organization and its context .......................................................................................................5 vä t Understanding the needs and expectations of interested parties ..............................................................5 vä u Determining the scope of the compliance management system .................................................................5 vä v Compliance management system and principles of good governance ...................................................6 vä w Compliance obligations 
...................................................................................................................................................................6 vä x Identi Ðicationá analysis and evaluation of compliance risks ............................................................................75 Leadership ..................................................................................................................................................................................................................8 wä s Leadership and commitment .....................................................................................................................................................8 wä t Compliance policy ................................................................................................................................................................................9 wä u Organizational rolesá responsibilities and authorities.......................................................................................106 Planning ......................................................................................................................................................................................................................13 xä s Actions to address compliance risks .................................................................................................................................13 xä t Compliance objectives and planning to achieve them .......................................................................................147 Support ........................................................................................................................................................................................................................147.1 Resources 
..................................................................................................................................................................................................14 yä t Competence and training ............................................................................................................................................................14 yä u Awareness ................................................................................................................................................................................................16 yä v Communication ...................................................................................................................................................................................17 yä w Documented information ............................................................................................................................................................188 Operation ..................................................................................................................................................................................................................19 zä s Operational planning and control .......................................................................................................................................19 zä t Establishing controls and procedures .............................................................................................................................198.3 Outsourced processes ....................................................................................................................................................................209 Performance evaluation ............................................................................................................................................................................21 {ä s Monitoringá measurementá analysis and evaluation 
............................................................................................219.2 Audit ..............................................................................................................................................................................................................25 {ä u Management review ........................................................................................................................................................................2510 Improvement .........................................................................................................................................................................................................26 s rä s Nonconformityá noncompliance and corrective action .....................................................................................26 s rä t Continual improvement ...............................................................................................................................................................27Bibliography .............................................................................................................................................................................................................................28© ISO 2014 – All rights reserved iiiSIST ISO 19600:2016

ISO 19600:2014(E)Forewordthrough ISO technical committeesä Each member body interested in a subject for which a technical committee has been established has the right to be represented on that committeeä International organizationsá governmental and nonægovernmentalá in liaison with ISOá also take part in the workä electrotechnical standardizationäThe procedures used to develop this document and those intended for its further maintenance are

sä In particular the different approval criteria needed for the different types of ISO documents should be notedä This document was drafted in accordance with the

Directivesá Part www.iso.org/directives).Attention is drawn to the possibility that some of the elements of this document may be the subject of patent rightsä ISO shall not be held responsible for identifying any or all such patent rightsä Details of any www.iso.).Any trade name used in this document is information given for the convenience of users and does not constitute an endorsementäFor an explanation on the meaning of ISO speci Ðic terms and expressions related to conformity assessmentá as well as information about ISOïs adherence to the WTO principles in the Technical Barriers Foreword æ Supplementary informationThe committee responsible for this document is Project Committee ISO/PC

t y sá Compliance management systems. iv © ISO 2014 – All rights reservedSIST ISO 19600:2016

ISO 19600:2014(E)IntroductionOrganizations that aim to be successful in the long term need to maintain a culture of integrity and complianceá and to consider the needs and expectations of stakeholdersä Integrity and compliance are therefore not only the basisá but also an opportunityá for a successful and sustainable organizationäCompliance is an outcome of an organization meeting its obligationsá and is made sustainable by embedding it in the culture of the organization and in the behaviour and attitude of people working for itä While maintaining its independenceá it is preferable if compliance management is integrated with the organizationïs

Ðinancialá riská qualityá environmental and health and safety management processes and its operational requirements and proceduresäAn effectiveá organizationæwide compliance management system enables an organization to demonstrate its commitment to compliance with relevant lawsá including legislative requirementsá industry codes and organizational standardsá as well as standards of good corporate governanceá best practicesá ethics and community expectationsäAn organizationïs approach to compliance is ideally shaped by the leadership applying core values and generally accepted corporate governanceá ethical and community standardsä Embedding compliance in the behaviour of the people working for an organization depends above all on leadership at all levels and clear values of an organizationá as well as an acknowledgement and implementation of measures to promote compliant behaviourä If this is not the case at all levels of an organizationá there is a risk of noncomplianceäIn a number of jurisdictionsá the courts have considered an organizationïs commitment to compliance through its compliance management system when determining the appropriate penalty to be imposed for contraventions of relevant lawsä Thereforeá regulatory and judicial bodies can also bene Ðit from this International Standard as a benchmarkäOrganizations are increasingly convinced that by applying binding values and appropriate compliance managementá they can safeguard their integrity and avoid or minimize noncompliance with the lawä Integrity and effective compliance are therefore key elements of goodá diligent managementä Compliance also contributes to the socially responsible behaviour of organizationsäThis International Standard does not specify requirementsá but provides guidance on compliance management systems and recommended practicesä The guidance in this International Standard is intended to be adaptableá and the use of this guidance can differ depending on the size and level of maturity of 
an organizationïs compliance management system and on the contextá nature and complexity of the organizationïs activitiesá including its compliance policy and objectivesäThe

Ðlowchart in Figure 1 is consistent with other management systems and is based on the continual

© ISO 2014 – All rights reserved vSIST ISO 19600:2016

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igure 1 — Flowchart of a compliance management systemTfor management systemsä In addition to its generic guidance on a compliance management systemá this International Standard also provides a framework to assist in the implementation of speci Ðic complianceærelated requirements in any management systemäOrganizations that have not adopted management system standards or a compliance management framework can easily adopt this International Standard as standæalone guidance within their organizationäThis International Standard is suitable to enhance the complianceærelated requirements in other management systems and to assist an organization in improving the overall management of all its compliance obligationsäISO

{ r r sá ISO
s v r r sá ISO
u s r r rá ISO
vi © ISO 2014 – All rights reservedSIST ISO 19600:2016

Compliance management systems — Guidelines1 ScopeThis International Standard provides guidance for establishingá developingá implementingá evaluatingá maintaining and improving an effective and responsive compliance management system within an organizationäThe guidelines on compliance management systems are applicable to all types of organizationsä The extent of the application of these guidelines depends on the sizeá structureá nature and complexity of the organizationä This International Standard is based on the principles of good governanceá proportionalityá transparency and sustainabilityä2 Normative referencesThere are no normative referencesäuTermsanddeÐinitionFor the purpose of this documentá the following terms and de Ðinitions applyä3.1organizationperson or group of people that has its own functions with responsibilitiesá authorities and relationships to achieve its objectives (3.9)Note

s to entryã The concept of organization includesá but is not limited to soleætraderá companyá corporationá

Ðirmá enterpriseá authorityá partnershipá charity or institutioná or part or combination thereofá whether incorporated or notá public or privateä3.2interested party (preferred term)stakeholder person or organization (3.1decision or activity3.3top managementperson or group of people who directs and controls an organization (3.1Note

s to entryã Top management has the power to delegate authority and provide resources within the organizationäNote

t to entryã If the scope of the management system (3.7management refers to those who direct and control that part of the organizationä3.4governing bodyperson or group of people that governs an organization (3.1top management (3.33.5employeeindividual in a relationship recognized as an employment relationship in national law or practiceINTERNATIONAL STANDARD ISO 19600:2014(E)© ISO 2014 – All rights reserved 1SIST ISO 19600:2016

ISO 19600:2014(E)3.6compliance functioncompliance (3.17Note

s to entryã Preferably one individual will be assigned overall responsibility for compliance (3.173.7management systemset of interrelated or interacting elements of an organization (3.1policies (3.8objectives (3.9processes (3.10Note

s to entryã A management system can address a single discipline or several disciplinesäNote

t to entryã The system elements include the organizationïs structureá roles and responsibilitiesá planningá operationá etcäNote

u to entryã The scope of a management system may include the whole of the organizationá speci Ðic and identi Ðied functions of the organizationá speci Ðic and identi Ðied sections of the organizationá or one or more functions across a group of organizationsä3.8policyintentions and direction of an organization (3.1top management (3.7)3.9objectiveresult to be achievedNote

s to entryã Note
t to entryã Oprocess (3.10)).Note

u to entryã An objective can be expressed in other waysá eägä as an intended outcomeá a purposeá an operational Note

v to entryã In the context of compliance management systemsá compliance objectives are set by the organizationá consistent with the compliance policyá to achieve speci Ðic resultsä3.10processset of interrelated or interacting activities which transforms inputs into outputs3.11riskeffect of uncertainty on objectives (3.9)Note

s to entryã Note

t to entryã Uncertainty is the stateá even partialá of de Ðiciency of information related toá understanding or knowledge ofá an eventá its consequenceá or likelihoodäNote

u to entryã R Guide
y uã t r r {á
Guide Note
v to entryã R Guide
y3.12compliance riskeffect of uncertainty on compliance objectives (3.9)Note

s to entryã Compliance risk can be characterized by the likelihood of occurrence and the consequences of noncompliance (3.18compliance obligations (3.16). 2 © ISO 2014 – All rights reservedSIST ISO 19600:2016

ISO 19600:2014(E)3.13requirementneed or expectation that is statedá generally implied or obligatoryNote

s to entryã òGenerally impliedó means that it is custom or common practice for the organization and interested parties that the need or expectation under consideration is impliedäNote

t to entryã A speci Ðied requirement is one that is statedá for example in documented informationä3.14compliance requirementrequirement (3.13organization (3.13.15compliance commitmentrequirement (3.13organization (3.13.16compliance obligationcompliance requirement (3.14) or compliance commitment (3.15)3.17compliancemeeting all the organizationïs compliance obligations (3.16)Note

s to entryã Compliance is made sustained by embedding it in the culture of an organization (3.1behaviour and attitude of people working for itä3.18noncompliancenonæful Ðilment of a compliance obligation (3.16)Note

s to entryã Noncompliance can be a single or a multiple event and may or may not be the result of a nonconformity (3.33).3.19compliance culturevaluesá ethics and beliefs that exist throughout an organization (3.1organizationïs structures and control systems to produce behavioural norms that are conducive to compliance (3.17) outcomes3.20codestatement of practice developed internally or by an internationalá national or industry body or other organization (3.1)Note

s to entryã The code may be mandatory or voluntaryä3.21organizational and industry standardsdocumented codes (3.20organization (3.13.22regulatory authorityorganization (3.1compliance (3.17requirements (3.13)3.23competenceability to apply knowledge and skills to achieve intended results © ISO 2014 – All rights reserved 3SIST ISO 19600:2016

ISO 19600:2014(E)3.24documented informationinformation required to be controlled and maintained by an organization (3.1it is containedNote

s to entryã Documented information can be in any format and media and from any sourceäNote

t to entryã Documented information can refer toã
the management system (3.7processes (3.10);

3.25procedurespeci Ðied way to carry out an activity or process (3.10)3.26performancemeasurable resultNote

s to entryã Performance can relate either to quantitative or qualitative
ÐindingsäNote

t to entryã Performance can relate to the management of activitiesá processes (3.10organizations (3.1).3.27continual improvementrecurring activity or process (3.10performance (3.26)3.28outsource (verb)make an arrangement where an external organization (3.1or process (3.10)Note

s to entryã An external organization is outside the management system (3.7function or process is within the scope.3.29monitoringdetermining the status of a systemá a process (3.10Note

s to entryã To determine the status there may be a need to checká supervise or critically observeäNote

t to entryã Monitoring is not a onceæonly activityá but a process of regularly or continuously observing a situationä3.30measurementprocess (3.103.31auditsystematicá independent and documented process (3.10objectively to determine the extent to which the audit criteria are ful ÐilledNote

s to entryã ANote
t to entryã òAudit evidenceó and òaudit criteriaó are de Ðined in ISO
s { r s sä 4 © ISO 2014 – All rights reservedSIST ISO 19600:2016
ISO 19600:2014(E)Note

u to entryã Independence can be demonstrated by the freedom from responsibility for the activity being audited or freedom from bias and con Ðlict of interestä3.32conformityful Ðilment of a management system requirement (3.13)3.33nonconformitynonæful Ðilment of a management system requirement (3.13)Note

s to entryã A nonconformity is not necessarily a noncompliance (3.18).3.34correctionaction to eliminate a detected nonconformity (3.33noncompliance (3.18)3.35corrective actionaction to eliminate the cause of a nonconformity (3.33noncompliance (3.184 Context of the organization4.1 Understanding the organization and its contextThe organization should determine external and internal issuesá such as those related to compliance compliance management systemä In doing soá the organization should consider a broad range of external and internal aspectsá such as the regulatoryá social and cultural contextsá the economic situation and the internal policiesá proceduresá processes and resourcesä4.2 Understanding the needs and expectations of interested partiesThe organization should determineã the interested parties that are relevant to the compliance management systemâ the requirements of these interested partiesä4.3 Determining the scope of the compliance management systemThe organization should determine the boundaries and applicability of the compliance management system to establish its scopeäNOTE Torganizational boundaries to which the compliance management system will applyá especially if the organization is a part of a larger organization at a given locationäWhen determining this scopeá the organization should considerã the external and internal issues referred to in 4.1; the requirements referred to in 4.2 and 4.5.1.The scope should be readily available as documented informationä © ISO 2014 – All rights reserved 5SIST ISO 19600:2016

ISO 19600:2014(E)4.4 Compliance management system and principles of good governanceThe organization should establishá developá implementá evaluateá maintain and continually improve a compliance management systemá including the processes needed and their interactionsá in accordance with this International Standardá taking into consideration the following governance principlesã direct access of the compliance function to the governing bodyâ independence of the compliance functionâ appropriate authority and adequate resources allocated to the compliance functionäThe compliance management system should re Ðlect the organizationïs valuesá objectivesá strategy and compliance risksä4.5 Compliance obligationsväwäsIdentiÐicationofcomplianceobligationsThe organization should systematically identify its compliance obligations and their implications for its activitiesá products and servicesä The organization should take these obligations into account in establishingá developingá implementingá evaluatingá maintaining and improving its compliance management systemäThe organization should document its compliance obligations in a manner that is appropriate to its sizeá complexityá structure and operationsäSources of compliance obligations should include compliance requirements and can include compliance commitmentsäEXAMPLE

s Examples of compliance requirements includeã
laws and regulationsâ
permitsá licences or other forms of authorizationâ
ordersá rules or guidance issued by regulatory agenciesâ
judgments of courts or administrative tribunalsâ
treatiesá conventions and protocolsäEXAMPLE
t Examples of compliance commitments includeã
agreements with community groups or nonægovernmental organizationsâ
agreements with public authorities and customersâ
organizational requirementsá such as policies and proceduresâ
voluntary principles or codes of practiceâ
voluntary labelling or environmental commitmentsâ
obligations arising under contractual arrangements with the organizationâ

relevant organizational and industry standardsä4.5.2 Maintenance of compliance obligationsOrganizations should have processes in place to identify new and changed lawsá regulationsá codes and other compliance obligations to ensure onægoing complianceä Organizations should have processes to

6 © ISO 2014 – All rights reservedSIST ISO 19600:2016

ISO 19600:2014(E)evaluate the impact of the identi Ðied changes and implement any changes in the management of the compliance obligationsäEXAMPLE Examples of processes to obtain information on changes to laws and other compliance obligations includeã

being on the mailing lists of relevant regulatorsâ
membership of professional groupsâ
subscribing to relevant information servicesâ
attending industry forums and seminarsâ
monitoring the websites of regulatorsâ
meeting with regulatorsâ
arrangements with legal advisorsâ

växIdentiÐicationáanalysisandevaluationofcompliancerisksThe organization should identify and evaluate its compliance risksä This evaluation can be based on a formal compliance risk assessment or conducted via alternative approachesä Compliance risk assessment constitutes the basis for the implementation of the compliance management system and the planned allocation of appropriate and adequate resources and processes to manage identi Ðied compliance risksäThe organization should identify compliance risks by relating its compliance obligations to its activitiesá productsá services and relevant aspects of its operations in order to identify situations where noncompliance can occurä The organization should identify the causes for and consequences of noncomplianceäThe organization should analyse compliance risks by considering causes and sources of noncompliance and the severity of their consequencesá as well as the likelihood that noncompliance and associated consequences can occurä Consequences can includeá for exampleá personal and environmental harmá economic lossá reputational harm and administrative liabilityäRisk evaluation involves comparing the level of compliance risk found during the analysis process with the level of compliance risk the organization is able and willing to acceptä Based on this comparisoná priorities can be set as a basis for determining the need for implementing controls and the extent of these controls (see 6.1).The compliance risks should be reassessed periodically and whenever there areã new or changed activitiesá products or servicesâ changes to the structure or strategy of the organizationâ signi Ðicant external changesá such as

Ðinancialæeconomic circumstancesá market conditionsá liabilities and client relationshipsâ c4.5); noncNOTE

s The extent and level of detail of the compliance risk assessment are dependent on the risk situationá NOTE

t The riskæbased approach to compliance management does not mean that for low compliance risk situationsá noncompliance is accepted by the organizationä It assists organizations in focussing primary attention and resources on higher risks as a priorityá and ultimately will cover all compliance risksä All identi Ðied compliance

© ISO 2014 – All rights reserved 7SIST ISO 19600:2016
ISO 19600:2014(E)NOTE
u ISO

u s r r r provides detailed guidance on risk assessmentä5 Leadership5.1 Leadership and commitmentThe governing body and top management should demonstrate leadership and commitment with respect to the compliance management system byã establishing and upholding the core values of the organizationâ ensuring that the compliance policy and compliance objectives are established and are consistent 6.2); ensuring that policiesá procedures and processes are developed and implemented to achieve compliance objectivesâ ensuring that the resources needed for the compliance management system are availableá allocated and assignedâ ensuring the integration of the compliance management system requirements into the organizationïs business processes; communicating the importance of an effective compliance management system and the importance of conforming to the compliance management system requirementsâ directing and supporting persons to contribute to the effectiveness of the compliance management systemâ supporting other relevant management roles to demonstrate their leadership as it applies to their areas of compliance responsibilityâ ensuring alignment between operational targets and compliance obligationsâ establishing and maintaining accountability mechanismsá including timely reporting on compliance mattersá including noncomplianceâ e promoting continual improvementäEXAMPLE Effective compliance requires an active commitment from the governing body and top management that permeates the whole organizationä The level of commitment is indicated by the degree to whichã

the governin
...

NORME ISO
INTERNATIONALE 19600
Première édition
2014-12-15
Systèmes de management de la
compliance — Lignes directrices
Compliance management systems — Guidelines
Numéro de référence
ISO 19600:2014(F)
ISO 2014
---------------------- Page: 1 ----------------------
ISO 19600:2014(F)
DOCUMENT PROTÉGÉ PAR COPYRIGHT
© ISO 2014

Droits de reproduction réservés. Sauf indication contraire, aucune partie de cette publication ne peut être reproduite ni utilisée

sous quelque forme que ce soit et par aucun procédé, électronique ou mécanique, y compris la photocopie, l’affichage sur

l’internet ou sur un Intranet, sans autorisation écrite préalable. Les demandes d’autorisation peuvent être adressées à l’ISO à

l’adresse ci-après ou au comité membre de l’ISO dans le pays du demandeur.
ISO copyright office
Case postale 56 • CH-1211 Geneva 20
Tel. + 41 22 749 01 11
Fax + 41 22 749 09 47
E-mail copyright@iso.org
Web www.iso.org
Publié en Suisse
ii © ISO 2014 – Tous droits réservés
Contents .......... Page

Foreword .......... v
Introduction .......... vi
1 Scope .......... 1
2 Normative references .......... 1
3 Terms and definitions .......... 1
4 Context of the organization .......... 5
4.1 Understanding the organization and its context .......... 5
4.2 Understanding the needs and expectations of interested parties .......... 5
4.3 Determining the scope of the compliance management system .......... 6
4.4 Compliance management system and principles of good governance .......... 6
4.5 Compliance obligations .......... 6
4.5.1 Identification of compliance obligations .......... 6
4.5.2 Maintaining compliance obligations .......... 7
4.6 Identification, analysis and evaluation of compliance risks .......... 7
5 Leadership .......... 8
5.1 Leadership and commitment .......... 8
5.2 Compliance policy .......... 9
5.2.1 General .......... 9
5.2.2 Development .......... 10
5.3 Organizational roles, responsibilities and authorities .......... 10
5.3.1 General .......... 10
5.3.2 Allocation of compliance responsibilities within the organization .......... 11
5.3.3 Role and responsibility of the governing body and top management .......... 11
5.3.4 Compliance function .......... 12
5.3.5 Management responsibilities .......... 13
5.3.6 Employee responsibilities .......... 14
6 Planning .......... 14
6.1 Actions to address compliance risks .......... 14
6.2 Compliance objectives and planning to achieve them .......... 14
7 Support .......... 15
7.1 Resources .......... 15
7.2 Competence and training .......... 15
7.2.1 Competence .......... 15
7.2.2 Training .......... 16
7.3 Awareness .......... 17
7.3.1 General .......... 17
7.3.2 Behaviours .......... 17
7.4 Communication .......... 19
7.4.1 General .......... 19
7.4.2 Internal communication .......... 19
7.4.3 External communication .......... 19
7.5 Documented information .......... 19
7.5.1 General .......... 19
7.5.2 Creating and updating .......... 20
7.5.3 Control of documented information .......... 20
8 Operation .......... 21
8.1 Operational planning and control .......... 21
8.2 Establishing controls and procedures .......... 21
8.3 Outsourced processes .......... 22
9 Performance evaluation .......... 22
9.1 Monitoring, measurement, analysis and evaluation .......... 22
9.1.1 General .......... 22
9.1.2 Monitoring .......... 23
9.1.3 Sources of feedback on compliance performance .......... 23
9.1.4 Information collection methods .......... 24
9.1.5 Analysis and classification of information .......... 24
9.1.6 Developing indicators .......... 25
9.1.7 Compliance reporting .......... 25
9.1.8 Content of compliance reports .......... 26
9.1.9 Record keeping .......... 26
9.2 Audit .......... 27
9.3 Management review .......... 27
10 Improvement .......... 28
10.1 Nonconformity, non-compliance and corrective action .......... 28
10.1.1 General .......... 28
10.1.2 Escalation .......... 29
10.2 Continual improvement .......... 30
Bibliography .......... 31
Foreword

ISO (the International Organization for Standardization) is a worldwide federation of national standards bodies (ISO member bodies). The work of preparing International Standards is normally carried out through ISO technical committees. Each member body interested in a subject for which a technical committee has been established has the right to be represented on that committee. International organizations, governmental and non-governmental, in liaison with ISO, also take part in the work. ISO collaborates closely with the International Electrotechnical Commission (IEC) on all matters of electrotechnical standardization.

The procedures used to develop this document and those intended for its further maintenance are described in the ISO/IEC Directives, Part 1. In particular, the different approval criteria needed for the different types of ISO documents should be noted. This document was drafted in accordance with the editorial rules of the ISO/IEC Directives, Part 2 (see www.iso.org/directives).

Attention is drawn to the possibility that some of the elements of this document may be the subject of intellectual property rights or similar rights. ISO shall not be held responsible for identifying any or all such rights or for giving notice of their existence. Details of any intellectual property rights or similar rights identified during the development of the document will be in the Introduction and/or on the ISO list of patent declarations received (see www.iso.org/brevets).

Any trade name used in this document is information given for the convenience of users and does not constitute an endorsement.

For an explanation of the meaning of ISO specific terms and expressions related to conformity assessment, as well as information about ISO's adherence to the WTO principles in the Technical Barriers to Trade (TBT), see the following link: Foreword — Supplementary information.

The committee responsible for this document is Project Committee ISO/PC 271, Compliance management systems.
Introduction

Organizations that aim to be successful in the long term need to maintain a culture of integrity and compliance and to take into account the needs and expectations of stakeholders. Integrity and compliance are therefore not only a prerequisite, but also an opportunity, for a successful and sustainable organization.

Compliance is an outcome of an organization meeting its obligations. Compliance is made sustainable by embedding it in the culture of the organization and in the behaviour and attitude of the people working for it. While maintaining its independence, it is preferable that compliance management be integrated with the organization's financial, risk, quality, environmental and health and safety management processes and with its operational requirements and procedures.

An effective organization-wide compliance management system enables an organization to demonstrate its commitment to compliance with applicable laws, including legislative requirements, industry codes and organizational standards, as well as standards of good corporate governance, best practices, ethics and the expectations of interested parties.

An organization's approach to compliance is ideally shaped by leadership applying core values and generally accepted corporate governance, ethical and community standards. Embedding compliance in the behaviour of the people working for an organization depends above all on leadership at all levels and clear values of the organization, as well as on the acknowledgement and implementation of measures to promote compliant behaviour. If this is not the case at all levels of an organization, there is a risk of non-compliance.

In a number of jurisdictions, courts have taken into account an organization's commitment to compliance, as reflected in its compliance management system, when determining the appropriate penalty to impose for contraventions of applicable laws. Regulatory and judicial bodies can therefore also benefit from this International Standard as a benchmark.

Organizations are increasingly convinced that applying binding values and appropriate compliance management will enable them to preserve their integrity and to avoid or reduce the risk of contraventions of the law. Integrity and effective compliance are therefore key elements of diligent management. Compliance also contributes to the socially responsible behaviour of organizations.

This International Standard does not specify requirements, but provides guidance on compliance management systems and recommended practices. The guidance in this International Standard is intended to be flexible, and its use can differ depending on the size and maturity level of an organization's compliance management system and on the context, nature and complexity of the organization's activities, including its compliance policy and objectives.

The flow chart in Figure 1 is consistent with other management systems and is based on the principle of continual improvement ("Plan-Do-Check-Act").

Figure 1 – Flow chart of a compliance management system (figure not reproduced in this extract)

This International Standard has adopted the "high-level structure" (HLS) (i.e. clause sequence, identical core text and common core terms and definitions) developed by ISO to improve alignment among its International Standards for management systems. In addition to its general recommendations on the compliance management system, this International Standard also provides a framework to assist in implementing specific compliance-related requirements in any management system.

Organizations that have not adopted a management system standard or a compliance management framework can easily adopt this International Standard as stand-alone guidance within their organization.

This International Standard can improve the compliance-related requirements in other management systems and help an organization to improve the overall management of all its compliance obligations.

This International Standard can be combined with existing management system standards (e.g. ISO 9001, ISO 14001, ISO 22000) and generic guidelines (e.g. ISO 31000, ISO 26000).
INTERNATIONAL STANDARD ISO 19600:2014(F)
Compliance management systems – Guidelines
1 Scope

This International Standard provides guidance for establishing, developing, implementing, evaluating, maintaining and improving an effective and responsive compliance management system within an organization.

The guidelines on compliance management systems are applicable to all types of organizations. The extent of the application of these guidelines depends on the size, structure, nature and complexity of the organization. This International Standard is based on the principles of good governance, proportionality, transparency and sustainability.

2 Normative references
There are no normative references.
3 Terms and definitions

For the purposes of this document, the following terms and definitions apply.

3.1
organization

person or group of people that has its own functions with responsibilities, authorities and relationships to achieve its objectives (3.9)

Note 1 to entry: The concept of organization includes, but is not limited to, sole-trader, company, corporation, firm, enterprise, authority, partnership, charity or institution, or part or combination thereof, whether incorporated or not, public or private.

3.2
interested party (preferred term)
stakeholder (admitted term)

person or organization (3.1) that can affect, be affected by, or perceive itself to be affected by a decision or activity
3.3
top management

person or group of people who directs and controls an organization (3.1) at the highest level

Note 1 to entry: Top management has the power to delegate authority and provide resources within the organization.

Note 2 to entry: If the scope of the management system (3.7) covers only part of an organization, then top management refers to those who direct and control that part of the organization.

3.4
governing body

person or group of people who govern an organization (3.1), set its direction and to whom top management (3.3) is accountable
3.5
employee

individual in a relationship recognized as an employment relationship in national law or practice
3.6
compliance function
person(s) with responsibility for compliance management (3.17)

Note 1 to entry: It is preferable that overall responsibility for compliance management (3.17) be assigned to a single person.
3.7
management system

set of interrelated or interacting elements of an organization (3.1) used to establish policies (3.8) and objectives (3.9) and processes (3.10) to achieve those objectives

Note 1 to entry: A management system can address a single discipline or several disciplines.

Note 2 to entry: The system elements include the organization's structure, roles and responsibilities, planning, operation, etc.

Note 3 to entry: The scope of a management system may include the whole of the organization, specific and identified functions of the organization, specific and identified sections of the organization, or one or more functions across a group of organizations.
3.8
policy

intentions and direction of an organization (3.1) as formally expressed by its top management (3.3)
3.9
objective
result to be achieved

Note 1 to entry: An objective can be strategic, tactical and/or operational.

Note 2 to entry: Objectives can relate to different disciplines (such as financial, health and safety, and environmental goals) and can apply at different levels (such as strategic, organization-wide, project, product and process (3.10)).

Note 3 to entry: An objective can be expressed in other ways, e.g. as an intended outcome, a purpose, an operational criterion, as a compliance objective or by the use of other words with similar meaning (e.g. aim, goal or target).

Note 4 to entry: In the context of compliance management system standards, compliance objectives are set by the organization, consistent with its compliance policy, to achieve specific results.
3.10
process

set of interrelated or interacting activities which transforms inputs into outputs
3.11
risk
effect of uncertainty on objectives (3.9)

Note 1 to entry: An effect is a deviation from the expected, positive or negative.

Note 2 to entry: Uncertainty is the state, even partial, of deficiency of information related to understanding or knowledge of an event, its consequence or its likelihood.
Note 3 to entry: Risk is often characterized by reference to potential "events" (as defined in ISO Guide 73:2009, 3.5.1.3) and potential "consequences" (as defined in ISO Guide 73:2009, 3.6.1.3), or a combination of these.

Note 4 to entry: Risk is often expressed in terms of a combination of the consequences of an event (including changes in circumstances) and the associated "likelihood" of occurrence (as defined in ISO Guide 73:2009, 3.6.1.1).
3.12
compliance risk
effect of uncertainty on compliance objectives (3.9)

Note 1 to entry: Compliance risk can be characterized by the likelihood of occurrence and the consequences of non-compliance (3.18) with the organization's compliance obligations (3.16).

3.13
requirement
need or expectation that is stated, generally implied or obligatory

Note 1 to entry: "Generally implied" means that it is custom or common practice for the organization and interested parties that the need or expectation under consideration is implied.

Note 2 to entry: A specified requirement is one that is stated, for example in documented information.

3.14
compliance requirement
requirement (3.13) that an organization (3.1) has to comply with
3.15
compliance commitment
requirement (3.13) that an organization (3.1) chooses to comply with
3.16
compliance obligation
compliance requirement (3.14) or compliance commitment (3.15)
3.17
compliance
meeting all the organization's compliance obligations (3.16)

Note 1 to entry: Compliance is made sustainable by embedding it in the culture of an organization (3.1) and in the behaviour and attitude of the people working for that organization.
3.18
non-compliance
failure to meet a compliance obligation (3.16)

Note 1 to entry: Non-compliance can be a single or a repeated event, and it may or may not be the result of a nonconformity (3.33).
3.19
compliance culture

values, ethics and beliefs that exist throughout an organization (3.1) and interact with the organization's structures and control systems to produce behavioural norms that are conducive to compliance (3.17) outcomes
3.20
code

statement of an established practice, internally or by an international, national or industry body or other organization (3.1)

Note 1 to entry: A code can be mandatory or voluntary.
3.21
organizational and industry standards

documented set of codes (3.20), good practices, charters, technical and industry standards considered relevant by an organization (3.1)
3.22
regulatory authority

organization (3.1) responsible for governing or enforcing compliance (3.17) with legal and other requirements (3.13)
3.23
competence

ability to apply knowledge and skills to achieve intended results

3.24
documented information

information required to be controlled and maintained by an organization (3.1) and the medium on which it is contained

Note 1 to entry: Documented information can be in any format and on any medium and from any source.
Note 2 to entry: Documented information can refer to:
— the management system (3.7), including related processes (3.10);

— information created in order for the organization to operate (documentation);

— evidence of results achieved (records).
3.25
procedure
specified way to carry out an activity or a process (3.10)
3.26
performance
measurable result
...

SLOVENIAN STANDARD SIST ISO 19600, December 2016
Compliance management systems – Guidelines
(Slovenian: Sistemi upravljanja skladnosti – Smernice; French: Systèmes de management de la compliance – Lignes directrices)
Reference designation: SIST ISO 19600:2016 (sl, en)
ICS 03.100.70; 03.120.01
Continued on pages 2 to 49

© 2017-02. Slovenian Institute for Standardization. Reproduction of this standard in whole or in part is not permitted.

NATIONAL INTRODUCTION

The standard SIST ISO 19600 (sl, en), Compliance management systems – Guidelines, 2016, has the status of a Slovenian standard and is identical to the international standard ISO 19600, Compliance management systems – Guidelines, 2014.
NATIONAL FOREWORD

The text of ISO 19600:2014 was prepared by project committee ISO/PC 271, Compliance management systems. The Slovenian standard SIST ISO 19600:2016 is a translation of the English text of the international standard ISO 19600:2014. In case of dispute concerning the text of the Slovenian translation in this standard, the original European standard in English prevails. The Slovenian-English edition of the standard was prepared by the European Institute of Compliance and Ethics (Evropski inštitut za skladnost in etiko poslovanja) in cooperation with SIST/TC VZK Quality management and quality assurance.

The decision to adopt this standard was taken on 8 July 2016 by SIST/TC VZK Quality management and quality assurance.
RELATED STANDARDS

With the adoption of this European standard, for the limited purpose of referenced standards, all standards cited in the original apply, except for the standards already adopted into national standardization:

SIST EN ISO 9001:2015 (sl,en) Quality management systems – Requirements (ISO 9001:2015)

SIST ISO 10002:2014 (en) Quality management – Customer satisfaction – Guidelines for complaints handling in organizations

SIST EN ISO 14001:2015 (sl,en) Environmental management systems – Requirements with guidance for use (ISO 14001:2015)

SIST EN ISO 19011:2011 (sl,en) Guidelines for auditing management systems (ISO 19011:2011)

SIST ISO 31000:2011 (sl,en) Risk management – Principles and guidelines
SIST ISO 26000:2010 (sl,en) Guidance on social responsibility.
BASIS FOR THE ISSUE OF THE STANDARD
– Adoption of ISO 19600:2014
NOTES
– Wherever the term "international standard" is used in the text of the standard, in
SIST ISO 19600:2016 it means "Slovenian standard".
– The national introduction and the national foreword are not an integral part of the standard.
---------------------- Page: 2 ----------------------
SIST ISO 19600 : 2016
Contents                                                         Page

Foreword ............................................................. 5
Introduction ......................................................... 6
1 Scope .............................................................. 9
2 Normative references ............................................... 9
3 Terms and definitions .............................................. 9
4 Context of the organization ....................................... 15
4.1 Understanding the organization and its context .................. 15
4.2 Understanding the needs and expectations of interested parties .. 15
4.3 Determining the scope of the compliance management system ....... 15
4.4 Compliance management system and principles of good governance .. 15
4.5 Compliance obligations .......................................... 16
4.6 Identification, analysis and evaluation of compliance risks ..... 17
5 Leadership ........................................................ 18
5.1 Leadership and commitment ....................................... 18
5.2 Compliance policy ............................................... 20
5.3 Organizational roles, responsibilities and authorities .......... 22
6 Planning .......................................................... 27
6.1 Actions to address compliance risks ............................. 27
6.2 Compliance objectives and planning to achieve them .............. 28
7 Support ........................................................... 28
7.1 Resources ....................................................... 28
7.2 Competence and training ......................................... 29
7.3 Awareness ....................................................... 31
7.4 Communication ................................................... 33
7.5 Documented information .......................................... 34
8 Operation ......................................................... 36
8.1 Operational planning and control ................................ 36
8.2 Establishing controls and procedures ............................ 36
8.3 Outsourced processes ............................................ 37
9 Performance evaluation ............................................ 38
9.1 Monitoring, measurement, analysis and evaluation ................ 38
9.2 Audit ........................................................... 44
9.3 Management review ............................................... 45
10 Improvement ...................................................... 46
10.1 Nonconformity, noncompliance and corrective action ............. 46
10.2 Continual improvement .......................................... 48
Bibliography ........................................................ 49

Foreword

ISO (the International Organization for Standardization) is a worldwide federation of national standards bodies (ISO member bodies). The work of preparing International Standards is normally carried out through ISO technical committees. Each member body interested in a subject for which a technical committee has been established has the right to be represented on that committee. International organizations, governmental and non-governmental, in liaison with ISO, also take part in the work. ISO collaborates closely with the International Electrotechnical Commission (IEC) on all matters of electrotechnical standardization.

The procedures used to develop this document and those intended for its further maintenance are described in the ISO/IEC Directives, Part 1. In particular the different approval criteria needed for the different types of ISO documents should be noted. This document was drafted in accordance with the editorial rules of the ISO/IEC Directives, Part 2 (see www.iso.org/directives).

Attention is drawn to the possibility that some of the elements of this document may be the subject of patent rights. ISO shall not be held responsible for identifying any or all such patent rights. Details of any patent rights identified during the development of the document will be in the Introduction and/or on the ISO list of patent declarations received (see www.iso.org/patents).

Any trade name used in this document is information given for the convenience of users and does not constitute an endorsement.

For an explanation on the meaning of ISO specific terms and expressions related to conformity assessment, as well as information about ISO's adherence to the WTO principles in the Technical Barriers to Trade (TBT) see the following URL: Foreword – Supplementary information.

The committee responsible for this document is Project Committee ISO/PC 271, Compliance management systems.
Introduction

Organizations that aim to be successful in the long term need to maintain a culture of integrity and compliance, and to consider the needs and expectations of stakeholders. Integrity and compliance are therefore not only the basis, but also an opportunity, for a successful and sustainable organization.

Compliance is an outcome of an organization meeting its obligations, and is made sustainable by embedding it in the culture of the organization and in the behaviour and attitude of people working for it. While maintaining its independence, it is preferable if compliance management is integrated with the organization's financial, risk, quality, environmental and health and safety management processes and its operational requirements and procedures.

An effective, organization-wide compliance management system enables an organization to demonstrate its commitment to compliance with relevant laws, including legislative requirements, industry codes and organizational standards, as well as standards of good corporate governance, best practices, ethics and community expectations.

An organization's approach to compliance is ideally shaped by the leadership applying core values and generally accepted corporate governance, ethical and community standards. Embedding compliance in the behaviour of the people working for an organization depends above all on leadership at all levels and clear values of an organization, as well as an acknowledgement and implementation of measures to promote compliant behaviour. If this is not the case at all levels of an organization, there is a risk of noncompliance.

In a number of jurisdictions, the courts have considered an organization's commitment to compliance through its compliance management system when determining the appropriate penalty to be imposed for contraventions of relevant laws. Therefore, regulatory and judicial bodies can also benefit from this International Standard as a benchmark.

Organizations are increasingly convinced that by applying binding values and appropriate compliance management, they can safeguard their integrity and avoid or minimize noncompliance with the law. Integrity and effective compliance are therefore key elements of good, diligent management. Compliance also contributes to the socially responsible behaviour of organizations.

This International Standard does not specify requirements, but provides guidance on compliance management systems and recommended practices. The guidance in this International Standard is intended to be adaptable, and the use of this guidance can differ depending on the size and level of maturity of an organization's compliance management system and on the context, nature and complexity of the organization's activities, including its compliance policy and objectives.

The flowchart in Figure 1 is consistent with other management systems and is based on the continual improvement principle ("Plan-Do-Check-Act").

Figure 1 – Flowchart of a compliance management system
This International Standard has adopted the "high-level structure" (i.e. clause sequence, common text and common terminology) developed by ISO to improve alignment among its International Standards for management systems. In addition to its generic guidance on a compliance management system, this International Standard also provides a framework to assist in the implementation of specific compliance-related requirements in any management system.

Organizations that have not adopted management system standards or a compliance management framework can easily adopt this International Standard as stand-alone guidance within their organization.

This International Standard is suitable to enhance the compliance-related requirements in other management systems and to assist an organization in improving the overall management of all its compliance obligations.

This International Standard can be combined with existing management system standards (e.g. ISO 9001, ISO 14001, ISO 22000) and generic guidelines (e.g. ISO 31000, ISO 26000).
Compliance management systems – Guidelines

1 Scope

This International Standard provides guidance for establishing, developing, implementing, evaluating, maintaining and improving an effective and responsive compliance management system within an organization.

The guidelines on compliance management systems are applicable to all types of organizations. The extent of the application of these guidelines depends on the size, structure, nature and complexity of the organization. This International Standard is based on the principles of good governance, proportionality, transparency and sustainability.

2 Normative references

There are no normative references.

3 Terms and definitions

For the purpose of this document, the following terms and definitions apply.

3.1
organization
person or group of people that has its own functions with responsibilities, authorities and relationships to achieve its objectives (3.9)

NOTE 1 to entry: The concept of organization includes, but is not limited to sole-trader, company, corporation, firm, enterprise, authority, partnership, charity or institution, or part or combination thereof, whether incorporated or not, public or private.

3.2
interested party (preferred term)
stakeholder (admitted term)
person or organization (3.1) that can affect, be affected by, or perceive themselves to be affected by a decision or activity

3.3
top management
person or group of people who directs and controls an organization (3.1) at the highest level

NOTE 1 to entry: Top management has the power to delegate authority and provide resources within the organization.
NOTE 2 to entry: If the scope of the management system (3.7) covers only part of an organization then top management refers to those who direct and control that part of the organization.

3.4
governing body
person or group of people that governs an organization (3.1), sets directions and holds top management (3.3) to account

3.5
employee
individual in a relationship recognized as an employment relationship in national law or practice

3.6
compliance function
person(s) with responsibility for compliance (3.17) management

NOTE 1 to entry: Preferably one individual will be assigned overall responsibility for compliance (3.17) management.

3.7
management system
set of interrelated or interacting elements of an organization (3.1) to establish policies (3.8) and objectives (3.9) and processes (3.10) to achieve those objectives

NOTE 1 to entry: A management system can address a single discipline or several disciplines.

NOTE 2 to entry: The system elements include the organization's structure, roles and responsibilities, planning, operation, etc.

NOTE 3 to entry: The scope of a management system may include the whole of the organization, specific and identified functions of the organization, specific and identified sections of the organization, or one or more functions across a group of organizations.

3.8
policy
intentions and direction of an organization (3.1) as formally expressed by its top management (3.7)

3.9
objective
result to be achieved

NOTE 1 to entry: An objective can be strategic, tactical and/or operational.

NOTE 2 to entry: Objectives can relate to different disciplines (such as financial, health and safety, and environmental goals) and can apply at different levels (such as strategic, organization-wide, project, product and process (3.10)).
NOTE 3 to entry: An objective can be expressed in other ways, e.g. as an intended outcome, a purpose, an operational criterion, as a compliance objective or by the use of other words with similar meaning (e.g. aim, goal, or target).

NOTE 4 to entry: In the context of compliance management systems, compliance objectives are set by the organization, consistent with the compliance policy, to achieve specific results.

3.10
process
set of interrelated or interacting activities which transforms inputs into outputs

3.11
risk
effect of uncertainty on objectives (3.9)

NOTE 1 to entry: An effect is a deviation from the expected – positive or negative.

NOTE 2 to entry: Uncertainty is the state, even partial, of deficiency of information related to, understanding or knowledge of, an event, its consequence, or likelihood.

NOTE 3 to entry: Risk is often characterized by reference to potential "events" (as defined in ISO Guide 73:2009, 3.5.1.3) and "consequences" (as defined in ISO Guide 73:2009, 3.6.1.3), or a combination of these.

NOTE 4 to entry: Risk is often expressed in terms of a combination of the consequences of an event (including changes in circumstances) and the associated "likelihood" (as defined in ISO Guide 73:2009, 3.6
...
