scce-cep-2015-06-Wylie (2)

Compliance & Ethics Professional
A publication of the Society of Corporate Compliance and Ethics
www.corporatecompliance.org
June 2015

See page 14
Meet Lynette Fons, Chief Compliance Officer and member of the Mayor’s Executive Staff, City of Houston
Meet Louis Perold, Compliance Officer, Pretoria, South Africa
See page 20

45 Ten outrageous bribes from around the world, by Nitish Singh, Brendan Keating, and Thomas Bussen
43 Don’t let ethics be left unsaid, by Lyndsay C. Tanner
27 Discovery in False Claims Act cases when the government declines to intervene, by Winston Y. Chan and Joseph Tartakovsky
37 The science art of third-party due diligence, by John Baird


+1 952 933 4977 or 888 277 4977 www.corporatecompliance.org 63

by A. Lillian Wylie

In December 2014, the International Organization for Standardization (ISO) published a new standard on compliance management, ISO 19600:2014 — Compliance management systems. At just a few months old, it is too soon to tell how the new standard will be viewed by the international Compliance community. Although there has been some press about the new publication in Australia (the new ISO standard is heavily based on the Australian standard for compliance programs), there appears to have been little notice from the rest of the world. This may be because it was released during that period when compliance officers everywhere were busily planning their Christmas holidays, or it may suggest that unless or until the ISO standard is endorsed by national regulators, it will garner little attention.

Why an international standard?

If adopted widely, the new ISO standard for compliance management systems could see the end of the current system of individual best practice guidance notes published by various local, national, and supra-national regulators. Currently there is a plethora of different regulator guidance notes on best practice compliance systems in circulation around the globe, varying by both subject matter (e.g., anti-bribery compliance, data protection, and privacy compliance) and industry (e.g., healthcare compliance, government vendor compliance). On the positive side, the variety of different guides means that the direction is usually well tailored to the situation at hand and is fit for purpose. Contra this, the sheer number of different guides in circulation makes it very difficult for companies working across multiple sectors or countries to know which one to adopt.

ISO 19600:2014 Compliance management systems: Guidelines

» There is currently a plethora of different regulator guidance notes on best practice compliance systems in circulation around the globe.

» If widely accepted, ISO 19600 would allow companies to authoritatively implement a single compliance template across their different operations.

» The courts will also play a role in the Compliance community’s acceptance of ISO 19600.

» ISO 19600 sets out a principles-based approach to compliance management systems and recommended practices.

» ISO 19600 has the potential to bring greater recognition, awareness, and stability to the global Compliance profession.

What makes this current patchwork system workable is that in practice the different guides are generally fairly similar, all involving principles broadly along the lines of:

· Commitment from the top management down

· Adequate resourcing and training

· Implementation

· Ongoing review and continuous improvement

Notwithstanding the similarity of the various guidances, if widely accepted, ISO 19600 would allow companies to authoritatively implement a single compliance template across their different operations. This would assist greatly in providing clarity of vision for the Compliance function, ease of communication to senior management, economies of scale in terms of resourcing, and provide the ISO stamp of quality assurance for companies that choose to become ISO-certified in compliance. Likewise, choosing to become an ISO-certified provider could become a significant advantage for companies in competitive scenarios, providing customers (who may be from different jurisdictions and have little understanding of local regulator requirements) with assurance that the company in question has a solid compliance program in place.

The process of adoption by international regulators will doubtless be lengthy, however: as regulators move to assess ISO 19600 against their current guidance, they will want to conduct a gap analysis and make recommendations to adopt or not. In the meantime, however, we may see international companies take an early-adopter approach, reasoning that ISO 19600 is highly likely (for the reasons outlined above) to become global practice and, therefore, they should act now to be ahead of the game. Companies based in countries without strong regulator guidance on a preferred approach to compliance programs may also choose to adopt ISO 19600 in lieu of using a foreign regulator’s approach as the threshold for best practice. Ultimately, the courts will also play a role in the Compliance community’s acceptance of ISO 19600. If we see a significant move in judicial bodies to adopt the new ISO standard as a model of acceptable conduct, this will doubtless encourage companies to follow suit.

What does the new ISO 19600 cover?

ISO 19600 does not set out a prescriptive approach to creating and implementing a compliance program. Rather, it sets out a principles-based approach to compliance management systems and recommended practices. This makes the standard adaptable to the size and level of maturity of an organization and is generally in line with the principles-based approach taken by regulators around the world.

ISO 19600 is structured into seven distinct parts:

· Context of the organization

· Leadership

· Planning

· Support

· Operation

· Performance evaluation

· Improvement

Each of these principles is then expanded into further sub-headings, discussed below.

The first emphasis of ISO 19600 is on understanding the organization at hand, and its context, needs, and requirements. This includes:

· Understanding the purpose and structure of the organization, political, social and economic environment, objectives, strategic direction, and organisational values;

· Evaluating the need and expectations of internal and external stakeholders;

· Determining the intended scope (including geographical and/or organisational boundaries) of the compliance management system;

· Structuring the compliance management system in line with good governance principles to ensure:

• direct access of the Compliance function to the governing body/board,

• independence of the Compliance function, and

• appropriate authority and resources allocated to the Compliance function.

· Identifying and collating compliance obligations (both mandatory and voluntary); and

· Identifying, analyzing, and evaluating compliance risks, including establishing an accepted organisational risk appetite for legal compliance risks. This should be a periodic and ongoing process.

The second emphasis of the ISO 19600 model is on leadership, including:

· The establishment and championing of a strong value-driven culture for the company;

· Commitment (both words and action) from the senior management team to the goals of the compliance program;

· Commitment of appropriate resources;

· A clear, comprehensive compliance policy endorsed by the executive; and

· A clear outline and assignation of organizational roles, responsibilities, and authorities (e.g., for the governing body/top management, the Compliance function, management, and employees).

The third element of the model, planning, ensures that:

· Compliance objectives should be consistent with the compliance policy, measurable, practicable, monitored, communicated, and updated as appropriate;

· The organization should clearly determine how to achieve these objectives, including resources required, responsibility, and target completion dates; and

· These efforts should be documented.

The fourth component considers the support necessary to implement a compliance management system, including:

· Adequate resources, including access to organisational infrastructure, finance and human resources, external advice, and contemporary reference material on best practice compliance and legal developments;

· Competence and training, including maintaining records;

· Organizational awareness of the compliance program, the role an individual plays in contributing to and maintaining the program, and the implications of not conforming with the compliance management system requirements;

· The development of a compliance culture via active, visible, consistent, and sustained commitment of the governing body and management towards a common published standard of behaviour; and

· The need for documented information regarding the operation of the compliance program.

The fifth element looks at the compliance management system in operation and the importance of:

· Operational planning and controls to manage identified compliance obligations;

· Integrating the compliance management system with existing business processes;

· Aligning operational targets with compliance obligations;

· Establishing controls and procedures; and

· Ensuring that outsourced processes are also subject to an appropriate degree of control and monitoring.

The sixth principle focuses on performance evaluation, including:

· Monitoring, measurement, analysis, and evaluation, including the development of measurable indicators to assist the organization in measuring the achievement of its compliance objectives (e.g., percentage of employees trained effectively);

· Auditing practices; and

· Management review.

The seventh and final element considers:

· Corrective action to be taken in the event of nonconformity or non-compliance; and

· Continual improvement.

Where to from here?

There is no denying that having an international standard for compliance management systems has the potential to bring greater recognition, awareness, and stability to the global Compliance profession, and to benefit and create certainty for the vast majority of organisations who operate across borders in today’s globalised world. Whether this potential is realised, however, will depend largely on the acceptance and promotion of the new ISO standard by influential regulators and courts. We will await further developments with bated breath.

A. Lillian Wylie ([email protected]) is the Compliance Officer at PTTEP Australasia Pty Ltd in West Perth, Australia.
