DIN ISO 19600-2016 Compliance management systems - Guidelines (ISO 19600 2014)《合规性管理系统 指南(ISO 19600-2014)》.pdf

1、December 2016 English price group 16No part of this translation may be reproduced without prior permission ofDIN Deutsches Institut fr Normung e. V., Berlin. Beuth Verlag GmbH, 10772 Berlin, Germany,has the exclusive right of sale for German Standards (DIN-Normen).ICS 03.100.02; 03.100.70!%n“2597525

2、www.din.deDIN ISO 19600Compliance management systems Guidelines (ISO 19600:2014),English translation of DIN ISO 19600:2016-12ComplianceManagementsysteme Leitlinien (ISO 19600:2014),Englische bersetzung von DIN ISO 19600:2016-12Systmes de management de la compliance Lignes directrices (ISO 19600:2014

3、),Traduction anglaise de DIN ISO 19600:2016-12www.beuth.deDocument comprises 33 pagesDTranslation by DIN-Sprachendienst.In case of doubt, the German-language original shall be considered authoritative.12.16 A comma is used as the decimal marker. Contents PageNational foreword 3Introduction .41 Scope

4、 . 62 Normative references 63 Terms and definition 64 Context of the organization 104.1 Understanding the organization and its context 104.2 Understanding the needs and expectations of interested parties .104.3 Determining the scope of the compliance management system 104.4 Compliance management sys

5、tem and principles of good governance 114.5 Compliance obligations 114.6 Identification, analysis and evaluation of compliance risks .125 Leadership .135.1 Leadership and commitment 135.2 Compliance policy .145.3 Organizational roles, responsibilities and authorities.156 Planning 186.1 Actions to ad

6、dress compliance risks . 186.2 Compliance objectives and planning to achieve them .197 Support 197.1 Resources 197.2 Competence and training 197.3 Awareness 217.4 Communication . 227.5 Documented information 238 Operation 248.1 Operational planning and control . 248.2 Establishing controls and proce

7、dures . 248.3 Outsourced processes 259 Performance evaluation 269.1 Monitoring, measurement, analysis and evaluation 269.2 Audit 309.3 Management review 3010 Improvement .3110.1 Nonconformity, noncompliance and corrective action .3110.2 Continual improvement . 32Bibliography .33DIN ISO 19600:2016-12

8、 2 National foreword This document (ISO 19600:2014) has been prepared by Technical Committee ISO/TMBG “Technical Management Board groups”. The responsible German body involved in its preparation was DIN-Normenausschuss Organisationsprozesse (DIN Standards Committee Organizational Processes), Working

9、 Committee NA 175-00-01 AA Compliance-Management. Attention is drawn to the possibility that some of the elements of this document may be the subject of patent rights. DIN and/or DKE shall not be held responsible for identifying any or all such patent rights. DIN ISO 19600:2016-12 3 IntroductionOrga

10、nizations that aim to be successful in the long term need to maintain a culture of integrity and compliance, and to consider the needs and expectations of stakeholders. Integrity and compliance are therefore not only the basis, but also an opportunity, for a successful and sustainable organization.C

11、ompliance is an outcome of an organization meeting its obligations, and is made sustainable by embedding it in the culture of the organization and in the behaviour and attitude of people working for it. While maintaining its independence, it is preferable if compliance management is integrated with

12、the organizations financial, risk, quality, environmental and health and safety management processes and its operational requirements and procedures.An effective, organization-wide compliance management system enables an organization to demonstrate its commitment to compliance with relevant laws, in

13、cluding legislative requirements, industry codes and organizational standards, as well as standards of good corporate governance, best practices, ethics and community expectations.An organizations approach to compliance is ideally shaped by the leadership applying core values and generally accepted

14、corporate governance, ethical and community standards. Embedding compliance in the behaviour of the people working for an organization depends above all on leadership at all levels and clear values of an organization, as well as an acknowledgement and implementation of measures to promote compliant

15、behaviour. If this is not the case at all levels of an organization, there is a risk of noncompliance.In a number of jurisdictions, the courts have considered an organizations commitment to compliance through its compliance management system when determining the appropriate penalty to be imposed for

16、 contraventions of relevant laws. Therefore, regulatory and judicial bodies can also benefit from this International Standard as a benchmark.Organizations are increasingly convinced that by applying binding values and appropriate compliance management, they can safeguard their integrity and avoid or

17、 minimize noncompliance with the law. Integrity and effective compliance are therefore key elements of good, diligent management. Compliance also contributes to the socially responsible behaviour of organizations.This International Standard does not specify requirements, but provides guidance on com

18、pliance management systems and recommended practices. The guidance in this International Standard is intended to be adaptable, and the use of this guidance can differ depending on the size and level of maturity of an organizations compliance management system and on the context, nature and complexit

19、y of the organizations activities, including its compliance policy and objectives.The flowchart in Figure 1 is consistent with other management systems and is based on the continual improvement principle (“Plan-Do-Check-Act”).DIN ISO 19600:2016-12 4 (PPEHPWFSOBODFQSJODJQMFT *EFOUJGJDBUJPOPGFYUFSOBMB

20、OEJOUFSOBMJTTVFT *EFOUJGJDBUJPOPGJOUFSFTUFEQBSUJFTSFRVJSFNFOUT 1MBOOJOHUPBEESFTTDPNQMJBODFSJTLTBOEUPBDIJFWFPCKFDUJWFT 0QFSBUJPOBMQMBOOJOHBOEDPOUSPMPGDPNQMJBODFSJTLT 1FSGPSNBODFFWBMVBUJPOBOEDPNQMJBODFSFQPSUJOH .BOBHJOHOPODPNQMJBODFTBOEDPOUJOVBMJNQSPWFNFOU information created in order for the organiza

21、tion to operate (documentation); evidence of results achieved (records).3.25procedurespecified way to carry out an activity or process (3.10)3.26performancemeasurable resultNote 1 to entry: Performance can relate either to quantitative or qualitative findings.Note 2 to entry: Performance can relate

22、to the management of activities, processes (3.10), products (including services), systems or organizations (3.1).3.27continual improvementrecurring activity or process (3.10) to enhance performance (3.26)3.28outsource (verb)make an arrangement where an external organization (3.1) performs part of an

23、 organizations function or process (3.10)Note 1 to entry: An external organization is outside the management system (3.7), although the outsourced function or process is within the scope.3.29monitoringdetermining the status of a system, a process (3.10) or an activityNote 1 to entry: To determine th

24、e status there may be a need to check, supervise or critically observe.Note 2 to entry: Monitoring is not a once-only activity, but a process of regularly or continuously observing a situation.3.30measurementprocess (3.10) to determine a value3.31auditsystematic, independent and documented process (

25、3.10) for obtaining audit evidence and evaluating it objectively to determine the extent to which the audit criteria are fulfilledNote 1 to entry: An audit can be an internal audit (first party) or an external audit (second party or third party), and it can be a combined audit (combining two or more

26、 disciplines).Note 2 to entry: “Audit evidence” and “audit criteria” are defined in ISO 19011.DIN ISO 19600:2016-12 9 Note 3 to entry: Independence can be demonstrated by the freedom from responsibility for the activity being audited or freedom from bias and conflict of interest.3.32conformityfulfil

27、ment of a management system requirement (3.13)3.33nonconformitynon-fulfilment of a management system requirement (3.13)Note 1 to entry: A nonconformity is not necessarily a noncompliance (3.18).3.34correctionaction to eliminate a detected nonconformity (3.33) or a noncompliance (3.18)3.35corrective

28、actionaction to eliminate the cause of a nonconformity (3.33) or a noncompliance (3.18) and to prevent recurrence4 Context of the organization4.1 Understanding the organization and its contextThe organization should determine external and internal issues, such as those related to compliance risks, t

29、hat are relevant to its purpose and that affect its ability to achieve the intended outcome(s) of its compliance management system. In doing so, the organization should consider a broad range of external and internal aspects, such as the regulatory, social and cultural contexts, the economic situati

30、on and the internal policies, procedures, processes and resources.4.2 Understanding the needs and expectations of interested partiesThe organization should determine: the interested parties that are relevant to the compliance management system; the requirements of these interested parties.4.3 Determ

31、ining the scope of the compliance management systemThe organization should determine the boundaries and applicability of the compliance management system to establish its scope.NOTE The scope of the compliance management system is intended to clarify the geographical and/or organizational boundaries

32、 to which the compliance management system will apply, especially if the organization is a part of a larger organization at a given location.When determining this scope, the organization should consider: the external and internal issues referred to in 4.1; the requirements referred to in 4.2 and 4.5

33、.1.The scope should be readily available as documented information.DIN ISO 19600:2016-12 10 4.4 Compliance management system and principles of good governanceThe organization should establish, develop, implement, evaluate, maintain and continually improve a compliance management system, including th

34、e processes needed and their interactions, in accordance with this International Standard, taking into consideration the following governance principles: direct access of the compliance function to the governing body; independence of the compliance function; appropriate authority and adequate resour

35、ces allocated to the compliance function.The compliance management system should reflect the organizations values, objectives, strategy and compliance risks.4.5 Compliance obligations4.5.1 Identification of compliance obligationsThe organization should systematically identify its compliance obligati

36、ons and their implications for its activities, products and services. The organization should take these obligations into account in establishing, developing, implementing, evaluating, maintaining and improving its compliance management system.The organization should document its compliance obligati

37、ons in a manner that is appropriate to its size, complexity, structure and operations.Sources of compliance obligations should include compliance requirements and can include compliance commitments.EXAMPLE 1 Examples of compliance requirements include: laws and regulations; permits, licences or othe

38、r forms of authorization; orders, rules or guidance issued by regulatory agencies; judgments of courts or administrative tribunals; treaties, conventions and protocols.EXAMPLE 2 Examples of compliance commitments include: agreements with community groups or non-governmental organizations; agreements

39、 with public authorities and customers; organizational requirements, such as policies and procedures; voluntary principles or codes of practice; voluntary labelling or environmental commitments; obligations arising under contractual arrangements with the organization; relevant organizational and ind

40、ustry standards.4.5.2 Maintenance of compliance obligationsOrganizations should have processes in place to identify new and changed laws, regulations, codes and other compliance obligations to ensure on-going compliance. Organizations should have processes to DIN ISO 19600:2016-12 11 evaluate the im

41、pact of the identified changes and implement any changes in the management of the compliance obligations.EXAMPLE Examples of processes to obtain information on changes to laws and other compliance obligations include: being on the mailing lists of relevant regulators; membership of professional grou

42、ps; subscribing to relevant information services; attending industry forums and seminars; monitoring the websites of regulators; meeting with regulators; arrangements with legal advisors; monitoring the sources of the compliance obligations (e.g. regulatory pronouncements and court decisions).4.6 Id

43、entification, analysis and evaluation of compliance risksThe organization should identify and evaluate its compliance risks. This evaluation can be based on a formal compliance risk assessment or conducted via alternative approaches. Compliance risk assessment constitutes the basis for the implement

44、ation of the compliance management system and the planned allocation of appropriate and adequate resources and processes to manage identified compliance risks.The organization should identify compliance risks by relating its compliance obligations to its activities, products, services and relevant a

45、spects of its operations in order to identify situations where noncompliance can occur. The organization should identify the causes for and consequences of noncompliance.The organization should analyse compliance risks by considering causes and sources of noncompliance and the severity of their cons

46、equences, as well as the likelihood that noncompliance and associated consequences can occur. Consequences can include, for example, personal and environmental harm, economic loss, reputational harm and administrative liability.Risk evaluation involves comparing the level of compliance risk found during the analysis process with the level of compliance risk the organization is able and willing to accept. Based on this comparison, priorities can be set as a basis for determi