The Working Group (WG) on compliance management systems and ISO standards is co-chaired by Dominique Casutt. It started its activities in 2015 and counts ca. 60 members.
The WG aims at discussing the establishment, implementation, maintenance and continual improvement of best practice governance, risk and compliance management systems. It focuses on the ISO Standards 37000 – Governance of Organizations, 37301 – Compliance Management Systems and 31000 – Risk Management.
The WG also follows related matters such as independent auditing and certification of compliance management systems.
Regular lunch meetings, presentations and conference calls shall promote the exchange of know-how and the discussion of important developments and further networking among all those who share an interest in best practice compliance management based on transparent and auditable compliance management system standards.
Swiss CSR Reporting on Combatting Corruption: What does it mean for the Compliance Function / 13 June 2023
Under the title “Swiss CSR Reporting on Combatting Corruption: What does it mean for the Compliance Function?” the working group on CMS/ISO held a lunch-event in Zürich on 13 June 2023. The event was attended by 14 working group members and guests from in-house GRC and sustainability functions and compliance, intelligence, sustainability, and communications advisors.
In his farewell meeting as a co-chair of the working group, Daniel Bühr gave a short keynote speech on the New Non-financial Reporting and Due Diligence Obligations for Swiss Companies, i. e. the legal obligations in art. 964a et seq. Swiss Code of Obligations which have been effective since 1 January 2022 but have likely not been on top of the agenda of all compliance functions. See his presentation here.
Approximately 250 companies of public interest and FINMA-regulated financial institutions will be required to provide a first report on non-financial matters for 2023 in 2024, i. e. report on how they address environmental, social, labour, human rights, and anti-bribery matters. In order to comply with these obligations, affected companies will need to have a risk-based and effective management system in place and report on it publicly for 10 years (concept, diligence, measures, effectiveness, risk assessment and treatment and KPIs). In addition, companies dealing with conflict minerals or having a risk of child-labour in their upstream supply-chain, will be required to meet specific due diligence requirements, conduct an analysis, and potentially provide an annual report. The Swiss Code of Obligations explicitly requires these companies which have a reasonable suspicion to have a management system in place. Non-compliance with reporting and/or due diligence obligations may lead to criminal liability of the directors of the board (who are obliged to report).
The participants had a lively discussion on the very broad scope of application of the new legal obligations, the urgency of a call to action for affected companies and the severe consequences for all members of the board of directors in the event of non-compliance. However, many important details on how to comply with the new regimes in practice and how these will be affected by similar legal developments in Europe remain open. In any event, the compliance functions will have to ensure they remain up to speed on this hot topic, which is here to stay.
Webinar: ISO’s new GRC Standards / 17 February 2022
The discussion focused on the ISO’s new GRC Standards and The Big Move from Models and Programs to Management Systems and Independent Certification.
Our speakers Dominique Casutt, Daniel Bühr and Peter Jonas (Austrian Standards Plus GmbH) presented the evolving nature of organisational governance, compliance and whistleblowing management systems as well as the certification of compliance management systems. The presentations were followed by a lively discussion. Presentation slides from the speakers:
ISO 37000 on Governance of Organizations – Introduction (Daniel Bühr)
ISO 37000 on Governance of Organizations – Elements Focus: Oversight & Risk Governance (Daniel Bühr)
ISO 37301 on Compliance Management Systems (Dominique Casutt)
ISO 37002 on Whistleblowing Management Systems (Daniel Bühr)
Independent Certification (Peter Jonas, Austrian Standards Plus GmbH)
Meeting of the WG on 4 June 2018
The Working Group CMS/ISO Standards focused in its meeting on 4 June 2018 on human resources management. In the end, compliance is all about people – therefore, ethical leadership and a culture of compliance and integrity are considered key success factors of an effective compliance management system. Eva Häuselmann, ECS member and owner/managing partner of a company focusing on assessments and development for business integrity, opened the meeting with a presentation on “The missing link – How to connect the individual to the CMS”. Leading with integrity includes both being a moral person and promoting integrity in the team and throughout the company. There was a lively discussion on the importance of values, leadership and culture, followed by a networking apéro.
The next meeting of the Working Group early next year will focus on recent international developments on ISO 19600 which is expected to be turned into a requirement standard. Working Group members will soon receive an invitation to join the meeting.
Meeting of the WG on 24 August 2017
The WG meeting was attended by 14 ECS members and guests.
Against the background that more and more companies are becoming certified under compliance management system standards (for instance Alstom Group, which became certified under the anti-bribery management system standard ISO 37001), Daniel Bühr shared his experience from independent compliance management system audits. In his experience, companies take such reviews and audits seriously and see them as an opportunity to get independent and unbiased feedback on the maturity of their compliance management system. Often such reviews and audits are the basis for addressing key governance, organizational and procedural questions.
Following this short introduction, Matthias Kiener, Partner, Advisory Forensic with KPMG, Zurich, introduced the participants to CMS audits under IDW Audit Standard 980 and the recent work on a Swiss CMS audit standard, SAS 980, which is currently being established by expertSuisse. In his presentation, Matthias explained the ISO 19600 and the IDW Audit Standard 980 approaches and the differences between them. Matthias then explained the three assessment types under the IDW Audit Standard, the audit objectives and the key elements of a systematic best practice CMS. The discussion focused on the question of how audits of non-mature organizations should be conducted and how auditors can help organizations in the proper design and effective implementation of a CMS. Also, the increased enforcement of the corporate criminal offence under Article 102 of the Swiss Criminal Code was discussed. The participants agreed that the exposure of companies that may have a bribery or money laundering risk has significantly increased as a result of the soaring number of SARs filed by banks. The discussion also touched on the critical role of senior management, which should take into account not only the risks to their companies in case of organisational compliance weaknesses but also their personal exposure. After expressing sincere thanks to Matthias Kiener for his interesting presentation, a “best practice” apéro took place.
Dominique Casutt and Daniel Bühr, Co-Chairs ECS Working Group CMS/ISO Standards
WG Compliance Management Systems/ISO – Event of 28 June 2016 on best practice risk management
With the catchy title “Is compliance a risk? How risk management can help you make risk-based compliance decisions” Stéphane Martin, founder and CEO of Smart Risk Consulting, held a presentation at the event of the ECS Working Group CMS/ISO on 28 June 2016.
Risk assessment and management is one of the key elements of any compliance management system and therefore subject to ISO 19600 on Compliance Management Systems. The section on risk management in ISO 19600 is, however, quite short. Therefore, it may prove very helpful to consider the specific ISO standard on Risk Management for further reference.
In his well-structured and focused presentation, Stéphane not only provided a good overview of the key principles of the ISO 31000 standard on Risk Management but also shared his practical experience in risk management in a very hands-on and interactive manner. He elaborated on what may be considered a compliance risk and in particular stressed the need to differentiate between its constituent elements cause, source, event and consequence – for risk management to be effective, it is crucial to have a control in place for each cause.
The presentation was followed by a lively discussion on this hot topic and rounded off with some cold drinks.
ECS WG CMS/ISO discussed the ISO 19600 Principles of Good Governance
On 30 June the Working Group CMS/ISO met for the second time in Zürich and discussed the principles of good governance as set out in ISO 19600, in particular direct access to the governing body, independence of the compliance function, appropriate authority and adequate resources. After an introductory presentation the participants had a lively discussion on the subject matter followed by specific questions raised by Working Group members regarding ISO 19600.
It was agreed that the next meeting will take place in September. The first part of the meeting will be used to discuss the purpose of the Working Group and its envisaged output going forward; for the second part it is planned to invite a Chief Compliance Officer from an organisation which has already been certified according to ISO 19600 to share first-hand insights regarding the certification process. Date and agenda of the meeting will be announced in due time.
WG CMS/ISO 19600 plans second meeting on 30 June in Zurich
The Working Group CMS/ISO has scheduled its second in-person meeting for 30 June 17.00 to 19.00h in Zurich. The meeting agenda will be made available in due time. Suggestions from Working Group members or other interested parties are highly welcome.
Building on the first in-person meeting on 16 March which served the purpose of bringing interested members “up to speed” with regard to the new ISO 19600 standard on compliance management systems, the second meeting now aims at addressing specific areas of interest and possible queries.
Other ECS members or external individuals who are interested in attending the event are kindly requested to sign up for the Working Group (and a membership with ECS, if not yet a member). The Working Group has by now increased to more than 15 members.
First face to face meeting in Zurich on 16 March 2015
Basel, 24 March 2015. At the meeting of 16 March 2015 in Zurich, the ISO Standard 19600 and the certification concept of Austrian Standards were presented to the members of the WG (12 participants attending, 3 excused). The participants discussed the Standard and independent audits of Organizations with regard to their Compliance Management Systems. The participants agreed that ISO 19600 may become a benchmark because it is the first global standard on compliance management systems. Questions focused on the best approach to implement a compliance management system, in particular on how to secure Board and Top Management attention, buy-in and support. Also, the concept and benefits of certification were discussed.
The Working Group decided that it wants to act as the ECS point of contact for Compliance Management Systems and that it intends to meet bi-annually in person to further discuss CMS and ISO topics of common interest. A next meeting will be scheduled for the second half of June.
These are the upcoming dates for our Annual General Meetings:
Thursday, 21 March 2024
Thursday, 20 March 2025
If you are an ECS member, you are cordially invited to our Annual General Meetings! Each AGM is followed by a discussion on current compliance topics and a networking apéro.