The Role of ISO Standards in Governance, Risk and Compliance Management for Today s Business

Transcription

1 The Role of ISO Standards in Governance, Risk and Compliance Management for Today s Business HKQAA Symposium 2017 Dr Nigel H Croft May 2017 (C) Nigel H Croft All rights reserved 1

2 Governance The way in which an organization makes and implements decisions in pursuit of its objectives It is the glue which holds the organisation together, while risk management provides the resilience. Risk = The effect of uncertainty (on objectives / expected results) Resilience = ability of an organization to anticipate, prepare for, and respond and adapt to incremental change and sudden disruptions in order to survive and prosper (ISO 22316) (Taken from ISO 26000)

3 Some key ISO standards for Governance, Risk and Compliance Management ISO Risk management ISO Compliance Management* ISO Social Responsibility ISO Anti-bribery Management* ISO Business Continuity Management* ISO Supply chain security management ISO Asset Management* ISO Information security management* ISO/IEC IT Governance ISO Project, programme and portfolio governance ISO Governance for Human resource management ISO Organizational resilience * = Uses common ISO High-level structure May 2017 (C) Nigel H Croft All rights reserved 3

4 C O M M U N I C A T I O N & C O N S U L T A T I O N M O N I T O R & R E V I E W ESTABLISHING THE CONTEXT RISK ANALYSIS RISK EVALUATION RISK ASSESSMENT RISK TREATMENT RISK IDENTIFICATION 24 ISO 31000:2009 Process Overview

5 We should be turning uncertainty into an advantage! ISO 9001 Risk-based thinking Manage risks Maximise opportunities 5

6 If opportunity doesn t knock, then build a door! (c) TCA Global

7 What is ISO 19600? ISO Guidance document for Compliance management systems Compliance = Meeting all the requirements that an organization has to or chooses to comply with For example, legal and/or regulatory requirements (International, regional or local) For example, corporate governance criteria; industry codes of conduct etc ISO follows the same overall philosophy and structure as ISO 9001, but contains only Guidance ( should s, not shall s ) Not appropriate for certification, but could be included in corporate (internal) audits May 2017 (C) Nigel H Croft All rights reserved 7

8 Rationale for ISO An organization s approach to compliance is ideally shaped by the leadership applying core values and generally accepted corporate governance, ethical and community standards. Embedding compliance in the behaviour of the people working for an organization depends above all on leadership at all levels and clear values of an organization, as well as an acknowledgement and implementation of measures to promote compliant behaviour. May 2017 (C) Nigel H Croft All rights reserved 8

9 Mandatory and voluntary Compliance requirements (Mandatory) include: laws and regulations; permits, licences or other forms of authorization; orders, rules or guidance issued by regulatory agencies; judgments of courts or administrative tribunals; treaties, conventions and protocols. Compliance commitments ( Voluntary ) include: agreements with community groups or NGOs agreements with public authorities and customers; organizational requirements, such as policies and procedures; voluntary principles or codes of practice; voluntary labelling or environmental commitments; obligations arising under contractual arrangements with the organization; relevant organizational and industry standards. May 2017 (C) Nigel H Croft All rights reserved 9

10 ISO/TC 176/SC 2/ N1282 ISO Clause structure Plan Do Check Act 4 Context of organization 5 Leadership 6 Planning 7 Support 8 Operation 9 Performance and Evaluation 10 Improvement 4.1 Understanding context 4.2 Interested parties (Stakeholders) 4.3 Scope 4.4 CMS & Good governance principles 4.5 Compliance risk assessment 5.1 Leadership and commitment 5.2 Compliance Policy 5.3 Organizational roles, responsibilities and authorities 6.1 Actions to address compliance risks 6.2 Compliance objectives and planning 7.1 Resources 7.2 Competence & training 7.3 Awareness 7.4 Communication 7.5 Documented information 8.1 Operational planning and control 8.2 Controls & procedures 8.3 Outsourced processes 9.1 Monitoring, measurement, analysis and evaluation 9.2 Audit 9.3 Management review 10.1 Nonconformity, noncompliance and corrective action 10.2 Continual improvement 10

11 Compliance risks Analyse compliance risks by considering causes and sources of noncompliance Consider likelihood, and severity of the consequences Consequences can include, for example, personal and environmental harm, economic loss, reputational harm and administrative liability. OR May 2017 (C) Nigel H Croft All rights reserved 11

12 New ISO Standard on resilience ISO 22316:2017 Organizational resilience - Principles and attributes includes topics such as: quality management risk management asset management stakeholder and collaboration management reputation management; horizon scanning; environmental management health and safety fraud control; business continuity information, communications and technology (ICT) continuity cyber security change management; information security physical security; facilities management; emergency management; crisis management supply chain human resource planning; financial control; May 2017 (C) Nigel H Croft All rights reserved 12

13 ISO Model May 2017 (C) Nigel H Croft All rights reserved 13

14 Conclusions ISO standards can make many contributions to Governance, Risk and Compliance Management Just 2 examples: ISO provides guidance on compliance Mandatory (legal) requirements and/or Voluntary commitments Totally aligned with ISO 9001, etc New ISO promotes organizational resilience outcome of good business practice and effectively managing risk. May 2017 (C) Nigel H Croft All rights reserved 14

15 THANK YOU! May 2017 (C) Nigel H Croft All rights reserved 15