
Page 1

“The Role of ISO Standards in Governance, Risk and Compliance Management for Today’s Business”

HKQAA Symposium 2017

Dr Nigel H Croft

(C) Nigel H Croft 2017 - All rights reserved. 1 May 2017

Page 2

Governance

“The way in which an organization makes and implements decisions in pursuit of its objectives” (Taken from ISO 26000)

It is the glue which holds the organisation together, while risk management provides the resilience.

Risk = “The effect of uncertainty” (on objectives / expected results)

Resilience = ability of an organization to anticipate, prepare for, and respond and adapt to incremental change and sudden disruptions in order to survive and prosper (ISO 22316)

Page 3

Some key ISO standards for Governance, Risk and Compliance Management

ISO 31000 Risk management
ISO 19600 Compliance Management*
ISO 26000 Social Responsibility
ISO 37001 Anti-bribery Management*
ISO 22301 Business Continuity Management*
ISO 28000 Supply chain security management
ISO 55001 Asset Management*
ISO 27001 Information security management*
ISO/IEC 38500 IT Governance
ISO 21505 Project, programme and portfolio governance
ISO 30408 Governance for Human resource management
ISO 22316 Organizational resilience

* = Uses common ISO “High-level structure”

Page 4

ISO 31000:2009 Process Overview (figure)

The figure shows the ISO 31000 risk management process: Establishing the context, then Risk assessment (made up of Risk identification, Risk analysis and Risk evaluation), then Risk treatment. Two activities run alongside every step: Communication & consultation, and Monitor & review.

Page 5

We should be turning uncertainty into an advantage!

Manage risks

Maximise opportunities

ISO 9001 – “Risk-based thinking”

Page 6

(Cartoon) “If opportunity doesn’t knock, then build a door!”

(c) TCA Global 2014; www.CartoonStock.com

Page 7

What is “ISO 19600”?

ISO Guidance document for Compliance management systems

“Compliance” = “Meeting all the requirements that an organization has to or chooses to comply with”

Requirements it has to comply with: for example, legal and/or regulatory requirements (International, regional or local)

Requirements it chooses to comply with: for example, corporate governance criteria; industry codes of conduct etc

ISO 19600 follows the same overall philosophy and structure as ISO 9001, but contains only Guidance (“should’s”, not “shall’s”)

Not appropriate for certification, but could be included in corporate (internal) audits

Page 8

Rationale for ISO 19600

“An organization’s approach to compliance is ideally shaped by the leadership applying core values and generally accepted corporate governance, ethical and community standards.”

“Embedding compliance in the behaviour of the people working for an organization depends above all on leadership at all levels and clear values of an organization, as well as an acknowledgement and implementation of measures to promote compliant behaviour.”

Page 9

Mandatory and “voluntary”

“Compliance requirements” (Mandatory) include:

• laws and regulations;
• permits, licences or other forms of authorization;
• orders, rules or guidance issued by regulatory agencies;
• judgments of courts or administrative tribunals;
• treaties, conventions and protocols.

“Compliance commitments” (“Voluntary”) include:

• agreements with community groups or NGOs;
• agreements with public authorities and customers;
• organizational requirements, such as policies and procedures;
• voluntary principles or codes of practice;
• voluntary labelling or environmental commitments;
• obligations arising under contractual arrangements with the organization;
• relevant organizational and industry standards.

Page 10

ISO 19600 Clause structure (figure, source: ISO/TC 176/SC 2/N 1282)

The figure lays the clauses out over a Plan - Do - Check - Act cycle:

4 Context of organization
  4.1 Understanding context
  4.2 Interested parties (Stakeholders)
  4.3 Scope
  4.4 CMS & Good governance principles
  4.5 Compliance risk assessment

5 Leadership
  5.1 Leadership and commitment
  5.2 Compliance Policy
  5.3 Organizational roles, responsibilities and authorities

6 Planning
  6.1 Actions to address compliance risks
  6.2 Compliance objectives and planning

7 Support
  7.1 Resources
  7.2 Competence & training
  7.3 Awareness
  7.4 Communication
  7.5 Documented information

8 Operation
  8.1 Operational planning and control
  8.2 Controls & procedures
  8.3 Outsourced processes

9 Performance and Evaluation
  9.1 Monitoring, measurement, analysis and evaluation
  9.2 Audit
  9.3 Management review

10 Improvement
  10.1 Nonconformity, noncompliance and corrective action
  10.2 Continual improvement

Page 11

Compliance risks

Analyse compliance risks by considering causes and sources of noncompliance

Consider likelihood, and severity of the consequences

Consequences can include, for example, personal and environmental harm, economic loss, reputational harm and administrative liability.

Page 12

New ISO Standard on resilience

ISO 22316:2017 “Organizational resilience - Principles and attributes” includes topics such as:

• quality management;
• risk management;
• asset management;
• stakeholder and collaboration management;
• reputation management;
• horizon scanning;
• environmental management;
• health and safety;
• fraud control;
• business continuity;
• information, communications and technology (ICT) continuity;
• cyber security;
• change management;
• information security;
• physical security;
• facilities management;
• emergency management;
• crisis management;
• supply chain;
• human resource planning;
• financial control.

Page 13

ISO 22316 Model (figure)

Page 14

Conclusions

ISO standards can make many contributions to Governance, Risk and Compliance Management

Just 2 examples:

ISO 19600 provides guidance on compliance
  Mandatory (legal) requirements and/or “Voluntary” commitments
  Totally aligned with ISO 9001, 14001 etc

New ISO 22316 promotes organizational resilience
  Outcome of good business practice and effectively managing risk.

Page 15

THANK YOU!

[email protected]