WG CMS/ISO

The Working Group (WG) on compliance management systems and ISO standards is co-chaired by Dominique Casutt. It started its activities in 2015 and counts ca. 60 members.

The WG aims at discussing the establishment, implementation, maintenance and continual improvement of best practice governance, risk, as well as compliance management systems. It focuses on the ISO Standards 37000 – Governance of Organizations, 37301 – Compliance Management Systems and 31000 – Risk Management.

The WG also follows related matters such as independent auditing and certification of compliance management systems.

Regular lunch meetings, presentations and conference calls shall promote the exchange of know-how and the discussion of important developments and further networking among all those who share an interest in best practice compliance management based on transparent and auditable compliance management system standards.

Past events


Data Protection: How to ensure compliance with the new Swiss Data Protection Act / 10 September 2024

Lessons learned from getting SMEs ready for the new Swiss DPA.

The new Swiss Data Protection Act has been in force since 1 September 2023. Although it had long before been announced, many Swiss companies, in particular small and medium enterprises (SMEs), have been struggling to ensure compliance.

In our online meeting of 10 September 2024, Dr. Amir Ameri (Privacy, Cyber Security and Risk Management Advisor at Swisscom) presented the key learnings from getting small and medium size enterprises up to speed for compliance with the new Swiss Data Protection Act. Based on an assessment Swisscom conducted from March to December 2023, 143 control questions have been identified and grouped into eight themes. For Swiss SMEs 12 key measures have been identified to ensure compliance with the revised Swiss Data Protection Act. Purpose, transparency and consent are at the core of all processing activities throughout any data life cycle. Common weaknesses observed relate to the following three areas: (1) lack of data governance models and/or data processing & data protection frameworks, (2) lack of some fundamental processes and (3) technological impact. To address these weaknesses, adequate policies (e.g. a data classification policy), frameworks (e.g. a risk assessment) and processes (e.g. a privacy impact assessment) should be established and supported by appropriate technology. Overall, ISO 27001:2022 regarding Information Security Management Systems (ISMS) should be considered as a global best-practice standard when planning and operating an ISMS.

Amir’s very interesting presentation and sharing of insights were followed by a lively discussion among the 16 participants regarding hands-on examples of how to set up the necessary policies and procedures in a risk-based and pragmatic approach.


Trainings tailored to the target group – wishful thinking? An interactive workshop / 13 November 2024

Prof. Christian Hauser, FHGR, and Dr. Helke Drenckhan, ComplianceDesigner, gave an insight into their interviews with companies which they conducted in the framework of a project supported by an Innosuisse check. The companies were asked about their approach to compliance training, how they reach their target audience and where they see potential for improvement. Reaching the relevant target group with the content that is important to them has been identified as a major challenge, especially for larger and international companies.

In the following hands-on workshop, the speakers not only shared their impressions from the interviews but also triggered exciting discussions with the participants on what they would like to see in compliance training and what they think could be improved. Many thanks to everyone for the stimulating discussions and the many ideas! The speakers will follow up on these ideas and would be happy to hear from companies interested in supporting them in the next steps.


Compliance Training: How to become a Legend. A concrete example of an engaging and effective compliance online training / 20 June 2024

Whereas we all know that compliance training is considered both a key requirement and a success factor of every compliance management system, we often struggle to get training delivered in a way which is truly meaningful and makes an impact. Only few companies succeed in designing and delivering trainings which change behaviour. Not only content matters; the training format should also be tailored to the audience. And in the best case, training comes with a fun factor. In any event, compliance messages stick better if the audience buys into the training. How can we overcome training fatigue, which today is considered one of the key reasons for training programs to fail? In other words, how can training be designed and delivered to be engaging?

In our online meeting of 20 June, Barbara Lustenberger (Senior Director Compliance at Infront Sports & Media AG) and Kevin Ruff (Associate Director at Infront Sports & Media AG) shared insights into how Infront successfully maximises engagement in compliance training by triggering both the competitive nature of people in a sports-related work environment and the playfulness inherent in most of us. Their inspiring presentation was followed by a lively discussion among the 14 participants regarding hands-on examples on how to overcome training fatigue and make compliance messages stick.


Swiss CSR Reporting on Combatting Corruption: What does it mean for the Compliance Function / 13 June 2023

Under the title “Swiss CSR Reporting on Combatting Corruption: What does it mean for the Compliance Function?” the working group on CMS/ISO held a lunch event in Zürich on 13 June 2023. The event was attended by 14 working group members and guests from in-house GRC and sustainability functions as well as compliance, intelligence, sustainability, and communications advisors.

In his farewell meeting as a co-chair of the working group, Daniel Bühr gave a short keynote speech on the New Non-financial Reporting and Due Diligence Obligations for Swiss Companies, i. e. the legal obligations in art. 964a et seq. Swiss Code of Obligations which have been effective since 1 January 2022 but have likely not been on top of the agenda of all compliance functions. See his presentation here.

Approximately 250 companies of public interest and FINMA-regulated financial institutions will be required to provide a first report on non-financial matters for 2023 in 2024, i. e. report on how they address environmental, social, labour, human rights, and anti-bribery matters. In order to comply with these obligations, affected companies will need to have a risk-based and effective management system in place and report on it publicly for 10 years (concept, diligence, measures, effectiveness, risk assessment and treatment and KPIs). In addition, companies dealing with conflict minerals or having a risk of child labour in their upstream supply chain will be required to meet specific due diligence requirements, conduct an analysis, and potentially provide an annual report. The Swiss Code of Obligations explicitly requires these companies, where they have a reasonable suspicion, to have a management system in place. Non-compliance with reporting and/or due diligence obligations may lead to criminal liability of the members of the board of directors (who are obliged to report).

The participants had a lively discussion on the very broad scope of application of the new legal obligations, the urgency for affected companies for a call to action and the severe consequences for all members of the board of directors in the event of non-compliance. However, many important details on how to comply with the new regimes in practice and how these will be affected by similar legal developments in Europe remain open. In any event, the compliance functions will have to ensure they remain up to speed on this hot topic which came to stay.


Webinar: ISO’s new GRC Standards / 17 February 2022

The discussion focused on the ISO’s new GRC Standards and The Big Move from Models and Programs to Management Systems and Independent Certification.

Our speakers Dominique Casutt, Daniel Bühr and Peter Jonas (Austrian Standards Plus GmbH) presented the evolving nature of organisational governance, compliance and whistleblowing management systems as well as the certification of compliance management systems. The presentations were followed by a lively discussion. Presentation slides from the speakers:


Meeting of the WG on 4 June 2018

The Working Group CMS/ISO Standards focused in its meeting on 4 June 2018 on human resources management. In the end, compliance is all about people – therefore, ethical leadership and a culture of compliance and integrity are considered as key success factors of an effective compliance management system. Eva Häuselmann, ECS member and owner/managing partner of a company focusing on assessments and developments for business integrity opened the meeting with a presentation on “The missing link – How to connect the individual to the CMS”. Leading with integrity includes both being a moral person and promoting integrity in the team and throughout the company. There was a lively discussion on the importance of values, leadership and culture followed by a networking apéro.

The next meeting of the Working Group early next year will focus on recent international developments on ISO 19600 which is expected to be turned into a requirement standard. Working Group members will soon receive an invitation to join the meeting.


Meeting of the WG on 24 August 2017

The WG meeting was attended by 14 ECS members and guests.

Against the background that more and more companies are becoming certified under compliance management system standards (for instance Alstom Group, which became certified under the anti-bribery management system standard ISO 37001), Daniel Bühr shared his experience from independent compliance management system audits. In his experience, companies take such reviews and audits seriously and see them as an opportunity to get independent and unbiased feedback on the maturity of their compliance management system. Often such reviews and audits are the basis for addressing key governance, organizational and procedural questions.

Following this short introduction, Matthias Kiener, Partner, Advisory Forensic with KPMG, Zurich, introduced the participants to CMS audits under IDW Audit Standard 980 and the recent work on a Swiss CMS audit standard, SAS 980, which is currently being established by expertSuisse. In his presentation, Matthias explained the ISO 19600 and the IDW Audit Standard 980 approaches and the differences between them. Matthias then explained the three assessment types under the IDW Audit Standard, the audit objectives and the key elements of a systematic best practice CMS. The discussion focused on the question of how audits of non-mature organizations should be conducted and how auditors can help organizations in the proper design and effective implementation of a CMS. Also, the increased enforcement of the corporate criminal offense under Article 102 of the Swiss Criminal Code was discussed. The participants agreed that the exposure of companies that may have a bribery or money laundering risk has significantly increased as a result of soaring SAR reports by banks. The discussion also touched on the critical role of senior management, which should take into account not only the risks to their companies in case of organisational compliance weaknesses but also their personal exposure. After expressing sincere thanks to Matthias Kiener for his interesting presentation, a “best practice” apéro took place.

Dominique Casutt and Daniel Bühr, Co-Chairs ECS Working Group CMS/ISO Standards


WG Compliance Management Systems/ISO – Event of 28 June 2016 on best practice risk management

With the catchy title “Is compliance a risk? How risk management can help you make risk-based compliance decisions” Stéphane Martin, founder and CEO of Smart Risk Consulting, held a presentation at the event of the ECS Working Group CMS/ISO on 28 June 2016.

Risk assessment and management is one of the key elements of any compliance management system and therefore subject to ISO 19600 on Compliance Management Systems. The section on risk management in ISO 19600 is, however, quite short. Therefore, it may prove very helpful to consider the specific ISO standard on Risk Management for further reference.

In his well-structured and focused presentation, Stéphane not only provided a good overview of the key principles of the ISO 31000 standard on Risk Management but also shared his practical experience in risk management in a very hands-on and interactive manner. He elaborated on what may be considered a compliance risk and in particular stressed the need to differentiate between its constituent elements: cause, source, event and consequence. In order for risk management to be effective, it is crucial to have a control in place for each cause.

The presentation was followed by a lively discussion on this hot topic and rounded off with some cold drinks.


ECS WG CMS/ISO discussed the ISO 19600 Principles of Good Governance

On 30 June the Working Group CMS/ISO met for the second time in Zürich and discussed the principles of good governance as set out in ISO 19600, in particular direct access to the governing body, independence of the compliance function, appropriate authority and adequate resources. After an introductory presentation the participants had a lively discussion on the subject matter followed by specific questions raised by Working Group members regarding ISO 19600.

It was agreed that the next meeting will take place in September. The first part of the meeting will be used to discuss the purpose of the Working Group and its envisaged output going forward; for the second part it is planned to invite a Chief Compliance Officer from an organisation which has already been certified according to ISO 19600 to share first-hand insights regarding the certification process. Date and agenda of the meeting will be announced in due time.


WG CMS/ISO 19600 plans second meeting on 30 June in Zurich

The Working Group CMS/ISO has scheduled its second in-person meeting for 30 June 17.00 to 19.00h in Zurich. The meeting agenda will be made available in due time. Suggestions from Working Group members or other interested parties are highly welcome.

Building on the first in-person meeting on 16 March which served the purpose of bringing interested members “up to speed” with regard to the new ISO 19600 standard on compliance management systems, the second meeting now aims at addressing specific areas of interest and possible queries.

Other ECS members or external individuals who are interested in attending the event are kindly requested to sign up for the Working Group (and a membership with ECS, if not yet a member). The Working Group has by now increased to more than 15 members.


First face to face meeting in Zurich on 16 March 2015

Basel, 24 March 2015. At the meeting of 16 March 2015 in Zurich, the ISO Standard 19600 and the certification concept of Austrian Standards were presented to the members of the WG (12 participants attending, 3 excused). The participants discussed the Standard and independent audits of Organizations with regard to their Compliance Management Systems. The participants agreed that ISO 19600 may become a benchmark because it is the first global standard on compliance management systems. Questions focused on the best approach to implement a compliance management system, in particular on how to secure Board and Top Management attention, buy-in and support. Also, the concept and benefits of certification were discussed.

The Working Group decided that it wants to act as the ECS point of contact for Compliance Management Systems and that it intends to meet bi-annually in person to further discuss CMS and ISO topics of common interest. A next meeting will be scheduled for the second half of June.

Contact

Dominique Casutt, Co-Chair Working Group CMS/ISO

These are the upcoming dates for our Annual General Meetings:

Thursday, 20 March 2025
Thursday, 19 March 2026

If you are an ECS member, you are cordially invited to our Annual General Meetings! Each AGM is followed by a discussion on current compliance topics and a networking apéro.