1 Scope
This document sets out the requirements and provides guidance for organisations to establish, develop, implement, evaluate, maintain and improve an effective compliance management system. This document applies to all types of organisations, regardless of their type, size, nature and whether they are public, private or not-for-profit. If there is no independent governance structure within the organisation, all the requirements for governance structures set out in this document apply to the top manager.
2 Normative references
There are no normative references in this document.
3 Terms and definitions
The following terms and definitions apply to this document.
3.1
Organisation
A person or group of persons who, for the purpose of achieving an objective (3.6), are organised by responsibilities, competencies and interrelationships into a function of their own.
Note 1: The concept of organisation includes, but is not limited to, individual operators, companies, firms, enterprises, institutions, administrative bodies, partnerships, charitable or research institutions, groups of such companies, firms, enterprises, institutions, administrative bodies, partnerships, charities or research institutions, or parts or combinations of the above, whether or not they have legal personality and whether public or private.
Note 2: If the organisation is a component of a larger entity, the term 'organisation' refers only to this component within the scope of the compliance management system (3.4).
3.2
Interested party (preferred term) Stakeholder (permitted term)
A person or organisation that can influence, is influenced by, or perceives itself to be influenced by, a decision or activity (3.1).
4 Organisational environment
4.1 Understanding the organisation and its environment
The organisation should identify internal and external matters that are relevant to its purpose and that affect its ability to achieve the intended outcomes of the compliance management system.
4.2 Understand the needs and expectations of relevant parties
The organisation shall identify:
-the relevant stakeholders associated with the compliance management system;
-the relevant needs of these stakeholders;
-which needs will be addressed through the compliance management system.
4.3 Determine the scope of the compliance management system
The organisation should define the boundaries and applicability of the compliance management system in order to establish its scope.
Note: The scope of the compliance management system is intended to identify the main compliance risks faced by the organisation and the geographical and/or organisational boundaries to which the compliance management system applies, particularly where the organisation is part of a larger entity.
4.4 Compliance management system
The organisation shall establish, implement, maintain and continuously improve a compliance management system, including the required processes and their interactions, in accordance with the requirements of this document.
The compliance management system shall reflect the organisation's values, objectives, strategy and compliance risks and shall be integrated with the organisational environment (see 4.1).
4.5 Compliance obligations
The organisation should systematically identify compliance obligations arising from the organisation's activities, products and services, and assess their impact on operations. The organisation shall establish processes to:
a) identify new and changed compliance obligations to ensure ongoing compliance;
b) evaluate the impact of the identified changed obligations and implement necessary adjustments to the management of compliance obligations.
The organisation should maintain documented information on its compliance obligations.
4.6 Compliance risk assessment
The organisation shall identify, analyse and evaluate its compliance risks based on a compliance risk assessment.
The organisation shall identify compliance risks by relating its compliance obligations to relevant aspects of its activities, products, services and operations. The organisation should assess compliance risks associated with outsourced and third party processes.
The organisation should assess compliance risks on a regular basis and whenever there are significant changes in the organisational environment. The organisation should maintain documented information on compliance risk assessments and measures to address compliance risks.
5 Leadership Role
5.1 Leadership roles and commitment
5.1.1 Governance bodies and top managers
6 Planning
6.1 Responses to risks and opportunities
7 Support
7.1 Resources
The organisation shall identify and provide the resources required to establish, implement, maintain and continually improve the compliance management system.
8 Operation
8.1 Planning and control of operations
In order to meet the requirements and implement the measures identified in Chapter 6, the organisation shall plan, implement and control the required processes by:
--Establishing guidelines for the process;
--Controlling the process in accordance with the guidelines.
Documented information should be available to the extent necessary to confirm that the process has been implemented as planned.
The organisation should control planned changes and review the consequences of unintended changes and take steps to mitigate adverse effects where necessary. The organisation should ensure that externally supplied product processes or services are controlled in relation to the compliance management system.
Note: Outsourcing of the organisation's operations does not relieve the organisation of legal responsibility or compliance obligations.
The organisation shall ensure that third party processes are controlled and monitored.
8.2 Establish controls and procedures
The organisation should implement controls to manage its compliance obligations and associated compliance risks. These controls should be maintained, periodically reviewed and tested to ensure their continued effectiveness.
Note: Testing controls is the implementation of activities designed to verify that controls are operating as intended, or cannot be circumvented, or are effective in reducing the consequences or likelihood of risk.
8.3 Raising Concerns
The organisation should establish, implement and maintain a reporting process that encourages and facilitates the reporting of attempted, suspected or actual breaches of compliance guidelines or compliance obligations, where there are reasonable grounds to believe that the information reported is true.
8.4 Investigation process
The organisation shall develop, establish, implement and maintain processes to assess, evaluate, investigate and draw conclusions about reports of suspected or actual non-compliance. These processes shall ensure that decisions are made in a fair and impartial manner.
9 Performance evaluation
9.1 Monitoring, measurement, analysis and evaluation
9.1.1 General principles
The organisation shall monitor the compliance management system to ensure that compliance objectives are being met.
9.1.2 Sources of feedback on compliance performance
The organisation shall establish, implement, evaluate and maintain processes that enable it to seek and obtain feedback on compliance performance from multiple sources. The organisation should analyse and critically evaluate the information to identify the root causes of non-compliance, ensure that appropriate measures are taken, and reflect this information in the periodic risk assessments required by 4.6.
9.1.3 Development of indicators
The organisation should develop, implement and maintain an appropriate set of metrics to help the organisation evaluate the achievement of its compliance objectives and assess compliance performance.
9.1.4 Compliance Reporting
9.2 Internal Audits
9.2.1 General Guidelines
9.3 Management Review
9.3.1 General
The governance body and top management shall review the organisation's compliance management system at planned intervals to ensure the continued suitability, adequacy and effectiveness of the compliance management system.
10 Improvements
10.1 Continuous improvement
The organisation shall continually improve the suitability, adequacy and effectiveness of the compliance management system.
Contents of GB/T 35770-2022
1 Scope
2 Normative references
3 Terms and definitions
4 Organisational environment
5 Leadership Role
6 Planning
7 Support
8 Operation
9 Performance evaluation
10 Improvements