Compliance
Following the rules and meeting all of the organization's obligations (ISO standard); a symbol of a mature organisation
Compliance (for individuals)
relates to a law, rule, regulation or some other standard that tells you what to do, or how to behave. In some cases, it tells you what not to do and how not to behave.
Compliance (for organisations)
a formal program within an organization that identifies which specific rules are applicable and establishes a framework, directive or strategy to ensure that the organization adheres to them.
Non-Compliance
non-fulfilment of compliance obligations; not complying with a statutory/regulatory requirement. Caused by lack of education, wrong priorities, lack of enforcement, etc.
Consequences/Problems --> Fines, Reputational damage, operational delays, accidents, etc.
Compliance Obligations
Requirements that an organization mandatorily has to comply with as well as those that an organization voluntarily chooses to comply with
Compliance Risk
likelihood of the occurrence, and the consequence, of non-compliance with the organisation's compliance obligations
Compliance Function
person or group of persons with responsibility and authority for the operation of the compliance management system.
Compliance Culture
Values, ethics, beliefs and conduct that exist throughout an organization and interact with the organization's structures and control systems to produce behavioral norms that are conducive to compliance
depends on your risk appetite and the tone at the top
Non-compete Clause
prevents the former employee from working for a competitor or from starting a similar enterprise after resigning. (PERMANENT CONTRACT ONLY).
Non-Disclosure Agreement (NDA)
is a legal contract or part of a contract between at least two parties that outlines confidential material, knowledge, or information that the parties wish to share with one another for certain purposes but wish to restrict access to.
Sarbanes-Oxley Act (SOX) of 2002
imposed stricter regulations on financial reporting and corporate governance. Implemented after Enron scandal (largest bankruptcy in US history).
Tony Chocolonely (Teun van de Keuken)
after the discovery that big companies were involved in child labour and modern slavery. The mission is to make 100% slave-free chocolate for the entire chocolate industry and to create a more transparent and fair supply chain, with farmers earning a living wage.
- Five sourcing principles
- Tony's open chain
Marvin Bower
the father of modern management consulting
- A business of high principle generates greater drive and effectiveness because people know they can do the right thing decisively and with confidence. They know that any action that is even slightly unprincipled will be generally condemned
- Good compliance promotes good business
History of Modern Compliance
- Shaped by scandals, crises & systemic failures
- Based on laws and regulations
- Continuous improvement
Major Topics of Compliance
1. Health and Safety
2. Environmental Protection
3. Privacy and data protections
4. Financial & Tax
5. Corporate Governance and Ethics
6. Product and Industry-Specific
7. Cybersecurity and IT
8. Labor and Employment Law
Health and Safety (Major Topics of Compliance)
Ensures protection of workers and the public. (example: safety training, OSH Framework, hazard identification)
Environmental Protection (Major Topics of Compliance)
Minimizes environmental harm from business activities. (example: pollution control, sustainability regulations)
Privacy and data protections (Major Topics of Compliance)
Protects personal data and digital rights. (example: third-party data sharing, secure data sharing)
Financial & Tax (Major Topics of Compliance)
Ensures lawful financial conduct and accurate reporting. (example: anti-money laundering, payment processing and record keeping)
Corporate Governance Ethics (Major Topics of Compliance)
Focuses on ethical leadership, fairness, anti-corruption and transparency. (example: code of conduct, conflict of interest)
Product and Industry Specifics (Major Topics of Compliance)
Regulations tailored to your sector or product type.
Cybersecurity and IT (Major Topics of Compliance)
Protects information systems and critical infrastructure. (example: ISO, cyber incident response plan)
Labor and Employment Law (Major Topics of Compliance)
Ensures fair treatment and lawful employment practices. (example: working time, wages)
Why is Compliance important?
1. Avoid Legal Penalties (fines, sanctions, legal action)
2. Protects Employees, Customers and the Public (prevention of injuries/sickness, misuses of information and theft)
3. Builds Trust and Reputation (shows you are responsible)
4. Strengthens Internal Processes (standardization, identification of strengths and weaknesses)
5. Reduces Business Risk
6. Supports Long-Term Sustainability & Continuity (helps to keep up social/environmental standards)
Compliance Register
How do you prevent non-compliance?
To limit negative impacts of a company
Why is compliance management essential?
Top management
individuals or groups directing and controlling the organization at the highest level.
Interested parties
persons or organizations that can affect or be affected by the CMS.
Non-Conformity
when you don't comply with a requirement
Pareto Principle
A risk-based approach should be taken. Organizations should start with the identification of the most important compliance obligation that is relevant to the business and then focus on all the other compliance obligations.
ISO (NEN in NL)
International Standard Organisation
Certification
if an organization implements a management system based on a recognized standard and has been audited by an external organization, the organization is certified.
shall
Indicates a requirement
should
Indicates a recommendation
may
Indicates permission
can
Indicates a possibility or capability
The Seven Elements of Compliance Management
1. Culture
2. Objectives
3. Organization
4. Risk Identification
5. Risk Mitigation
6. Monitoring
7. Communication
Mandatory ('hard law')
- laws and regulations
- permits, licences or other forms of authorization
- orders, rules, or guidance issued by regulatory agencies
- judgements of courts or administrative tribunals
- protocols
Voluntary ('soft law')
- agreement with community groups or non-governmental organizations
- agreement with public authorities and customers
- organizational requirements (policies, procedures)
- voluntary principles or codes of practice
- obligations arising under contractual arrangements with the organization
- relevant organizational and industry standards.
- no legal obligation to follow them (ISO 9001, 14001, 37301, 45001)
Quality Management System Example (Deming)
Plan-Do-Check-Act (PDCA)
The most hazardous industries (Health and Safety)
1. Agriculture
2. Construction
3. Forestry
4. Fishing
Construction Sector
In 2022 there were 3286 (22.9%) accidents at work. In which sector did this happen?
EU regulations
direct legal effect
EU directive
needs to be implemented by transposing it into national law
Transposing
Translating EU law into national law
H&S Framework Directive/OSH Framework
- June 12th, 1989
- Integrated preventive approach
- Covers public and private sectors
- Contains general principles
- Encourages continuous improvement of health and safety
- The Directive aims to establish an equal level of safety and health for the benefit of all workers
Principles of Prevention (article 6 OSH)
(a) avoiding risks;
(b) evaluating the risks which cannot be avoided;
(c) combating the risks at source;
(d) adapting the work to the individual;
(e) adapting to technical progress;
(f) replacing the dangerous by the non-dangerous or the less dangerous;
(g) developing a coherent overall prevention policy which covers technology, organization of work, working conditions, social relationships and the influence of factors related to the working environment;
(h) giving collective protective measures priority over individual protective measures;
(i) giving appropriate instructions to the workers.
Other H&S Directives
- Directive on Workplace Requirements
- Directive on the use of work equipment
- Directive on the use of personal protective equipment
- Directive on risks arising from vibration
- Directive on risks from explosive atmospheres
- Directive on Major Accident hazards (Seveso)
Old approach
EU decides on standards --> Organisations comply
New approach
1. EU decides on essential requirements only
2. detailed standards are defined by the European Standardization Organizations (ESOs)
3. the ESOs develop a voluntary standard
- If a company follows standards --> presumption of conformity
- If a company does not follow standards --> they need proof that they conform with essential requirements
Non H&S Laws examples
- Regulation on the Classification, Labelling and Packaging of substances and mixtures (CLP)
- Registration, Evaluation, Authorization and Restriction of Chemicals (REACH)
Dutch Law System
- Directive (EU)
- Wet/Act
- Besluit/Decree
- Regeling/Regulation
Higher in this list = harder to change, less detail
Hierarchy of Controls
Eliminate, Substitute, Isolate, Engineering, Admin, PPE
Every Sunday I Eat A Pizza
Netherlands Labour Authority (NLA)
works for fair, healthy and safe working conditions and socioeconomic security for everyone.
- Arbo catalogue (Arbocatalogus)
Dutch Safety Board
- an independent administrative body that operates independently of the Dutch government and other parties.
- decides which occurrences and topics to investigate, mainly focuses on situations where citizens depend on parties such as the government, businesses or institutions for their safety.
- the aim of these investigations is not only to identify direct causes, but also to examine administrative processes that can influence safety.
- aims to learn from occurrences and make recommendations to improve safety.
- internationally, the Board plays a role in conducting safety investigations based on international treaties and European legislation
CIA Triad
1. Confidentiality
2. Integrity
3. Availability
NIST framework functions
- Detect
- Recover
- Respond
- Protect
- Identify
NIS2 Directive
1. Risk Management Measures (proactively)
2. Incident Reporting (CSIRT)
3. Governance and Accountability
2 Categories Of Organisations (NIS2)
1. Essential Entities
2. Important Entities
Important Entities
Operate in moderately critical sectors (e.g. postal services, food, waste management).
- Supervised reactively (e.g. after a complaint or incident).
Essential Entities
Operate in highly critical sectors (e.g. energy, banking, digital infrastructure, healthcare).
- Subject to proactive supervision.
- will have supervision ALWAYS
BIO
Baseline for public sector information security
The Dutch "TOP" strategy in health & safety - Arbeidshygiënische strategie
Technical measures
Organizational measures
Personal protective equipment
GDPR
General Data Protection Regulation
Core Principles of GDPR
1. Transparency
2. Control
3. Accountability
Personal data
any information that can identify a person, directly or indirectly
- Even pseudonymized or aggregated data can be personal if re-identifiable
Processing
includes collecting, storing, organizing, altering, deleting, viewing, or transmitting personal data (Art. 4.2 GDPR)
- Manual and automatic actions both qualify — even printing a list or viewing a photo
- GDPR applies to the entire lifecycle of personal data, not just its collection
Key GDPR Roles
Controller, Processor, Recipient
Controllers
determine the purpose and means of processing and remain legally accountable for compliance — even when outsourcing
Processor
acts on behalf of the controller, without independent decision-making
Recipient
is any party to whom personal data is disclosed
Risk Mitigation
set up a program to achieve your objectives and address your risks
performance
measurable event
corrective action
action to eliminate the cause(s) of a nonconformity and to prevent recurrence
audit
systematic and independent process for obtaining evidence and evaluating it objectively to determine the extent to which the audit criteria are fulfilled
Scope Value Chain
EU fatal workplace accidents in 2022
22.9% - 3286
What approach the OSH Directive uses to promote workplace safety
An integrated preventive approach.
European Standardization Organizations (ESOs)
Bodies responsible for developing detailed voluntary standards based on essential EU requirements.
Presumption of Conformity
Companies that follow ESO standards are assumed to meet EU essential requirements automatically.
Non-H&S Laws
Regulations that, while not specifically health and safety laws, have implications for workplace safety and compliance, especially in handling hazardous substances.
ISO 27001/2.
Basis WBNI
- Process of risk assessment and risk treatment
GDPR in 4 Steps
1. Determine if personal data is processed
2. Confirm if GDPR applies.
3. Identify a lawful basis for processing.
4. Apply GDPR principles
If no to any step → non-compliance risks apply
- Transparency is required at all stages
A risk-based approach
Implementing security measures based on risk likelihood and potential harm
A Data Protection Impact Assessment
A process to assess high-risk data processing activities