Business Compliance Services | Compliance Management Consulting

Beginners’ Guide to CMS (Compliance Management System)

This Beginners’ Guide to Compliance Management System provides a step-by-step program for establishing, developing, implementing and maintaining an effective and responsive compliance management system within an organisation in accordance with the international standard for Compliance Management Systems (ISO 19600:2015). This standard has been adopted by Standards Australia and is used by government bodies, education institutions and major Australian entities to build a best practice system for compliance within their organisation.

This Guide is designed for organisations of all sizes, with a specific focus on helping small and medium enterprises meet their compliance obligations in an easy-to-implement, cost-effective and efficient manner.

If you are new to compliance, this best practice Guide to building a compliance management system provides you with comprehensive information on what you need to do to set up an internal system for complying with and meeting your legal and regulatory obligations and commitments.


  1. Introduction
  2. Program structure
  3. Compliance management system flowchart
  4. CMS development overview
  5. Compliance organisational structure
  6. Compliance management framework
  7. Compliance management policy
  8. Compliance obligations and commitments
  9. Compliance documentation
  10. Other high value content
  11. Central repository
  12. Establishing processes
  13. Compliance management procedures
  14. Compliance register schedule
  15. Operationalising the system
  16. Compliance training
  17. Reporting and analytics
  18. Continuous improvement
  19. CMS roadmap


Governance, risk and compliance (GRC) is an umbrella term covering an organisation’s approach to corporate governance, risk management and regulatory compliance. While this Beginners’ Guide relates to a step-by-step program for the development of a compliance management system, it also covers developing a governance framework and risk management system as related concepts that is required for an effective and responsive compliance management system.

In order to be effective, any compliance management program of an organisation requires good organisational culture. Implementing a good organisational culture always starts from the top – an ethical and risk aware management leads to an ethical and risk aware team. On the other hand, a poor corporate culture drives misconduct.

Hence, a large part of this Beginners’ Guide covers recommendations, tools and resources dedicated to building processes for developing core values for senior management and staff and for implementing these in practice.

Program structure

The step-by-step program is divided into 2 stages. This program structure can be used by any large or small organisation to build a compliance management system.

  1. Stage 1: Develop and implement a compliance management system
  2. Stage 2: Maintain and improve the system

Even if your organisation has a robust compliance management system, it is a good idea to review the system following our program structure as part of your continuous improvement process.

The length of time it takes to develop and implement a compliance management system depends on your resources, dedication to the program and size of your organisation. For clients on our compliance programs, many of our smaller clients implement the system very quickly (around 4-6 weeks) while others take a while longer to complete Stage 1. For organisations with larger teams and more stakeholders to consider, implementing a system from scratch may take up to a 6 months or more.

Stage 2 is an ongoing program with a focus on the continuous improvement of your compliance management system. If you are on our compliance programs, we provide regulatory monitoring services and supply updates on compliance documentation, schedule online compliance training sessions and review compliance performance with our clients. We also assist with our clients’ compliance roadmap, including reviewing and improving on staff compliance, technology, systems, processes, procedures and more.

Compliance management system flowchart

This compliance management system flowchart has been extracted from the Australian and international standard ISO 19600:2015. The step-by-step program follows the flowchart and adapts it for small businesses who do not have such a complex organisational structure.

CMS development overview

The remaining sections of our Beginners’ Guide outline the steps for developing, implementing, measuring and improving on the compliance management system with examples, templates and guides. You will need to determine an organisational structure for compliance, scope, establish policies and standards, create your documentation, schedule training and more. We recommend that you follow the steps outlined below as closely as possible so that Australian and international standard ISO 19600:2015 requirements for a compliance management system are met.

If you are on one of our compliance programs, all your compliance documentation templates will be supplied through your dedicated Workspace.

Implementation steps

The table below outlines in detail the implementation steps. The structure is flexible in that it is possible to work around your existing processes and improve on such processes rather than to start from scratch.

For those on our compliance programs, a copy of the table is available for download in your dedicated Workspace to allow you to track your progress.

Step 1: Create an organisational structure for compliance  
Step 2: Develop a compliance management framework  
Step 3: Develop a compliance management policy  
Step 4: Identify your compliance obligations and commitments  
Step 5: Create your compliance documentation  
Step 6: Create other other required high value content  
Step 7: Create a central document repository  
Step 8: Establish procedures and processes  
Step 9: Develop compliance management procedures  
Step 10: Set up a compliance register schedule  
Step 11: Operationalise the compliance management system  
Step 12: Schedule compliance training  
Step 13: Run performance reports and analytics  
Step 14: Establish continuous improvement processes  
Step 15: Implement a CMS roadmap  

Step 1: Compliance organisational structure

There are two main options for building a compliance function into your organisation:

  1. Embed the compliance function into every business unit within the organisation, or
  2. Create a separate compliance management function within the organisation (such as a Risk and Audit Committee or a appoint a Compliance Officer)

With the first option, compliance responsibility lies with every business unit (usually the team leader) and this may lead to greater enforcement of compliance requirements by the unit. However, having a compliance function in every business unit without a dedicated resource having oversight of compliance of the organisation means that each unit may have their own methods, processes and procedures for managing compliance and this may result in inconsistencies in both quality and performance.

In this respect, a best practice approach following the Australian and international standard ISO 19600:2015 requirements for a compliance management system is a generally a combination of both options, where a separate compliance management function is created within the organisation, with the function having oversight of compliance for the whole organisation but with each business unit being primarily responsible for compliance in their own teams.

Start ups and small businesses

For startups and small businesses, the compliance management function generally sits with the directors or the owners of the business. Nonetheless, it is a good idea for the directors or owners to appoint a compliance officer to manage and monitor the business’s compliance obligations and commitments. For financial services licence holders, the responsible manager can and is usually the organisation’s compliance officer.

Example ⇒ this is an example of a compliance organisation chart which includes a separate compliance management function within the organisation.

Step 2: Compliance management framework

A compliance management framework sets out the following:

  • an organisation’s approach to managing its compliance obligations and mitigating compliance risks, and
  • an overarching framework for policies, procedures, resources and tools used for identifying and managing compliance obligations.
Example ⇒ This is a compliance management framework template which you can use and adapt to suit your organisation.

Step 3: Compliance management policy

The next step is to create a compliance management policy that sets out the compliance organisation structure and compliance responsibilities of every individual within the organisation, from directors and owners to individual employees and contractors.

The compliance management policy should be appropriate for the size of your organisation and should be reviewed on a regular basis, at least once a year. The policy needs to cover the following:

  • scope of the compliance management system
  • application and context of the system
  • compliance organisational structure
  • degree of independence and autonomy of the compliance function
  • responsibility for managing and reporting on compliance issues
  • principles on which relationships with internal and external stakeholders will be managed
  • required standards of conduct and accountability
  • consequences of non-compliance

The compliance policy should be available as documented information, should be written in plain language and kept in a location accessible by all employees and staff within the organisation.

More information on creating a central document repository will be provided later in this Guide.

Example ⇒ This is a compliance management policy template which you can use and adapt to suit your organisation.

Step 4: Compliance obligations and commitments

The application of rules, regulations and laws to your organisation depends on your organisational structure, business activities, products, services and operational processes.

Examples of sources of compliance obligations include the following:

  • laws and regulations
  • orders, rules and guidance by regulatory bodies
  • permits, licences, other forms of authorisation e.g. ACL, AFSL
  • court or tribunal judgements
  • treaties, conventions, protocols

Examples of sources of compliance commitments include the following:

  • agreements with community groups, trade unions, non-governmental organisations
  • agreements with public authorities
  • agreements with customers, vendors and suppliers
  • contracts with employees, consultants and contractors
  • voluntary principles or codes of conduct
  • voluntary labelling or environmental commitments
  • relevant industry standards

Without knowing in advance every activity that may be conducted by your organisation, it is impossible to identify every obligation that may potentially apply to such activity at this stage. In addition, the changing economic and legal landscape in some areas of law (e.g. employment) means that meeting your compliance obligations now may not necessarily mean that the obligations remain the same or that the actions taken by you to comply will be sufficient for the future.

However, in building a compliance management system that meets Australian and international standard requirements, you are seeking to minimise the risk of non-compliance by putting in place a process for ensuring that new activities, products and services developed or offered have gone through a compliance checklist prior to such activity, product or service being released or launched.

In general, there are some legal and regulatory obligations that apply to every organisation doing business in Australia. In addition to such general obligations, regulations may apply to specific industries and specific entities.

Resources  Please refer to our guide on Guide To Identifying Your Compliance Obligations for instructions and resources.
Next ⇒ Compliance policy and procedure templates