ISO 37301 and Human Behavior
Compliance should be an ongoing area of focus for any organization that seeks to succeed in the long term and maintain a positive reputation. Ensuring adherence to all compliance obligations, i.e., the requirements the organization is legally bound to meet as well as those it voluntarily commits to, safeguards the organization from financial penalties and public scrutiny and, in the most severe cases, from ceasing to exist.
As witnessed in the past few years, the complexity of regulation has grown in parallel with the complexity of business operations and transactions. Apart from the traditional laws that set the boundaries of business, countries have enacted, and continue to enact, new laws addressing bribery, data protection, and privacy, to name a few. All of these translate into additional requirements that an organization has to adhere to. Managing compliance has therefore become a task that requires a structured and organized approach. One mechanism that aims to provide such an approach is a compliance management system (CMS) based on ISO 37301:2021.
Although the benefits of a CMS sound good on paper, its implementation requires serious commitment from the organization. Even a well-designed CMS can fail because of persistent corporate norms that shape individual and collective decision-making. In addition, a CMS that is not paired with the organization's values risks being regarded as an annoying process consisting of nothing more than a series of box-checking routines.
To avoid establishing an ineffective CMS, an ethical managerial attitude and an organizational culture of compliance are required. An ethical organization is one whose leadership, beginning with the governing body, is fully committed to compliance, to the organization's values, and to leading by example. The effectiveness of a CMS is undermined in an environment where employees see those in positions of power participate in wrongdoing and demonstrate unethical behavior.
Consequently, to demonstrate that the leadership is committed to compliance, ISO 37301 includes requirements aimed directly at the governing body, top management, and middle management, listing the specific responsibilities these positions have vis-à-vis the CMS. Beyond these, the standard requires the organization's leadership to establish a positive compliance culture through a holistic approach, one in which all members of the organization are involved in and take part in the CMS. Taken together, the requirements aimed at leadership help leaders demonstrate their commitment to compliance, which in turn nudges employees in the same direction.
Beyond leadership's commitment, however, ISO 37301 acknowledges the importance and contribution of personnel. It sets out requirements regarding responsibilities, competence, awareness, and communication which ensure that, when it comes to compliance, personnel are on the same page as the organization's leadership.
An employment process that periodically reviews performance targets must be established as part of the CMS, and training must be provided to personnel on a regular basis. Studies show that bonuses and incentives influence human behavior, and the standard recognizes the benefits these can bring. Yet it also recognizes that performance bonuses and incentives can sometimes be counterproductive, and it cautions organizations by requiring them to periodically verify that appropriate measures are in place to prevent incentives from encouraging noncompliance.
In general, ISO 37301 promotes the adoption of training programs on the importance of compliance and risk management. Through these programs, personnel understand that the organization is committed to compliance and comprehend how important it is for them to act ethically. The training programs also develop employees' communication skills and support their personal growth. Through this approach, personnel have a voice in decision-making processes and understand that a compliance culture and an effective CMS are built on their own accountability rather than on external controls.
An effective CMS should position compliance in a larger ethical context and show consistency between espoused values and behaviors. A successful CMS not only focuses on establishing measures and controls that prevent noncompliance, it also shapes desired human behaviors.