Whitepaper on ISO 37301:2021
Introduction
The Merriam-Webster dictionary defines compliance as “the act or process of complying to a desire, demand, proposal, or regimen or to coercion” and as “conformity in fulfilling official requirements.” While these definitions may be sufficient to generally understand this term, the concept of compliance, as referred to in this whitepaper (and described in ISO 37301), is much wider. In the past, compliance activities in organizations were directed mainly toward avoiding legal repercussions of noncompliance, whereas nowadays compliance is seen as a duty for any organization. Furthermore, the concept now does not entail only legal compliance, but it has been expanded to include organizational requirements, voluntary commitments, codes of practice, industry standards, and so on.
As defined by ISO 37301, compliance is the outcome of meeting all the organization’s obligations set by legislation and government agencies or adhering to a set of guidelines or specifications established by standards or their own internal policies. However, compliance in an organization requires a sustainable culture based on values, integrity, and accountability.
As national, international, and industry-specific laws, rules, and regulatory requirements emerge regularly, it has become quite a challenge for organizations to keep up with compliance matters. To complicate things even more, the existing laws, regulations, and standards are frequently updated and changed, thus making compliance an ongoing process. Failing to comply with the rules can result in penalties and potential legal issues, financial and reputational damage, etc.
This is where the importance of a compliance management system (CMS) becomes apparent. A CMS based on the requirements of ISO 37301 ensures a consistent and structured approach to compliance. It allows organizations to shape culture, set policies, procedures, and controls necessary to manage the risks associated with noncompliance, such as fines, damage to reputation, etc.
The Development of ISO 37301
Influenced by these changing attitudes, the importance of compliance and the interest in compliance management in organizations have been increasing steadily over the years. As such, a robust way of managing compliance has become an imperative for many organizations.
Being aware of this need for compliance programs in organizations, ISO established a Project Committee to develop a compliance standard based on AS 3806-2006, as proposed by Standards Australia. In 2014, ISO 19600, Compliance management systems — Guidelines was published and recognized internationally as a best practice in compliance management.
In September 2018, the work for the revision of ISO 19600 began. The first draft of ISO 37301 was approved in March 2020, while the final draft was approved in January 2021. The new standard ISO 37301, Compliance management systems — Requirements with guidance for use was published in April 2021, thus replacing ISO 19600.
What Is ISO 37301 and How Does It Differ from ISO 19600?
ISO 37301 specifies requirements and provides guidelines for establishing, developing, implementing, maintaining, and improving a CMS. The main purpose of this international standard is to help organizations establish the processes that allow them to comply with relevant laws, industry codes, and ethical and social responsibilities that organizations might have.
ISO 37301 has a similar clause structure compared to ISO 19600 — both standards have the high-level structure and are comprised of 10 clauses, of which 4 to 10 list the requirements for a CMS. However, one key difference between them is that organizations can claim conformance against the requirements of ISO 37301, whereas for ISO 19600 they could not. Unlike ISO 19600 which provided guidelines and was not meant for certification purposes (Type B standard), ISO 37301 provides requirements with guidance for use, meaning that its clauses are written with a directive language using the verbal form “shall” (Type A standard). Therefore, if organizations meet the requirements of ISO 37301, they can be certified against the standard through a conformity assessment body.
The differences between ISO 19600 and ISO 37301 in clauses 4 to 10:
Clause 4 — Context of the organization of ISO 37301 expanded requirements when understanding the organization’s context, and a new requirement was added related to interested parties which requires organizations to determine which requirements of interested parties will be addressed through the CMS. In addition, principles of good governance and examples of compliance obligations and commitments have been moved to Annex A of the standard. In contrast to ISO 19600 which provided detailed guidelines on compliance risks, ISO 37301 has simplified requirements on compliance risk assessment. However, further details on conducting compliance risk assessments are outlined in Annex A of the standard.
Clause 5 — Leadership of ISO 37301 differs in terminology and the division of subclauses. It emphasizes the importance of the governing body and top management’s leadership and commitment toward the CMS. This clause requires the continuous involvement of the organization’s top management by establishing compliance policies, procedures, and objectives. In addition, top management is responsible for integrating the requirements of ISO 37301 into the organization’s core processes, communicating the importance of an effective CMS, and conforming to applicable requirements.
Clause 6 — Planning of ISO 37301 lists a new requirement, the subclause 6.3 Planning of changes, which requires organizations to carry out changes to the CMS in a planned manner. The purpose of this requirement is to ensure that the effectiveness and integrity of the CMS are not compromised whenever the organization takes actions to change something in its CMS.
Clause 7 — Support has been simplified in ISO 37301. The majority of the information provided in ISO 19600 has been moved to Annex A of ISO 37301. However, a new subclause 7.2.2 Employment process has been added, which specifies the requirements on how organizations must conduct the recruitment and employment process, including due diligence procedures and disciplinary actions in case of noncompliance. In addition, clause 7.3 Awareness of ISO 37301 contains three new items of which the organization’s personnel must be aware. Thus, ISO 37301 requires organizations to raise their employees’ awareness regarding:
- The means of and procedures for raising compliance concerns
- How the compliance policy affects them and which compliance obligations they are required to meet
- The importance of supporting compliance culture
Clause 8 — Operation of ISO 37301 provides new requirements. Clause 8.3 Raising concerns is a new clause in ISO 37301 which is partially aligned with subclause 10.1.2 Escalation of ISO 19600. This clause requires organizations to establish reporting mechanisms, policies, and procedures, and inform all employees about their rights and protections when following them. In addition, ISO 37301 adds clause 8.4 Investigation processes, which specifies requirements on the investigation process of actual or suspected instances of noncompliance, including the responsibilities of investigators, outcomes of the investigation, and reporting and retaining documented information as evidence of the investigation.
Clause 9 — Performance evaluation of ISO 37301 provides simplified requirements, as most of the content pertaining to this clause in ISO 19600 has been moved to Annex A of ISO 37301. In addition, ISO 37301 specifies requirements for internal audit, compared to ISO 19600 where the term audit was generalized. Another difference between the two standards can be found in clause 9.3 Management review. ISO 37301 indicates that both governing body and top management must review the CMS, whereas ISO 19600 mentions only the top management as responsible for conducting this process.
Clause 10 — Improvement of ISO 37301 differs in the order of its subclauses when compared to ISO 19600. The content of clause 10.1.2 Escalation of ISO 19600 has been distributed between clause 8 Operation and Annex A of ISO 37301.
Leadership and Culture
An organization’s approach to compliance is ideally shaped by ongoing commitment from the governing body and top management promoting ethical conduct and a compliance culture. Their way of dealing with risks and issues that affect vital interests sends a clear message about acceptable behaviors and sets the tone for the rest of the organization to follow. Setting the “tone at the top” is one of the critical factors for an effective CMS. A negligent attitude toward ethical conduct from those at the top prevents an organization from achieving a culture of compliance.
As mentioned above, ISO 37301 has specific requirements for the governing body, top management, and management with regard to compliance culture. They are required to demonstrate “an active, visible, consistent and sustained commitment.” In addition, behavior that undermines compliance must not be tolerated and, whenever possible, prevented.
An effective CMS cannot be achieved by simply implementing policies and procedures. Optimal efficiency and effectiveness cannot be achieved in an environment that does not foster desired behaviors and fails to prevent undesired actions. The organization should continually promote strong ethics, provide awareness and training programs to ensure appropriate compliance management. Therefore, leadership at all levels, clear values, and embedded compliance in the behavior of each individual working for the organization are imperative for an effective CMS.
Responsibility for Compliance
A crucial element for the proper functioning and success of a CMS is how practice-oriented, efficient, and sustainable the design and construction of the management system are. Therefore, compliance should be implemented, understood, and practiced at all levels of the organization. In this way, employees will be able to properly understand the objectives and perform their daily actions in alignment with those objectives.
As stated in ISO 37301, the governing body and top management have a crucial role when it comes to compliance. In this regard, they determine whether the organization is set up as required and in accordance with the laws and regulations applicable. In addition, it is their responsibility to define the organizational objectives, and ensure that the personnel have the necessary resources to develop, implement, maintain, and continually improve the CMS.
To make sure that the employees are aware of the procedures that must be followed, top management is responsible for establishing internal rules such as guidelines for action, process definitions, or codes of conduct to help them understand the processes and be prepared to take any action needed to ensure compliance.
Apart from legal requirements, it is crucial to understand compliance commitments such as contractual requirements with customers. These commitments are reflected in the form of contracts, norms, and standards. In many cases they are conditions with no direct legal relationship, but failing to meet them may still have a negative impact on the organization. Thus, following the requirements of the standard and the other compliance obligations of the organization reduces the likelihood of noncompliance.
Sustaining the CMS through Employee Training
Sustainability of the CMS can be ensured by embedding compliance into the corporate culture. To ensure this, ISO 37301 emphasizes regular employee training to raise personnel awareness of their compliance duties and of how the CMS functions.
Compliance Controls and Procedures
Compliance controls and procedures must be implemented for the organization to be able to meet its compliance requirements.
The benefits of implementing strong and proper compliance controls include:
- Reduced noncompliance risk
- Protection against risk of fraud, corruption, and bribery
- Keeping compliance risks to acceptable levels
- Documented information as evidence of compliance
- Reporting accuracy throughout the organization
- Generation of data that can be used for measuring and improving the effectiveness of processes
Compliance controls aim to help organizations meet their objectives with regard to efficiency and effectiveness, appropriate reporting, and adherence to compliance obligations. While the type of controls to be implemented will depend on the specific type of the organization, the controls should be capable of operating as intended and they should help the organization achieve the expected results. It is up to the organization to ensure that all externally provided products and services relevant to the CMS are controlled to the necessary extent and in a timely manner.
Compliance controls can include:
- Automated processes
- Yearly compliance plans approved by relevant functions
- Ongoing communication regarding the compliance obligations and expected behavior of employees toward compliance
- Personnel performance plans
- Segregation of roles and responsibilities
- Work instructions
- Compliance risk assessments and audits
- Demonstration of management commitment toward an effective CMS
The establishment of a process for raising concerns, which is required by ISO 37301, will also help the organization with the management of their compliance obligations. The process should be accessible by all employees and it should also allow anonymous reporting.
Lastly, the implementation of an investigation process according to the requirements of clause 8.4 Investigation processes will allow organizations to examine in detail actual or suspected cases of noncompliance. However, in order to be reliable, such an investigative process requires qualified and competent personnel who act independently and objectively throughout the investigation process.
The Implementation of a CMS Based on ISO 37301
ISO 37301 presents the Plan-Do-Check-Act (PDCA) cycle for organizations to follow in order to effectively implement the CMS. The purpose of the cycle is to improve the processes of the organization and make it easier to establish a CMS within the business. The figure below provides an overview of the elements of a CMS.
Figure 1 — Elements of a compliance management system
Source: ISO 37301:2021
PECB has developed a methodology based on best practices for implementing a management system, known as the “Integrated Implementation Methodology for Management Systems and Standards (IMS2).” This methodology is also based on the Plan, Do, Check, Act (PDCA) cycle, and guidelines of ISO standards and meets the requirements of ISO 37301.
Organizations can implement the CMS as a stand-alone system, or they can integrate it with other management systems. Integration allows the organization to meet the requirements of two or more management systems. As such, a CMS can be integrated with a quality management system, information security management system, etc. It can also be aligned with other management standards, such as ISO 31000 and ISO 26000. The implementation of an integrated management system (IMS) is recommended in cases when organizations manage several compliance frameworks simultaneously. An IMS integrates all the components of a business into a coherent system which enables organizations to achieve their purpose and mission.
Since ISO 37301 is applicable to all types of organizations, be they private, public, or not-for-profit, the CMS can be implemented in such a way that enables adherence not only to laws and regulatory requirements but also to industry codes, good governance, best practices, and community expectations.
Figure 2 — Intertwining of the CMS with various sources of compliance requirements
Source: B M Zahid ul Haque
The Benefits of a CMS Based on ISO 37301
An effective CMS allows organizations to comply with relevant laws and regulations, international standards, industry practices, and codes of conduct. It ensures commitment to good norms of corporate governance, best practices, and ethical principles. In addition, implementing a CMS secures an advantage when signing new partnership contracts and improves the reputation of the organization.
The key benefits of implementing a CMS based on ISO 37301 include:
- Improved business opportunities and sustainability
- Enhanced operational effectiveness
- Competitive advantage
- Effective and efficient management of compliance risks
- Increased confidence of third parties in the organization’s capacity
- Improved compliance culture, awareness, and a positive impact on reputation
Conclusion
For organizations that have been using the guidelines of ISO 19600, the upgrade to a CMS based on ISO 37301 should be a logical and relatively easy next step.
Organizations that are certified against other ISO standards may find ISO 37301 an ideal opportunity to improve the integration of their systems across different regulatory and industry codes.
Regardless of the situation, context, industry, or maturity of the organization, adhering to compliance obligations is mandatory. Thus, compliance is a critical part of organizations. A CMS based on ISO 37301 can make a difference for organizations competing in today’s dynamic business environment.
PECB Certified ISO 37301 Training Courses Available
Enhance your knowledge and advance your career by participating in our ISO 37301 training courses. If you are a compliance officer, auditor, legal expert, risk manager, or simply want to pursue a career in compliance management, check the training courses below and find the one that suits you best.
Principal Authors
Donika Gashi Fazlija, PECB
Vesa Hyseni, PECB
Contributors
Arturo Salazar Lavado, Nexa Resources (Brazil)
B M Zahid ul Haque, BRAC bank Ltd (Bangladesh)
Brian Henry, The Caridon Group (Australia)
Carlos Flores, CONCEPTA TRAINING - GRUPO CONCEPTA (Peru)
Chidinma Agusiegbe, PricewaterhouseCoopers (PwC) (Nigeria)
Egzon Bunjaku, PECB
Fernando Cevallos, F&C Consulting Group (Mexico)
Juan Davila, Pragmatic SA (Peru)
Julie Methven, The Compliance Academy (South Africa)
Miguel Roca, Obremo S.L. (Spain)
Nadia Sarah, PT. Mitra Prakarsa Cemerlang (Indonesia)
Pauline Arifin (Ms), PT Mitra Juang Mandiri (SustaIN) (Indonesia)
Pedro Roberto Chale Paucar, Prime Profesional SAC (Peru)
Pedro Solis, Qroma (Peru)
Pierre Brien, Solutions anti-corruption (Canada)
Silvija Vig, CODUPO Compliance (Croatia)
Sylvestre Araba, Sil2 Sarl (Bénin)
Vitalis Nkwenti, Naveg Technologies (South Africa)