ISO 37301 – What organisations need to know about the CMS standard
Everything you need to know about the new international standard in compliance management: the ISO 37301.
In a major development for compliance, a new set of global standards for compliance management systems (CMS), the ISO 37301, has been developed and implemented by the International Organization for Standardization (ISO), the independent, non-governmental body.
As corporate compliance remains one of the highest risk concerns for management, a robust compliance program is key to maintaining integrity and trust within an organisation and with stakeholders. This internationally recognised standard provides a comprehensive set of requirements and guidelines for creating such a system.
The ISO 37301 framework, published in April 2021, provides a certifiable global benchmark for compliance systems. What benefits will it bring to compliance procedures for organisations? And what will businesses need to do to conform to the new standard in compliance management?
A history of best practice in compliance management
Until this year, ISO 19600 was the recognised international standard for best practice in compliance management. First introduced in 2014 and valid in more than 160 countries, it provided a detailed guideline standard for effective compliance programs. With the publication of ISO 37301 this April, the ISO 19600 is withdrawn and becomes obsolete.
What are the key differences of ISO 37301 to ISO 19600?
Despite the comprehensive nature of ISO 19600, this former standard outlined only recommendations, and did not set out requirements. In other words, according to the ISO Standards criteria, it was a Type B Management System Standards (MSS). In contrast, the ISO 37301 is a Type A MSS. It is therefore a certification standard and certifiable by every accredited auditor.
The standard is applicable to all types of organizations, irrespective of their size, industry, risk exposure or global footprint. Including the following:
- Private organisations, including separate business units and subsidiaries.
- Public organisations, including administrations and political parties.
- Non-profit organisations, including NGOs and charities.
Notably, the ISO 37301 is flexible in its requirements and recognises that each and every organisation is responsible for determining the needs of their own compliance platform and how to ultimately implement the recommended practices.
As many of the core elements of ISO 19600 have been maintained and incorporated into the new standard, any organisation that had already followed or implemented the guidelines of ISO 19600 will already have made strong headway in complying with ISO 37301.
What do you need to know about ISO 37301?
Most importantly, ISO 37301 describes in detail how to configure a compliance management system in order to satisfy international legal norms and regulations. This standard also stipulates compliance with social and ethical values.
Similar to other ISO principles for management systems, such as the ISO 37001 standard for anti-bribery management systems, the ISO 37301 draws on the established ISO principle of “Plan-Do-Check-Act” (PDCA) which requires that certified companies operate within a continuous improvement process cycle. The ISO 37301 encourages companies to focus on the systematic implementation of an organisation-wide compliance system.
A key passage in the documentation provides an insightful summary:
“The compliance management system should be based on the principles of good governance, proportionality, integrity, transparency, accountability and sustainability.”
First steps to creating a compliance management system
Embedded in the standard are a number of key requirements for setting up an effective and efficient compliance management system, including the following:
- Identifying interested parties who need to be accounted for in the compliance management system, ranging from government agencies and regulatory bodies to business associates and employees.
- Determining the context of the organisation and putting in place processes that identify compliance obligations and compliance risks to ensure ongoing compliance.
- Ensuring top management and governing bodies uphold the values of the organisation and support all policies, processes and procedures that are essential to achieve compliance objectives.
- Introducing monitoring mechanisms to establish measurement within the business, as well as assessing the compliance management program on the basis of the implemented controls and measure the findings.
- Monitoring and investigating cases of non-compliance on a regular and consistent basis.
In addition, prior to hiring personnel or promoting existing personnel, organisations are required to undertake due diligence, including reference or background checks.
What’s new in ISO 37301: whistleblowing policies
A key objective of the ISO 37301 is to support organisations in creating a positive culture of compliance. An important section in the new requirements therefore focuses on best practice for establishing a company-wide whistleblowing policy. Unlike ISO 19600, the new standards for compliance management systems also strengthens whistleblowing protection and procedures.
The key principles for whistleblowing processes as outlined in ISO 37301 can be summarised as follows:
- Timely and thorough investigation of any allegations or suspicions of misconduct by the organization, its personnel or relevant third parties.
- Visible and accessible whistleblowing system to all staff and relevant parties.
- Confidential and anonymous reporting procedures and system to allow whistleblowers to retain their anonymity if they so wish.
- Fair and independent investigation of any allegations.
- Written and complete documentation of any response to whistleblowing allegations, including disciplinary or remediation measures.
- Clear and insightful details of any lessons learned from a whistleblowing incident, as well as documentation of any changes to the compliance management system as a result of the incident.
Find out more about the upcoming ISO 37002 standard for whistleblowing systems.
Why do we need a uniform standard for a CMS?
Keeping up to date with all the requirements for compliance is an ongoing process that needs to be monitored continuously in a structured and targeted way. An effective and efficient CMS supports organisations in determining, monitoring and tracking the relevant requirements to improve compliance across an organisation.
It’s important not to underestimate the value of compliance management systems. Being able to demonstrate that your company has implemented a set of recognised compliance processes is invaluable to all interested parties, from employees to suppliers, judges and governments. It helps ensure and demonstrate that your organisation and staff operate in accordance with all applicable laws, regulations, industry codes, voluntary standards and codes of conduct. It provides assurance that you have in place all the necessary measures to prevent or lower the risk of corruption.
Since the ISO 37301 sets a clear and comprehensive global benchmark for state-of-the-art compliance management systems, organisations that fail to follow the standards may lose out to companies who implement them. And for good reason. Ultimately, a comprehensive and certified CMS demonstrates a firm commitment to company-wide good governance and ethical practice.
Key principles of establishing an effective ABC programme