As the global economy becomes more interconnected, with trade flows stretching far beyond the borders of an organization’s home jurisdiction, compliance becomes increasingly complex. Regulators and supervisors hold organizations responsible not only for the actions of their own employees but also for the actions of their agents and suppliers. Merely obliging subsidiaries, agents or suppliers by contract to have a compliance program may not be enough to reduce the risk of noncompliance. In the absence of certainty, it is up to the company itself to weigh ethical decisions and blaze its own trail.
Long-lasting economic success is strongly correlated with a culture of integrity and compliance. The first step, designing and implementing a systematic compliance program, is a hurdle many organizations have already taken. However, turning that program into a management system that continuously learns from past experience and best practice remains a challenge for most organizations.
The journey from a compliance program to a compliance management system can be daunting without guidance from experts in the field. That is why the International Organization for Standardization (ISO) published a new certifiable standard for compliance management systems in April 2021: ISO 37301.
A new standard for compliance management systems
People familiar with ISO may read the previous paragraph and ask: “What about ISO 19600 and ISO 37001?” The answer is simple: ISO 37301 replaces ISO 19600, which served as a guideline for compliance management systems. Both standards are built on the same principles, take the same risk-based approach and focus on holistic compliance management systems; however, only ISO 37301 is officially certifiable. That is good news for organizations that have already used the guidance in ISO 19600 to build their compliance management system: if implemented correctly, that system probably already contains all the key elements required by ISO 37301.
ISO 37301 was drafted by a committee of professionals and experts from many countries and has the support of the majority of ISO member nations. Certification against it gives stakeholders confidence that risks are assessed regularly, that business partners are screened using a risk-based approach, that the organization has a working system for raising concerns, and that nonconformities lead to improvement of the system.
The standard sets out the essential, mandatory components of a corporate compliance program. Although ISO 37301 has drawn criticism that applying it turns compliance programs into a “check-the-box” exercise, the standard itself leaves considerable flexibility to design, implement and operate an organization-specific compliance program that meets the needs of the individual corporation.
Furthermore, ISO 37301 is closely related to ISO 37001, which was published in 2016. ISO 37001 covers anti-bribery management systems, which form one part of an overall compliance management system. Organizations that are already considering certifying against ISO 37001 could save time and cost by implementing ISO 37301 at the same time.
The key elements of an ISO 37301 compliance management system
The standard is based on well-established and globally recognized principles of good governance, proportionality, transparency and sustainability.
It can be broken down into the following building blocks: