5 minute read 26 Oct 2021

How ISO 37301 will affect global compliance programs

Authors
Brenton Steenkamp

Partner, Forensic & Integrity Services, EY Advisory Netherlands LLP; EY Western Europe and Magreb Forensic & Integrity Services Leader

Tenacious. Honest. Driven. Loves people, enjoys working hard, and travels widely.

Andreas Pyrcek

Partner, Forensic & Integrity Services, Ernst & Young GmbH Wirtschaftsprüfungsgesellschaft; EY Global Forensics Integrity, Compliance & Ethics Leader; Global Forensics Sector Leader Technology, Media & Entertainment and Telecommunications

Trusted advisor for proactive compliance, ethics and integrity challenges as well as in responding to fraud, bribery and corruption globally.


Organizations can build trust through a standardized compliance management system.

In brief
  • The International Organization for Standardization published a new standard, ISO 37301, which sets requirements related to compliance management systems.
  • The launch of ISO 37301 is a next step toward standardization, which could impact compliance departments of internationally operating organizations.

In a world that is ever more connected, with trade flows stretching far beyond the borders of an organization’s headquarters, compliance becomes increasingly complex. Regulators and supervisors hold organizations responsible not only for the actions of their own employees but also for those of their agents and suppliers. Merely obliging subsidiaries, agents or suppliers by contract to have a compliance program may not be enough to reduce the risk of noncompliance. In the absence of certainty, it is up to the company to weigh ethical decisions and blaze the trail itself.

Long-lasting economic success is strongly correlated with a culture of integrity and compliance. The first step — designing and implementing a systematic compliance program — is a hurdle many organizations have already taken. However, turning that program into a management system that continuously learns from past experience and best practice remains a challenge for most organizations.

The journey from a compliance program to a compliance management system may be a daunting one without having guidance from experts in the field. That’s why the International Organization for Standardization (ISO) published a new certifiable standard for compliance management systems in April 2021: ISO 37301.

A new standard for compliance management systems

People familiar with ISO may read the previous paragraph and ask: “What about ISO 19600 and ISO 37001?” The answer is simple: ISO 37301 is intended to replace ISO 19600, which served as a guideline for compliance management systems. Both standards rest on the same principles, take a risk-based approach and focus on holistic compliance management systems; however, only ISO 37301 is officially certifiable. That is good news for organizations that already use the guidance in ISO 19600 to build their compliance management system: if implemented correctly, that system probably already contains the key elements required to align with ISO 37301.

ISO 37301 was designed by a committee of professionals and experts from many different countries and has the support of the majority of ISO member nations. It provides assurance that risks are regularly assessed, that business partners are screened using a risk-based approach, that the organization has a working system for raising concerns and that, in case of nonconformities, the organization improves its systems.

The standard outlines the significant and mandatory components of a corporate compliance program. Although ISO 37301 has drawn considerable criticism that it turns corporate compliance programs into a “check-the-box” exercise, the standard itself offers a high degree of flexibility to design, implement and operate an organization-specific compliance program that meets the needs of the individual corporation.

Furthermore, ISO 37301 is closely related to ISO 37001, which was launched in 2016. ISO 37001 focuses on anti-bribery management systems as part of the wider compliance management system. Organizations that are already considering certifying their compliance management system against ISO 37001 could save time and cost by implementing ISO 37301 at the same time.

The key elements of an ISO 37301 compliance management system

The standard is based on well-established and globally recognized principles of good governance, proportionality, transparency and sustainability.

It can be broken down into the building blocks shown in the figure below.

[Figure: Key elements of an ISO 37301 compliance management system]

A standard that can be tailored to organizations of any shape or form

Every organization needs to comply with laws and regulations. However, smaller companies might be discouraged by the prospect of building a compliance management system similar to those used by large multinationals. ISO 37301 is therefore designed to be applicable to all organizations, regardless of type, size and nature of activity, and whether in the public, private or not-for-profit sector.

Depending on the size or nature of the organization, some risks will be lower or higher. Organizations can decide to focus on certain risk categories and accept the risks associated with the others. Likewise, the compliance function under ISO 37301 does not need to be a full-time position — it needs to be adequate relative to the size of the operations. It can occupy only a fraction of a full-time employee’s time, or be outsourced entirely.

Better prepare than repair

Adopting ISO 37301 has many advantages for organizations across industries, irrespective of their size, the complexity of their operations and the geographies in which they operate, each of which affects internal and external aspects of compliance. Whether an organization chooses to certify its compliance management system or uses the standard as a starting point for a compliance program that meets international standards, implementation may allow an organization to:

  • Provide a competitive advantage in public procurement contracts
  • Enable a reliable audit trail in case of an investigation or review
  • Demonstrate to regulators the existence of a compliance program
  • Streamline processes and policies in line with the compliance requirements
  • Benchmark the compliance program against international standards
  • Fulfill requirements of business partners such as funding agencies, multilaterals, customers and governments
  • Enable confirmation by an independent assessor regarding the organization’s compliance framework
  • Enhance the perception and overall vigilance mechanism of the organization
  • Increase awareness among employees and third parties

ISO 37301 has the potential to become the single international standard for compliance management systems. Its core elements are not new, but brought together in this standard they form a solid base for organizations of any size, sector or country to lift their compliance efforts to the next level. For organizations that intend to be proactive and mitigate compliance risks, a gap analysis against ISO 37301 (initially based on the draft version) can help identify areas where compliance efforts need improvement. Now that the standard has come into effect, the organizations that are well prepared are expected to be the first to gain certification.

Summary

A new international standard has been launched that sets out requirements for compliance management systems. The standard, ISO 37301, can be viewed as the next step in consolidating the international standardization of compliance programs. A standardized compliance management system has multiple upsides. ISO 37301 gives companies a practical structure for a dynamic compliance program. It demonstrates that leadership appreciates that compliance needs continuous attention and improvement, and it provides a benchmark for the compliance program against an international standard.
