The new ISO 37301 Standard on Compliance Management Systems – A Game Changer?
Creating an ISO standard is a long and arduous process that typically entails many years of completed stages and a lot of hard work by drafting teams before it is ready for publication. For ISO 37301, this process began a few years before the publication of ISO 19600 Compliance management systems – Guidelines in 2014 and has just reached publication at the start of 2021. This means that the standard has now been approved, allowing organisations to be audited and certified against it by third parties like ETHIC Intelligence. In coordination with the publication of ISO 37301, we would like to share our takeaways on the major changes that were made to the previous ISO 19600 chapters and what they mean for your organisation.
Purpose – Creating the Opportunity for Certification
The most obvious value of ISO 37301, and the reason a new compliance management system standard was required in the first place, is that it builds upon the reference text of its predecessor by replacing the word “should” with “shall”. Although this sounds like a minute detail, the change in wording is what makes certification possible. Instead of acting as a set of guidelines which compliance professionals can read and choose which points they feel are valuable enough to implement, ISO 37301 lays out requirements which must be met if an organisation wants to communicate to shareholders that their compliance management system meets the industry’s standard of best practices. This then allows third party auditors, like ETHIC Intelligence, to audit the compliance management system and determine if it has in fact been built according to ISO 37301’s requirements.
Context of the Organisation – Building "fit for purpose" Systems
The new cornerstone of all ISO management system standards, the “context of the organisation” is an integral part of what ISO calls their “high-level structure.” It is built upon the understanding that no two organisations are exactly the same, with each requiring a unique system that fits its needs. ISO 37301 incorporates this into the comprehensive requirements which were already in place for ISO 19600 by requiring that organisations conduct a thorough analysis of their business and operational environment (such as interested parties, compliance obligations, etc.), which must include a risk assessment. This analysis can then be relied upon to help the organisation define the scope of their compliance management system based on the risks identified in the assessment.
Within the already established context of the organisation guidelines for ISO 19600, organisations were advised to conduct an identification of compliance risks, which could be done either through a compliance risk assessment or “via alternative approaches”. ISO 37301 requires a formal compliance risk assessment, which will encourage organisations to prioritise risks and properly allocate resources and time towards the compliance areas where they’ve identified that most of their risk lies. For example, a compliance management system might include very strong AML and data privacy programmes, but that doesn’t really help if the biggest compliance risk for the organisation is within export control.
What makes ISO 37301 different from other ISO management systems in the area of compliance (the existing ISO 37001 and future management system standards applying to compliance subsections, like for example anti-fraud) that also have this “context of the organisation” cornerstone, is the breadth of compliance subsections that it can include when compared to something like ISO 37001 for anti-bribery. This requires that organisations conduct a general risk assessment to identify which compliance areas present them with the most risk, and an assessment to identify risks in those applicable compliance subsections. While this is critical for building a high-functioning compliance management system, the requirement of “having controls in place” is also too broad to make a substantial impact within each compliance subsection. Therefore, as an example, an organisation for which the biggest compliance risk is bribery will ideally implement both an overall management system compliant with ISO 37301 and a specific anti-bribery management system compliant with ISO 37001.
Compliance Culture & Governance – A Distribution of Responsibility
Perhaps the largest technical evolution that occurred between the two standards is that ISO 37301’s Chapter 5 has placed a stronger emphasis on how an organisation handles its compliance culture. This means that the responsibility for making a compliance system run effectively has been distributed across every department, although the compliance department is still in charge of the system’s overall management.
Despite the obvious fact that compliance professionals have more experience in compliance matters than their colleagues, they cannot always be on the ground helping staff to make the correct decisions in the event that a compliance issue presents itself. By including staff in the system whose primary function is not compliance, the relationship dynamic changes from one of enforcer and enforced to a much healthier team dynamic, uniting towards the goal of making their compliance system effective. This shift in dynamic has proven effective with other ISO standards, with results supporting the instinctual assumption that it is easier to accomplish a system’s goals through a collaborative effort. These past results made the ISO 37301 drafting team’s decision to strengthen this particular component of the standard an obvious one.
Employment Process – Requirements to Decrease Organisational Risk
During their study of improvements that could be made upon ISO 19600, compliance experts from the ISO Drafting Committee identified a specific risk that organisations needed protection against. Chapter 7 has increased focus on employment processes and adds requirements for risk-based due diligence measures prior to hiring, transfer, or promotion. The chapter also provides clarity in employee management, setting forth specific requirements related to conditions of employment and disciplinary measures in the event the organisation’s compliance obligations are violated.
Already a best practice in a number of countries, these requirements exist to ensure that the employment process is much more transparent and systematic, particularly for those functions which are exposed to higher compliance risk, and many professionals will appreciate that reasoning. Organisations are often exposed to risk because they are unaware of the previous legal or other problems of their current or potential employees. Implementation of these policies eliminates guesswork and gives employees a code to which they can refer when making decisions on employment process matters, such as which potential or current employees require light or enhanced due diligence, how to handle an issue that was found, or which disciplinary actions to take if an incident occurs in the future.
Raising Concerns & Investigations – An Emphasis on Whistleblower Protection
In fully re-writing chapters 8.3 and 8.4, the drafting team felt that these sections of the standard needed wholesale changes, with a significant (and in our opinion justified) emphasis placed on the usage of whistleblowing tools. The new text is completely focused on ensuring the effectiveness of these tools and of the subsequent investigation process when necessary.
A potential precursor to the emphasis that ISO is placing on whistleblowing with ISO 37002, this area of compliance is critical to ensuring the success of future management systems. As we previously mentioned, organisations can hire a best-in-class compliance team and have a phenomenal certified system, but these efforts can be for naught if there isn’t organisational buy-in. Protecting whistleblowers who signal an issue to the compliance team is the first step towards achieving this buy-in and will improve the identification of any potential issues that may occur within an organisation.
Certification against this standard presents the only opportunity to test your compliance management system against an external benchmark (unless you wait for the riskier and potentially more expensive government agency investigation). Passing this test demonstrates the effectiveness of your system to your clients and stakeholders, with data suggesting that this recognition often results in increased profits. Though the path towards achieving certification may seem overwhelming, ETHIC Intelligence has developed a complete suite of services that can guide your organisation throughout the entire process. Consider these tools depending on your current programme and organisational competencies.
- Training – for organisations that are interested in acquiring a thorough knowledge of the standard which they can use to convert their current compliance programme into a management system that meets ISO 37301’s requirements
- Readiness Assessment (gap analysis) – the first step towards certification, for organisations that would like to identify changes that need to be made to their current programme or system in order to meet ISO 37301’s requirements
- Pre-Audit – for organisations that are confident that they currently possess a compliance management system which should meet ISO 37301’s requirements, but would like to be more confident in the audit process