What to expect from the eagerly anticipated ISO 37301?
Compliance professionals throughout the world are eagerly awaiting the imminent publication of ISO’s new standard on Compliance Management Systems, ISO 37301. Following the release of ISO 37001 for anti-bribery management systems in 2016, this will be the second certifiable standard in the area of compliance. We believe, however, that this new standard will receive greater importance and wider adoption than the earlier ISO 37001:2016. This is because although anti-bribery is one of the main compliance areas for many companies, it does not equal the importance given to other compliance issues by most organisations across the globe. As organisations implement programmes for general compliance, ISO 37301 will set a global benchmark in these areas thus increasing its reach to a wider audience.
Structured on ISO’s formula and previous standard
When drafting the new ISO 37301 standard, the committee relied heavily on the previous standard for Compliance Management Systems, ISO 19600, as a guide. Created in 2014, this original framework was meant to set an industry precedent with its non-certifiable guidelines. Organisations could then process its value and begin restructuring their compliance management systems to adhere to the new standard. Now six years later, ISO has decided that it would be more effective and valuable if organisations could actually prove that they have committed to following the global standard for compliance management by implementing the certifiable requirements of the soon to be released ISO 37301 standard.
Parallels can also be drawn between ISO 37301 and the aforementioned ISO 37001 standard on anti-bribery management systems, which might make the value of the standard and its implementation easier to understand. Drafted by ISO, both standards follow the organisation’s principles of Plan-Do-Check-Act (PDCA). This means that like ISO 37001, ISO 37301 will operate as a cycle of continual improvement, with risk‐based thinking at each stage. When selecting their drafting teams, ISO ensures the teams or working groups include a variety of perspectives so that the needs of all types of organisation are considered. We can therefore expect ISO 37301 to be suitable for all organisations, regardless of type, size, sector, or activity. Organisations and particularly compliance departments that are already familiar with these principles through ISO 37001 will find the development and implemention of a system that is compliant with the requirements of ISO 37301 to be much easier.
What will it deliver?
Though its predecessor offered important guidance to organisations, the opportunity to certify their general compliance management system is crucial for those that wish to leverage it as an organisational asset which differentiates them from competitors and makes an impression on stakeholders.
The all-encompassing nature of compliance management systems offers the promise of far reaching improvements throughout an organisation. The management of compliance areas such as money laundering, data privacy, sanctions, export control, and fraud will all have to meet the minimum requirements that are set forth within the standard. Based on previous ISO standards this means that all of these areas will not only have to be established, developed, and implemented correctly, but also evaluated and maintained to achieve the standard’s required continual improvement. We can therefore look forward to not only more effective overall compliance, but also more effective cogs that make this critical system run.
Why should we get certified for both standards when we can just certify our overall compliance management system? Industry professionals might use this logic to conclude that the publication of ISO 37301 will make ISO 37001 irrelevant. However, ISO 37001 and future ISO compliance standards still offer substantial value which lies in their greater attention to detail concerning specific operational controls. Unlike 37301, it also demonstrates the strength of your anti-bribery management system specifically, which is one of the most important areas of an overall compliance management system. Due to the same ISO base structure of the two standards, it is also possible to integrate them and conduct an integrated certification. This plan would reduce the total audit duration time and effort that would normally be required to achieve them separately. Therefore, ISO 37001 remains an important standard both for companies that have already certified and those that have not.
Based on the principles of good governance, proportionality, transparency, and sustainability, we anticipate the new standard to include the following additions to ISO 19600:
- Inclusion of the employment process (due diligence before hiring and promotion; disciplinary action in case compliance obligations are violated)
- Further strengthening of employee reporting (“whistleblowing”) and employee protection
- An outline of the principles for investigation processes
One of the most significant risks that organisations face is inadequate corporate compliance, which is often identified through regular risk assessments. The implementation and certification of an internationally recognised compliance programme will ensure organisations maintain integrity in a systematic, structured manner that meets international best practices.
A significant global adoption
There have been pushbacks on ISO 37001 certification since its publication in 2016, because of a lack of understanding of the value that converting to an anti-bribery management system and certifying it brings. This is highlighted by its limited adoption throughout the world, with the last ISO Survey showing 800 certificates globally. However, we believe that the wider appeal of ISO 37301 will result in quicker adoption with much higher overall global numbers. We expect these numbers to be similar to ISO 50001 for energy management systems, which has more than 18,000 total valid certificates. This prediction is based on ISO 37301’s similar broad application and its status as a non-mandatory standard but one which offers requirements with guidance for use.
Certification against this standard presents the only opportunity to test your compliance management system against an external benchmark (unless you wait for the more risky and potentially expensive government agency investigation), demonstrating its effectiveness to your clients and stakeholders. As compliance experts, we have been involved in the creation of this standard by offering suggestions which have been applied to the final draft (particularly in relation to the role of the compliance risk assessment). When the final draft is published in the coming days, interested customers can anticipate ETHIC Intelligence training sessions and readiness assessments (or gap analysis) to help them prepare for future certification.