This new standard updates and replaces ISO 19600 and provides an excellent framework for compliance management in a modern organization.
ISO 37301 is an international standard that sets out the requirements for establishing, implementing, maintaining, and improving an effective compliance management system (CMS) within an organization. The standard was published in 2021 and is the successor to ISO 19600, which was first published in 2014.
The relatively new ISO 37301 is an international benchmark and a certifiable standard to assess the design and operation of ethics and compliance programs. Compliance is the foundation of a sound business, and getting it right from the onset will prevent numerous headaches and problems down the road.
ISO 37301 sits alongside related ISO standards such as ISO 3700 for Governance, 37301 itself for Compliance, and ISO 37002 for Whistleblowing. ISO 37301 replaces ISO 19600 (see our webinar on ISO 19600). The goal of ISO 37301 is to harmonize compliance controls in policies and procedures, and to help organizations build a comprehensive compliance program across the entire enterprise.
The standard, in the same vein as other ISO standards, defines compliance as meeting obligations, which include external obligations imposed by governments and agencies as well as internal obligations that an organization has set for itself. Anything that an organization has decided to do becomes an obligation. This affects many organizations that have made public ESG commitments: the SEC in the US is now actively enforcing compliance with those voluntary commitments, effectively making them mandatory.
The ISO 37301 standard provides a framework for organizations of all sizes and types to manage their compliance risks and ensure that they are operating within legal, ethical, and social boundaries. The standard is based on the Plan-Do-Check-Act (PDCA) cycle, which is a continuous improvement process used in many management systems.
Key ISO 37301 Pillars
This ISO standard takes a similar approach to other ISO standards, but focuses on compliance management. The standard covers several key areas, including:
- Leadership and commitment: Top management should demonstrate a clear commitment to compliance management and allocate the necessary resources to establish and maintain an effective CMS.
- Context of the organization: Organizations should identify and analyze their internal and external context to understand the compliance risks they face and how they can manage them.
- Compliance management system: Organizations should establish, implement, maintain, and continually improve a CMS that is appropriate to their size, complexity, and nature of activities.
- Compliance management program: Organizations should define their compliance objectives and develop a compliance management program that includes policies, procedures, controls, and training.
- Monitoring and review: Organizations should monitor and review their compliance management system to ensure that it remains effective and is adapted to changing circumstances.
- Continual improvement: Organizations should continually improve their compliance management system and program by using the results of their monitoring and review activities to identify areas for improvement.
Under this standard, it is critical that organizations implement and maintain a compliance register that centralizes all obligations and distributes responsibilities throughout the organization. It is then critical to embed the responsibilities for compliance into policies and job descriptions. There should be performance reviews and incentives to ensure people are motivated to stay on top of their compliance obligations. Failure to meet compliance obligations, or violations of them, must have consequences for staff and contractors. Likewise, an organization must assess the competence of potential hires or candidates for promotion to meet their compliance obligations. An organization must have a strong whistleblowing system in place, with hotlines and assured anonymity, and there must be anti-retaliation controls in place. The people and cultural elements of your compliance program are ultimately the most critical piece. No software or system can replace what people do when confronted with compliance challenges.
Ultimately, an organization must link objectives, obligations, risks, and policies together to create a robust matrix. The challenge with some of these matrices is the ongoing maintenance; it is therefore critical to build the matrix progressively and to start with something lightweight. The key is to have protocols and systems in place for high-risk events and to be materially ready for challenges.
The scope of your compliance program must include your business activities as well as the products and services you sell. You should be performing ongoing risk assessments and issuing corrective actions based on the changing landscape of regulatory requirements and on your own business changes. If you are going through mergers or acquisitions, due diligence should be expanded to capture compliance obligations in a robust manner. Management must take an active role and communicate the importance and the risks to all relevant parts of the organization. Ongoing assessment of the effectiveness of the overall program, relying on hard data as much as possible, is now an essential part of ISO 37301.
There is no better time than now for organizations to study and implement ISO 37301 to improve their compliance programs and stay ahead of the curve. Overall, ISO 37301 provides a comprehensive framework for organizations to manage their compliance risks and improve their overall compliance performance. By implementing the standard’s requirements, organizations can demonstrate their commitment to compliance and gain the trust and confidence of their stakeholders.
See a good overview of the upcoming changes in slide format here.
If you need help implementing a comprehensive compliance program for your organization and your stakeholders, please contact us at email@example.com or at +1-888-608-7511.