ISO 37301 Blog Post Series
- ISO 37301 Compliance Management Systems – Key Elements
- What are the main differences between ISO 19600 and ISO 37301?
- From managing obligations to managed obligations
- How to implement ISO 37301
- Buying down risk using standardized compliance management systems
- ISO 37301 Free Checklist
ISO 37301 replaces and improves on ISO 19600, what are the key differences?
ISO 19600 and ISO 37301 are both standards that provide guidance on compliance management systems. However, there are several key differences between the two standards.
Requirements, not guidelines: now certifiable
ISO 19600 provides guidance on the establishment, implementation, and maintenance of a compliance management system, while ISO 37301 provides requirements for such a system. ISO 37301 is much more prescriptive than ISO 19600 and outlines specific elements that should be included in a compliance management system. This enables the inclusion of impartial third parties to certify that both boards and companies have carried out their due diligence and fulfilled their duty of care, implemented necessary controls and measures to reduce potential risks, and established a system of supervision and monitoring that enables the identification of potential irregularities and facilitates appropriate investigations.
This means that ISO 37301 is now a certifiable standard, your organization can seek certification through a recognized company.
Take a risk based approach
ISO 37301 places a greater emphasis on risk assessment than ISO 19600. ISO 37301 requires organizations to identify, assess, and prioritize compliance risks, while ISO 19600 only recommends that organizations consider compliance risks in their compliance management system.
Since the publication of ISO 9001 Quality management systems — Requirements, an integrated management framework has been formed, where the specific aspects of something are also standardized in the global system, the same one that standardizes the characteristics of ampoules, voltage, the acronyms of countries or the limits of tolerance to nuclear radiation.
In this case the standard is based on ISO 31000 Risk management — Guidelines for risk identification and ISO 31010 Risk management — Risk assessment techniques for evaluation.
Internal and external context: ISO 37301 requires organizations to consider both their internal and external context when developing their compliance management system. This includes factors such as the organization’s culture, values, and stakeholders. ISO 19600 only requires organizations to consider the external context.
The newly established standard acknowledges that companies are social actors that operate within a broader system and are influenced by various societal factors. As a result, it requires a more thorough examination of the socio-political environment and considers factors such as competition, socio-economic conditions, and territorial variables.
Finally, the most important aspect. The culture of compliance is at the heart of this new standard. The promotion of an ethical culture based on values, where everyone knows their responsibilities and roles, and involves the entire organization is a critical step to ensuring a resilient organization that will minimize compliance disruption. We wrote about the importance of culture in the Carnival Cruise line case study. This is more true than ever, you must get culture aligned with your objectives or you will face constant internal organizational battles.
Whistle blowing and reporting channels are critical to detecting compliance issues. The new standard outlines specific requirements to ensure the effectiveness of these tools and active promotion of a culture where the responsibility for compliance is on every member of the organization.
ISO 37301 requires organizations to establish and maintain a compliance performance evaluation process, which includes monitoring and measuring compliance performance, analyzing the results, and taking corrective actions as necessary. ISO 19600 only recommends that organizations evaluate the effectiveness of their compliance management system.
Supplier and Third-party management
ISO 37301 includes specific requirements for managing compliance risks associated with third-party relationships, while ISO 19600 only recommends that organizations consider third-party risks in their compliance management system. With regulators casting a wider and wider net, getting compliance visibility in your supply chain and partners will become more critical than ever. This standard helps kick-start that process with a set of requirements that will set you on the right track.
Overall, ISO 37301 is more comprehensive and prescriptive than ISO 19600, and places a greater emphasis on risk assessment and performance evaluation. Organizations that have implemented ISO 19600 may find it easier to transition to ISO 37301, as many of the key concepts are similar. However, organizations will need to carefully review the specific requirements of ISO 37301 to ensure that their compliance management system meets the standard’s requirements.