
ISO 37301 – What organizations need to know about CMS standards

Everything you need to know about the new international standard for compliance management: ISO 37301.

In a major development in compliance, the International Organization for Standardization (ISO), an independent non-governmental agency, developed and implemented a new global standard for compliance management systems (CMS), ISO 37301.

As corporate compliance remains one of the highest risk issues facing management, a robust compliance program is key to maintaining integrity and trust within an organization and among stakeholders. This internationally recognized standard provides a comprehensive set of requirements and guidelines for creating such a system.


The ISO 37301 framework, published in April 2021, provides a certifiable global benchmark for compliance management systems. How will it benefit an organization's compliance program? What does a business need to do to meet the new standard for compliance management?

A History of Compliance Management Best Practices

Until this year, ISO 19600 was the recognized international standard for best practices in compliance management. First launched in 2014 and available in more than 160 countries, it provided detailed guidelines for effective compliance programs. With the release of ISO 37301 in April this year, ISO 19600 was withdrawn and is now obsolete.

What are the main differences between ISO 37301 and ISO 19600?

Despite the comprehensive nature of ISO 19600, this previous standard only outlines recommendations, not requirements. In ISO terminology, it is a Type B Management System Standard (MSS). In contrast, ISO 37301 is a Type A MSS: a standard with auditable requirements, against which any accredited certification body can certify an organization.

The standard applies to all types of organizations, regardless of size, industry, risk exposure or global footprint. This includes the following:

  • Private organizations, including independent business units and subsidiaries.

  • Public organizations, including the executive branch and political parties.

  • Non-profit organizations, including NGOs and charities.

Notably, ISO 37301's requirements are flexible and acknowledge that it is the responsibility of each organization to determine its own compliance management system needs and how to ultimately implement recommended practices.

Since many of the core elements of ISO 19600 have been maintained and incorporated into the new standard, any organization that has followed or implemented the ISO 19600 guidelines will make significant progress in complying with ISO 37301.

What do you need to know about ISO 37301?

Most importantly, ISO 37301 describes in detail how to configure a compliance management system to meet international legal norms and regulations. The standard also stipulates adherence to social and ethical values.

Similar to other ISO management system standards, such as ISO 37001 for anti-bribery management systems, ISO 37301 draws on the established ISO Plan-Do-Check-Act (PDCA) principle, which requires certified companies to operate in a continuous-improvement cycle. ISO 37301 encourages companies to focus on systematically implementing an organization-wide compliance system.

Key passages in the documentation provide insightful summaries:

"A compliance management system should be based on the principles of good governance, proportionality, integrity, transparency, accountability and sustainability."

The first step in creating a compliance management system

Embedded in the standard are some key requirements for establishing an effective and efficient compliance management system, including:

  • Identify relevant parties that need to be considered in the compliance management system, from government agencies and regulators to business partners and employees.

  • Determine the organization's environment and develop processes to identify compliance obligations and compliance risks to ensure ongoing compliance.

  • Ensure that top management and governance bodies uphold the organization's values and support all policies, processes and procedures critical to achieving compliance objectives.

  • Introduce monitoring mechanisms to establish metrics across the business and evaluate compliance management programs and measure findings against implemented controls.

  • Regularly and consistently monitor and investigate cases of non-compliance.

Additionally, organizations must conduct due diligence, including reference or background checks, before hiring people or promoting existing ones.

New to ISO 37301: Whistleblowing Policy

A key objective of ISO 37301 is to support organizations in creating a positive compliance culture. As such, a significant part of the new requirements focuses on best practices for developing company-wide whistleblower policies. Unlike ISO 19600, the new standard for compliance management systems also strengthens whistleblower protections and procedures.

The key principles of the whistleblower process outlined in ISO 37301 can be summarized as follows:

  • Promptly and thoroughly investigate any allegations or suspicions of wrongdoing by the organization, its personnel or related third parties.

  • A whistleblower system visible and accessible to all employees and interested parties.

  • Confidential and anonymous reporting procedures and systems that allow whistleblowers to remain anonymous if they so desire.

  • Conduct an impartial and independent investigation of any allegations.

  • Written and complete records of any responses to reported allegations, including disciplinary action or remedies.

  • Clear and insightful details of any lessons learned from reporting the incident, as well as documentation of any changes to the compliance management system that resulted from the incident.

Learn more about the upcoming ISO 37002 standard for whistleblowing systems.

Why do we need a unified CMS standard?

Keeping pace with all compliance requirements is an ongoing process that requires ongoing monitoring in a structured and targeted manner. An effective and efficient CMS supports an organization in identifying, monitoring and tracking relevant requirements to improve compliance across the organization.

It is important not to underestimate the value of a compliance management system. Being able to demonstrate that your company has implemented a set of recognized compliance processes is invaluable to all parties involved, from employees to suppliers, judges and governments. It helps ensure and demonstrate that your organization and employees operate in accordance with all applicable laws, regulations, industry codes, voluntary standards and codes of conduct. It ensures that you have taken all necessary measures to prevent or reduce the risk of corruption.

Because ISO 37301 sets a clear and comprehensive global benchmark for state-of-the-art compliance management systems, organizations that fail to comply with the standards may lose out to companies that implement them. And for good reason. Ultimately, a comprehensive and certified CMS demonstrates a strong commitment to good governance and ethical practices across the company.
