Original Article: https://safetyculture.com/topics/iso-37301/

What is ISO 37301:2021?

ISO 37301:2021 provides requirements for developing, implementing, evaluating, maintaining, and improving an organization’s effective Compliance Management Systems (CMS). Organizations of all sizes and types face an increasing number and variety of compliance risks. Many organizations have established Compliance Management Systems (CMSs) to manage these risks.

Benefits of Implementing ISO 37301

By using a CMS based on ISO 37301:2021, organizations will be able to:

  • Get a third-party company to check that their CMS meets international standards.
  • Help create a positive culture of compliance within your organization.
  • Address compliance concerns quickly and effectively.
  • Maintain a positive reputation and ethical integrity by preventing and detecting unethical conduct.
  • Grow your business and become more sustainable.
  • Weigh the needs and wants of those inside and outside your organization who have a stake in this decision.
  • Develop beneficial relationships with those who enforce the rules.
  • Improve confidence in the organization’s ability to succeed long-term.
  • Create customer trust and loyalty.

Improve your GRC management

Simplify risk management and compliance with our centralized platform, designed to integrate and automate processes for optimal governance.Explore now

What are the Key Differences Between ISO 37301 and ISO 19600?

ISO 19600, initially published in 2014, was replaced by the new ISO 37301 standard in April 2021. Although ISO 19600 was very comprehensive, it only gave recommendations instead of requirements. The ISO Standards classification system made it a Type B Management System Standard (MSS). In contrast, ISO 37301 is a Type A MSS and can be certified by any accredited auditor.

Organizations of all sizes, industries, and risk exposures can benefit from it. It includes:

  • Private businesses, including those with multiple divisions and subsidiaries
  • Public organizations, such as administrations and political parties
  • Non-profit organizations, including charities

It’s worth mentioning that ISO 37301 is easily adaptable to each organization’s requirements. It also acknowledges that every company is responsible for deciding what they need from a compliance management system and how to implement the recommended practices.

7 Key Elements of ISO 37301 Compliance Management System

7 Key Elements of ISO 37301 Compliance Management System

The standard is based on excellent, globally recognized principles, including good governance, proportionality, transparency, and sustainability. Specifically, it falls into the following categories:

  1. Context of the Organization – Understanding the organization, stakeholders’ expectations, the strategy and system in place, and how risks are assessed is essential for success.
  2. Leadership – It includes the governing body, anti-bribery policy, compliance function, roles, and responsibilities.
  3. Planning – Address risks, opportunities, and anti-bribery or anti-corruption objectives through compliance activities and planning.
  4. Support – Include resources, training, communication, and documentation that enable staff to know their responsibilities and have the required skills.
  5. Operation – Commitments, gifts, hospitality, donations, and investigations are all due diligence measures that help prevent bribery and corruption.
  6. Performance Evaluation – To ensure the company is running smoothly, regularly check things like progress, performance, and compliance through measures like internal audit and management review.
  7. Improvement – It includes some nonconformity and corrective actions, and program improvement.

Steps to Create a Compliance Management System

The standard outlines critical requirements for setting up a compliance management system, including the following:

Identifying Interested Parties

It should begin by identifying the interested parties that will be involved in the process. It may include government agencies, regulatory bodies, external business associates, and employees.

Following the identification of stakeholders, it is essential to define their roles within the system and develop strategies for engaging with them regularly. It may also be helpful to track their interactions with the compliance management system over time, such as how often they access relevant resources or provide feedback on existing processes.

Determining the Context of the Organization

Analyze the organization’s current context and identify existing compliance obligations or risks. It may involve auditing existing systems and processes, evaluating the organization’s culture and values, and consulting with internal stakeholders or external regulatory bodies.

Identifying these factors is an essential first step toward developing a comprehensive plan for implementing effective compliance processes that meet the organization’s unique requirements.

Ensuring Top Management

A robust CMS requires establishing clear policies and processes that reflect the values and mission of the organization. A strong governance structure should be in place to enforce these standards and monitor compliance across all areas of the organization.

Introducing Monitoring Mechanisms

It includes collecting and analyzing data related to all business areas, including compliance-related activities, policies, procedures, and controls. Developing metrics that reflect the performance of different parts of the organization is an effective way to do this.

Once these metrics have been established, assessing the compliance management program based on these measurements is essential. It involves analyzing how the implemented controls are performing to meet internal and external regulatory requirements and benchmarking against similar organizations or industry best practices.