What is ISO 37301?

ISO 37301 is a Type A management system standard that outlines the requirements and provides guidance for the establishment, development, implementation, evaluation, maintenance, and continuous improvement of a Compliance Management System (CMS). A CMS offers organizations a structured approach to meet all compliance obligations, including mandatory requirements like laws, regulations, court rulings, permits, licenses, as well as voluntary commitments like internal policies, procedures, codes of conduct, standards, and agreements with communities or non-governmental organizations (NGOs).

ISO 37301 is applicable to organizations of all types, sizes, and complexities of activities. The CMS is grounded in principles of integrity, good governance, proportionality, transparency, accountability, and sustainability.

Like many management system standards, ISO 37301 follows the High-Level Structure (HLS) established by ISO, which defines common terminology, definitions, and a clause sequence from 1 to 10. The requirements for the CMS are set out in clauses 4 to 10. This alignment with the HLS allows organizations to integrate the CMS with other management systems or to establish it as a standalone management system.

Hasn’t ISO already published a standard on compliance management systems?

Yes, ISO 19600 Compliance management systems — Guidelines was published in 2014. The key distinction between these two standards is that ISO 37301 allows organizations to obtain certification through a conformity assessment performed by an independent third party. ISO 37301 builds upon and expands the foundation laid by its predecessor, ISO 19600. Therefore, organizations that have established a CMS based on ISO 19600 have a head start in complying with ISO 37301’s requirements.

Why is ISO 37301 important for organizations?

For organizations aspiring to grow and achieve long-term success, consistent compliance with obligations is not just an option but a necessity. A CMS aligned with ISO 37301 equips organizations with a toolbox of policies, processes, and controls to instill a culture of compliance.

Organizations with an ISO 37301-based CMS commit to principles of corporate governance, ethical conduct, and good practices. While a CMS cannot completely eliminate the risk of noncompliance, ISO 37301’s requirements and guidance enhance an organization’s ability to identify and respond to noncompliance. In some jurisdictions, having a CMS in place serves as an indicator of an organization’s due diligence and dedication to compliance, potentially reducing legal liability and penalties for violations of relevant laws.

ISO 37301 incorporates requirements regarding competence, communication, and awareness. By adhering to these requirements, organizations ensure that the vision set by top management is translated into the actions and behaviors of managers and employees. The standard also mandates and encourages the establishment of concise, effective policies, procedures, and controls that set organizations on a path toward a compliance culture and uphold high standards of ethics and integrity.

ISO 37301 maps the journey toward compliance, starting with establishing the tone at the top of the organization. The commitment to fostering a culture of compliance is articulated through the organization’s governing body and top management, manifesting as a compliance policy and the setting of compliance objectives at various levels. Additionally, the governing body and top management are responsible for providing resources, establishing a compliance function, defining roles and responsibilities, and actively demonstrating their commitment to the CMS through actions and decisions.

Benefits of Implementing ISO 37301 in an Organization

By implementing a CMS based on ISO 37301, organizations can:

  • Undergo a formal third-party conformity assessment for their CMS.
  • Cultivate a positive culture of compliance.
  • Promptly and effectively address compliance concerns.
  • Safeguard their reputation and uphold their integrity by preventing and detecting unethical behavior.
  • Enhance business opportunities and sustainability.
  • Thoughtfully consider the requirements and expectations of internal and external stakeholders.
  • Build robust and valuable relationships with regulators.
  • Instill confidence in third parties regarding the organization’s ability to achieve sustained success.
  • Foster customer trust and loyalty.