What will the recently adopted ISO 37301 bring?
Jean-Pierre Méan has spent his professional career entirely dedicated to the fight against corruption – with roles as a Chief Legal Officer in SGS, Landis&Gyr, and Alcan Aluminium and Chief Compliance Officer with EBRD and the SGS Group.
He has been President of the Swiss chapter of Transparency International. He also contributed to the development of international best practice as a member of the Anti-Corruption Commission of the International Chamber of Commerce, chairing the Task Force in charge of issuing the 2011 Edition of the ICC Rules on Combating Corruption. Jean-Pierre is also the representative of Switzerland in ISO committees. As such, he played an active role and participated in the writing of the ISO standard and chaired the working group on the competencies required of ISO 37001 auditors (ISO 17021-9). He is leading the Working Group on Anti-Bribery and has edited the ISO Handbook on ISO 37001, which is in the course of publication. Follow Jean-Pierre’s news on the anti-corruption expert blog.
What is new in ISO 37301?
ISO Standard, 37301 – Compliance Management Systems, published in April 2021, is not entirely new: it was preceded by, and was a development of, ISO 19600 published under the same title. The significant difference between both standards is that ISO 19600 consisted of guidelines while ISO 37301 lists requirements for compliance management. Accordingly, ISO 19600 cannot be the object of an (accredited) certification while ISO 37301 can. The reference to accreditation is important in this respect because guidelines standards may be audited and certified privately but if they are, they will not enjoy the increased credibility of a certification delivered according to the procedure set forth by ISO and by the International Accreditation Forum (IAF) that aims at securing the impartiality and confidentiality of the audit as well as the competencies of the auditors. This is an important qualitative distinction between an accredited and a non-accredited certification.
What is the scope of the new standard?
ISO 37301 covers the implementation of a compliance management system and not, as is sometimes misunderstood, compliance with an organization’s statutory and regulatory obligations, although it is expected that the standard will assist organizations in improving the overall management of all their compliance obligations. This requires that organizations start by systematically identifying these obligations as well as their compliance risks, i.e. the likelihood of occurrence and the consequences of non-compliance.
What is the relationship of ISO 37301 with other existing or future standards?
The publication of ISO 37301 took place under the direct responsibility of the ISO Technical Committee on Governance of organizations (ISO/TC 309), the scope of which covers standardization in the field of governance relating to aspects of direction, control and accountability of organizations. Another standard has already been published under the responsibility of ISO/TC 309, ISO 37001 Anti-bribery management systems, and three further standards are in various stages of development: ISO 37000 Guidance for the governance of organizations, ISO 37002 Whistleblowing management systems and ISO 37007 Corporate Governance.
ISO 37301 follows the same (so-called high-level) structure as other ISO standards. This makes its integration with those other standards easier. ISO 37301 can thus be integrated into a quality management system according to ISO 9001. It can also be implemented alongside an anti-bribery management system according to ISO 37001. However, while there are convergences between both standards (e.g. on training, communication, raising concerns, controls, performance evaluation, etc.), these do not always have the same content. ISO 37001 further includes several operational requirements that are essential for an anti-bribery management system but not necessary for a compliance management system. This is e.g. the case of due diligence on business associates or employees, or of procedures on gifts and hospitality, which are important parts of an anti-bribery policy but are not systematically required for a compliance management system. On the other hand, the establishment of a compliance culture demonstrated at all levels of management “by an active, visible and sustained commitment towards a common standard of behavior and conduct that is required throughout the organization” is stated explicitly in ISO 37301 but is missing in ISO 37001, although there is a consensus that the organization’s culture is also a key element of an anti-bribery management system.
What about auditing and certifying ISO 37301?
ISO 37301 can be audited and certified on its own. However, the divergences that exist with other standards mean that an audit and certification under ISO 37301 cannot be considered as including any other standard. In the specific case of ISO 37001, the divergences with ISO 37301 reflect what each standard can achieve: while ISO 37301 addresses compliance in general terms, only ISO 37001 can serve to demonstrate the implementation of anti-bribery measures. The same relationship shall exist between ISO 37301 and ISO 37002 on Whistleblowing; while procedures for raising concerns are required to be implemented under both ISO 37301 and (in some more detail) by ISO 37001, setting up such procedures is likely to be at least inspired by the guidelines (not requirements) of ISO 37002.
This notwithstanding, it will probably make sense to have both standards (ISO 37001 and ISO 37301) audited jointly because they overlap to some extent and also because they call for similar auditors’ competencies. They will together bring high assurance to stakeholders.