ISO 37301 Keys

ISO 37301 establishes guidelines for implementing compliance management systems in organizations. It allows for the standardization of compliance programs and certifies the compliance culture of companies. It represents an evolution of ISO 19600, providing a structure for compliance certification and greater emphasis on whistleblower channels and organizational context.

Keys of ISO 37301 Compliance Management Systems
Index

0. Introduction ... 3
1. The importance of Compliance in the business environment ... 4
2. From ISO 19600 to ISO 37301 ... 7
3. Relationship of ISO 37301 with other ISO standards ... 8
4. Structure and work cycle of the ISO 37301 standard ... 9
5. The 7 keys of ISO 37301 ... 13
6. How to implement a compliance management system ... 15
7. The importance of Risk Maps in Compliance ... 16


Introduction
Corporate Compliance is already part of every organization with a vocation for sustainable success over time. An organizational culture based on ethics and on the integrity of the entire corporation is key to surviving in a world that is so competitive and whose regulations are increasingly strict. From employees to customers, including shareholders or the company's insurers, everyone must be part of corporate compliance.

The new ISO 37301 has been developed to serve as a means of support for organizations that want to implement a Compliance Management System, as well as for those that want to improve it and adapt it to new needs. This standard, which replaces ISO 19600, allows a compliance system to be standardized at a global level, something that was not possible until now.

Thanks to this new standard, compliance programs in companies will be able to follow similar structures. This standardization will be a big step forward in the fight against corruption, fraud, money laundering or the financing of terrorism. ISO 37301 is one of the best measures for the prevention of, and fight against, these crimes.

Aware of the importance that this standard holds for professionals and directors in Europe and Latin America, and in keeping with its commitment to promoting specialized knowledge in Compliance, EALDE Business School places this guide on ISO 37301 at your disposal.

In this manual you will discover the main updates of this standard, as well as its structure and the steps that need to be taken for the correct implementation of a compliance management system. The contents presented in this document are discussed in depth in the EALDE Business School training programs specialized in Compliance, Fraud and Money Laundering. In addition, the online master's programs of our business school discuss real cases that experienced managers and auditors live in their day-to-day work.

I hope the contents of the whitepaper "Keys of ISO 37301 Compliance Management Systems" are of interest to you, and I encourage you to get to know our academic offer, which will allow you to acquire new management skills and take a leap in your professional career.

Enrique Farrás,
Director of EALDE Business School.

Whitepaper: Keys to ISO 37301 of Compliance Management Systems 3


1. The importance of Compliance in the business environment
Compliance integrates the set of procedures and good practices adopted by organizations in order to identify and mitigate or eliminate potential operational and legal risks. Normally, it is composed of internal mechanisms of prevention, management, control, monitoring and reaction.

Compliance is the way companies guarantee that all their members, from employees to shareholders and contractors, will comply with the regulations to which they are subject.

Non-compliance with rules or guidelines can have serious criminal, economic and reputational consequences for the company. Compliance has the function of preventing these events, through transparency, good practices and ethical conduct.

The Penal Codes of many countries, including Spain, establish that legal entities bear criminal responsibility for the crimes committed by themselves, as well as in their name. In addition, they must also respond in case of legal violations by their legal representatives.

Financial scandals are not something new. But in recent years, and especially since the beginning of the global crisis caused by the Covid-19 pandemic, they have come to occur in areas that many might have thought unthinkable. Corruption or fraud are words that have splashed onto major global corporations.



Implementing a Compliance Management System is one of the ways in which organizations, regardless of their nature or sector, can avoid or alleviate the impact of liability and the consequences of sanctions. Furthermore, Corporate Compliance sets expectations among all employees, which can lead everyone together to achieve the company's objectives.

Among the main benefits of establishing a compliance system in a company are:

• Avoiding criminal convictions for employees or shareholders of the company by preventing the commission of crimes.

• Avoiding judicial or administrative sanctions, such as monetary fines.

• Improving the reputation and competitiveness of the organization. Any shareholder or partner will prefer to embark on a project that has ethical and compliance guarantees.

• Ending internal fraud through the creation and implementation of policies and protocols focused on combating material deviations or fraud within the company.

• Contributing to equality and social justice, enhancing the individual effort and merits of all the people who make up the organization.



2. The evolution from ISO 19600 to ISO 37301
ISO 19600, more than a standard, is a guideline that serves as assistance to organizations that want to implement a Compliance Management System. It was published in December 2014 and reviewed later, in early 2018.

Seeing that the business market has evolved and that transparency and codes of ethics are the order of the day, ISO saw that it was necessary to renew itself. For that reason, in April 2021 the standard ISO 37301:2021 Compliance Management Systems was published. The major novelty of this new standard is that it will allow the compliance culture of companies to be certified.

Currently, a moment of transition is being experienced, moving from the guidelines of the ISO 19600 standard to the certification of Compliance thanks to ISO 37301.

The migration from one standard to the other should not be complicated for organizations that have strictly followed the guidelines of the old standard. For this reason, the Official Institute of Standardization anticipates that for companies the migration will be totally efficient.

Additionally, ISO 37301 places more importance on the reporting channel (whistleblowing), gives a greater focus to the context of the organization and has the culture of Compliance as the basis of the Compliance Management System (CMS). This new standard also has a transversal high-level structure, which can be applied totally or partially to the organization.



3. Relationship of ISO 37301 with other ISO standards
As it is a standard published by the International Organization for Standardization (ISO), the text of ISO 37301 coincides in certain sections with other ISO standards. Among them, we find the following:

• ISO 9001: the key standard for implementing Quality Management Systems in organizations.

• ISO 14001: this ISO standard is used to implement Environmental Management Systems.

• ISO 27001: the standard related to Information Security Management Systems.

• ISO 31000: a key standard because it lays the foundations for a corporate policy oriented towards Risk Management.

• ISO 19600: this standard contains guidance for implementing sound Compliance policies in organizations; ISO 37301 derives from ISO 19600.

• ISO 37001: the standard for Anti-Bribery Management Systems. It is closely related to ISO 37301 because it is a fundamental standard for Corporate Compliance. It establishes how to implement an ethical corporate culture with the purpose of avoiding bribery.

• COSO Report: helps to assess and manage the risks of insurance companies.

All these standards relate to the function of Management and Risk Control in Compliance as outlined by the ISO 37301 standard. Therefore, a professional dedicated to this area should know the content of each of them in depth.



4. Structure and work cycle of the ISO 37301 standard
The ISO 37301 standard has a high-level structure (HLS) with a total of 10 chapters that explain and detail how to implement a Compliance Management System. In addition, it is based on a work cycle aimed at simplifying the implementation of a compliance system in any type of company.

First of all, the standard includes an annex with a glossary of terms, definitions and clauses that constitute the core of the ISO standard.

Next, the structure of the 10 chapters appears in the following order:

1. Scope: the requirements and guidelines for designing, implementing, evaluating, maintaining and improving a CMS in any type of organization are specified.

2. Normative references: related to the document.

3. Terms and definitions: a glossary of terms that should be taken into account when implementing ISO 37301. Among them, we highlight 'management system', 'requirement', 'effectiveness' or 'top management'.

4. Context of the organization: this point establishes the necessary guidelines to determine the internal and external environment, in order to detect which risks may affect compliance. Among the issues detailed, it is worth highlighting the legal, social, cultural and environmental context, the economic situation, the business model or the culture of compliance that exists at the current moment. It will also be necessary to understand the needs and expectations of all stakeholders, and likewise to determine the scope of the Compliance Management System, as well as the compliance management system itself.

5. Leadership and commitment: this part of the structure details how senior management will act in the face of the implementation of the compliance management system and what the company's compliance culture will be, as well as defining its level of commitment through policies.



6. Planning: this point of ISO 37301 serves to plan a CMS appropriate to the organization, considering all the information gathered in the previous points. It is necessary to establish the measures needed to address the risks found, determine compliance objectives and carry out the planning to be able to reach them in a coherent manner.

7. Support: this point serves for the organization to determine the roles responsible for business compliance and establish the tasks of the person or people in charge. It is also necessary to detail all the information that will exist in this regard, and how it will be controlled and updated.

8. Operation: it serves to establish the necessary controls and procedures so that the company can ensure that compliance obligations are managed correctly and efficiently. Furthermore, it will be necessary to integrate investigation processes, in order to develop new measures and improve the actions already implemented.

9. Performance evaluation: in order to monitor, measure, analyze and evaluate the compliance management system. Through audits, analyses and review reports, it will be possible to measure whether the CMS has been developed and implemented correctly according to business needs.

10. Improvement: in moments of non-compliance or breach, it is important that the organization establishes the reactions and actions, as well as the process for adopting new corrective measures. This point aims to help companies create a continuous improvement system over time, suitable for the nature, size and sector of the company and its Compliance plan.



Work cycle of the ISO 37301 standard

Firstly, to follow the ISO 37301 work cycle, it is necessary to define some specific objectives to achieve with the implementation of a CMS. The integrity of the organization, building a more ethical culture, conformity, improving reputation, building values or improving ethics are some examples.

At this moment, it is equally important to define the principles that will be the foundation of the CMS: integrity, good governance, proportionality, transparency, accountability and sustainability.

Finally, before starting the life cycle, it is necessary to have a good knowledge of the organization and its context, in order to conduct a risk analysis. These risks can come from the legal and social environment, the organization's locations, its digital context, and its financial, structural and environmental context. Likewise, all stakeholders must be known, who can be employees, shareholders or competitors. Having collected all this information, it will be easier to establish the necessary controls in an objective and measurable way, as a means to strengthen the compliance system.

Once the principles and objectives are set, the standard can be implemented following its structure.



1) Planning

First of all, a plan of how the CMS will be implemented must be drawn up: the scope, the level of commitment of all participating parties, the levels, the company's Compliance policy, roles and responsibilities, risks and available budget must be determined.

The purpose of planning is that the proposed activities are correct and effective for the company.

2) Do

The second step of the ISO 37301 work cycle is the implementation of the Compliance Management System. For this, it is necessary to carry out the actions defined in the planning. At this moment it is important to have the support of senior management, to do awareness-raising work, to communicate with all parties interested in the compliance plan and to carry out all necessary procedures.

It is advisable to inform workers, as well as shareholders or third-party contractors, both through specific training and through documentation.

3) Verify

It is time to evaluate, to find out whether the CMS developed and implemented works correctly. To verify it, there are several tools or steps to follow: review of the CMS by top management, internal audits, investigation processes, and it is even possible to conduct an external audit to obtain completely objective information about the company's compliance plan.

4) Act
The last part of the ISO 37301 life cycle is action and review in order to achieve sustained improvement. When conducting the relevant evaluations and audits, it is possible to identify possible faults, errors and improvements that can be made.

At this point, the work cycle will restart through planning, adding improvements or making the necessary changes, to then implement and, finally, verify, as was done the first time. The life cycle is infinite: it must always be in operation in order to implement a fully effective Compliance Management System that is capable of avoiding compliance risks and also functions correctly at all times.

5. The 7 keys of ISO 37301

ISO 37301 is based on 7 keys or requirements that serve to implement, maintain, support and improve a CMS in an organization. These are:

1) Organization context

Defining the context, size and nature of the organization is the starting point for identifying possible risks. At this point, it is important to identify the internal context: partners and members, activities and operations, the nature of its operations and the units over which it exercises control.

On the other hand, the external context must take into account the legal commitments and obligations to which it is subject, the sector in which it operates, and the extent of its relationships with public officials.

2) Leadership




3) Planning

For a Compliance Management System to work properly and ensure compliance with ISO 37301, planning is key to minimizing the risks to which the organization is exposed. One of the ways to plan effectively is with the risk map, a tool that allows all the elements to be gathered in order to analyze compliance risks and establish an effective action plan.

4) Support

Both the CMS and the department responsible for its implementation must have the support of senior management, as well as of the other departments. For that, the necessary resources must be deployed to ensure that the system will function correctly and achieve the established objectives. Likewise, it is equally important that all employees, regardless of their level, are informed about and support the compliance plan developed by the company.

Each organization, according to its size, complexity or structure, must assign the financial or human resources that are necessary.

5) Operational control

Operational control refers to the actions that should be proposed, implemented and monitored to minimize compliance risks as much as possible. ISO 37301 recommends that the CMS also include the control and monitoring of all those activities that are delegated or outsourced to third parties.



6) Performance evaluation

Performance evaluation serves to establish control over the obligations acquired in the Compliance Management System and, in this way, to face the risks that may arise.

To carry out the evaluation, it is necessary to define some KPIs, together with monitoring and verification methods. In this way, general tracking and control can be carried out, all the relevant information collected and, finally, an analysis and report made on how the compliance system is operating.

7) Sustained improvement

A compliance management system must have sustained improvement over time to avoid possible vulnerabilities and strengthen itself. Thanks to the evaluation tasks, it will be possible to find potential actions, objectives or activities to improve. It is recommended that companies undergo audits, both internal and external, in order to achieve excellence in their CMS.

6. How to implement a Compliance Management System

To carry out the implementation of a Compliance Management System in a company, ISO 37301 establishes a work plan to follow.

First of all, it is necessary to define the objectives and principles pursued with the implementation or improvement of the CMS. These should be related to building a culture of compliance and ethical values, and to improving the reputation and integrity of the organization. The principles include good governance, transparency and the sustainability of the company.

The next step is to perform a comprehensive risk analysis within the organization. One of the best tools to carry it out is the risk map, since it assesses the probability and the impact of each of the risks. At this point, it is necessary to take into account both internal and external risks.



Once the risk analysis has been conducted, it will be necessary to verify and assess the controls that the company has in place to detect possible violations of laws and regulations.

For this, it will be necessary to establish the strength of the existing controls in an objective and measurable way.

The definition of the operational protocols of the CMS is the next step. It is a very important moment, as the company's policies on issues such as receiving gifts or how to respond to possible cases of bribery will be decided.

At the same time, it will be time to create an improvement plan, with the objective of executing the necessary measures to eliminate or minimize each risk as much as possible. Likewise, it is necessary to have the role of corporate compliance officer, so that he or she can be in charge of executing the improvement plan and carrying out the corresponding follow-up.

On the other hand, training plans must be in place so that the whole organization knows the concept of Compliance and how it will work in the company. This includes employees as well as senior management and partners.

The organization must also identify a compliance officer and will need to establish a whistleblowing channel, so that the reports and incidents that may be detected can be communicated to the members of the compliance area. This involves creating evaluation and detection mechanisms for deviations from the system, in order to design reaction actions with the aim of achieving the established objectives.

However, control cannot only be reactive, but must also be preventive. For this reason, internal inspections or audits of the CMS will be carried out periodically. Throughout the process, the involvement of the upper management of the company is very important; it must periodically review the functioning of the system in a formal manner and propose improvements to it.



The last step, and not the least important, is to establish a continuous improvement system for the Compliance Management System.

7. The importance of Risk Maps in Compliance

To assess and quantify Compliance risk, a fundamental tool is the risk map or heat map. With this tool, the various existing compliance risks are collected visually, together with their likelihood of occurrence and the impact that each of them would have on the organization.

The risk map is very useful for the Compliance function, but its preparation usually requires a complex process, based on collecting verified and meticulous information. Among the factors to consider when evaluating a risk map we can find:

• Risk inventory and description of the risks. As is obvious, to work in a Compliance risk management process, the first step is to identify what those risks are.

• "Responsible" party for each risk. This responsibility can belong to a whole department or to a single responsible person; it will depend on the activity of the company to which the risk is related.

• Probability of occurrence of a negative event or non-compliance. The heat map must indicate to what extent the negative event can occur. For this, sufficient information must be gathered (based on consultations with the different areas involved, sector organizations, external consultants, etc.) in order to be able to estimate and communicate this probability.

• Impact of non-compliance. Multiplying this risk impact by its probability of materializing gives the measurement of that risk (Risk = Probability x Impact). In this way, we can obtain an ordered list of risks.



• Risk appetite of the organization. It is the level of risk that the organization is willing to bear and, in general, it should be set by top management, since that is who decides which means are made available to mitigate one risk or another.

Representation of the risk map

The heat map is graphically represented based on the analysis of the previous factors. The graph must have, on the vertical axis, the probability of non-compliance of each risk. For its part, the horizontal axis should include the impact of non-compliance. Depending on the multiplication of both factors, the different boxes of the map will be drawn in one color or another, indicating whether the risk is low, moderate, high or very high.

From here, complete lists of risks can be created, in which those responsible for the risks will appear, and which reflect the situation of the organization very well in terms of Compliance risks. These lists will be very useful for putting action plans against risks into operation.



Example of a Compliance risk map:

The risk map is the perfect basis for establishing objectives and implementing action plans, which also need to be monitored by the Compliance area of the organization. This evolution must, as is logical, be widely communicated to senior management.
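The scoring and heat-map layout described in this section, as an added Python example; it is not part of the whitepaper or of EALDE's material. The 1 to 5 scales for probability and impact, the four colour bands (low, moderate, high, very high), the risk-appetite threshold and the sample risk register are assumptions chosen for illustration; only the formula Risk = Probability x Impact and the axis layout (probability vertical, impact horizontal) come from the text.

```python
from dataclasses import dataclass

# Assumed scoring scale and colour bands (the whitepaper does not fix them).
SCALE = range(1, 6)  # 1 = very unlikely / negligible ... 5 = almost certain / critical
BANDS = [(4, "low"), (9, "moderate"), (15, "high"), (25, "very high")]


@dataclass(frozen=True)
class ComplianceRisk:
    name: str
    owner: str        # the "responsible" party for the risk
    probability: int  # 1..5, probability of non-compliance
    impact: int       # 1..5, impact of non-compliance

    def __post_init__(self):
        if self.probability not in SCALE or self.impact not in SCALE:
            raise ValueError(f"probability and impact must be in {list(SCALE)}")

    @property
    def score(self) -> int:
        # Risk = Probability x Impact, as stated in the whitepaper
        return self.probability * self.impact


def band(score: int) -> str:
    """Map a score to the colour band it falls in (assumed thresholds)."""
    for upper, label in BANDS:
        if score <= upper:
            return label
    raise ValueError(f"score out of range: {score}")


def ranked_register(risks):
    """Ordered list of risks, highest score first (ties: higher impact first)."""
    return sorted(risks, key=lambda r: (r.score, r.impact), reverse=True)


def above_appetite(risks, appetite: int):
    """Risks whose score exceeds the appetite set by top management (assumed as a score)."""
    return [r for r in ranked_register(risks) if r.score > appetite]


def heat_map(risks):
    """5x5 grid keyed by (probability, impact); each cell lists the risks that fall in it."""
    grid = {(p, i): [] for p in SCALE for i in SCALE}
    for r in risks:
        grid[(r.probability, r.impact)].append(r.name)
    return grid


def render_heat_map(risks) -> str:
    """Text rendering: rows = probability (5 at top, 1 at bottom), columns = impact 1..5."""
    grid = heat_map(risks)
    lines = ["P\\I " + " ".join(f"{i:^14}" for i in SCALE)]
    for p in reversed(SCALE):
        cells = []
        for i in SCALE:
            names = ",".join(grid[(p, i)]) or "-"
            cells.append(f"{band(p * i)[:4]}:{names}"[:14].ljust(14))
        lines.append(f" {p}  " + " ".join(cells))
    return "\n".join(lines)


# Constructed sample register: illustrative names and scores, not from the whitepaper.
SAMPLE_RISKS = [
    ComplianceRisk("Gifts from suppliers above policy limit", "Procurement", 4, 3),
    ComplianceRisk("Bribery via intermediaries in public tenders", "Sales", 2, 5),
    ComplianceRisk("Late regulatory filing", "Finance", 3, 2),
    ComplianceRisk("Outsourced payroll mishandling personal data", "HR", 2, 4),
    ComplianceRisk("Expense-report fraud", "Finance", 1, 2),
]

if __name__ == "__main__":
    print(render_heat_map(SAMPLE_RISKS))
    for r in ranked_register(SAMPLE_RISKS):
        print(f"{r.score:>2} {band(r.score):<9} {r.owner:<12} {r.name}")
    print("Above appetite (8):", [r.name for r in above_appetite(SAMPLE_RISKS, 8)])
```

The ranked register is the "ordered list of risks" the text describes, with each risk's responsible party attached, and the appetite filter is where top management's threshold turns the map into an action list: only risks above it need an action plan. Outsourced activities (the payroll entry) are scored like any other risk, matching the recommendation that delegated activities stay within the system's control.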
