Posted: 13 Apr. 2021 | 5 min. read

Notable developments in the new ISO standard for Compliance Management Systems

A new international standard for compliance management systems (CMS) was published on April 13th 2021.  Known as ISO 37301, the standard replaces ISO 19600.  There are several new developments.

If your organisation is already aligned with ISO 19600, then it is important to understand the developments in ISO 37301.  We have no doubt that these developments will be embraced by organisations who aim to have a strong and robust CMS.

Seven key developments with the introduction of ISO 37301:

  1. Certification – ISO 37301 is articulated in directive language, such as ‘shall’, meaning that it is certifiable and that independent experts, regulators or courts may use the standard when assessing an organisation’s CMS.
  2. Conduct – The standard emphasises the importance of a common standard of behaviour and conduct that is required throughout the organisation to create and support compliance. Top management is required to prevent and not tolerate behaviour that compromises compliance.
  3. Compliance Culture – There is a requirement to consider aspects of diversity, potential barriers and the views of interested parties when establishing an organisation’s communication needs and processes.
  4. Compliance Ecosystem – There is an emphasis on the inter-related elements of managing compliance risk, and there is recognition that compliance management is a cycle of continuous improvement.
  5. Organisational Context – The importance of organisational structure and the broader social and economic impact is recognised as fundamental when building a CMS.
  6. Compliance Governance and Leadership – The standard emphasises the role and importance of levels of management below top management in managing their compliance duties and creating appropriate internal rules, processes and structures to ensure compliance. There is also increased focus on transparency and clear communication of the roles of top management.
  7. Raising Concerns – Whistleblowing tools and processes are encouraged as part of effective compliance management. Organisations must ‘establish, implement and maintain’ a process to enable and encourage whistleblowing. The standard stipulates that such a process should be accessible, protect reporters from retaliation and treat reports with confidentiality.

What does this mean for you?

Organisations already aligned with ISO 19600 understand how a robust CMS helps to build sustainable businesses. At Deloitte, we believe that ISO 37301 takes the management of compliance risk to the next level, with practical, relevant and detailed guidance. The developments have been agreed to by subject-matter experts from around the world, who know exactly what industries need.  Deloitte’s compliance experts are on hand to help guide your organisation through the amendments, supporting your business to continue to have a strong and robust CMS.

How can Deloitte help? 

Deloitte has over 30 years’ experience supporting organisations to assess their compliance management systems against prior standards, advising on required changes and assisting with implementation. We are also active committee members working with the Governance Risk and Compliance Institute (GRCI), which represents the International Federation of Compliance Associations (IFCA) in contributing to the draft development of ISO 37301.

Keep watching this space as we will be providing regular updates on the development of ISO 37301. If you require further information or other support with improving your compliance management system or preparing for ISO 37301, please contact us.   

Meet our authors

Angela Jaric


Partner, Risk Advisory

Angela is a Risk Advisory Partner at Deloitte who seeks to help the power and utilities sector embrace regulatory disruption through her deep and trusted relationships, her tenacity and fast adoption of tech-enabled solutions. Angela is a regulatory compliance and conduct risk professional with over 19 years of experience working in Australia and across the Asia Pacific region. She has a strong focus on helping clients navigate disruption in both regulatory and stakeholder expectations, and understand the impact of this change to business processes, controls, customers, third party relationships and operational performance. She has been working as a professional consultant for Tier 1 firms, with a solid foundation in governance, risk and compliance technical skills, team leadership and business development acumen.

Heather Loewenthal


Partner, Audit & Assurance

As part of the GRC team in Audit & Assurance, Heather’s focus is on Compliance operating models - design, implementation and embedding - including the development of RegTech solutions to achieve more with less. Over the last 20 plus years, Heather’s work at the C-suite level in financial services has included reviewing, designing, implementing and testing compliance operating models and advising boards and management on how to develop a positive compliance culture, as well as negotiating and interacting with regulators, politicians and industry bodies across Europe, the Americas, the Middle East, Africa and Australasia. If organisations plan to build resilience and increase profitability after meeting the requirements flowing from the Royal Commission, they must take a different approach. Bolting on people, processes and systems in the second line is not the answer; empowering the first line and utilising existing and new systems and technologies (including RegTech) will have impact and deliver sustainable outcomes. Without a cross-organisational approach and a positive compliance culture, change will be ineffective.