Compliance management with ISO 37301 - new international testing standard

CONTENT

• Compliance management from 2021: Insights and prospects
• Compliance management with ISO 37301 - relevancez and acceptance?
• Obligation of organizations to comply
• ISO 37301 - Implementing a compliance management system
• ISO 37301: Role in risk management
• Is the new standard certifiable?
• Acquire knowledge of ISO 37301 now
• Management systems sharpen the senses

Compliance management from 2021: insights...

Compliance management with ISO 37301:2021 - the official title of the new test standard is: "Compliance management systems - Requirements with guidance for application". However, it will still be some time before it becomes practically applicable. For all interested parties, however, the standard is a solid basis to prepare for future certifications.

... and prospects

The final ISO standard, which can be accredited and certified, was adopted in April 2021, replacing the previous guide to compliance management systems (CMS) ISO 19600 from 2014.

In the course of this publication, 

• in June 2020, the DIS on ISO 37000:2020 entitled "Guidance for governance of organizations", as well as
• in July 2020, the draft of DIN ISO 37002:2020, entitled "Guidance on information management systems."

These two standards, unlike ISO 37301 are not currently designed as a certification standard.

Incidentally, other sectoral, regional and industry-specific auditing standards are still available, including the ISO family of standards in the risk segments of occupational health and safety (ISO 45001), environmental management (ISO 14001) and quality management (ISO 9001), among others, which already contain compliance requirements in their respective contexts in the standard items "Binding commitments" and "Assessment of compliance".

Compliance management with ISO 37301 - relevance and acceptance?

As has already been observed in the past in the run-up to and after the publication of other management standards from the ISO world - e.g. ISO 9001 (quality management), ISO 14001 (environmental management) or ISO 45001 (occupational health and safety) - questions regarding, among other things, the relevance and acceptance of the future standard must also be clarified here.

The relevance of the new standard derives first of all from the fact that the International Organization for Standardization (ISO) deemed it necessary to develop and adopt such a standard. However, it is and remains a voluntary standard, so its relevance is closely linked to its future acceptance, and its acceptance in turn to its relevance.

The normative introduction and maintenance of a culture of integrity and compliance as an independent but at the same time integral component of a uniform management system is intended to ensure a long-term sustainable, socially responsible and successful organization.

It is particularly noteworthy that the standard already explicitly addresses in its introduction the possibility (opportunity) of each organization to "prove" compliance with its binding obligations through an effective and organization-wide Compliance Management System (CMS).

Commitment of organization to compliance

In addition, the new standard explicitly mentions in its introduction on page 7:

Already from this, but ultimately also from the standard's definitions of compliance (chap. 3.27) and compliance obligation (chap. 3.26), it is clear that the clear focus of this standard is on all legal compliance aspects of an organization, even if these have previously been part of risk identification and assessment in other segments of a unified and integrated management system. This is also the case with ISO 37301 on page 7:

The requirements for experts standardized here form the starting point and provide essential guidance for the creation of framework conditions with regard to the competence, technical knowledge and expertise of external and internal auditors (auditors). The same applies to the requirements for both the processes underlying the certification and the certification process itself. These are a reliable source of knowledge for the entire certification process and certificate issuance process for ISO 37301.

The acceptance of the new standard both by the immediate group of addressees to whom it is addressed and by all other interested parties who participate directly or indirectly in the fulfillment of its requirements will, as has already been observed with other ISO standards, be influenced by the following aspects, among others:

• the relevance of the standard in practice
• the competence, expertise and technical knowledge of the companies wishing to implement the standard in their company
• the competence, expertise and technical knowledge of external service providers who may support these organizations in this process
• the competence, expertise and technical knowledge of the testing organizations
• the competence, expertise and technical knowledge of internal and, above all, external auditors.

ISO 37301 - Implementing a compliance management system

The organizations and companies that want to implement this standard and participate in its benefits can study the standard in order to acquire the necessary competences, expertise and technical knowledge.

Insofar as the internal competence, expertise and technical knowledge available in the respective company are not sufficient in individual cases, external expertise can and should be called upon. There is extensive case law on the information procurement obligations that may exist and may have to be fulfilled, starting with the asphalt deepening ruling of the Reichsgericht in 1916 (RGZ 89 (1917) p. 136) and extending to various rulings by the Federal Court of Justice (BGH) in 2007 (14.05.2007 - II ZR 48/06, BB 2007/1801 and 16.07.2007 - II ZR 226/06, DStR 2007, 1641), among others.

In the context of the relevance of the standard, not least as an element of the avoidance and minimization of compliance risks, as well as the fact that currently with ISO 19600 from 2014 there is only a general guide to compliance management as well as the standard ISO 37301, this selection and decision should be made with great care.

ISO 37301: Role in risk management

It would be advantageous for this - as is generally customary and necessary in legally compliant subcontractor management for security in the supply chain to avoid accusations of organizational culpability in the form of selection or monitoring culpability - to include, among other things, the formulation of concrete requirements for the evidence to be provided of explicit compliance management expertise.

For this purpose, the future ISO 17021-13 could also be used as a suitable source of knowledge and reference document. In this respect, the Federal Court of Justice (BGH), inter alia, in its ISION decision of 20.09.2011 - II ZR 234/09, BB 2011, 2960 as well as the Higher Regional Court (OLG) Stuttgart of 25.11.2009 - 20 U 5/09, ZIP 2009, 2386ff have established corresponding guidelines here.

Compliance management with ISO 37301 - is the standard certifiable?

As with other certifiable ISO standards, this standard requires accreditation of the certification body by the Deutsche Akkreditierungsstelle GmbH (DAkkS). The certification body carries out the testing and evaluation of compliance with the requirements of the standard and, if the result is positive, will issue a certificate, i.e. a document in the sense of evidence.

With the ISO Standard 37301, which has been available in principle for certification since April 2021, the DAkkS can now, in accordance with its mandate, examine and evaluate whether

• whether the standard can be accredited at all, i.e. whether there is any demand at all for such testing, assessment and certification procedures, and
• then, if applicable, accept, process and decide on applications from organizations seeking accreditation for this standard.

The corresponding internal processes have not yet been completed at DAkkS, so that there is currently no certification body accredited for the standard by DAkkS.

Acquire knowledge of ISO 37301 now

Meeting certain requirements for the competence, expertise and technical knowledge of future internal and external auditors is also an essential criterion for the acceptance and relevance of the ISO standard. For them, it will initially be indispensable to acquire in-depth knowledge of DIN ISO 37301 and to be able to prove this with suitable evidence.

In addition, the series of standards for ISO 17021 (parts 1 to 12), which respectively contain the requirements for certification bodies and external auditors for quality management, environmental management and occupational health and safety management, among others, will be extended by a further part, the future ISO 17021-13. This will then contain corresponding requirements for the competence, expertise and technical knowledge of external auditors who want to audit and assess a compliance management system (CMS) in accordance with ISO 37301. The corresponding ISO committee began its work in March 2021 and is expected to have completed its work on the ISO 17021-13 standard by the end of 2021, so that it can then be adopted and published in 2022 at the latest.

Since the current DIN EN ISO 19011:2018 (Guide to the auditing of management systems) does not contain any specific requirements for internal auditors with regard to the relevant requirements, the future ISO 17021-13 would be usable as a source of knowledge and reference document for this group of persons.

The ISO standard 37301 - Conclusion

Due to its content and relevance, the new management system standard for compliance management ISO 37301 has a separate and cross-segment position in the previous ISO standards world, as it covers all compliance risks of a company beyond the related content and requirements of the previous management segments and at the same time brings certain relief elements.

As a result, all parties involved and other interested parties in the future processes of introduction, continuation, testing, evaluation and certification must meet high expectations and requirements for diligence in their respective preparation and realization.

Management systems sharpen the senses

For a long time, management systems have proven to be fundamental management tools: they provide the framework for consciously designing, controlling and monitoring processes. They create transparency and provide certainty of action. Especially in times of change, effective management systems are suitable for sharpening the view of the whole and supporting change processes. They stabilize work processes and systematically improve the quality of a company's own performance. However, management systems only become a key success factor when they are certified by the DQS. Our claim begins where checklists end. Take us at our word!