In April 2021, the international testing standard ISO 37301:2021, which has been awaited for a long time by the experts, was published in English. The new standard for compliance management systems has emerged from the systematic review of ISO 19600. The International Organization for Standardization (ISO) had commissioned a working group to consider options for a revision. Finally, in September 2018, it was agreed to revise ISO 19600 as a requirements standard as the new ISO 37301. DQS auditor Frank Machalz, a member of the DIN standards committees Organizational Processes and Governance and Compliance Management, provides an overview of the new set of rules from the ISO family of standards.
- Compliance management from 2021: Insights and prospects
- Compliance management with ISO 37301 - relevancez and acceptance?
- Obligation of organizations to comply
- ISO 37301 - Implementing a compliance management system
- ISO 37301: Role in risk management
- Is the new standard certifiable?
- Acquire knowledge of ISO 37301 now
- Management systems sharpen the senses
Compliance management from 2021: insights...
Compliance management with ISO 37301:2021 - the official title of the new test standard is: "Compliance management systems - Requirements with guidance for application". However, it will still be some time before it becomes practically applicable. For all interested parties, however, the standard is a solid basis to prepare for future certifications.
... and prospects
The final ISO standard, which can be accredited and certified, was adopted in April 2021, replacing the previous guide to compliance management systems (CMS) ISO 19600 from 2014.
In the course of this publication,
- in June 2020, the DIS on ISO 37000:2020 entitled "Guidance for governance of organizations", as well as
- in July 2020, the draft of DIN ISO 37002:2020, entitled "Guidance on information management systems."
These two standards, unlike ISO 37301 are not currently designed as a certification standard.
Incidentally, other sectoral, regional and industry-specific auditing standards are still available, including the ISO family of standards in the risk segments of occupational health and safety (ISO 45001), environmental management (ISO 14001) and quality management (ISO 9001), among others, which already contain compliance requirements in their respective contexts in the standard items "Binding commitments" and "Assessment of compliance".
Compliance management with ISO 37301 - relevance and acceptance?
As has already been observed in the past in the run-up to and after the publication of other management standards from the ISO world - e.g. ISO 9001 (quality management), ISO 14001 (environmental management) or ISO 45001 (occupational health and safety) - questions regarding, among other things, the relevance and acceptance of the future standard must also be clarified here.
The relevance of the new standard derives first of all from the fact that the International Organization for Standardization (ISO) deemed it necessary to develop and adopt such a standard. However, it is and remains a voluntary standard, so its relevance is closely linked to its future acceptance, and its acceptance in turn to its relevance.
The normative introduction and maintenance of a culture of integrity and compliance as an independent but at the same time integral component of a uniform management system is intended to ensure a long-term sustainable, socially responsible and successful organization.
It is particularly noteworthy that the standard already explicitly addresses in its introduction the possibility (opportunity) of each organization to "prove" compliance with its binding obligations through an effective and organization-wide Compliance Management System (CMS).
Commitment of organization to compliance
In addition, the new standard explicitly mentions in its introduction on page 7:
"Courts in various countries ... (have) considered an organization's obligation to comply through its compliance management system in the context of determining appropriate penalties for violations of applicable laws. For this reason, regulatory and judicial authorities may also benefit from this document as a reference."
Already from this, but ultimately also from the standard's definitions of compliance (chap. 3.27) and compliance obligation (chap. 3.26), it is clear that the clear focus of this standard is on all legal compliance aspects of an organization, even if these have previously been part of risk identification and assessment in other segments of a unified and integrated management system. This is also the case with ISO 37301 on page 7:
"This document is appropriate for elevating compliance-related requirements in other management systems and for assisting an organization in improving the overall management of its compliance obligations."
The requirements for experts standardized here form the starting point and provide essential guidance for the creation of framework conditions with regard to the competence, technical knowledge and expertise of external and internal auditors (auditors). The same applies to the requirements for both the processes underlying the certification and the certification process itself. These are a reliable source of knowledge for the entire certification process and certificate issuance process for ISO 37301.
The acceptance of the new standard both by the immediate group of addressees to whom it is addressed and by all other interested parties who participate directly or indirectly in the fulfillment of its requirements will, as has already been observed with other ISO standards, be influenced by the following aspects, among others:
- the relevance of the standard in practice
- the competence, expertise and technical knowledge of the companies wishing to implement the standard in their company
- the competence, expertise and technical knowledge of external service providers who may support these organizations in this process
- the competence, expertise and technical knowledge of the testing organizations
- the competence, expertise and technical knowledge of internal and, above all, external auditors.
ISO 37301 - Implementing a compliance management system
The organizations and companies that want to implement this standard and participate in its benefits can study the standard in order to acquire the necessary competences, expertise and technical knowledge.
The annex in particular contains valuable information and explanations on the individual aspects of the standard
Insofar as the internal competence, expertise and technical knowledge available in the respective company are not sufficient in individual cases, external expertise can and should be called upon. There is extensive case law on the information procurement obligations that may exist and may have to be fulfilled, starting with the asphalt deepening ruling of the Reichsgericht in 1916 (RGZ 89 (1917) p. 136) and extending to various rulings by the Federal Court of Justice (BGH) in 2007 (14.05.2007 - II ZR 48/06, BB 2007/1801 and 16.07.2007 - II ZR 226/06, DStR 2007, 1641), among others.
In the context of the relevance of the standard, not least as an element of the avoidance and minimization of compliance risks, as well as the fact that currently with ISO 19600 from 2014 there is only a general guide to compliance management as well as the standard ISO 37301, this selection and decision should be made with great care.
ISO 37301: Role in risk management
It would be advantageous for this - as is generally customary and necessary in legally compliant subcontractor management for security in the supply chain to avoid accusations of organizational culpability in the form of selection or monitoring culpability - to include, among other things, the formulation of concrete requirements for the evidence to be provided of explicit compliance management expertise.
For this purpose, the future ISO 17021-13 could also be used as a suitable source of knowledge and reference document. In this respect, the Federal Court of Justice (BGH), inter alia, in its ISION decision of 20.09.2011 - II ZR 234/09, BB 2011, 2960 as well as the Higher Regional Court (OLG) Stuttgart of 25.11.2009 - 20 U 5/09, ZIP 2009, 2386ff have established corresponding guidelines here.
Compliance management with ISO 37301 - is the standard certifiable?
As with other certifiable ISO standards, this standard requires accreditation of the certification body by the Deutsche Akkreditierungsstelle GmbH (DAkkS). The certification body carries out the testing and evaluation of compliance with the requirements of the standard and, if the result is positive, will issue a certificate, i.e. a document in the sense of evidence.
Who is the DAkkS?
DAkkS is the national accreditation body of the Federal Republic of Germany. According to Regulation (EC) No. 765/2008 and the Accreditation Body Act (AkkStelleG), it acts in the public interest as the sole service provider for accreditation in Germany.
The German Accreditation Body GmbH does not operate for profit. The shareholders of the GmbH are the Federal Republic of Germany, the Federal States of Bavaria, Hamburg and North Rhine-Westphalia as well as the economy represented by the Federation of German Industries (BDI).
In order to be able to perform its sovereign accreditation tasks, the DAkkS has been entrusted by the Federal Government. As an entrusted body, the DAkkS is subject to the supervision of the Federal Government.
With the ISO Standard 37301, which has been available in principle for certification since April 2021, the DAkkS can now, in accordance with its mandate, examine and evaluate whether
- whether the standard can be accredited at all, i.e. whether there is any demand at all for such testing, assessment and certification procedures, and
- then, if applicable, accept, process and decide on applications from organizations seeking accreditation for this standard.
The corresponding internal processes have not yet been completed at DAkkS, so that there is currently no certification body accredited for the standard by DAkkS.
Acquire knowledge of ISO 37301 now
Meeting certain requirements for the competence, expertise and technical knowledge of future internal and external auditors is also an essential criterion for the acceptance and relevance of the ISO standard. For them, it will initially be indispensable to acquire in-depth knowledge of DIN ISO 37301 and to be able to prove this with suitable evidence.
In addition, the series of standards for ISO 17021 (parts 1 to 12), which respectively contain the requirements for certification bodies and external auditors for quality management, environmental management and occupational health and safety management, among others, will be extended by a further part, the future ISO 17021-13. This will then contain corresponding requirements for the competence, expertise and technical knowledge of external auditors who want to audit and assess a compliance management system (CMS) in accordance with ISO 37301. The corresponding ISO committee began its work in March 2021 and is expected to have completed its work on the ISO 17021-13 standard by the end of 2021, so that it can then be adopted and published in 2022 at the latest.
Since the current DIN EN ISO 19011:2018 (Guide to the auditing of management systems) does not contain any specific requirements for internal auditors with regard to the relevant requirements, the future ISO 17021-13 would be usable as a source of knowledge and reference document for this group of persons.
The ISO standard 37301 - Conclusion
Due to its content and relevance, the new management system standard for compliance management ISO 37301 has a separate and cross-segment position in the previous ISO standards world, as it covers all compliance risks of a company beyond the related content and requirements of the previous management segments and at the same time brings certain relief elements.
As a result, all parties involved and other interested parties in the future processes of introduction, continuation, testing, evaluation and certification must meet high expectations and requirements for diligence in their respective preparation and realization.
Management systems sharpen the senses
For a long time, management systems have proven to be fundamental management tools: they provide the framework for consciously designing, controlling and monitoring processes. They create transparency and provide certainty of action. Especially in times of change, effective management systems are suitable for sharpening the view of the whole and supporting change processes. They stabilize work processes and systematically improve the quality of a company's own performance. However, management systems only become a key success factor when they are certified by the DQS. Our claim begins where checklists end. Take us at our word!
We are happy to answer your questions
Contact us - we will be happy to inform you about certification of your compliance management system.