Should I implement an anti-corruption management system or a compliance management system? What are the differences between the two standards and how can you determine which standard is more suitable for which company? We talk to Hans-Jürgen Fengler about these and other questions. He is an auditor for both ISO 37001 and ISO 37301 and is therefore exactly the right person to talk to.

Hans-Jürgen Fengler, thank you very much for taking the time for this interview! I would like to talk to you about the differences between the ISO 37001 and ISO 37301 standards. Could you please briefly explain to me what each of these standards refers to?

Hans-Jürgen Fengler: With pleasure. Both standards deal with the implementation of management systems to ensure compliance with laws and regulations. ISO 37001 focuses specifically on anti-corruption. It provides a framework for identifying, assessing and eliminating corruption risks, while ISO 37301 takes a more comprehensive approach and covers all of an organization's compliance obligations. This includes laws and regulations, but also voluntary commitments such as the Global Compact or the B.A.U.M. Code.

And how does the introduction of such a management system as described in ISO 37301 work?

Hans-Jürgen Fengler: According to ISO 37301, an organization must define a process in which the greatest compliance risks are identified. A risk assessment is then carried out in order to determine where measures, policies etc. are necessary. The same must be done for ISO 37001, but only for the topic of corruption. The system is regularly reviewed and continuously improved to ensure its effectiveness. In the end, certification by an accredited body can be sought. Then an auditor like myself comes along to analyze the management system and check for optimization potential. The key is to develop a tailor-made compliance management system that meets the specific requirements and risks of the organization and is continuously improved.

In other words, if compliance management shows that corruption is a major issue, then I have to turn to ISO 37001?

Hans-Jürgen Fengler: Yes, you can do that. ISO 37001 is all about corruption. This means that if corruption is the most relevant compliance risk, then you can concentrate on ISO 37001. However, if corruption is not the most relevant topic, then it makes more sense to introduce the compliance management system. It is also possible to use the contents of ISO 37001 to optimize the compliance management system with regard to anti-corruption and thus improve and concretize the management system as a whole. When deciding between ISO 37301 and ISO 37001, the question always arises: What do I want to demonstrate to my interested parties, what are their requirements? And what makes sense for me as an organization? In addition, there are countries where an anti-corruption management system in accordance with ISO 37001 is also required by law for certain sectors, for example in the construction industry in Italy or for public limited companies on the French stock exchange. In these cases, the question does not arise, and ISO 37001 certification is mandatory.

The number 37301 comes after 37001. What is this designation all about?

Hans-Jürgen Fengler: ISO 37001 was already published in 2016, while ISO 37301 only came into force in 2021. The predecessor standard to ISO 37301, ISO 19600, was only designed as a guideline and did not contain any specific requirements, nor could an accredited certificate be issued. As ISO 37001 already bore the number 37001, the number 37301 was chosen for the new, more comprehensive standard. Everything published by ISO in the area of compliance management systems can be found in the 37000 series. And that is why ISO 37301 has also been classified here.

How suitable are ISO 37001 and ISO 37301 for organizations of different sizes, industries and geographical locations?

Hans-Jürgen Fengler: Basically, all ISO management system standards are suitable for all organizations of different sizes, industries and geographical locations. ISO 37001 and ISO 37301 are no exceptions. Chapter 4 “Context of the organization” specifies which company-specific requirements are associated with the management system in detail and what needs to be taken into account. In a large organization, there are more requirements than in a small organization. Of course, this all has a strong influence on the compliance requirements that need to be considered specifically.

An important factor in terms of geographical location is that the risk of corruption is higher in some countries than in others. Transparency International provides the Corruption Perception Index (CPI). This is made up of 13 individual indices, twelve independent institutions and expert interviews and indicates the risk of corruption in the various regions worldwide.

If I work in a country, or in cooperation with a country, in which the corruption risks are rated as high, then more detailed control mechanisms need to be installed than in a country in which the corruption risks are lower and where I tend to have to check less. In other words, the geographical location has an influence on the specific design of the management system.

Is it mandatory to have the standards certified or is it sufficient to implement an appropriate management system?

Hans-Jürgen Fengler: Certification is of course optional. However, it can help companies to document their compliance obligations and prove them to stakeholders.

To what extent can the ISO 37001 and ISO 37301 standards be integrated with other management system standards such as ISO 9001?

Hans-Jürgen Fengler: Both standards are based on the High-Level Structure (HLS), or Harmonized Structure (HS), which is also used by other ISO management system standards. Integration is therefore possible in principle.

However, whether integration makes sense depends on the respective organization and its specific requirements.

Is it also possible to certify only certain parts or activities within the scope of the standards?

Hans-Jürgen Fengler: In principle, partial certification is possible. However, this is problematic in the case of compliance issues, as the requirements usually affect the entire organization. Certification of individual areas would therefore require artificial demarcations that are almost impossible to implement in practice.

Thank you very much for your interesting comments!

The interview was conducted by Constanze Illner.
