Investment in compliance management continues to grow rapidly. In Macquarie Group’s latest financial results, compliance spend amounted to 17% of net profit and is expected to keep growing in the years to come. In April 2021, ISO released ISO 37301, a certifiable standard for compliance management systems. With compliance on the move, should your next move be to get ISO 37301 certified?
ISO 37301 sets out requirements, with accompanying guidance, for a compliance management system and the practices that support it, designed to enable an organisation to meet its obligations. It was published in April 2021 and replaces the earlier guidance standard ISO 19600.
While the content is very similar, the most important change is that ISO 37301 is a Type A management system standard, meaning it states requirements rather than recommendations, so an organisation can be certified against it. In practice this means that where ISO 19600 said an organisation ‘should’ do something, ISO 37301 says it ‘shall’ for every element that must be in place to be certified.
Like all of ISO’s management system standards, it follows ISO’s harmonised structure: it states what is required to conform while remaining adaptable to organisations of any size and sector.
The compliance management standard sets a high bar. Being certified against the standard builds confidence and trust with your stakeholders, internal and external, and demonstrates that you have a strong compliance system in place.
Instances of noncompliance and regulatory action are becoming increasingly common across multiple jurisdictions, with the financial news regularly featuring stories of heavy fines and other sanctions for breaches.
Certification goes beyond simply telling your business partners that you’ve got things in hand: the independent process gives them assurance the compliance management system is operating effectively. Certification gives you a competitive advantage through improved credibility and enhanced reputation.
Internal stakeholders including management and top governing bodies gain increased confidence that compliance outcomes are being well managed. Increased confidence allows you to push boundaries in pursuit of your commercial objectives. At Protecht we refer to this as the ‘licence to go faster’. We can do more with the confidence that compliance risks are being well managed.
The key elements that demonstrate a strong compliance system are leadership, resources, monitoring, partnership with the business, culture, documented information, and measurement and reporting against objectives.
All of these are interwoven into the overall compliance management system and support each other. Strong leadership commits resources; adequate resources allow comprehensive monitoring and business partnerships; strong partnerships and processes help embed culture; consistently documented information allows for measurement; and reporting against objectives gives leadership evidence of how the compliance management system is operating. Strengthening any one element also strengthens the whole.
The first step is to identify whether adequate resources exist to bridge the gap to certification, and who has the authority to commit them.
The second step is to conduct a gap analysis of your current practice against the requirements of ISO 37301.
Leadership and commitment from the top governing body and top management isn’t just best practice; it is a requirement for conformance with the standard. This may be the biggest challenge for compliance teams early in their journey: the standard treats compliance as an outcome of everyone’s efforts, not just those of the compliance team.
Your gap analysis should also assess the tools you are currently using to manage compliance.
Once you have conducted your gap analysis, you can develop a plan to address the gaps it identifies.
The standard requires you to have sufficient resources to establish, implement, maintain and improve your compliance management system, which includes technical resources. If you are limited to using spreadsheets, word processors and emails, you will find it difficult to maintain a compliance management system of any reasonable size.
Compliance management software can provide a comprehensive compliance management capability designed to support your journey to conformance with ISO 37301.
Importantly, these tools help you demonstrate that you hold the documented information the standard requires, including version control and a record of how that information has changed over time.
Is the standard still worth adopting if you don’t intend to certify? In short, yes. It sets the benchmark for an effective compliance program, one designed to deliver outcomes aligned with your compliance objectives, and many of the benefits outlined above can still be realised by demonstrating conformance to the standard without formal certification.
Completing a gap analysis against the standard provides a benchmark and a maturity pathway for your compliance program, even if you aren’t planning to be certified any time soon.
If you are interested in finding out more about ISO 37301 and how it could help your business, please listen to the latest GRC Professional Podcast featuring Protecht's Research & Content Lead, Michael Howell.