2. Your presenter
Jonathan Brun
President and founder of Nimonik inc., an engineer by training with a passion for building world-class compliance management systems.
Based in Montreal, Canada
6. Why are we talking about ISO 37301:2022 and why now?
Obligations and risk have increased significantly. Need a robust system to handle all of this:
• ESG
• Sustainability
• Environmental / Climate Change
• Cybersecurity
• Artificial Intelligence
• Others
7. Topics:
1. What is ISO 37301:2022?
2. Why should you use it?
3. Where does it fit in?
4. How does it work?
5. Key definitions
6. Key elements
7. Key implementation steps
8. Q&A
9. Introduction
• ISO 37301 is an international standard introduced in 2022 that provides guidance on establishing, implementing, maintaining, reviewing, and improving an effective compliance management system.
• This standard helps organizations ensure they comply with legal and ethical requirements, reduce the risk of non-compliance, and improve their overall performance.
• ISO 37301 provides a framework for organizations to integrate compliance into their business operations and to demonstrate their commitment to ethical behavior and social responsibility.
• ISO 37301 replaces ISO 19600
1. WHAT IS ISO 37301:2022
10. Introduction
ISO 37301 builds on and replaces ISO 19600 (guidelines) with the following differences:
• ISO 37301 is now a Type A management system standard that is certifiable and compatible with other Type A management system standards such as ISO 9001, 45001, 14001, etc.
• replaces "should" with "shall" statements (but not for everything)
• adds whistleblowing and expands culture and governance
• adds requirements for hiring or promoting staff to critical positions
• adds assessment of staff in matters of regulatory compliance
• provides a description of what is considered a regulatory compliance culture
• highlights the issues of independence, staffing and skills of the Regulatory Compliance function, so that it can operate without intervention and with appropriate staff
• identifies a Code of Ethics and Conduct as a key element in determining and controlling compliance
12. You have these needs
ISO 37301 is applicable for organizations that:
• want to modernize their corporate compliance efforts with industry best practices.
• need a compliance management system for specific risk domains not currently covered by a standard.
• need to better address obligations contained within existing management systems.
• need an overarching assurance framework across existing compliance management systems (e.g., safety, security, environmental, EHS, ESG, etc.)
2. WHY SHOULD YOU USE IT?
13. You want these benefits
ISO outlines the following benefits for this standard:
• improving business opportunities and sustainability.
• protecting and enhancing an organization’s reputation and credibility.
• considering expectations of interested parties.
• demonstrating an organization’s commitment to managing its compliance risks effectively and efficiently.
• increasing the confidence of third parties in the organization’s capacity to achieve sustained success.
• minimizing the risk of a contravention occurring with the attendant costs and reputational damage.
TRUST
“Organizations want to work and collaborate with companies they can trust,”
“And trust is built on a company culture of doing the right thing, where every employee contributes because they understand and believe in the importance of it. Central to this is good leadership and clear values, which have to come from the top.”
16. Where does it fit in with other standards
3. WHERE DOES IT FIT IN?
ISO 37301 is intended to work as a stand-alone system or in conjunction with others:
• ISO 37000: Governance Guidelines
• ISO 37301: Compliance Management Systems
• ISO 31000: Risk Management Guidelines
• ISO 19011: Audit Management Guidelines
• Topic Specific Standards
17. How is it the same as other ISO standards?
ISO 37301:
• follows the Annex SL structure
• follows Type A MSS with respect to management system requirements
• is harmonized with other standards
• is voluntary
18. How is it different from other ISO standards?
• Certifiable with Guidelines for Use: ISO 37301 is certifiable using accredited auditors.
• Integration with Other Standards: ISO 37301 is designed to be used with other management systems.
• Risk Based Approach: ISO 37301 emphasizes a risk-based approach to compliance management.
• Focus on Compliance: ISO 37301 is specifically designed to manage compliance risks.
19. Includes both requirements and recommendations
• SHALL = Requirements, found in the body of the standard
• SHOULD = Recommendations, found in Annex A (informative)
21. Outcome Objectives
These are measures of effectiveness that need to be specified in units meaningful to the stakeholders.
• Integrity
• Culture
• Conformity
• Reputation
• Value
• Ethics
Capabilities for the CMS to provide depend on what is specified.
4. HOW DOES IT WORK?
22. Essential Behaviors
These principles define essential behaviors for achieving compliance outcomes:
• Integrity
• Good Governance
• Proportionality
• Transparency
• Accountability
• Sustainability
These behaviors need to be present within the CMS and reinforced by the organizational culture.
23. Essential Processes
The CMS implements essential processes to achieve compliance and risk objectives:
• PLAN: Commitment, Scope, Policy, Roles and responsibilities, Obligations and Risks
• DO: Support, Competence and awareness, Communication and training, Operations, Controls and procedures, Documentation
• CHECK: Internal audit, Management review, Monitoring and measurement, Raising concerns, Investigation process
• ACT: Managing non-compliance, Continual improvement
PDCA demonstrates how these processes interact with each other. However, they may not happen in sequence. For example, operating controls happen at the same time that conformance is verified.
24. Context
These define internal and external environmental factors that need to be considered:
• Legal
• Social
• Cultural
• Digitalization
• Finance
• Structure
• Environment
• Interested parties
These factors are inputs into the planning process and define the climate the CMS operates within.
26. Contains Requirements and Recommendations
• "Shall" statements are mandatory requirements needed for certification
• "Should" statements are recommendations derived from ISO 19600 and placed in Annex A
5. KEY DEFINITIONS
33. How these concepts relate to each other
Concepts shown in the diagram: Policy, Objectives, Obligations, Risk, Culture, Uncertainty, COMPLIANCE, CONTEXT.
Everything happens in the presence of uncertainty and culture.
36. 4. Context of the organization
• This element emphasizes the importance of engaging with stakeholders and understanding their needs and expectations.
• This includes identifying the compliance obligations and expectations that are relevant to the organization's activities, products, and services, along with the internal and external factors that may impact its ability to meet its compliance obligations.
• Key obligations include understanding the organization and its context, the needs and expectations of interested parties, and determining the scope of the compliance management system.
6. KEY ELEMENTS
37. 4. Context of the organization
4.1 Understanding the organization and its context
4.2 Understanding the needs and expectations of interested parties
4.3 Determining the scope of compliance management system
4.4 Compliance management system
4.5 Compliance obligations
4.6 Compliance risk assessment
43. 5. Leadership
• Leadership and commitment are critical for the success of the compliance management system.
• This element involves establishing a compliance culture within the organization, defining a compliance policy, assigning roles and responsibilities for compliance, and providing the necessary resources and support.
• Key obligations include demonstrating visible leadership and commitment to compliance, establishing clear lines of communication and reporting, and promoting a culture of ethical behavior.
44. 5. Leadership
5.1 Leadership and Commitment
5.1.1 Governing body and top management
5.1.2 Compliance culture
5.1.3 Compliance governance
5.2 Compliance Policy
5.3 Roles, responsibilities and authorities
5.3.1 Governing body and top management
5.3.2 Compliance function
5.3.3 Management
5.3.4 Personnel
50. 6. Planning
• It is important to develop a comprehensive plan that integrates compliance into all areas of the organization and that takes into account the organization's values and culture.
• This element involves planning for compliance by conducting risk assessments, establishing objectives and targets, and developing action plans to address identified risks and opportunities.
• Key obligations include identifying legal and ethical requirements that are applicable to the organization, assessing the risks and impacts of non-compliance, and establishing objectives and targets that are measurable and achievable.
51. 6. Planning
6.1 Actions to address risks and opportunities
6.2 Compliance objectives and planning to achieve them
6.3 Planning of changes
54. 7. Support
• The support requirements emphasize the importance of providing the necessary resources and support to meet compliance obligations effectively and efficiently.
• The element involves determining and providing the resources and support needed to establish, implement, maintain, and continually improve the CMS.
• Key obligations include establishing leadership and commitment to compliance, adequate staffing, training and awareness programs, communication channels, access to compliance information, documentation and record-keeping processes.
55. 7. Support
7.1 Resources
7.2 Competence
7.2.1 General
7.2.2 Employment process
7.2.3 Training
7.3 Awareness
7.4 Communication
7.5 Documented information
7.5.1 General
7.5.2 Creating and updating documented information
7.5.3 Control of documented information
61. 8. Operation
• It is important to involve all stakeholders in the implementation process and to ensure that the compliance management system is integrated into all business processes.
• This element involves establishing controls, communicating requirements, and providing training and awareness to ensure compliance is embedded in the organization's daily activities.
• Key obligations include establishing and communicating policies and procedures, providing training and awareness programs, and implementing controls to ensure compliance.
62. 8. Operation
8.1 Operational planning and control
8.2 Establishing controls and procedures
8.3 Raising concerns
8.4 Investigation processes
64. 9. Performance evaluation
• It is important to ensure that the evaluation process is objective, independent, and based on reliable data.
• The evaluation element involves monitoring performance, conducting audits and reviews, and analyzing data to ensure the compliance management system remains effective.
• Key obligations include establishing performance indicators, monitoring compliance performance, conducting audits and reviews, and analyzing data to identify areas for improvement.
65. 9. Performance evaluation
9.1 Monitoring, measurement, analysis and evaluation
9.1.1 General
9.1.2 Sources of feedback on compliance performance
9.1.3 Development of indicators
9.1.4 Compliance reporting
9.1.5 Record-keeping
9.2 Internal audit
9.2.1 General
9.2.2 Internal audit programme
9.3 Management review
9.3.1 General
9.3.2 Management review inputs
9.3.3 Management review results
69. 10. Improvement
• It is important to establish a culture of continual improvement and to ensure that the compliance management system is adapted to changing circumstances.
• This element involves implementing corrective and preventive actions, identifying opportunities for improvement, and continuously improving the compliance management system.
• Key obligations include establishing a process for reporting and investigating non-compliance, identifying opportunities for improvement, and implementing corrective and preventive actions.
70. 10. Improvement
10.1 Continual improvement
10.2 Nonconformity and corrective action
72. Poll: Do you see many barriers to implementing ISO 37301 at your organization?
74. What to avoid
1. Lack of leadership commitment: Without leadership commitment, the compliance management system is likely to fail. The leaders of the organization need to be fully committed to the implementation of the standard, provide the necessary resources and support, and ensure that everyone in the organization understands the importance of compliance.
2. Overcomplicating the system: A compliance management system that is overly complex can be difficult to implement and maintain. It's important to keep the system simple and focus on the key compliance risks facing the organization.
3. Failure to involve stakeholders: The compliance management system should involve all relevant stakeholders, including employees, suppliers, customers, and regulators. Failure to involve these stakeholders can lead to resistance to the system and a lack of buy-in.
4. Lack of communication: Communication is critical to the success of the compliance management system. It's important to communicate the system's purpose, goals, and benefits to all stakeholders, and to keep them informed of progress and changes.
5. Insufficient training: Employees need to be trained on the compliance management system, including their roles and responsibilities, how to identify compliance risks, and how to report compliance violations. Without proper training, employees may not understand the system, which can lead to non-compliance.
6. Failure to adapt to changing circumstances: The compliance management system should be flexible and able to adapt to changing circumstances, such as changes in regulations or business operations. Failure to adapt the system can result in non-compliance.
7. Treating compliance as a one-time event: Compliance management is an ongoing process that requires continuous improvement. Treating compliance as a one-time event can lead to complacency and non-compliance.
7. KEY IMPLEMENTATION STEPS
75. What is critical to success
1. Top Management Support: Having strong support from top management is essential for the successful implementation of ISO 37301. Leaders should communicate their commitment to the CMS to ensure its effective implementation and continued success.
2. Obligation Identification: Knowing your obligations is critical for effective compliance. Lack of knowledge will contribute to gaps in compliance, excessive risk, and failure to provide stakeholder assurance. This identification should include legal, regulatory, and stakeholder obligations.
3. Risk Assessment: The CMS should be built around an assessment of the organization's compliance risks. This assessment should identify the risks that the organization faces and prioritize them based on their severity and likelihood of occurrence.
4. Policies and Procedures: Policies and procedures that are aligned with the organization's goals, risk profile, and compliance requirements should be developed. These policies and procedures should be communicated effectively to ensure that everyone understands their roles and responsibilities in achieving compliance.
5. Training and Awareness: All employees should receive training and awareness programs to ensure they understand their roles and responsibilities in complying with the CMS. Regular training and awareness programs should be conducted to ensure that employees remain up-to-date on changes to the CMS and the organization's compliance requirements.
6. Monitoring and Measurement: The CMS should include mechanisms for monitoring and measuring its effectiveness. This includes regular compliance audits, reviews, and assessments to ensure that the CMS is functioning effectively and meeting its objectives.
7. Continuous Improvement: The organization should continually evaluate and improve its CMS to ensure its ongoing effectiveness. The CMS should be flexible enough to adapt to changes in the organization's compliance risks, regulatory requirements, and business objectives.
76. Steps to follow
Step 1. UNDERSTAND THE STANDARD: Read and understand the requirements of ISO 37301, and how it applies to your organization. This includes the principles, objectives, and requirements of the standard.
Step 2. CONDUCT A GAP ANALYSIS: Assess your organization's current compliance management system against the requirements of ISO 37301. Identify the gaps and areas for improvement.
Step 3. DEFINE SCOPE: Define the scope of your compliance management system. Determine which activities, processes, and functions will be covered by the system.
Step 4. ESTABLISH A COMPLIANCE POLICY: Develop a compliance policy that sets out your organization's commitment to complying with applicable laws, regulations, and standards. The policy should be communicated to all relevant stakeholders.
Step 5. DEVELOP A COMPLIANCE MANAGEMENT FRAMEWORK: Establish a compliance management framework that includes processes, procedures, and controls for managing compliance risks. This includes identifying and assessing compliance risks, implementing controls to mitigate those risks, monitoring and reviewing the effectiveness of the controls, and reporting on compliance performance.
77. Steps to follow
Step 6. IMPLEMENT THE COMPLIANCE MANAGEMENT SYSTEM: Implement the compliance management system by providing the necessary resources, assigning roles and responsibilities, and training staff on the system.
Step 7. MONITOR AND MEASURE PERFORMANCE: Establish metrics and monitoring procedures to measure the effectiveness of the compliance management system. This includes regular reviews, audits, and assessments.
Step 8. CONTINUOUSLY IMPROVE: Continuously improve the compliance management system by analyzing performance data, identifying opportunities for improvement, and taking corrective action.
Step 9. GET CERTIFIED: Once your organization has implemented the compliance management system and it has been in operation for a sufficient period of time, you can seek certification to ISO 37301 from a recognized certification body.