• Dr. Jan-Hendrik Gnändiger, Partner |

Highlights

  • DIN ISO 37301 defines requirements for an effective compliance management system. As a guideline and basic standard, it provides clear guidelines for companies of all sizes.

  • The new standard replaces ISO 19600 and is directly certifiable as a Level A standard.

  • Certification is important and brings decisive advantages at national and international level.

Compliance in companies has been growing in importance for years. Businesses are responsible for ensuring compliance with expanding national and international regulations and for meeting compliance requirements. One way that a company can demonstrate its adherence to the rules is by implementing an effective compliance management system (CMS). 

The international standard ISO 19600 was published in 2014 as a guideline and aid for implementing a CMS. In Germany, there is also the auditing standard IDW PS 980, developed by the Institute of Public Auditors in Germany (IDW), which contains principles for auditing compliance management systems and is addressed to German auditors. 

The publication of ISO 37301 in April 2021 will now make it possible to prove the effectiveness of a CMS with international validity. In contrast to ISO 19600, which as a Type B standard only contains recommendations, ISO 37301 is a Type A standard that is suitable for both implementation and certification and contains clear obligations for companies. 

The new DIN standard ISO 37301 defines requirements and provides guidelines for introducing, implementing and improving a modern CMS in a company.

International significance of certifications

Certifying management systems according to international standards creates greater uniformity in the implementation of compliance rules. Liability and reputational risks are reduced, while the international market and the public will have greater confidence in your company. 

Other benefits of successful certification include increased effectiveness and optimisation of compliance-relevant processes. On the other hand, certification provides proof for supervisory and law enforcement authorities and offers security for management as well as for employees and stakeholders. In addition, proof of a functioning CMS can create advantages when a company is bidding for contracts and looking to be selected as a supplier. 

Large and small companies alike benefit from ISO 37301 certification. The standard explicitly states that it is suitable for companies of any size, type and with any nature of activity, as well as private and public sector organisations.

ISO 37301 can guide and assist successful implementation of a CMS

In line with its predecessor ISO 19600, ISO 37301 contains specifications as well as guidelines on establishing, developing, implementing, evaluating, maintaining and improving an effective CMS. The specifications and practical instructions provided by ISO 37301 are deliberately chosen in a flexible manner so that an effective CMS can be introduced regardless of the specifics of any one organisation.

In this way, it allows companies to implement the CMS detached from systems already existing in the organisation. However, one recommendation is to integrate the CMS into existing management systems such as those for risk, quality or anti-corruption. 

There are various project approaches for using the ISO standard. For example, it is advisable to carry out a readiness assessment to check the status of the CMS with regard to the requirements of ISO 37301. This makes the adequacy, implementation and effectiveness of the CMS transparent.

Based on this assessment, weak points can be identified and necessary steps and required adjustments documented in a roadmap, allowing a certifiable CMS to be implemented. Provided that all criteria mentioned in ISO 37301 are met, the CMS can be certified according to the standard and a corresponding certificate can be provided.

Conclusion

Although the implementation of ISO 37301 remains voluntary, the pros of certification clearly outweigh the cons. The following advantages are good arguments for explicitly recommending certification to all companies:

  • relevance in legal proceedings as well as in building trust between (international) business partners,
  • flexibility in applying the standard,
  • transparency created with regard to opportunities for improvement and risks.

As the market leader in the field of IDW PS 980 audits and as an accredited certification body for ISO standards, KPMG has the necessary expertise to provide you with optimal support.