Compliance Standardized: Forensic & Integrity Services ISO 37301: Compliance Management
Today, most companies are operating on the edge of technological innovation, potentially far from the
knowledge and understanding of regulators’ intentions, and they could find themselves in a regulatory
“no-man’s-land.” In many cases, the current set of laws and regulations is not — or only partly —
applicable to new business models. In the absence of certainty, it is up to the company to weigh ethical
decisions and blaze the trail itself.
Long-lasting economic success is strongly correlated with a culture of integrity and compliance. The
first step — design and implement a systematic compliance program — is a hurdle many organizations
have already taken. However, implementing a management system by continuously learning from past
experiences and leading practices remains a challenge to be addressed for many organizations.
The journey from a compliance program to a compliance management system is important but may
be daunting if there is not a widely accepted reference. That’s why the International Organization for
Standardization (ISO) published a new certifiable standard for compliance management systems in
April 2021.
Compliance management sounds simple — it’s following laws and regulation. However, it can sometimes
be challenging to move an organization in an ethical direction. The avoidance of compliance and the
misconduct committed by employees, business partners and corporate management is and will remain
a central challenge of modern business management. Moreover, national and international legislation
and regulation are tightening, particularly in the areas of anti-corruption, cartels and competition, but
also in the areas of cybercrime and data protection. In all important markets, authorities are intensifying
the enforcement of regulations and focusing more on the personal responsibility of management. Thus,
knowing their risks and defining clear responsibilities for managing them is crucial for organizations.
Why standardization matters

In a world that grows more connected every day, and with trade flows stretching far beyond the borders
of an organization’s headquarters, the world of compliance becomes increasingly complex. Regulators
and supervisors are holding organizations responsible not only for the actions of their own employees
but also for the actions of agents and suppliers. Just contractually obliging subsidiaries, agents or
suppliers to have a compliance program might not be enough to reduce the risk of noncompliance. This
is where ISO 37301 comes in.

ISO 37301 was designed by a committee of professionals and experts from many different countries and
has the support of the majority of ISO member nations. It provides trust that compliance risks are
regularly assessed, business partners are screened (based on a risk-based approach), the organization
has a working system to raise concerns and, in case of nonconformities, the organization is improving
its systems.

The standard outlines significant and mandatory components of corporate compliance programs while
offering a high level of flexibility to design, implement and operate an organization-centric, specific
compliance program that is fulfilling the needs of the individual corporation.

The key elements of an ISO 37301 compliance management system

The standard is based on well-established and globally recognized principles of good governance,
proportionality, transparency and sustainability. It can be drilled down to the following compliance
building blocks:

The core elements of an anti-bribery and corruption program in accordance with ISO 37001

• Context of the organization: including understanding the organization, expectations of stakeholders,
strategy, system and risk assessment and planning of activities
• Leadership: including governing body, anti-bribery policy, compliance function, roles and
responsibilities
• Planning: including actions to address risks and opportunities, anti-bribery/anti-corruption —
compliance objectives
• Support: including resources, competences, awareness and training, communication and
documentation
• Operation: including due diligence, controls, anti-bribery/anti-corruption — commitments, gifts and
hospitality, donations, speak-up and investigations
• Performance evaluation: monitoring, measurement, internal audit and management review, etc.
• Improvement: nonconformity and corrective action and program improvement
Four reasons to consider ISO 37301 for an organization:

1. ISO 37301 provides an organization with a practical structure for a dynamic compliance program

ISO 37301 changes often static compliance programs to dynamic compliance management systems.
The standard follows practical basic principles that can be adjusted to accommodate factors like size,
geography or industry. Once an organization is certified, a “surveillance audit” will be done annually
(recertification is required after the third year) by an independent third-party auditor, which means
that an extra set of eyes will critically look at the compliance system and further stimulate an
organization’s learning process.

2. ISO 37301 provides an organization with a powerful defense

In case of an investigation, an ISO 37301 management system not only shows that a compliance
program is in place, but also equips organizations with documented evidence to substantiate the
program’s viability and provide a reliable audit trail. Regulators and supervisors, such as the U.S.
Department of Justice,[1] are taking these into account when determining the fines that need to be
paid in instances of noncompliance. Also, the upcoming German corporate criminal law points in this
direction.

3. ISO 37301 can help protect an organization against third-party risks

According to the EY Global Integrity Report 2020, only one-third of organizations are very confident
that their third parties demonstrate integrity in the work they do.[2] This opens the possibility for
third-party risks that may result in penalties or fines for an organization. Over the years, several
organizations have faced enforcement due to actions of third parties. Working with organizations that
are ISO 37301-certified shows that their compliance programs correspond with the international
standard and are audited by an independent third party on a yearly basis.

4. ISO 37301 contributes to an organization’s ethical reputation

Becoming certified for ISO 37301 is a way for an organization to show that its compliance efforts are
ahead of the curve and a good way to gain competitive advantage over peers in tenders and high-value
contracts. Government institutions increasingly demand that parties have a compliance management
system in place to qualify (and explicitly refer to ISO standards as a leading standard).
[1] “Evaluation of Corporate Compliance Programs (Updated June 2020),” U.S. Department of Justice Criminal Division, https://www.justice.gov/criminal-fraud/page/file/937501/download, accessed 28 June 2021.
[2] Global Integrity Report 2020, EYGM Limited, 2020, https://assets.ey.com/content/dam/ey-sites/ey-com/en_gl/topics/assurance/assurance-pdfs/ey-is-this-the-moment-of-truth-for-corporate-integrity.pdf, accessed 28 June 2021.
A standard that can be tailored to organizations of any shape or form

Every organization needs to comply with laws and regulations. However, smaller companies might be
demotivated by the notion of building a compliance management system that is similar to the ones
large multinationals use. Therefore, ISO 37301 is designed to be applicable to all organizations,
regardless of type, size or nature of activity and whether in the public, private or not-for-profit sectors.

Based on the size or nature of the organization, some risks can be lower or higher. Organizations can
decide to focus on certain risk categories and accept the risks involved with the others. Also, the
compliance function under ISO 37301 needs to be adequate relative to the size of the operations. It is
possible to have only a fraction of a full-time employee’s time or outsource the operation (rather than
accountability) of the compliance function entirely. This frees organizations from the burden associated
with compliance, given that their management system is operational and effective.

Better prepare than repair

ISO 37301 has the potential to become the single international standard for compliance management
systems. The core elements are not new, but brought together in this standard, they form a solid base
for organizations of any size and from any sector or country to lift their compliance efforts to the next
level. For organizations that intend to be proactive and mitigate compliance risks, ISO 37301 gap
analysis, based on the draft version, can help evaluate areas of improvement of compliance efforts.

Global experience, local knowledge and relevant skills

The EY Forensic & Integrity Services Team has the global reach to assist companies in developing a
strategic corporate compliance program. Our Integrity, Compliance and Ethics Services (ICE) Team is
well positioned as an independent, objective advisor. The ICE Team has deep risk management
experience and global resources familiar with major compliance risks to help companies effectively
manage their corporate compliance obligations. Developing and embedding a prevention program and
a culture of ethics, values and integrity in line with ISO 37301 will help organizations sustain global
compliance.

We can help organizations build better processes on issues of critical corporate and personal
importance.

Our teams provide the following support:

Gap analysis
• Identify and prioritize the company’s significant integrity and compliance risks
• Assess the design of the company’s compliance infrastructure, including the compliance function,
people, processes and entity-level controls
• Compare compliance risks and infrastructure with the requirements of ISO 37301 to identify
improvement opportunities

Implementation of compliance management systems
• Assist in developing and implementing policies and procedures based on ISO 37301 requirements
• Conduct training and communication and provide implementation support
• Help with performance evaluation and improvement
• Prepare for ISO certification
EY | Building a better working world

EY exists to build a better working world, helping to create long-term value for clients, people and
society and build trust in the capital markets.

EY contacts: Global and Area subject-matter resources

This material has been prepared for general informational purposes only and is not intended to be relied upon
as accounting, tax, legal or other professional advice. Please refer to your advisors for specific advice.

ey.com