1. Standard positioning and evolution
ISO 37301 evolved from ISO 19600 (originally a guidance standard) into a certifiable standard with explicit requirements, emphasizing the construction of a risk-based compliance management system (CMS). It is suitable for organizations of any size and industry, and has particular strategic value for multinational operations and heavily regulated fields such as finance, healthcare, and energy.
2. Core principles
Governance-driven: requires the integration of compliance into organizational strategy and decision-making processes, securing top-level commitment and embedding compliance in the organizational culture.
Full lifecycle management: covers compliance obligation identification, risk assessment, control implementation, performance monitoring, and continuous improvement.
Stakeholder orientation: addresses the multidimensional compliance requirements arising from laws, regulations, industry standards, and internal policies.
ISO 37301 is based on the "Plan-Do-Check-Act" (PDCA) cycle model, which requires organizations to achieve compliance goals through a dynamic management process. Its core elements comprise the following six modules:
1. Organizational environment and compliance obligations
Scope definition: Clearly define the business areas, regions, and regulatory requirements covered by the compliance management system, including mandatory laws and regulations, industry standards, contractual commitments, and ethical norms.
Stakeholder analysis: Identify the compliance expectations of shareholders, customers, regulatory agencies, and other entities, and incorporate them into the design of the management system.
2. Leadership and Governance Structure
Top management commitment: top management must develop compliance policies, allocate resources, and establish a 'top-down' compliance culture.
Independence of Compliance Function: Establish a dedicated compliance department or designate a compliance officer to ensure that they have the authority to independently exercise their powers.
3. Risk-oriented compliance control
Risk identification and assessment: Using quantitative and qualitative methods, evaluate the legal consequences, financial losses, and reputational risks that may result from violations.
Control measures design: Develop multi-level control mechanisms for high-risk areas, including policies, processes, training, and technical monitoring.
4. Supporting resources and capacity building
Personnel Capability: Ensure that all employees understand compliance obligations through regular training, awareness raising programs, and competency assessments.
Digital tools: Utilize compliance management software (such as a GRC system) to support risk monitoring, process automation, and data traceability.
5. Operation and continuous monitoring
Process execution: Ensure compliance requirements are embedded in core business processes such as procurement, sales, and finance.
Real-time monitoring and reporting: Establish reporting mechanisms, internal audits, and third-party due diligence procedures to promptly identify and correct deviations.
6. Performance evaluation and improvement
Internal audit: Regularly verify the effectiveness of the system and identify opportunities for improvement.
Management review: The top management evaluates the achievement of compliance goals and adjusts strategic direction.
1. Provide clear guidance: Offers enterprises a clear blueprint for building a compliance management system, with explicit guidelines for organizational structure, process design, and personnel training.
2. Enhance risk prevention capabilities: Through risk assessment and the development of response measures, enterprises can more effectively identify and respond to potential compliance risks, reducing the likelihood of violations.
3. Promote continuous improvement: Regular audit and review mechanisms ensure that the compliance management system continuously adapts to changing legal and business environments.
4. Enhance corporate image: A compliance management system that conforms to international standards not only standardizes internal management, but also strengthens the company's reputation among partners and customers.
5. Protect the interests of enterprises: Effective compliance management reduces the legal risks and economic losses that enterprises face as a result of violations.
6. International recognition: The international verifiability of ISO 37301 provides important support for corporate compliance governance: it conveys business trust, demonstrates to regulatory agencies that a compliance management system exists, provides evidence in the company's favor to judicial authorities during sentencing for violations, and supports efforts to obtain compliance-based non-prosecution.
ISO 37301 is applicable to organizations of any type, size, nature, and industry worldwide. Both large multinational corporations and small and medium-sized enterprises can enhance their compliance management capabilities by implementing the ISO 37301 standard. In addition, this standard can also be integrated with other management systems (such as ISO 9001 quality management system, ISO 14001 environmental management system, etc.) to achieve more efficient management.
• Financial industry: Meet strict regulatory requirements for anti-money laundering (AML) and counter-terrorism financing (CTF).
• Manufacturing industry: Dealing with supply chain compliance, export control, and environmental regulations (such as REACH, RoHS).
• Technology companies: Ensuring data security (GDPR, CCPA) and intellectual property compliance.
• Medical and pharmaceutical industries: standardize business practices, prevent corruption, and ensure product quality compliance.
(I.) Application materials
1. System documents
Compliance Management Manual: Clarify compliance policies, objectives, organizational structure, and system scope.
Procedure documents: such as 'Compliance Risk Assessment Procedure', 'Reporting and Investigation Procedure', 'Training Management Procedure', etc.
Record forms: compliance obligation list, risk assessment report, training records, internal audit report, etc.
2. Operational evidence
Internal audit report: Proving that the system operates in accordance with standard requirements.
Management review report: including the achievement of compliance goals, improvement suggestions, and resource adjustment plans.
3. Compliance Obligations List
Clearly define the laws, regulations, industry standards, contractual commitments, and ethical guidelines that enterprises must comply with.
4. Risk assessment and control documents
Compliance risk identification, assessment results, and corresponding control measures (such as anti-bribery policies, data privacy protection plans, etc.).
5. Other supporting materials
Business license, organizational chart, and job responsibilities for compliance functions.
Employee compliance training records, proof of reporting channel settings (such as reporting hotline, email).
Record of handling internal and external compliance incidents in recent years and report on corrective measures.
(II.) Application requirements
ISO 37301 is a voluntary international standard that any organization (regardless of industry, size, or nature) can apply for certification, but must meet the following basic conditions:
1. Clear compliance management requirements
Organizations need to face compliance-related risks (such as legal, regulatory, contractual, or ethical risks) and wish to enhance their compliance capabilities through a systematic approach.
They need to commit to incorporating compliance goals into strategic planning and advancing them in step with business development.
2. Senior commitment and resource support
The top management should clearly express their support for the construction of a compliance management system and provide necessary human, financial, and technical resources (such as establishing a compliance department or position).
It is necessary to establish a compliance culture and promote full participation through institutional design (such as reward and punishment mechanisms).
3. Existing compliance management foundation
The organization has established a preliminary compliance management system or process (such as anti-corruption, data protection, etc.), or has the ability to adopt the governance framework of ISO 37301.
Be able to demonstrate that compliance management activities match actual business needs (such as designing control measures for high-risk areas).
4. Continuous improvement mechanism
It is necessary to have internal audit, management review, and violation response mechanisms to ensure dynamic optimization of the system.
(III.) Precautions
Selection of certification body: Choose a certification body accredited by the China National Accreditation Service for Conformity Assessment (CNAS) or recognized under the International Accreditation Forum (IAF).
Continuous improvement: After certification, the system must be regularly maintained and undergo surveillance audits (usually once a year).
Resource investment: Small and medium-sized enterprises can prioritize focusing on high-risk areas and meet standard requirements in stages.
1. Gap Analysis
Assess the gap between existing compliance practices and ISO 37301 requirements, and develop an implementation roadmap.
2. System design and documentation
Develop compliance manuals, procedural documents, and record forms to ensure that the system complies with standard terms.
3. Trial operation and internal audit
Conduct a 3-6 month system trial run and verify its effectiveness through internal audits.
4. Management review and corrective measures
The top management reviews the performance of the system and approves certification applications.
5. Third party certification audit
Two-stage audit conducted by an accredited certification body:
• Phase 1 (document review): Confirm the conformity of the system design.
• Phase 2 (on-site audit): Verify the effectiveness of the system operation.
6. Continuous improvement and supervision review
After obtaining the certificate, the organization must undergo annual surveillance audits to ensure continued conformity with the standard's requirements.
WeChat ID: Siterui888888
Add a WeChat friend to get free plans and quotations.