3/12/2021
9TH ANNUAL EUROPEAN COMPLIANCE & ETHICS INSTITUTE
NEW ISO 37301
Prof. Hernan Huwyler
@hewyler #SCCEecei
/in/hernanwyler/hewyler
An international certifiable standard for compliance programs
Use
Compliance by design,
not by disaster
Use
It will replace the ISO 19600 on anti-corruption without major changes
Use
It is starting…
Strong corporate defense to meet accountability principles
Use
Studies show modest results in reducing regulatory violations
Coglianese, Cary and Nash, Jennifer, "Compliance Management Systems: Do They Make a Difference?" (2020)
Use
New ISOs for 2021
ISO 37000 Governance
ISO 37301 Compliance
ISO 37002 Whistleblowing
The ISO 37301 should harmonize the
compliance controls in policies and procedures
Implication
The final standard will be published in
May 2021
Use
Defines compliance as meeting obligations > needs and expectations of interested parties
Scope
Compliance obligations
Mandatory: Regulations, Laws, Contracts
Voluntary Commitments: Values
Scope
Implement and update a central compliance
register to compile obligations
Implication
Embed responsibilities for compliance
obligations into policies and job definitions
Implication
Ensure that performance appraisals and incentives cover the responsibilities embedded in roles
Implication
Implement a compliance control matrix linking
objectives, obligations, risks and policies
Implication
Then, not meeting obligations creates compliance risks
Scope
Context
Expand the scope for objective-centric and
data-driven compliance risk assessments
Implication
Risk process
• Periodically
• Material changes
Compliance obligations
Scope: Activities, Objectives, Products, Services
Risk assessment
Corrective actions
Ensure managers communicate
compliance risks to affected and interested
parties
Implication
Collect data on materialized compliance risks in fraud losses, complaints and claims databases
Implication
Implement a root-cause analysis of
compliance violations
Implication
Validate quality and availability of compliance
documentation and its security controls to prevent
changes and destruction
Implication
Adjust the compliance management systems
to address the risk management plans and
evaluate their effectiveness
Implication
Compliance Mgmt System
Purposes
Policies and Procedures
Processes
Compliance Mgmt System
Purposes
Policies and Procedures
Processes
Board and senior mgmt
Internal and 3P documentation
External experts
Compliance Mgmt System
Values
Leadership
Culture
Update principles in the compliance policy to
externally and internally communicate changes
Implication
Update compliance KPIs and targets in monitoring
trends and reporting to upper management
Implication
Assess the effectiveness of compliance training
and awareness for employees and 3Ps
acting on their behalf
Implication
Due diligence required for hiring and promotion > no transfers or continuous
Changes
Disciplinary actions required for non-compliance > no grievances and appeals
Changes
Assess competences to meet compliance
obligations in employee due diligence
Implication
Baseline
• Identity
• Career
• Right to work
• Education
• Licenses
• Credit
• Criminal
Enhanced
• Legal demands
• Social media
• Registered assets
• Family and household
Add the consequences of non-compliance to the compliance policy and train employees and new hires
Implication
Validate the data consistency and accuracy
for compliance communication in the non-
financial reporting
Implication
Protection for whistleblowing > no
incentives
Changes
Include anti-retaliation controls in the
whistleblowing policy
Implication
Anti-retaliation controls
• Implement a leniency program
• Have an independent investigative team
• Prevent risks in the complaint ramifications
• Monitor peer pressure, bullying and exclusion
• Approve changes in work conditions
• Include the impact on family members
• Provide financial and emotional support
• Protect whistleblowers from 3 to 5 years
Whistleblowing
Accessible to all employees
Anonymous or not
ISO 37002 Whistleblowing
Environmental obligations for strategic
planning
Changes
Audit compliance controls and third parties
Nice-to-have
Separate accountabilities and
responsibilities in the performance of
compliance controls
Nice-to-have
Include high-risk scenarios of compliance breaches in the crisis protocols
Nice-to-have
Expand due diligence to partnerships, mergers and acquisitions
Nice-to-have
Adjust the approvals and escalation procedures for decisions and processes
posing high risks
Nice-to-have
Balance roles for the compliance mgmt system with the 3 lines model
Nice-to-have
/in/hernanwyler
hewyler
Let's connect