
9TH ANNUAL EUROPEAN COMPLIANCE & ETHICS INSTITUTE …

Date post: 16-Oct-2021
9TH ANNUAL EUROPEAN COMPLIANCE & ETHICS INSTITUTE
NEW ISO 37301
Prof. Hernan Huwyler
@hewyler #SCCEecei /in/hernanwyler/
3/12/2021

An international certifiable standard for compliance programs

Use

Compliance by design, not by disaster

Use


It will replace the ISO 19600 on anti-corruption without major changes

Use

It is starting…


Strong corporate defense to meet accountability principles

Use

Studies show modest results in reducing regulatory violations
Coglianese, Cary and Nash, Jennifer, "Compliance Management Systems: Do They Make a Difference?" (2020)

Use


New ISOs for 2021

37000 Governance

37301 Compliance

ISO 37002 Whistleblowing

The ISO 37301 should harmonize the compliance controls in policies and procedures

Implication


The final standard will be published in May 2021

Use

Defines compliance as meeting obligations > needs and expectations of interested parties

Scope


Regulations

Laws

Contracts

Scope

Compliance obligations

Mandatory

Voluntary Commitments

Values

Implement and update a central compliance register to compile obligations

Implication


Embed responsibilities for compliance obligations into policies and job definitions

Implication

Ensure that performance appraisals and incentives cover embedded responsibilities in roles

Implication


Implement a compliance control matrix linking objectives, obligations, risks and policies

Implication

Then, not meeting obligations creates compliance risks

Scope


Context

Expand the scope for objective-centric and data-driven compliance risk assessments

Implication


Risk process (diagram)

• Periodically

• Material changes

Compliance obligations

Activities

Objectives

Products

Services

Scope

Risk assessment

Corrective actions

Ensure managers communicate compliance risks to affected and interested parties

Implication


Collect data on materialized compliance risks in fraud losses, complaints and claims bases

Implication

Implement a root-cause analysis of compliance violations

Implication


Validate quality and availability of compliance documentation and its security controls to prevent changes and destruction

Implication

Adjust the compliance management systems to address the risk management plans and evaluate their effectiveness

Implication


Compliance Mgmt System

Compliance Mgmt System

Purposes

Policies and Procedures

Processes


Compliance Mgmt System

Purposes

Policies and Procedures

Processes

Compliance Mgmt System

Board and senior mgmt

Internal and 3P documentation

External experts


Compliance Mgmt System

Values

Leadership

Culture

Update principles in the compliance policy to externally and internally communicate changes

Implication


Update compliance KPIs and targets in monitoring trends and reporting to upper management

Implication

Assess the effectiveness of compliance training and awareness for employees and 3Ps acting on their behalf

Implication


Due diligence required for hiring and promotion > no transfers or continuous

Changes

Disciplinary actions required for non-compliance > no grievances and appeals

Changes


Assess competences to meet compliance obligations in employee due diligence

Implication

Baseline

• Identity

• Career

• Right to work

• Education

• Licenses

• Credit

• Criminal

Implication

Enhanced

• Legal demands

• Social media

• Registered assets

• Family and household


Add the consequences of non-compliance to the compliance policy and train employees and new hires

Implication

Validate the data consistency and accuracy for compliance communication in the non-financial reporting

Implication


Protection for whistleblowing > no incentives

Changes

Include anti-retaliation controls in the whistleblowing policy

Implication


• Implement a leniency program

• Have an independent investigative team

• Prevent risks in the complaint ramifications

• Monitor peer pressure, bullying and exclusion

Anti-retaliation controls

• Approve changes in work conditions

• Include the impact on family members

• Provide financial and emotional support

• Protect whistleblowers for 3 to 5 years

Anti-retaliation controls


Whistleblowing

Accessible to all employees

Anonymous or not

ISO 37002 Whistleblowing

Environmental obligations for strategic planning

Changes


Audit compliance controls and third parties

Nice-to-have

Separate accountabilities and responsibilities in the performance of compliance controls

Nice-to-have


Include high-risk scenarios of compliance breaches in the crisis protocols

Nice-to-have

Expand due diligence to partnerships, mergers and acquisitions

Nice-to-have


Adjust the approvals and escalation procedures for decisions and processes posing high risks

Nice-to-have

Balance roles for the compliance mgmt system with the 3 lines model

Nice-to-have


/in/hernanwyler

hewyler

Let's connect
