ISO 37301
Compliance is the cornerstone of sustainable development for enterprises. In recent years, the international community and governments around the world have been committed to establishing and maintaining an open, transparent, and fair social order. At the same time, China is comprehensively promoting the rule of law. In this context, enterprises are increasingly concerned about the compliance risks they face and how to achieve compliance. Compliance means that the enterprise complies with applicable laws, regulations, and regulatory provisions, as well as relevant standards, contracts, effective governance principles, and ethical guidelines. In modern enterprise management, compliance management is considered one of the three pillars of enterprise management, alongside business management and financial management.
Looking at the government's policy direction in recent years, it is clear that the government's compliance requirements for enterprise operations have gradually extended from parts to the whole, covering various types of organizations such as state-owned enterprises, foreign enterprises, private enterprises, and enterprises in various industries. The scope of compliance has also extended from the initial anti-fraud and anti-commercial bribery to various aspects such as anti-monopoly, anti-unfair competition, export control compliance, criminal compliance, intellectual property compliance, and corporate governance compliance. Compliance management is not only an inherent requirement for the stable operation of enterprises, but also a basic prerequisite for preventing violation risks. It is an area that every enterprise must manage and a powerful weapon to safeguard its own interests.
In April 2021, ISO 37301:2021 Compliance Management Systems - Requirements with Guidance for Use was released by the International Organization for Standardization (ISO) and took effect. On September 16, 2022, the State-owned Assets Supervision and Administration Commission (SASAC) issued the "Measures for Compliance Management of Central Enterprises" (hereinafter referred to as the "Measures"), which made detailed provisions on the further deepening of compliance management of central enterprises from the aspects of institutional development, operational mechanism, compliance culture, supervision and accountability. This is the first regulatory system issued by SASAC for compliance management. The Measures shall come into effect on October 1, 2022.
The implementation of the Measures will undoubtedly promote the overall improvement of the compliance management level of Chinese enterprises. On the basis of previous relevant documents, the Measures have put forward clear requirements for central enterprises to further deepen compliance management. The Measures contain more comprehensive content and higher requirements, and their provisions are also more practical and rigid. The Measures stipulate that central enterprises should establish a Chief Compliance Officer position, held concurrently by the General Legal Advisor, based on their actual situation, without adding new leadership positions or increasing the number of positions. This also brings higher requirements to enterprises. ISO 37301:2021 Compliance Management Systems - Requirements with Guidance for Use is highly compatible with the "Measures" in terms of management philosophy, methodology, and other aspects, and is an important tool for enterprises to establish and improve compliance management systems.
In April 2021, the International Organization for Standardization released ISO 37301:2021 Compliance Management Systems - Requirements with Guidance for Use to replace ISO 19600:2014 Compliance Management Systems - Guidelines. ISO 37301:2021 is a Class A standard developed by ISO. Its purpose is to provide standardized requirements and implementation guidelines for enterprises to establish compliance management systems. ISO 37301:2021 applies the management system standard structure of ISO/IEC Directives Annex SL, making it easier for the compliance management system to integrate with other management systems based on ISO standards that the enterprise already has.
Figure 1: Major contents of the Compliance Management Systems
ISO 37301:2021 Compliance Management Systems - Requirements with Guidance for Use further strengthens the leadership role and compliance culture. At the same time, the scope of "people" under the control of the compliance management system has been extended from the legally recognized recruited "employees" to all "staff" who have a contractual relationship with the enterprise, and the content of employment procedures has been added. The management requirements are more generic to meet the current requirements of compliance management.
To build a high-standard market system and develop new advantages in participating in international competition and cooperation, China must maintain a fair and unified market environment, and continuously strengthen the supervision of enterprises. By implementing compliance management systems, enterprises can control their compliance risks and improve their compliance performance, resulting in benefits including but not limited to the following:
1. Establishing a compliance management system helps to reconstruct the corporate compliance culture;
2. Establishing a compliance management system helps improve an enterprise's ability to avoid risks;
3. Establishing a compliance management system can promote the deployment of internal liability systems within the enterprise;
4. Establishing a compliance management system can prevent decision-making errors;
5. Establishing a compliance management system helps to enhance the business reputation of enterprises;
6. Establishing a compliance management system is a firewall against corporate crime;
7. Establishing a compliance management system can enhance an enterprise's competitiveness and achieve sustainable development.
As the compliance management system flowchart in Figure 2 shows, the development of the compliance management system mainly involves three aspects: the compliance management system, the compliance management organization system, and the compliance management operation system. Firstly, the focus of developing a compliance management system for enterprises is to clarify their compliance management obligations by sorting out and analyzing their business operations and identifying their scope of compliance risks. Secondly, the focus of developing an enterprise compliance management organizational system is to continuously improve the compliance management mechanism by adding or improving the enterprise's compliance management organizations and clarifying the rights and obligations of those organizations. Finally, the focus of developing a compliance management operation system for enterprises is to cultivate a compliance culture by establishing risk identification and warning mechanisms, compliance supervision and evaluation mechanisms, and compliance risk reporting mechanisms, in order to ensure the long-term effectiveness of the compliance management system.
Figure 2: Compliance management system flowchart
Following the approach of the compliance management system flowchart, enterprises can efficiently establish a compliance management system in accordance with the specific requirements of the "Measures for Compliance Management of Central Enterprises" and the development process of the compliance management system for large groups published in the "Global Six Compliance Management Guidelines - Internal White Paper".
Figure 3: The process for developing a compliance management system for large groups
Enterprises applying for ISO 37301:2021 certification should meet the following basic criteria:
1. Having independent legal personality or being authorized by an independent legal person;
2. Having established a documented compliance management system that complies with the requirements of ISO 37301:2021 Compliance Management Systems - Requirements with Guidance for Use. Prior to applying for certification, internal audits and management reviews have been conducted, and the compliance management system is effective and has been fully operated for at least three months;
3. Providing sufficient information on the operation of the compliance management system to the CEPREI Certification Body. For multiple sites, the certification scope, address, and personnel distribution of each site should be specified;
4. From the establishment of the compliance management system onward, maintaining self-evaluation of compliance with laws and regulations, submitting compliance self-declarations and other documents, and, when relevant laws and regulations are not met, taking necessary corrective measures in a timely manner and notifying relevant parties.