Let’s look into what the ISO 37301 compliance management systems standard is.
This standard enables organizations and businesses to put in place an effective compliance management system where senior management is accountable, and supervises and improves it over time.
In light of many of today’s new regulations about modern slavery, sustainability, greenhouse gas emissions, product safety, and more, compliance is becoming more important than ever for businesses. So we’ll look at ISO 37301 from the point of view of how it impacts manufacturing in China, too.
Prefer listening to reading? The audio for this post is based on a conversation with Clive Greenwood from SMC Compliance and Sean Li from the BSI; the timestamps in brackets below refer to that recording.
What is the ISO 37301 standard about?
In short, it is a standard focused on traceability and accountability. It drives a company to put in place a management system that improves the organization’s compliance with applicable requirements (governmental, regulatory, etc.).
The most senior management levels of a company must oversee and be accountable for the company’s and products’ compliance with the applicable requirements, standards, and laws of their location and marketplace. For example, products sold in Europe must be compliant with all applicable European requirements.
Traceability also plays an important role, for example for improving the EPD (Environmental Product Declaration) submissions and making senior management more accountable for the claims made. (03:21)
What is a compliance management system and how does it fit in with other common standards such as ISO 9001, 14001, etc?
There are basically three levels of standards: product, business, and, in the case of ISO 37301, governance (senior management). The compliance management system is a helpful tool for senior management: it helps them recognize the various compliance risks and take action to address them.
The standard demands a structure be put in place for senior management to manage the compliance aspects of the group or business. For example, there might be a committee on the board that the CEO reports to about compliance, or an independent compliance officer might be appointed whose role it is to examine the organization’s compliance above the single business unit level or at the senior management level.
An example would be:
Some businesses are a group of companies. Let’s say that one company in the group manufactures medical products and is bound by the ISO 13485 standard, the quality management system for medical devices. This standard demands that the business unit has a compliance officer. But this compliance officer would still report to the GM of the group or other senior management, who could feasibly order the compliance officer to ignore certain issues or to sweep something negative under the carpet. ISO 37301 aims to put in place systems at the very top to make senior management accountable for compliance, which would prevent scenarios like this from occurring. (06:25)
What does a compliance management system in China look like, and is the government taking it seriously?
Companies need to set the right culture for compliance and establish a function above the business unit level to which the business units report back about compliance. Many state-owned enterprises in China are now being pushed to implement ISO 37301, and some local governments are behind this drive on the ground in China.
There are basically three lines of defence against non-compliance:
- Business level (sales, manufacturing, etc. should comply with the requirements that affect them specifically, e.g. making sure that products being made for the USA comply with the relevant laws for that market)
- Legal department (informs the different staff and parts of the business how to comply, and provides some oversight)
- Top management level (responsible for compliance on a strategic level for the entire business)
Oversight of the stakeholders outlined above can be handled in two ways: external third-party auditors from a certifying body such as BSI can watch over them, or it can be handled internally by hiring an in-house corporate compliance officer (a role similar to a lawyer) who audits compliance and is trained by the certifying body. (12:29)
How about traceability? When supply chains in China have been historically opaque, will businesses struggle to comply?
New regulations like the EU Ecodesign regulation demand much more supply chain transparency for traceability in order for businesses to comply. Chinese enterprises have a choice about their future. If they are only interested in trading within the Chinese Mainland, they will ignore regulations about sustainability, compliance, etc. from places like the EU or Australia. However, those who want to export products to such countries will need to invest in bringing their business up to speed with the new regulations, and this will probably include getting consultancy from third-party experts or certifying bodies. Many smaller Chinese enterprises have expressed concerns about the costs of doing so and may abandon the export market as a result.
ISO 37301 will provide the customers of Chinese enterprises with some confidence that the enterprise is taking compliance seriously and is working to comply with market regulations such as those regarding emissions, sustainability, etc. (17:24)
How best to implement ISO 37301 along with other specific standards?
Depending on what needs to be achieved, a business would be wise to choose one topic, such as product safety, human rights, sustainability, etc., implement a business process management system for that, and then supplement it with the compliance management system to make sure that it all happens effectively.
ISO 37301 is similar in structure to ISO 9001 or ISO 13485, and includes a separate layer in ‘risk management’ for legal and regulatory compliance as part of the risk assessment. This means that implementing ISO 37301 should be fairly straightforward for companies that already hold the other standards mentioned: they need to add a new section about strategic compliance oversight to the existing system, so that it is integrated into their existing business management but with added senior-level accountability. It will be a dynamic system, and the organization will need to be tested to check that it can cope with new regulations coming in, for example. (25:11)
Looking at a company’s organization, its checks & balances, its values, etc.
Chinese companies are good at creating lots of good-looking documents that give the impression that they are compliant, but often it’s just theater. The senior management culture of a company needs to change so that the business leaders actually listen to the compliance officer (the opposite of what happened at the Lehman Brothers investment bank, for example). They will be held responsible for law-breaking and non-compliance because there will be an independently audited paper trail that leads back to them.
BSI auditors, for example, will not only examine documents, though. They will look for tangible evidence that the organization has adopted specific risk-controlling actions, and will interview staff in person as well, in order to obtain a broad understanding of the compliance situation. This tends to counteract any instances where incorrect documentation has been provided. (30:16)
Summary: The importance of an independent auditor to supervise the compliance management system.
ISO 37301 is about uncovering the truth, putting lines of defence against compliance issues in place, and having independent auditors supervise the compliance management system.
This goes back to the senior management’s culture, as always. (36:00)