Compliance management system
according to ISO 37301
How SMEs and corporations can effectively ensure legal compliance and regulatory conformity, thereby protecting their business from sanctions and reputational damage.
What is a compliance management system?
An effective compliance management system encompasses all measures, processes, and structures within an organisation that are necessary to ensure regulatory compliance.
The requirements for compliance management within an organisation may arise from legal obligations, contractual agreements, and voluntary commitments.
A compliance management system enables organisations to identify, monitor, and mitigate liability risks at an early stage. This applies not only to company management but also to all employees and, where applicable, suppliers.
The objective of a compliance management system is to embed a culture of compliance within the workforce and to systematically improve an organisation’s adherence to rules. This is typically done following the Plan-Do-Check-Act (PDCA) cycle, also known as the Deming Cycle.
Moreover, an effective compliance management system helps organisations to anticipate and respond appropriately to future compliance requirements in an ever-evolving legal landscape. Prominent examples in recent years include:
- the EU General Data Protection Regulation (GDPR),
- the EU Corporate Sustainability Due Diligence Directive and the German Supply Chain Due Diligence Act (LkSG
- the EU Whistleblower Directive and the German Whistleblower Protection Act (HinSchG)
- the Accessibility Improvement Act (BFSG)
Who needs a compliance management system?
An integrated compliance management system is not only relevant for large corporations but is increasingly important for medium-sized enterprises, public authorities, and larger NGOs.
In addition to the advantages of legal certainty and reduced liability risks, an effective compliance management system is also becoming a common requirement from clients seeking to ensure compliance throughout their supply chain.
In general, the more a company’s products or services are subject to legal regulations, the more worthwhile it is to implement a compliance management system.
What does a compliance management system include?
A compliance management system captures all requirements relevant to the organisation and manages the resulting (liability) risks. Common areas include:
- Legal requirements, for example:
- Employment law
- Fraud and bribery
- Data protection law (e.g. GDPR, German Federal Data Protection Act – BDSG)
- Whistleblower protection
- Information security (e.g. BSIG, NIS2, DORA)
- Supply chains
- Environmental protection
- Competition law
- Sustainability law
- Contractual obligations from clients, such as:
- Information security certification in accordance with ISO 27001
- TISAX assessment in the mobility sector
- Voluntary commitments, such as:
- Industry-specific commitments (e.g. Code of Conduct)
- Employee pledges
- Self-imposed commitments in the areas of human rights, environmental protection, sustainability, or transparency
A compliance management system integrates various standards, which is why it is often referred to as an integrated management system. For example, an information security management system (ISMS) based on ISO 27001 and a data protection management system (DPMS) based on ISO 27701 can be centrally implemented within a compliance management system.
This approach creates numerous synergy effects and offers the advantage of managing compliance consistently across the entire organisation, which in turn significantly increases employee acceptance.
In practice, a compliance management system typically relies on a combination of processes and systems. For instance, a whistleblowing system allows internal reporting of compliance breaches, helping organisations detect and address issues early on.
What are the benefits of a compliance management system?
The key advantages of a compliance management system are clear:
- Awareness: The organisation gains clarity about which regulations must be followed and what liability risks may arise.
- Risk management: Identified liability risks are monitored and, where possible, mitigated.
- Employee awareness: Staff are informed about compliance requirements and trained to meet them.
- Control: Technical and organisational measures help enforce or optimise compliance across the business.
- Liability reduction: A functioning compliance management system can have a mitigating effect in the event of violations (see German Federal Court of Justice ruling of 9 May 2017 – 1 StR 265/16).
- Reputation: Preventing or reducing compliance breaches helps preserve the organisation’s good reputation.
- Competitive advantage: An established compliance management system is increasingly a prerequisite for doing business with clients or at least a compelling selling point.
How to set up a compliance management system?
Based on our experience, the following approach has proven effective for implementing a compliance management system. Depending on your organisation and industry, tailored steps may be required.
Analysing compliance requirements for your organisation
The first step in establishing a compliance management system is to identify and analyse the compliance requirements relevant to your organisation. Based on these legal, contractual, and voluntary obligations, you can derive specific tasks and requirements, as well as identify and assess associated risks.
Begin by determining which laws, regulations, and directives apply to your company. Internal commitments such as a Code of Conduct or other policies must also be taken into account. Since legal obligations vary widely between organisations, compliance requirements are highly individual.
A helpful tool for capturing all applicable requirements is the creation of a legal register. This document compiles all relevant laws and other applicable rules. It’s essential that the register is regularly reviewed and updated to reflect new or amended legislation.
Similarly, all contractual obligations that apply to your organisation should be systematically documented and reviewed.
Another key element of this phase is the definition of the risks facing the organisation. This risk analysis is based on factors such as your industry, business activities, and the applicable legal framework.
Because this analysis and goal-setting process is often complex, it is usually advisable to involve broadly experienced compliance consultants or subject-matter experts for specific areas. SMEs frequently lack in-house specialist knowledge, whereas large corporations often face the challenge of managing a wide array of obligations and staying on top of regulatory changes to effectively identify and assess risks — and thereby avoid potential liability.
Compliance audit
The second step involves conducting a gap analysis to identify areas where your organisation does not yet meet the applicable compliance requirements. If relevant management systems (such as an information security management system) are already in place, these can also be included in the audit process.
The audit should thoroughly analyse existing policy documents, processes, legal registers, Codes of Conduct, and other relevant compliance elements to assess their implementation and effectiveness.
It is advisable to follow the well-established Plan-Do-Check-Act (PDCA) cycle even during the audit stage. This approach lays the groundwork for a continuous improvement process from the outset, ensuring that compliance efforts remain dynamic and responsive over time.
Risk assessment and mitigation
A core element of any compliance management system is risk assessment. This involves systematically identifying, analysing, and prioritising compliance risks. Examples of such risks include corruption, data protection breaches, money laundering, or violations of employment law.
There are several strategies for handling compliance risks:
- Risk acceptance: Minor risks may be accepted by management if the potential damage and the likelihood of occurrence are low enough to make this decision justifiable.
- Risk reduction: Risks can be mitigated through technical and organisational measures, such as internal policies and procedures. Training and awareness programmes for employees are also effective tools for reducing compliance-related risks.
- Risk transfer: Some risks can be transferred to third parties. This is commonly done through insurance policies, which can cushion financial consequences, though they cannot eliminate the risk entirely.
- Risk avoidance: If a certain activity poses unacceptable risks, it may be necessary to modify or discontinue business processes to prevent exposure altogether.
Defining responsibilities
A functioning compliance management system requires clearly defined responsibilities and role assignments. The ultimate responsibility lies with the management team, which must actively support and oversee the system.
A key part of this is the appointment of a Compliance Officer or a dedicated compliance team tasked with supporting, monitoring, and maintaining the compliance management system. In larger organisations, this role is often expanded into a Compliance Committee or a Chief Compliance Officer who acts as a liaison between departments.
To ensure effectiveness, compliance officers must be able to act independently, avoiding conflicts of interest. They must also be granted sufficient authority and resources to identify potential violations and implement appropriate measures.
When planning and managing implementation, it can be highly beneficial to engage (external) experts. These professionals can provide proven templates and best practices for drafting core compliance policies and establishing or enhancing risk management structures within the organisation.
Defining policies and processes
The compliance audit results in a list of actions, highlighting the gaps and tasks that need to be addressed.
Based on the identified risks, organisations should develop binding policies and define clear processes. These may include:
- Procedural guidelines
- Codes of Conduct
- Internal control systems
- Training programmes
It is essential to document these rules and ensure they are effectively communicated across the organisation. This provides a solid foundation for monitoring compliance and enforcing standards.
Awareness and training
One of the most critical elements of a compliance management system is the awareness and training of employees tailored to their specific roles and responsibilities.
To deliver this effectively, it is usually beneficial to rely on established providers of online courses, as well as virtual or in-person training sessions on relevant compliance topics. These formats ensure consistent delivery and help embed compliance deeply into the organisational culture.
Monitoring, reporting, and continuous improvement
Regular review and continuous improvement of the compliance management system are essential to ensure its ongoing effectiveness.
- Internal changes such as the development of new business areas or entry into new markets may require adjustments to compliance measures.
- External factors including evolving legal and regulatory requirements also necessitate continual adaptation of the compliance management system.
Monitoring the compliance management system can be achieved through internal and external audits, which help assess the system’s performance and identify areas for enhancement.
Additionally, anonymous reporting channels, such as whistleblower systems, play a crucial role in enabling the early detection of violations.
By integrating a structured feedback and reporting loop, organisations can respond proactively to changes and ensure that compliance measures evolve in line with both legal obligations and operational realities.
What specific requirements apply to your organisation?
Our experts will help you identify all relevant regulations.
Book a free initial consultation today!
How can you certify your compliance management system according to ISO 37301?
ISO 37301, which evolved from the former ISO 19600, provides a certifiable, globally recognised standard for compliance management systems. It defines precisely how a compliance system must be structured in order to meet legal requirements and uphold ethical standards.
With ISO 37301 certification, your organisation can demonstrate legal conformity, adherence to ethical principles, and the ability to manage increasingly complex compliance demands. This not only provides a competitive advantage but also has a positive impact on corporate culture, making it beneficial for your organisation as a whole.
The certification process generally involves a gap analysis against ISO 37301 requirements, implementation or optimisation of compliance measures, internal audits and documentation, and finally a certification audit conducted by an accredited body.
Get certified!
We’ll be happy to show you how to set up your compliance management system and successfully achieve ISO 37301 certification.
Book a free introductory consultation today!
Compliance management software
With our specialised SaaS solution activeMind.cloud, you can take your compliance management to peak performance.
Our experts will gladly show you how it works in a demo call.
