
Contents

  • I. Core Elements: The Organization and Its Environment
  • II. Top-Level Elements: Compliance Goals and Principles
  • III. Core Elements: Leadership Role, Compliance Governance, and Compliance Culture
  • IV. Execution Element: A Cyclical, Continuously Improving Compliance Management Structure

ISO 37301 explicitly states that the standard applies to organizations of all types, sizes, and natures, ranging from sole proprietors and companies to groups, enterprises, public institutions, governmental bodies, partnerships, charities, and research organizations, regardless of whether the organization is a legal entity, publicly owned, or privately held. The standard therefore offers broad guidance to businesses of all kinds in designing and implementing effective compliance management. ISO 37301 does not provide direct answers to the specific compliance challenges of a given business; what it introduces is a scientific, efficient, and systematic approach to managing compliance. At its core, compliance is a dynamic management strategy that fosters and reflects an organization's culture through robust internal controls. By building on the ISO 37301 framework, companies can tailor their compliance management systems to the demands of their diverse business operations.

A compliance management system is a framework encompassing the fundamental structure, strategies, processes, and procedures designed to achieve the desired compliance outcomes and to prevent, identify, and address non-compliance. Characterized by a coherent and rigorous organizational setup, it is a dynamic, systematic approach to management. When building a compliance management system, the following key components deserve particular attention:

I. Core Elements: The Organization and Its Environment

Compliance, at its core, is about helping a business better fulfill its obligations while meeting, or balancing, the needs and expectations of all stakeholders. Understanding the organization itself, and the broader environment in which it operates, enables a company to identify and stay informed about these obligations, needs, and expectations. Before developing a compliance management strategy, a business must carefully consider the internal and external factors relating to itself and its surroundings; these form the foundation and essential prerequisites for a robust compliance management system.

1. External Environment

External factors include both the regulatory environment in which a company operates and the compliance obligations arising from agreements or arrangements the company has entered into with external stakeholders. On one hand, a business must define which "rules" it has to follow, that is, understand the regulatory landscape it is navigating. This regulatory environment shifts with the industry a company is in, the business model it employs, and changes in national policy. Typically, the external regulatory context takes into account legal and regulatory requirements, court rulings, government policies, emerging regulatory trends, and the scope of oversight. On the other hand, a company should also identify the voluntary obligations it has chosen to take on, such as agreements reached with third-party partners, memberships in organizations or industry groups, and publicly disclosed policies.

2. Internal Environment

From the perspective of internal factors, a company also needs a clear understanding of its current stage of development: its corporate culture, business strategy and operating model, the nature and scope of its business activities, its organizational structure, management policies, available resources, and relationships with external partners.

Based on a thorough understanding of both internal and external factors, an enterprise should define the scope and applicability of its compliance management system and tailor the system accordingly. This not only helps the company meet external regulatory requirements but also strikes a balance between internal business development needs and the cost of compliance.

II. Top-Level Elements: Compliance Goals and Principles

Based on a clear understanding of the underlying factors, namely the external environment and the company's own circumstances, a business should define the goals and principles for building its compliance management system. These guide the entire process of establishing and refining the compliance framework.

Compliance objectives are the issues to be addressed, or the values to be realized, through the compliance management system. When setting them, a company should establish both overarching objectives (operating with integrity, fostering a strong corporate culture, adhering to laws and regulations, safeguarding the company's reputation, demonstrating social value, and upholding ethical standards) and more specific, function-specific, tiered targets tailored to different departments and levels within the organization. Objectives should be formulated so that outcomes are quantifiable; for instance, management could commit to holding compliance training sessions for employees twice a year. The compliance goals a company sets must align with its compliance policies, comply with applicable laws and regulations, be feasible and measurable, and be updated periodically as business needs evolve.

Compliance principles are the guiding, binding rules that direct an enterprise in building its compliance management system, such as:

Integration of the management system with business operations: emphasizes that a compliance management system is not an isolated framework; it should be built upon and integrated into business processes.

A robust governance structure: emphasizes the leadership's ability to set direction while strengthening oversight and accountability of the leadership itself within the organizational framework of the management system, and ensures that the compliance team keeps its defined roles, responsibilities, and independence.

Compliance investment proportional to compliance risk: emphasizes identifying and analyzing the environment in which the company operates and its specific compliance risks, prioritizing those risks, and allocating resources according to those priorities so as to balance compliance costs against compliance needs.

Integrity: emphasizes a corporate culture of honesty and ethical conduct, while proactively preventing employee fraud and corruption.

Transparency: emphasizes the timely reporting and disclosure of compliance information, so that violations are reported and relevant details shared promptly, allowing non-compliance to be addressed quickly and compliance risk to be reduced.

Accountability: emphasizes responsibility in corporate business management, designates compliance officers, and integrates compliance performance into employees' overall performance assessments.

Sustainability: emphasizes that a compliance management system is not static once established; it evolves continuously through ongoing adjustments and updates.

III. Core Elements: Leadership Role, Compliance Governance, and Compliance Culture

Leadership, compliance governance, and compliance culture are the three core pillars of a compliance management system; they are essential for building a robust compliance framework and ensuring its stable, effective operation.

1. Leadership Role

"Leaders" here refers to the corporate governance body[1] and top management[2]; leadership consists primarily of these bodies making clear and effective compliance commitments. Since a compliance management system is built "top-down", the example set by leadership is critical to both establishing and sustaining it. For instance, Huawei's leadership has publicly committed to "upholding integrity in business operations, adhering to high ethical standards, and complying with all applicable laws and regulations," and to "establishing a compliance management system aligned with industry best practices through continuous investment of resources."

There are many ways for leadership to demonstrate commitment, but the most important is active, clear support for establishing and sustaining the compliance management system:

Leadership and management at all levels demonstrate, through their actions and decisions, their commitment to establishing, developing, implementing, evaluating, maintaining, and continuously improving an effective and responsive compliance management system;

Leadership formally approves the compliance policy;

Top management takes responsibility for fully meeting the organization's compliance commitments;

Management at all levels consistently conveys, in both words and actions, a clear message that the company will fulfill its compliance obligations;

The commitment to compliance, together with the concrete actions behind it, is communicated clearly and convincingly to all personnel and relevant stakeholders.

2. Compliance Governance

Compliance governance is a section newly introduced in ISO 37301. Its primary function is to define the position and authority, within the company's internal governance structure, of the compliance team as the entity responsible for compliance management. In practice, the compliance team may operate as a standalone department or sit within a single department alongside legal affairs and risk management, provided the following fundamental principles are observed:

The compliance team has direct access to corporate leadership and communicates with it openly. For instance, a company can establish an Integrity & Compliance Committee that reports directly to the Board of Directors, and have compliance team members attend board meetings as observers.

The compliance team remains independent; its actions and operations are free from inappropriate interference by any other entity.

The compliance team holds sufficient authority, including the power to advocate for and raise any compliance-related issue.

The compliance team has adequate resources to carry out the essential tasks and responsibilities of the compliance management system.

3. Compliance Culture

Compliance culture refers to the values, ethical principles, and beliefs that permeate an entire organization, shaping the behaviors and practices that ultimately affect customers, employees, suppliers, markets, and communities. It interacts dynamically with the organization's structure and control systems, producing a set of behavioral norms that drive positive compliance outcomes. Corporate leadership and management at all levels should actively cultivate and promote a robust compliance culture, ensuring it becomes ingrained in every employee, every business area, and every aspect of daily management and operations across the organization.

Factors supporting the development of a compliance culture include a set of clearly communicated values, active leadership commitment to implementing and upholding those values, and emphasis on compliance and organizational values during onboarding and new-employee training. Hunan Construction Group, which was once sanctioned by the World Bank Group under its "Conditional Debarment" policy, has established a group-wide culture of integrity and compliance guided by ethical principles and behavioral standards such as "adhering to rules, honoring commitments, telling the truth, and delivering results." The company also requires every employee to recite and abide by its "Compliance Declaration."

IV. Execution Element: A Cyclical, Continuously Improving Compliance Management Structure

A compliance management system first involves establishing a foundational framework and then making it function through the implementation of policies, processes, and procedures. Throughout this ongoing operation, the system's effectiveness is continuously assessed, and the assessment serves as the basis for targeted improvements. As noted earlier, a compliance management system is therefore not static once built; it is an iterative, cyclical management model designed for continuous enhancement.

1. Risk Assessment

Assessing compliance risk means identifying the compliance risks a company may face and prioritizing which of them need to be addressed first. In corporate compliance practice, determining how to conduct risk assessments and accurately categorize risks is a critical component of effective compliance work. To carry out compliance risk assessments, companies should focus on the following four areas:

First, identify the various risks facing the company. This can be achieved through thorough due diligence and cross-departmental discussion, enabling a comprehensive understanding of the company's organizational structure, business processes, financial practices, and human resource policies. The goal is to list systematically as many real-world risks as possible that the company may encounter in its operations. When assessing and evaluating corporate compliance risks, two aspects are typically considered: 1. the likelihood of the risk occurring, and 2. the severity of the potential consequences if it does. Based on the combinations of these two factors, probability and severity, corporate compliance risks fall into the following types:

High probability, severe consequences: these risks should be given top priority and monitored closely throughout the company's compliance process.

Low probability, severe consequences: although unlikely to happen, the impact of these risks could be devastating. Businesses must therefore prioritize strategies to mitigate their adverse effects and prepare comprehensive response plans, so that they can act swiftly and effectively should such a scenario arise.

High probability, mild consequences: these risks occur readily but typically do not disrupt a company's normal operations, so in practice they carry lower priority than the first two categories. Companies can reduce their likelihood by building robust compliance systems.

Low probability, mild consequences: such risks can, for practical purposes, be disregarded.

Second, assess inherent risks[3], evaluating both the likelihood of occurrence and the severity of the potential consequences in order to gauge the company's ability to manage each specific risk. Note that the source of a risk can significantly influence how the company perceives its probability and impact; before assessing these factors, the company must therefore analyze the root causes and identify which events are most likely to trigger the risk in the first place.

Third, assess the effectiveness of the company's current risk management system, thereby measuring the organization's residual risks[4]. These residual risks should then be categorized according to their combination of probability and potential consequences, with priorities assigned accordingly. This allows compliance management resources to be allocated more efficiently and ultimately minimizes the negative impact of risks on the business.

Finally, since corporate compliance risks shift with factors such as policy changes, internal adjustments, and evolving business models, risk assessments must be revisited periodically following the process above, to ensure that risks are effectively monitored and appropriately addressed.

2. Planning

Planning aims to help the organization prevent or mitigate adverse outcomes, ensure that its compliance management system delivers the intended results, and enable continuous improvement. When designing a compliance management system, a company should consider its compliance objectives, its identified regulatory obligations, and the outcomes of its compliance risk assessments. On that basis, it can allocate resources strategically, determine how the compliance framework can be integrated into existing business operations, draft clear compliance policies, define specific compliance measures, and establish mechanisms to evaluate the effectiveness of the compliance management system over time.

Compliance planning should address two levels of requirements. The first level is determining what measures to implement, based on the results of the risk assessment, to prevent and mitigate compliance risks. The second level is analyzing the company's resources and external environment, helping the organization use its assets fully, efficiently, and strategically to capitalize on favorable conditions.

Compliance objectives should be grounded in the results of compliance risk assessments, with the primary goal of mitigating overall risk. When planning how to achieve these targets, a company must clearly define the specific purposes for which compliance is required, the resources needed, who is responsible for implementation, the timeline for completion (including progress milestones), and how outcomes will be evaluated. As previously mentioned, compliance goals should be quantifiable, encompassing both the overarching objective of building a robust compliance management system and clearly defined compliance aims tailored to distinct business scenarios.

3. Support

To ensure the effective establishment and implementation of a compliance management system, a company should provide support on several fronts:

Resource support: the company should identify and provide the resources required for establishing, implementing, maintaining, and continuously improving the compliance management system, such as financial budgets and infrastructure. We recommend that the company first define the total resources available for building the system, and then develop a resource allocation plan based on the specific compliance sub-objectives, ensuring efficient use of those resources.

Talent support: the company should define the competencies that employees across all internal organizations and functional areas need in order to drive the establishment of the compliance management system. This ensures that recruited talent matches job requirements, while also fostering diversity and complementarity in the team's professional backgrounds.

Cultivating compliance awareness: the company should regularly organize compliance training for employees to strengthen their awareness of regulatory requirements, ensure they fully understand compliance policies, recognize the critical role of compliance management in business growth, and provide internal channels for compliance-related discussion and for reporting concerns.

Comprehensive communication mechanisms: the company should establish robust and transparent information channels, both internally, facilitating exchange among departments while preserving the independence of the compliance function, and externally, enabling effective outreach to regulatory authorities, monitoring of industry trends and policy developments, and open dialogue with consumers and users for timely feedback. It is also essential to set up dedicated channels within the organization for reporting compliance violations and lodging complaints.

Information documentation: the enterprise should establish a mechanism ensuring that compliance management activities leave traceable records, with clear compliance management rules and documentation. It must also systematically record and retain all information generated during compliance work, including business communications, compliance-related research, compliance reporting, and responses to compliance risks.

4. Execution

At the operational level of the compliance management system, the enterprise should plan, implement, and control the procedures necessary to achieve its compliance policies and objectives, ensuring the system functions smoothly and effectively.

A well-designed compliance management system should work along two dimensions. First, it must have a positive effect on the organization's compliance culture, for instance by establishing clear corporate codes of conduct and embedding them into daily operations, so that every employee is aware of and committed to these guidelines. Second, the system should implement robust control measures across the company's key business activities, covering all operational processes such as production, installation, service, maintenance, and sales. It should also include risk management strategies specifically tailored to the partners, suppliers, and distributors involved in contractual agreements. If a company outsources certain business functions, it must conduct thorough due diligence on the third parties to verify that they meet compliance standards and commitments equivalent to, if not higher than, those expected within the company itself.

The control measures referred to above may include:

Conducting compliance risk assessments for key areas and priority partners and, on that basis, developing clear, practical, easy-to-follow written operational policies, procedures, and work guidelines;

Identifying key compliance items and establishing an approval system;

Developing an annual compliance plan;

Conducting regular, ongoing assessments of the effectiveness of the compliance management system; and so forth.

In addition, a company should consider establishing an anonymous or confidential whistleblowing system, enabling employees and agents to report concerns or seek guidance from top management and corporate governance bodies (including the relevant committees) through open and accessible channels, without fear of retaliation. To complement this system, the organization should implement prompt and thorough investigation procedures for any allegation or suspicion of misconduct involving company personnel or external parties. The company must also adopt digital documentation practices to record systematically its responses, investigation findings, disciplinary actions, and remedial measures. This ensures that every step, from initial report to final corrective action, is documented, creating a clear audit trail that can inform future revisions and updates to the organization's compliance management framework.

5. Performance Evaluation

Performance evaluation involves four steps: monitoring, measurement, analysis, and assessment. It also incorporates elements of internal audit and management review. Its primary purpose is to evaluate the effectiveness of the existing compliance management system and so provide a foundation for subsequent revisions and improvements.

Common information sources for compliance performance evaluation include:

Corporate personnel (e.g., through reporting systems, hotlines, feedback channels, suggestion boxes, etc.);

Customers (e.g., via the complaint handling system);

Third parties, suppliers, contractual counterparties, etc.;

Existing compliance issues;

Non-compliant items;

Audits and reviews, etc.

A company should pay close attention to establishing a compliance reporting system, which has become a key source of information for evaluating the compliance management framework. Even a minor issue can reveal significant weaknesses in current processes and in the compliance management system. If such issues are not reported promptly, the company may overlook them as insignificant, allowing small problems to escalate into systemic, large-scale concerns.

Ultimately, the results of the effectiveness evaluation of the company's compliance management system, together with the corresponding improvement recommendations, should be documented in a written report and submitted regularly, typically annually, to the company's leadership.

6. Improvement

Compliance is dynamic, not static; the system should be continuously revised and updated based on practical outcomes so that it remains aligned with the current state of corporate management and operations. A company must assess whether and how to refine its compliance management system using the insights from regular performance evaluations and the resulting improvement recommendations.

Note also that when revising the compliance management system, the overall impact of any necessary change must be carefully considered and managed, so that the integrity and effectiveness of the system are maintained.

Conclusion

In March 2021, the Fourth Session of the 13th National People's Congress voted to adopt the "14th Five-Year Plan." The plan explicitly calls for guiding companies expanding overseas to "strengthen compliance management" and encourages private enterprises to "promote law-abiding and compliant business practices." The scope of corporate compliance initiatives has thus expanded from state-owned enterprises to private businesses, and corporate compliance management has been elevated to the level of national strategy. Looking ahead, robust corporate compliance practice is not only an inevitable trend of our times but also a requirement aligned with broader national strategic objectives.

ISO 37301 certification is applicable to businesses of all sizes and sectors. Companies should seize this opportunity to build or upgrade their compliance management systems in line with ISO 37301 and take the lead in obtaining certification. This is a critical growth opportunity for businesses, and it also equips them to meet the stricter and more complex compliance requirements of the future.

Notes:

[1] Governance body: the individual or group of individuals holding ultimate responsibility and authority for the organization's activities, governance, and policies; top management reports and is accountable to this body.

[2] Top management: an individual or group of individuals who provide direction and control at the highest level of the organization.

[3] Inherent risk: all the compliance risks an enterprise faces when it operates without corresponding compliance risk control measures, that is, in an unmanaged state.

[4] Residual risk: the compliance risks that remain despite the enterprise's existing compliance risk management measures.

Copyright 2025 Beijing Xinglai Law Firm
