Directors and boards should be aware of three new governance standards released this year by The International Organization for Standardization (ISO):
- ISO 37000:2021 Governance of organizations – Guidance;
- ISO 37002:2021 Whistleblowing management systems — Guidelines; and
- ISO 37301:2021 Compliance management systems — Requirements with guidance for use.
Australia has been at the forefront of standards development in each of these areas with the now withdrawn Australian standards:
- AS 8000—2003 Good governance principles;
- AS 3806—2006 Compliance Programs, which formed the basis of ISO 19600; and
- AS 8004—2003 Whistleblower Protection Programs for Entities.
The new standards will shortly have “AS” before “ISO” when adopted as the Australian standard. It is timely to consider the impact they will have for your organisation.
The introduction to ISO 37000:2021 sets the scene for this new standard, which provides boards with guidance on how to govern well, so that their organisations can perform effectively while behaving ethically and responsibly:
The pursuit of purpose is at the centre of all organizations and is, therefore, of primary importance for the governance of organizations. Good governance of organizations lays the foundation for the fulfilment of the purpose of the organization in an ethical, effective and responsible manner in line with stakeholder expectations.
The publication of ISO 37000 is an important milestone, because it is the first international standard on good organisational governance. The standard sets out 11 core principles of good governance and the role of senior leaders (board and management) around the world in defining and upholding standards relating to:
- Purpose: the board should ensure the organisation’s purpose is clearly defined;
- Value generation: the board should define the organisation’s value generation objectives to fulfil its purpose;
- Strategy: directing and engaging strategies in accordance with the value generation model;
- Oversight: overseeing organisational performance and ensuring that the organisation fulfils all expectations;
- Accountability: holding to account those to whom the board has delegated authority;
- Stakeholder engagement: the board should engage with its stakeholders and consider their expectations;
- Leadership: ethical and effective leadership arrangements;
- Data and decisions: the board have the data (information) it needs for decision making;
- Risk governance: the effect of uncertainty on organisational purpose and strategic outcomes;
- Social responsibility: transparent decision making aligned with broader societal expectations; and
- Viability and performance over time: remaining viable over time without compromising current and future generations.
While the above principles are covered to a greater or lesser extent in other governance codes and guidance such as the OECD Principles1 and ASX Principles,2 ISO 37000 is very much a governance standard suited to current times.
For example, it highlights the global environmental, social and governance (ESG) trend in underlining the importance of values, culture and social responsibility, as set out in the United Nations Global Compact’s (UNGC) 10 principles on human rights, labour, environment and anti-corruption and the United Nation’s 17 Sustainable Development Goals (SDGs).
With increasing demand from investors, stakeholders and customers for corporate responsibility and sustainability boards, institutions can no longer ignore ESG factors or the role the board and management play in setting the tone at the top for an ethical organisational culture.
Interestingly, the standard takes a different approach to other guidance in its terminology and focus. For example, rather than a board’s role in “risk management”, it uses “risk governance” in principle 9, where the board:
- sets the tone at the top for the implementation of risk management by implementing the risk management system, defining resources, risk appetite, risk criteria and risk limits;
- assesses, manages, monitors and communicates risk in its decision-making processes; and
- obtains assurance that the competencies, authorities, tasks and responsibilities for risk management are assigned.
While there is much that is familiar in the new standard,3 boards should not dismiss it as merely re-packaging existing advice, as ISO 37000 will benefit those organisations wishing to review their current governance processes and procedures as well as those boards willing to look beyond the traditional ideas of good governance to include more environmentally and socially conscious practices.
ISO 37002 provides guidance for organisations to create a whistleblowing management system (WMS) based on trust, impartiality and protection. The guideline aims to support and protect whistleblowers and other interested parties involved, ensure that reports of wrongdoing are dealt with in a proper and timely manner and looks at improving organisational culture and governance. It can be adapted for any type or size of organisation in any sector.
At the moment ISO 37002 is not a certifiable standard like anti-bribery (ISO 37001) or compliance (ISO 37301), but it complements those standards as well as the governance standard (ISO 37000) discussed above. This also means that it is designed to allow for easy integration with Commonwealth or state-level requirements on bullying, harassment and related issues.
The requirements to protect whistleblower confidentiality under Australian laws require organisations to have and maintain stricter processes for obtaining consent and restricting the sharing of disclosures than what is contemplated in ISO 37002 guidelines. However, the standard will work well alongside existing legal and regulatory requirements, e.g., Corporations Act, WHS, environmental and money laundering legislation.
Unlike the previous Australian whistleblower standard, ISO 37002 provides comprehensive guidance on implementing a WMS in any type of organisation no matter what the sector or industry.
With the increased number of laws and regulations, maintaining a culture of compliance is a key organisational challenge.
A compliance management system (CMS) provides organisations with a structured approach to meet all compliance obligations, those that they have to comply with, such as laws and regulations, and those that they voluntarily choose to comply with, such as internal policies and procedures.
Having a CMS demonstrates commitment to good organisational governance and ethical conduct, which contributes to an organisation’s overall success. ISO 37301:2021 sets out the requirements and provides guidelines for establishing, developing, implementing, evaluating, maintaining, and continually improving a leading practice CMS.
The ISO outlines the following benefits for ISO 37301:
- improving business opportunities and sustainability;
- protecting and enhancing an organisation’s reputation and credibility;
- taking into account expectations of interested parties;
- demonstrating an organisation’s commitment to managing its compliance risks effectively and efficiently;
- increasing the confidence of third parties in the organisation’s capacity to achieve sustained success; and
- minimising the risk of a contravention occurring with the attendant costs and reputational damage.
ISO 37001 has replaced the previous standard ISO 19600:2014 (AS ISO 19600:2015). The major difference between these standards is that ISO 37001 establishes requirements for the implementation of a CMS, as opposed to the previous standard which only provided recommendations. As such, organisations can now choose to have their CMS verified and certified through an independent third party, although this certification will not be necessary for most organisations.
For those organisations that have already implemented ISO 19600, many of the core elements have been maintained and incorporated into the new standard, so complying with ISO 37000 will not be onerous.
Overall, the new standard provides the necessary guidelines which help an organisation:
- be aware and comply with existing and new legislation, regulations and “rules” (e.g., policies, procedures) that should be followed;
- be aware of the potential risk of breaching any compliance obligation; and
- eliminate and correct potential or actual compliance breaches in an effective manner.
What should your organisation do?
The publication of these standards provides boards with the opportunity to review their current systems and policies to see whether they align with leading practice.
For example, the governance standard, ISO 37000, will give the board cause to reflect on the organisation’s approach to sustainability and its culture. Similarly, even if not required to do so under the Corporations Act, an organisation might wish to go beyond just having a whistleblower policy and establish a WMS to create a protective environment where people can confidently report concerns, which is crucial to the effective prevention of and dealing with wrongdoing.
Please contact me for specific advice or policy assistance to assist your organisation benefit from these new international, soon to be Australian adopted, standards.
1 OECD, 2015, G20/OECD Principles of Corporate Governance, OECD Publishing, Paris.
2 ASX Corporate Governance Council, 2019, Corporate Governance Principles and Recommendations, 4th edn, Australian Securities Exchange Ltd, Sydney.
3 See, for example, the guidance provided by authors such as Kiel, G., G. Nicholson, J.A. Tunny, & J. Beck, 2012, Directors at Work: A Practical Guide for Boards, Thomson Reuters, Sydney.