CEP Magazine (May 2024)
As we’ve noted here before, numerous environmental, social, and governance aspects have very clear compliance ramifications, whether in the form of laws and regulations or stakeholder expectations that can result in serious adverse consequences if a company comes up short. A February amendment to ISO 37301, Compliance management systems, places one of these risk areas clearly within the scope of compliance programs.[1]
Of course, ISO 37301 is the standard used by many European companies and multinational organizations. It has many similarities to, as well as some differences from, the guidance on compliance and ethics programs used in the U.S., derived from the Federal Sentencing Guidelines and subsequent guidance from the U.S. Department of Justice.
Two important sections of ISO 37301 were amended in February. Section 4.1, “Understanding the organization and its context,” provides guidance on identifying issues relevant to a compliance program based on factors such as the legal and regulatory context, technology, economic factors, an organization’s business model and strategy, and the nature and scope of relationships with third parties. The amendment adds one new issue to consider: “whether climate change is a relevant issue.”
Section 4.2, “Understanding the needs and expectations of interested parties,” states that organizations should identify third parties that are relevant to compliance and what the requirements of those third parties are. For example, a legal requirement that may not directly apply to your company might have indirect application as a result of an arrangement the company has with a third party, such as a customer. The February amendment states that relevant third parties may “have requirements related to climate change” that should be considered.
What’s most interesting about these amendments is that ISO 37301 generally does not address specific compliance risk areas. It focuses on the compliance program as a whole and describes the critical elements of such systems (e.g., risk assessments and compliance training). The fact that ISO 37301 now specifically includes expectations for systems to consider climate change reflects the magnitude of this issue.
Many climate-related considerations are already included in the legal and regulatory frameworks addressing the environment. Others go beyond what is mandated by the law, addressing other climate-related commitments and stakeholder expectations. And nowhere are regulatory and stakeholder expectations changing more rapidly than they are with climate change. Managing these areas using many of the same tools used to manage legal risks makes sense. And now, following ISO 37301 mandates this consideration.
[1] International Organization for Standardization, “ISO 37301:2021/Amd 1:2024: Compliance management systems - Requirements with guidance for use - Amendment 1: Climate action changes,” accessed February 26, 2024, https://www.iso.org/standard/88422.html.