Within the ISO 37301 standard, there is requirement 4.5: Compliance Obligations, which many consider to be the simplest, especially because many companies already have a compliance program in place. However, it deserves much more attention.
The organization must systematically identify these compliance obligations, meaning it should be an ongoing process and not just a one-time assessment.
Thus, the auditor responsible for the management system must continuously monitor the identification of new compliance obligations and verify whether the previously identified obligations have been reviewed.
This aspect of reviewing is extremely important, particularly in countries like Brazil, where legal instability is significant. Laws are constantly being revised, new laws and regulations emerge, leaving organizations vulnerable to this risk.
Documented Information in Requirement 4.5
The standard requires that these compliance obligations be documented information, and there are various ways you can gather this information.
In the market, you will find numerous systems, which, in addition to software, often have a team working continuously on identifying compliance obligations.
Despite the availability of systems, simpler methods can be used if resources are limited, such as a spreadsheet or matrix, as long as review dates are established.
Map the Impact and Management of Compliance Obligations
The standard also provides some guidance in Annex A, which is not mandatory but, in my opinion, is the most important recommendation:
“A risk-based approach should be taken, meaning that organizations should start by identifying the most important compliance obligations relevant to their business and then focus on all other compliance obligations.” – ISO 37301:2021
This recommendation follows the Pareto principle (80/20 rule), which suggests that 80% of effects come from just 20% of causes. Therefore, start by focusing on the compliance obligations that pose the greatest risk to your business, analyze them, and set your priorities.
Following this recommendation, we naturally address other aspects: map the impact of these compliance obligations and how they are being managed, as well as establish controls. Managing these obligations is crucial so that if one of the obligations is revised, as an auditor, you can more easily reorganize how to handle the change and whether it will affect other processes.
Of course, these recommendations can overlap with the company’s risk analysis, but each company must determine the best approach.
