ISO 37302:2025
Compliance management systems — Guidance for the evaluation of effectiveness
This document establishes principles and an evaluation indicator framework for assessing the effectiveness of a compliance management system. This includes evaluation criteria for specified indicators. This document also provides guidance as well as suggestions on the evaluation model. The guidance provided in this document aims to support the monitoring, measurement, analysis and evaluation of a compliance management system. It aims to support management review of the compliance management system to foster continual improvement. It does not add to, change or otherwise modify requirements for compliance management systems or any other standards. This document is applicable to the activities for evaluating the effectiveness of the compliance management system in all organizations, regardless of the type, size and nature, including organizations from the public, private or non-profit sector.
Systèmes de management de la conformité — Lignes directrices pour l'évaluation de l'efficacité
Slovenian title: Sistemi za upravljanje skladnosti - Napotki za vrednotenje učinkovitosti (Compliance management systems - Guidance for the evaluation of effectiveness)
SLOVENIAN STANDARD
1 September 2025
Sistemi za upravljanje skladnosti - Napotki za vrednotenje učinkovitosti
Compliance management systems - Guidance for the evaluation of effectiveness
Systèmes de management de la conformité — Lignes directrices pour l'évaluation de l'efficacité
This Slovenian standard is identical to: ISO 37302:2025
ICS:
03.100.01 Organizacija in vodenje podjetja na splošno / Company organization and management in general
03.100.02 Upravljanje in etika / Governance and ethics
Slovenian Institute for Standardization. Reproduction of all or part of this standard is not permitted.
International Standard ISO 37302
First edition, 2025-07
Compliance management systems — Guidance for the evaluation of effectiveness
Systèmes de management de la conformité — Lignes directrices pour l'évaluation de l'efficacité
© ISO 2025
All rights reserved. Unless otherwise specified, or required in the context of its implementation, no part of this publication may
be reproduced or utilized otherwise in any form or by any means, electronic or mechanical, including photocopying, or posting on
the internet or an intranet, without prior written permission. Permission can be requested from either ISO at the address below
or ISO’s member body in the country of the requester.
ISO copyright office
CP 401 • Ch. de Blandonnet 8
CH-1214 Vernier, Geneva
Phone: +41 22 749 01 11
Email: copyright@iso.org
Website: www.iso.org
Published in Switzerland
Contents
Foreword
Introduction
1 Scope
2 Normative references
3 Terms and definitions
4 General principles
5 Evaluation methodology
5.1 General
5.2 Evaluation scales
5.3 Evaluation indicator framework
6 Evaluation criteria
6.1 Planning and establishment of the compliance management system
6.1.1 Analysis of the context of the organization, including requirements of interested parties
6.1.2 Identification and update of compliance obligations
6.1.3 Determination of the scope of the compliance management system and assessment of compliance risk
6.1.4 Leadership and commitment of governing body and top management
6.1.5 Implementation of compliance governance principles
6.1.6 Maintenance and promotion of compliance culture
6.1.7 Assignment of the roles, responsibilities, and authorities for personnel at different levels
6.1.8 Compliance policy and setting of objectives
6.1.9 Planning of actions to address risk and opportunity and the resources required
6.2 Implementation of the planned compliance management system
6.2.1 Operational actions to address risk and opportunity
6.2.2 Allocation of resources
6.2.3 Competences, capacity building and raising awareness
6.2.4 Employment process, rewards and disciplinary actions
6.2.5 Training
6.2.6 Internal and external communication
6.2.7 Establishment of a mechanism for raising concerns
6.2.8 Implementation of processes for investigation
6.2.9 Management of documented information
6.3 Evaluating performance and improvement of the compliance management system
6.3.1 Monitoring, measurement, analysis and evaluation of performance
6.3.2 Internal audit
6.3.3 Management review
6.3.4 Actions to address nonconformity and/or noncompliance and correction
6.3.5 Continual improvement in a planned manner
7 Evaluation process
7.1 Objectives
7.2 Structured approach
7.3 Evaluators
7.4 Evaluation method
7.4.1 Design
7.4.2 Implementation
7.4.3 Reporting and response
Annex A (informative) Figure of the evaluation indicator framework
Foreword
ISO (the International Organization for Standardization) is a worldwide federation of national standards
bodies (ISO member bodies). The work of preparing International Standards is normally carried out through
ISO technical committees. Each member body interested in a subject for which a technical committee
has been established has the right to be represented on that committee. International organizations,
governmental and non-governmental, in liaison with ISO, also take part in the work. ISO collaborates closely
with the International Electrotechnical Commission (IEC) on all matters of electrotechnical standardization.
The procedures used to develop this document and those intended for its further maintenance are described
in the ISO/IEC Directives, Part 1. In particular, the different approval criteria needed for the different types
of ISO document should be noted. This document was drafted in accordance with the editorial rules of the
ISO/IEC Directives, Part 2 (see www.iso.org/directives).
ISO draws attention to the possibility that the implementation of this document may involve the use of (a)
patent(s). ISO takes no position concerning the evidence, validity or applicability of any claimed patent
rights in respect thereof. As of the date of publication of this document, ISO had not received notice of (a)
patent(s) which may be required to implement this document. However, implementers are cautioned that
this may not represent the latest information, which may be obtained from the patent database available at
www.iso.org/patents. ISO shall not be held responsible for identifying any or all such patent rights.
Any trade name used in this document is information given for the convenience of users and does not
constitute an endorsement.
For an explanation of the voluntary nature of standards, the meaning of ISO specific terms and expressions
related to conformity assessment, as well as information about ISO's adherence to the World Trade
Organization (WTO) principles in the Technical Barriers to Trade (TBT), see www.iso.org/iso/foreword.html.
This document was prepared by Technical Committee ISO/TC 309, Governance of organizations.
Any feedback or questions on this document should be directed to the user’s national standards body. A
complete listing of these bodies can be found at www.iso.org/members.html.
Introduction
An effective compliance management system supports an organization. It enables the organization to
demonstrate its commitment to complying with:
— relevant laws;
— regulatory requirements;
— industry codes;
— organizational standards;
— standards of good governance;
— generally accepted best practices;
— ethics;
— the expectations of the interested parties.
Compliance becomes sustainable when it is embedded in the culture of the organization and in the behaviour
and attitude of personnel under the control of the organization. Embedded compliance positively influences
the compliance performance of the organization.
ISO 37301 sets out the requirements and provides guidance for establishing, developing, implementing,
evaluating and improving an effective and responsive compliance management system within an
organization. This document provides guidance to support the implementation of the requirements in
ISO 37301 related to evaluating the performance of a compliance management system (including monitoring,
measurement, analysis, evaluation and management reviews) and thus ensuring continual improvement in
any type of organization.
The framework can also be used to evaluate the effectiveness of other types of compliance management
systems.
International Standard ISO 37302:2025(en)
Compliance management systems — Guidance for the
evaluation of effectiveness
1 Scope
This document establishes principles and an evaluation indicator framework for assessing the effectiveness
of a compliance management system. This includes evaluation criteria for specified indicators. This
document also provides guidance as well as suggestions on the evaluation model.
The guidance provided in this document aims to support the monitoring, measurement, analysis and
evaluation of a compliance management system. It aims to support management review of the compliance
management system to foster continual improvement. It does not add to, change or otherwise modify
requirements for compliance management systems or any other standards.
This document is applicable to the activities for evaluating the effectiveness of the compliance management
system in all organizations, regardless of the type, size and nature, including organizations from the public,
private or non-profit sector.
2 Normative references
The following documents are referred to in the text in such a way that some or all of their content constitutes
requirements of this document. For dated references, only the edition cited applies. For undated references,
the latest edition of the referenced document (including any amendments) applies.
ISO 37301, Compliance management systems — Requirements with guidance for use
3 Terms and definitions
For the purposes of this document, the terms and definitions given in ISO 37301 and the following apply.
ISO and IEC maintain terminology databases for use in standardization at the following addresses:
— ISO Online browsing platform: available at https://www.iso.org/obp
— IEC Electropedia: available at https://www.electropedia.org/
3.1
effectiveness
extent to which planned activities are realized and planned results are achieved
[SOURCE: ISO 37301:2021, 3.13]
3.2
evaluation indicator
measurable reference point of the current status or condition of a compliance management system activity
Note 1 to entry: Evaluation indicators can be quantitative or qualitative.
3.3
evaluation indicator framework
schema comprised of evaluation indicators (3.2) that reflects the effectiveness of a compliance
management system
4 General principles
The evaluation of the effectiveness of a compliance management system should be based on the following
principles:
a) Objectivity: The evaluation indicator framework can be used in different contexts and for different
purposes and is established so that the results of an evaluation reflect the actual status of the compliance
management system.
b) Completeness and scalability: The evaluation criteria for each indicator consider the planning,
development, implementation and continual improvement of processes, the achievement of planned
results and the degree of achievement.
c) Traceability: The evaluation results are verified through objective methods and evidence of documented
information as well as other supporting information.
5 Evaluation methodology
5.1 General
The effectiveness of the compliance management system refers to its ability to consistently achieve its
objectives and intended results. Moreover, an effective compliance management system results in improved
performance and enhanced value for the organization and its interested parties.
The evaluation methodology provides for three dimensions: policy and procedures; conduct and culture;
and results and impacts. These are evaluated along a scale with five levels of effectiveness (see 5.2). Every
evaluation indicator can be evaluated along these dimensions. The evaluation indicator framework provides
indicators aligned with the requirements of a compliance management system compliant with ISO 37301.
The evaluation criteria provide indicators for assessing the individual parts of a compliance management
system at a detailed granularity (see Clause 6). Applying the evaluation criteria outlined in this document
ensures that activities are consistently evaluated and that inadequacies and areas for continual improvement
are identified, which in turn helps the organization adapt to changing conditions or requirements.
5.2 Evaluation scales
Table 1 outlines the three dimensions and scales for measuring the effectiveness of a compliance
management system.
Table 1 — Scales for the evaluation of the effectiveness of a compliance management system

Each level is described along the three dimensions: policy and procedures; conduct and culture; results and impacts.

Level 1
Policy and procedures: Few processes exist and most of them are incomplete.
Conduct and culture: Behaviour within the organization does not reflect any alignment with the standard procedures.
Results and impacts: No apparent impacts or recognizable results.

Level 2
Policy and procedures: Processes are implemented inconsistently, not formally defined and communicated separately.
Conduct and culture: There is understanding of the standard procedures, but the procedures are not systematically enforced.
Results and impacts: Results are inconsistent; alignment with objectives is coincidental rather than intentional.

Level 3
Policy and procedures: Processes are implemented and documented but not assessed to determine whether they are fulfilling the related requirements.
Conduct and culture: Behaviour begins to reflect compliance measures yet there is significant room for improving alignment and effectiveness.
Results and impacts: Results are only loosely aligned with objectives and not consistent throughout the scope of the compliance management system.

Level 4
Policy and procedures: Processes are integrated into organizational processes; they are monitored, measured and evaluated.
Conduct and culture: Behaviour is actively managed to align with the standard procedures with continuous evaluation and proactive adjustments to enhance compliance, reduce risks and reinforce a culture of ethical conduct.
Results and impacts: Results are aligned with the defined objectives and fully integrated in the organizational process.

Level 5
Policy and procedures: Processes are integrated into the organization process and are continually improved; correction measures are implemented to ensure the effectiveness of the compliance management system.
Conduct and culture: Behaviour is actively managed to align with the standard procedures; compliance measures are fully embedded within the organizational behaviour through continuous monitoring, feedback and adaptation.
Results and impacts: Results are integrated in a feedback loop that fosters continual improvement and adaptation to changing conditions.
5.3 Evaluation indicator framework
The framework provides indicators for each component of the compliance management system in line
with ISO 37301. The indicators are based on a single requirement or a group of requirements related to a
component of ISO 37301. The framework is outlined in Table 2 and Figure A.1.
Table 2 — Composition of the evaluation indicator framework

Dimension: Planning and establishment of the compliance management system
Indicators:
— Analysis of the context of the organization, including requirements of interested parties
— Identification and update of compliance obligations
— Determination of the scope of the compliance management system and assessment of compliance risk
— Leadership and commitment of governing body and top management
— Implementation of compliance governance principles
— Maintenance and promotion of compliance culture
— Assignment of the roles, responsibilities and authorities for personnel at different levels
— Compliance policy and setting of objectives
— Planning of actions to address risks and opportunities and the resources required

Dimension: Implementation of the planned compliance management system
Indicators:
— Operational actions to address risk and opportunity
— Allocation of resources
— Competences, capacity building and raising awareness
— Employment process, rewards and disciplinary actions
— Training
— Internal and external communication
— Establishment of a mechanism for raising concerns
— Implementation of processes for investigation
— Management of documented information

Dimension: Evaluating performance and improvement of the compliance management system
Indicators:
— Monitoring, measurement, analysis and evaluation of performance
— Internal audit
— Management review
— Actions to address nonconformity and/or noncompliance and correction
— Continual improvement in a planned manner
6 Evaluation criteria
6.1 Planning and establishment of the compliance management system
6.1.1 Analysis of the context of the organization, including requirements of interested parties
6.1.1.1 Policy and procedures and conduct and culture evaluation
The dimensions on policy and procedures and conduct and culture, which are used to analyse the context of
the organization, including the requirements of interested parties, should be evaluated according to Table 3.
Table 3 — Evaluation criteria for policy and procedures and conduct and culture related to analysis of the context of the organization, including requirements of interested parties

Level 1: The procedures for the analysis of the context of the organization, including identification of interested parties relevant to the compliance management system, are not established.

Level 2: There are procedures for the analysis of the context of the organization, including identification of interested parties relevant to the compliance management system, but the procedures are incomplete. The procedures have not been implemented in business activities or are inconsistently implemented.

Level 3: Comprehensive procedures for analysing the context of the organization, including identification of interested parties relevant to the compliance management system, have been established and specify the following:
— responsibility for analysing the context of the organization;
— scope of the context that needs to be analysed, including internal and external issues that affect the organization's ability to achieve the intended results of the compliance management system;
— considerations of the requirements of the interested parties;
— input resources to be considered for analysing the context of the organization.
Analysis of the context has been conducted in some businesses or only part of the internal and external issues that affect the organization's ability to achieve the intended results of the compliance management system have been analysed, and appropriate documented information has been created and maintained.

Level 4: Comprehensive procedures, as specified at Level 3, have been established and adjusted based on past practices. Analysis of the context of the organization, including identification of interested parties relevant to the compliance management system, has been fully implemented for all businesses in accordance with the procedures. Appropriate documented information has been created, maintained and updated to reflect changes in the analysis.

Level 5: Comprehensive procedures, as specified at Level 3, have been established and fully embedded within organizational processes. The procedures are consistently monitored and evaluated; they are continually improved and adapted to changing parameters in the internal and external context of the organization. Analysis of the context of the organization is regularly reconducted and updated based on changes in the internal and external issues. Updated documented information is adjusted to serve the needs of functions throughout the organization.
6.1.1.2 Results and impacts evaluation
The results and impacts related to analysis of the context of the organization, including the requirements of
interested parties, should be evaluated according to Table 4.
Table 4 — Evaluation criteria for results and impacts related to analysis of the context of the organization, including requirements of interested parties

Level 1: Internal and external issues, including interested parties and their relevant requirements, that affect the organization's ability to achieve the intended results of the compliance management system have not been determined.

Level 2: Internal and external issues, including interested parties and their relevant requirements, that affect the organization's ability to achieve the intended results of the compliance management system are determined inconsistently.

Level 3: Internal and external issues that affect the organization's ability to achieve the intended results of the compliance management system have been partially determined or only for some business activities. Identification of interested parties and consideration of their requirements and concerns are only for some business activities.

Level 4: Internal and external issues, including interested parties and their relevant requirements, that affect the organization's ability to achieve the intended results of the compliance management system have been determined for all relevant business and are proactively managed.

Level 5: Internal and external issues, including interested parties and their relevant requirements, that affect the organization's ability to achieve the intended results of the compliance management system have been determined based on extensive analysis, including consideration of the legal, cultural, technical and business environment. The analysis of context is reviewed and updated based on changes in the internal or external environment. The affected personnel within the organization participate in the determination of the analysis of the internal and external issues and have a good understanding of their impacts. External interested parties are consulted to incorporate the relevant requirements to the compliance management system into the analyses of the context of the organization.
6.1.2 Identification and update of compliance obligations
6.1.2.1 Policy and procedures and conduct and culture evaluation
The dimensions on policy and procedures and conduct and culture related to identifying and updating
compliance obligations should be evaluated according to Table 5.
Table 5 — Evaluation criteria for policy and procedures and conduct and culture related to identification and update of compliance obligations

Level 1: The procedures for identifying and updating compliance obligations are not established.

Level 2: There are procedures for identifying and updating compliance obligations, but the procedures are incomplete. The procedures have not been implemented in business activities or are inconsistently implemented.

Level 3: Comprehensive procedures for identifying and updating compliance obligations have been established, which specify the following:
— identification and analysis of the relevant requirements of interested parties;
— the scope of compliance obligations;
— documented information for identifying and updating compliance obligations.
Compliance obligations for certain activities, products and services have been identified and updated, or the procedures have been implemented when noncompliance occurs. Appropriate documented information has been created and maintained.

Level 4: Comprehensive procedures, as specified at Level 3, have been established and adjusted based on past practices in identifying and analysing compliance obligations. The mandatory compliance obligations and some voluntary compliance obligations derived from activities, products and services have been identified, maintained and updated according to the established schedule. Appropriate documented information has been created, maintained and updated to reflect changes in compliance obligations and measures to address these changes.

Level 5: Comprehensive procedures, as specified at Level 3, have been established and fully embedded within organizational processes. The procedures are consistently monitored and evaluated; they are continually improved and adapted to changing parameters in the internal and external context of the organization. The mandatory compliance obligations and any voluntary compliance obligations derived from activities, products and services have been identified, maintained and updated according to the established schedule, in particular on decisions on changes or expansion of business activities. Updated documented information has been created and is maintained to demonstrate to external stakeholders that the organization has kept pace with the latest developments over time.
6.1.2.2 Results and impacts evaluation
The results and impacts related to identifying and updating compliance obligations should be evaluated
according to Table 6.
Table 6 — Evaluation criteria for results and impacts related to identification and update of compliance obligations

Level 1: The compliance obligations have not been determined.

Level 2: The compliance obligations are only occasionally and inconsistently determined.

Level 3: Compliance obligations are only determined for certain activities, products and services or where noncompliance occurs.

Level 4: Mandatory compliance obligations and some voluntary compliance obligations derived from activities, products and services have been determined and proactively managed. Changes to compliance obligations are considered in the compliance risk assessment.

Level 5: The mandatory compliance obligations and voluntary compliance obligations have been determined and recorded. These are related to the organization's activities, products, services and relevant aspects of its operations. Determination of the mandatory and voluntary compliance obligations is based on independent data analysis. Resources have been allocated for the comprehensive and timely determination of relevant compliance obligations and the impact on the business activities of the organization. The determination of compliance obligations is regularly updated to identify changed or new compliance obligations and their impact on the business activities of the organization, which are incorporated into the compliance risk assessment. Change or expansion of business activities considers the impact of compliance obligations.
6.1.3 Determination of the scope of the compliance management system and assessment of
compliance risk
6.1.3.1 Policy and procedures and conduct and culture evaluation
The dimensions on policy and procedures and conduct and culture related to determining the scope of the
compliance management system and assessment of compliance risk should be evaluated according to Table 7.
Table 7 — Evaluation criteria for policy and procedures and conduct and culture related to determining the scope of the compliance management system and assessment of compliance risk

Level 1: The procedures for compliance risk assessment are not established.

Level 2: There are procedures for compliance risk assessment, but the procedures are incomplete. The procedures have not been implemented in business activities or are inconsistently implemented.

Level 3: Comprehensive procedures for compliance risk assessment have been established, which specify the following:
— identification, analysis, evaluation and description of compliance risks;
— monitoring of compliance risks;
— regular assessment and update of compliance risks;
— results of the assessment to be used as criteria for the determination of the scope of the compliance management system.
Appropriate documented information has been created and maintained.

Level 4: Comprehensive procedures, as specified at Level 3, have been established and adjusted based on past compliance risk assessment practices. Procedures require compliance risk assessment for outsourced business activities and processes with third parties. Procedures require risk reassessment on a regular basis, when changes occur in the context of the organization and upon occurrence of noncompliance. Appropriate documented information has been created, maintained and updated to reflect changes in the compliance risk assessment.

Level 5: Comprehensive procedures, as specified at Level 3, have been established and fully embedded within organizational processes. The procedures are consistently monitored and evaluated; they are continually improved and adapted to changing parameters in the internal and external context of the organization. Procedures include objectives of risk assessment in terms of quality and intended results, and improvements were made towards meeting the objectives and intended results. Reassessment has been conducted at regular intervals and when changes occur in the organization's business, internal and external environment and upon occurrence of noncompliance. Updated documented information reflecting the changes to the compliance risk assessment has been created and maintained.
6.1.3.2 Results and impacts evaluation
The results and impacts related to determining the scope of the compliance management system and
assessment of compliance risk should be evaluated according to Table 8.
Table 8 — Evaluation criteria for results and impacts related to determination of the scope of the compliance management system and assessment of compliance risk

Level 1: The compliance risk assessment has not been conducted.

Level 2: The compliance risk assessment is only occasionally and inconsistently conducted.

Level 3: The compliance risk assessment has only been conducted for certain business areas of the organization or areas where noncompliance events have occurred.

Level 4: The compliance risk assessment has been conducted for the organization and is managed. Reassessment has been conducted in a timely manner when changes occur, for example in the organization's business activities and in the internal and external environment, and upon occurrence of noncompliance. The results of the compliance risk assessment are input to the development of measures to ensure fulfilment of compliance obligations.

Level 5: Compliance risk assessments have been regularly conducted in accordance with the procedures, which include compliance risk assessments for outsourced business or activities and processes with third parties and updated according to the changes in internal and external context. Compliance risks have been determined, categorized and prioritized according to the evaluation of their impact and likelihood of occurrence. The results of the compliance risk assessment are input for the allocation of resources to develop, implement and maintain strategic and operational measures to ensure the fulfilment of compliance obligations. The time elapsed between identification and evaluation of material changes in the internal and external context and the initiation and implementation of amendments to the compliance management system is monitored to ensure timely reassessment of compliance risk. Resources have been allocated for monitoring and addressing compliance risks. Relevant systems and processes of the organization have been optimized and adjusted based on the results of compliance risk monitoring. The compliance risk assessment methods have been updated based on known compliance concerns or noncompliance. Documented information on compliance risk assessment and compliance risk measures has been created, updated and maintained.
6.1.4 Leadership and commitment of governing body and top management
6.1.4.1 Policy and procedures and conduct and culture evaluation
The dimensions on policy and procedures and conduct and culture related to leadership and commitment of
governing body and top management should be evaluated according to Table 9.
Table 9 — Evaluation criteria for policy and procedures and conduct and culture related to leadership and commitment of governing body and top management
Scales: Description
Level 1: The procedures for ensuring a regular and consistent demonstration of leadership and commitment to the compliance management system by the governing body and the top management have not been established.
Level 2: The procedures for ensuring a regular and consistent demonstration of leadership and commitment to the compliance management system by the governing body and the top management are incomplete or inconsistently implemented.
Level 3: Comprehensive procedures for ensuring a regular and consistent demonstration of leadership and commitment to the compliance management system by the governing body and top management have been established, which specify the following:
  — approval of the compliance policy;
  — communication of the importance of compliance;
  — support for management and personnel in their contribution to the compliance culture.
Level 4: Comprehensive procedures, as specified at Level 3, have been established and adjusted based on best practices to reflect changes in the context of the organization, in operating activities and the business model, when exposed to compliance risk and upon the occurrence of noncompliance.
Level 5: Comprehensive procedures, as specified at Level 3, have been established and fully embedded within organizational processes, consistently monitored, evaluated, continually improved and adapted to changed parameters.
6.1.4.2 Results and impacts evaluation
The results and impacts related to leadership and commitment of governing body and top management
should be evaluated according to Table 10.
Table 10 — Evaluation criteria for results and impacts related to leadership and commitment of governing body and top management
Scales: Description
Level 1: Governing body and top management have not expressed their commitments to compliance.
Level 2: The expression of commitments to compliance by the governing body and top management is inconsistent.
Level 3: The expression of commitments to compliance by the governing body and top management is not systematically demonstrated, and alignment with the organization's objective is insufficient.
Level 4: The expression of commitments to compliance by the governing body and top management is systematically demonstrated and proactively managed to react to changes in the exposure to compliance risks, such as new business activities or the occurrence of noncompliance.
  The compliance policy is approved by the governing body.
  The top management is responsible for ensuring that the organization achieves its commitment to compliance.
  The compliance commitments are communicated to all personnel and relevant interested parties, and concrete measures are in place to support them in their contribution to the effectiveness of the compliance management system.
Level 5: The governing body and top management have confirmed through their own actions and decisions that they are committed to establishing, developing, implementing, evaluating, maintaining and improving an effective and responsive compliance management system.
  Appropriate resources are provided for establishing, developing, implementing, evaluating, maintaining and improving a strong compliance culture by conducting awareness raising activities and training for all personnel and relevant parties.
  Policies, processes and procedures not only reflect legal requirements, but also reflect voluntary norms and the core values of the organization.
  Responsibilities for compliance are assigned to all levels of management, which are held accountable.
  The compliance management system is regularly reviewed and continuously improved to ensure the organizational compliance performance. Timely implementation of corrective measures for nonconformities and noncompliance is monitored and reported to the governing body and top management.
  The governing body and top management adhere to the organization's compliance management system.
6.1.5 Implementation of compliance governance principles
6.1.5.1 Policy and procedures and conduct and culture evaluation
The dimensions on policy and procedures and conduct and culture related to implementing the compliance
governance principles should be evaluated according to Table 11.
Table 11 — Evaluation criteria for policy and procedures and conduct and culture related to implementing compliance governance principles
Scales: Description
Level 1: No procedures for implementing compliance governance principles have been established.
Level 2: There are procedures for establishing compliance governance principles, but the procedures are incomplete.
  The procedures have not been implemented in business activities or are inconsistently implemented.
Level 3: Comprehensive procedures are in place to ensure that important compliance matters are reported directly to the governing body promptly.
  Procedures are in place which specify that the compliance function:
  — participates in meetings of the governing body and top management on a regular basis;
  — is consulted in decision-making involving compliance risks.
  Descriptions of roles and responsibilities and the appointment of the compliance function by the governing body and top management reflect:
...
International
Standard
ISO 37302
First edition
Compliance management
2025-07
systems — Guidance for the
evaluation of effectiveness
Systèmes de management de la conformité — Lignes directrices
pour l'évaluation de l'efficacité
Reference number
© ISO 2025
All rights reserved. Unless otherwise specified, or required in the context of its implementation, no part of this publication may
be reproduced or utilized otherwise in any form or by any means, electronic or mechanical, including photocopying, or posting on
the internet or an intranet, without prior written permission. Permission can be requested from either ISO at the address below
or ISO’s member body in the country of the requester.
ISO copyright office
CP 401 • Ch. de Blandonnet 8
CH-1214 Vernier, Geneva
Phone: +41 22 749 01 11
Email: copyright@iso.org
Website: www.iso.org
Published in Switzerland
ii
Contents Page
Foreword .iv
Introduction .v
1 Scope . 1
2 Normative references . 1
3 Terms and definitions . 1
4 General principles . 2
5 Evaluation methodology . 2
5.1 General .2
5.2 Evaluation scales .3
5.3 Evaluation indicator framework .3
6 Evaluation criteria . 5
6.1 Planning and establishment of the compliance management system .5
6.1.1 Analysis of the context of the organization, including requirements of interested
parties .5
6.1.2 Identification and update of compliance obligations .7
6.1.3 Determination of the scope of the compliance management system and
assessment of compliance risk .8
6.1.4 Leadership and commitment of governing body and top management.10
6.1.5 Implementation of compliance governance principles . 12
6.1.6 Maintenance and promotion of compliance culture .14
6.1.7 Assignment of the roles, responsibilities, and authorities for personnel at
different levels . 15
6.1.8 Compliance policy and setting of objectives . .17
6.1.9 Planning of actions to address risk and opportunity and the resources required .19
6.2 Implementation of the planned compliance management system . 20
6.2.1 Operational actions to address risk and opportunity . 20
6.2.2 Allocation of resources .21
6.2.3 Competences, capacity building and raising awareness . 23
6.2.4 Employment process, rewards and disciplinary actions . 25
6.2.5 Training . 26
6.2.6 Internal and external communication . 28
6.2.7 Establishment of a mechanism for raising concerns . 29
6.2.8 Implementation of processes for investigation . 30
6.2.9 Management of documented information .32
6.3 Evaluating performance and improvement of the compliance management system . 33
6.3.1 Monitoring, measurement, analysis and evaluation of performance . 33
6.3.2 Internal audit . 34
6.3.3 Management review . 36
6.3.4 Actions to address nonconformity and/or noncompliance and correction .37
6.3.5 Continual improvement in a planned manner . 39
7 Evaluation process .40
7.1 Objectives . 40
7.2 Structured approach . 40
7.3 Evaluators .41
7.4 Evaluation method .41
7.4.1 Design .41
7.4.2 Implementation .41
7.4.3 Reporting and response . .42
Annex A (informative) Figure of the evaluation indicator framework .43
iii
Foreword
ISO (the International Organization for Standardization) is a worldwide federation of national standards
bodies (ISO member bodies). The work of preparing International Standards is normally carried out through
ISO technical committees. Each member body interested in a subject for which a technical committee
has been established has the right to be represented on that committee. International organizations,
governmental and non-governmental, in liaison with ISO, also take part in the work. ISO collaborates closely
with the International Electrotechnical Commission (IEC) on all matters of electrotechnical standardization.
The procedures used to develop this document and those intended for its further maintenance are described
in the ISO/IEC Directives, Part 1. In particular, the different approval criteria needed for the different types
of ISO document should be noted. This document was drafted in accordance with the editorial rules of the
ISO/IEC Directives, Part 2 (see www.iso.org/directives).
ISO draws attention to the possibility that the implementation of this document may involve the use of (a)
patent(s). ISO takes no position concerning the evidence, validity or applicability of any claimed patent
rights in respect thereof. As of the date of publication of this document, ISO had not received notice of (a)
patent(s) which may be required to implement this document. However, implementers are cautioned that
this may not represent the latest information, which may be obtained from the patent database available at
www.iso.org/patents. ISO shall not be held responsible for identifying any or all such patent rights.
Any trade name used in this document is information given for the convenience of users and does not
constitute an endorsement.
For an explanation of the voluntary nature of standards, the meaning of ISO specific terms and expressions
related to conformity assessment, as well as information about ISO's adherence to the World Trade
Organization (WTO) principles in the Technical Barriers to Trade (TBT), see www.iso.org/iso/foreword.html.
This document was prepared by Technical Committee ISO/TC 309, Governance of organizations.
Any feedback or questions on this document should be directed to the user’s national standards body. A
complete listing of these bodies can be found at www.iso.org/members.html.
iv
Introduction
An effective compliance management system supports an organization. It enables the organization to
demonstrate its commitment to complying with:
— relevant laws;
— regulatory requirements;
— industry codes;
— organizational standards;
— standards of good governance;
— generally accepted best practices;
— ethics;
— the expectations of the interested parties.
Compliance becomes sustainable when it is embedded in the culture of the organization and in the behaviour
and attitude of personnel under the control of the organization. Embedded compliance positively influences
the compliance performance of the organization.
ISO 37301 sets out the requirements and provides guidance for establishing, developing, implementing,
evaluating and improving an effective and responsive compliance management system within an
organization. This document provides guidance to support the implementation of the requirements in
ISO 37301 related to evaluating the performance of a compliance management system (including monitoring,
measurement, analysis, evaluation and management reviews) and thus ensuring continual improvement in
any type of organization.
The framework can also be used to evaluate the effectiveness of other types of compliance management
systems.
v
International Standard ISO 37302:2025(en)
Compliance management systems — Guidance for the
evaluation of effectiveness
1 Scope
This document establishes principles and an evaluation indicator framework for assessing the effectiveness
of a compliance management system. This includes evaluation criteria for specified indicators. This
document also provides guidance as well as suggestions on the evaluation model.
The guidance provided in this document aims to support the monitoring, measurement, analysis and
evaluation of a compliance management system. It aims to support management review of the compliance
management system to foster continual improvement. It does not add to, change or otherwise modify
requirements for compliance management systems or any other standards.
This document is applicable to the activities for evaluating the effectiveness of the compliance management
system in all organizations, regardless of the type, size and nature, including organizations from the public,
private or non-profit sector.
2 Normative references
The following documents are referred to in the text in such a way that some or all of their content constitutes
requirements of this document. For dated references, only the edition cited applies. For undated references,
the latest edition of the referenced document (including any amendments) applies.
ISO 37301, Compliance management systems — Requirements with guidance for use
3 Terms and definitions
For the purposes of this document, the terms and definitions given in ISO 37301 and the following apply.
ISO and IEC maintain terminology databases for use in standardization at the following addresses:
— ISO Online browsing platform: available at https:// www .iso .org/ obp
— IEC Electropedia: available at https:// www .electropedia .org/
3.1
effectiveness
extent to which planned activities are realized and planned results are achieved
[SOURCE: ISO 37301:2021, 3.13]
3.2
evaluation indicator
measurable reference point of the current status or condition of a compliance management system activity
Note 1 to entry: Evaluation indicators can be quantitative or qualitative.
3.3
evaluation indicator framework
schema comprised of evaluation indicators (3.2) that reflects the effectiveness of a compliance
management system
4 General principles
The evaluation of the effectiveness of a compliance management system should be based on the following
principles:
a) Objectivity: The evaluation indicator framework can be used in different contexts and for different
purposes and is established so that the results of an evaluation reflect the actual status of the compliance
management system.
b) Completeness and scalability: The evaluation criteria for each indicator considers the planning,
development, implementation and continual improvement of processes, the achievement of planned
results and the degree of achievement.
c) Traceability: The evaluation results are verified through objective methods and evidence of documented
information as well as other supporting information.
5 Evaluation methodology
5.1 General
The effectiveness of the compliance management system refers to its ability to consistently achieve its
objectives and intended results. Moreover, an effective compliance management system results in improved
performance and enhanced value for the organization and its interested parties.
The evaluation methodology provides for three dimensions: policy and procedures; conduct and culture;
and results and impacts. These are evaluated along a scale with five levels of effectiveness (see 5.2). Every
evaluation indicator can be evaluated along these dimensions. The evaluation indicator framework provides
indicators aligned with the requirements of a compliance management system compliant with ISO 37301.
The evaluation criteria provide indicators for assessing the individual parts of a compliance management
system at a detailed granularity (see Clause 6). Applying the evaluation criteria outlined in this document
ensures that activities are consistently evaluated and that inadequacies and areas for continual improvement
are identified, which in turn helps the organization adapt to changing conditions or requirements.
5.2 Evaluation scales
Table 1 outlines the three dimensions and scales for measuring the effectiveness of a compliance
management system.
Table 1 — Scales for the evaluation of the effectiveness of a compliance management system
Description
Scales
Policy and procedures Conduct and culture Results and impacts
Few processes exist and most of Behaviour within the organization No apparent impacts or recog-
Level 1 them are incomplete. does not reflect any alignment with nizable results.
the standard procedures.
Processes are implemented incon- There is understanding of the stand- Results are inconsistent; align-
Level 2 sistently, not formally defined and ard procedures, but the procedures ment with objectives is coinci-
communicated separately. are not systematically enforced. dental rather than intentional.
Processes are implemented and Behaviour begins to reflect compli- Results are only loosely
documented but not assessed to ance measures yet there is signifi- aligned with objectives and
Level 3 determine whether they are ful- cant room for improving alignment not consistent throughout the
filling the related requirements. and effectiveness. scope of the compliance man-
agement system.
Processes are integrated into Behaviour is actively managed to Results are aligned with the
organizational processes; they align with the standard procedures defined objectives and fully
are monitored, measured and with continuous evaluation and pro- integrated in the organization-
Level 4
evaluated. active adjustments to enhance com- al process.
pliance, reduce risks and reinforce a
culture of ethical conduct.
Processes are integrated into Behaviour is actively managed to Results are integrated in a
the organization process and are align with the standard procedures; feedback loop that fosters
continually improved; correction compliance measures are fully continual improvement and
Level 5
measures are implemented to embedded within the organizational adaptation to changing condi-
ensure the effectiveness of the behaviour through continuous mon- tions.
compliance management system. itoring, feedback and adaptation.
5.3 Evaluation indicator framework
The framework provides indicators for each component of the compliance management system in line
with ISO 37301. The indicators are based on a single requirement or a group of requirements related to a
component of ISO 37301. The framework is outlined in Table 2 and Figure A.1.
Table 2 — Composition of the evaluation indicator framework
Dimensions of the evaluation indicator framework Indicator description
Analysis of the context of the organization, including re-
quirements of interested parties
Identification and update of compliance obligations
Determination of the scope of the compliance management
system and assessment of compliance risk
Leadership and commitment of governing body and top
management
Planning and establishment of the compliance manage-
ment system Implementation of compliance governance principles
Maintenance and promotion of compliance culture
Assignment of the roles, responsibilities and authorities for
personnel at different levels
Compliance policy and setting of objectives
Planning of actions to address risks and opportunities and
the resources required
Operational actions to address risk and opportunity
Allocation of resources
Competences, capacity building and raising awareness
Employment process, rewards and disciplinary actions
Implementation of the planned compliance manage-
Training
ment system
Internal and external communication
Establishment of a mechanism for raising concerns
Implementation of processes for investigation
Management of documented information
Monitoring, measurement, analysis and evaluation of per-
formance
Internal audit
Evaluating performance and improvement of the com-
Management review
pliance management system
Actions to address nonconformity and/or noncompliance
and correction
Continual improvement in a planned manner
6 Evaluation criteria
6.1 Planning and establishment of the compliance management system
6.1.1 Analysis of the context of the organization, including requirements of interested parties
6.1.1.1 Policy and procedures and conduct and culture evaluation
The dimensions on policy and procedures and conduct and culture, which are used to analyse the context of
the organization, including the requirements of interested parties, should be evaluated according to Table 3.
Table 3 — Evaluation criteria for policy and procedures and conduct and culture related to analysis
of the context of the organization, including requirements of interested parties
Scales Description
The procedures for the analysis of the context of the organization, including identification of interested
Level 1
parties relevant to the compliance management system, are not established.
There are procedures for the analysis of the context of the organization, including identification of inter-
ested parties relevant to the compliance management system, but the procedures are incomplete.
Level 2
The procedures have not been implemented in business activities or are inconsistently implemented.
Comprehensive procedures for analysing the context of the organization, including identification of in-
terested parties relevant to the compliance management system, have been established and specify the
following:
— responsibility for analysing the context of the organization;
— scope of the context that needs to be analysed, including internal and external issues that affect the
organization's ability to achieve the intended results of the compliance management system;
Level 3
— considerations of the requirements of the interested parties;
— input resources to be considered for analysing the context of the organization.
Analysis of the context has been conducted in some businesses or only part of the internal and external
issues that affect the organization's ability to achieve the intended results of the compliance manage-
ment system have been analysed, and appropriate documented information has been created and main-
tained.
Comprehensive procedures, as specified at Level 3, have been established and adjusted based on past
practices.
Analysis of the context of the organization, including identification of interested parties relevant to the
Level 4
compliance management system, have been fully implemented for all businesses in accordance with the
procedures. Appropriate documented information has been created, maintained and updated to reflect
changes in the analysis.
Comprehensive procedures, as specified at Level 3, have been established and fully embedded within or-
ganizational processes. The procedures are consistently monitored and evaluated; they are continually
improved and adapted to changing parameters in the internal and external context of the organization.
Level 5 Analysis of the context of the organization is regularly reconducted and updated based on changes in the
internal and external issues.
Updated documented information is adjusted to serve the needs of functions throughout the organiza-
tion.
6.1.1.2 Results and impacts evaluation
The results and impacts related to analysis of the context of the organization, including the requirements of
interested parties, should be evaluated according to Table 4.
Table 4 — Evaluation criteria for results and impacts related to analysis of the context of the
organization, including requirements of interested parties
Scales Description
Internal and external issues, including interested parties and their relevant requirements, that affect
Level 1 the organization's ability to achieve the intended results of the compliance management system have not
been determined.
Internal and external issues, including interested parties and their relevant requirements, that affect
Level 2 the organization's ability to achieve the intended results of the compliance management system are
determined inconsistently.
Internal and external issues that affect the organization's ability to achieve the intended results of the
compliance management system have been partially determined or only for some business activities.
Level 3
Identification of interested parties and consideration of their requirements and concerns are only for
some business activities.
Internal and external issues, including interested parties and their relevant requirements, that affect the
Level 4 organization's ability to achieve the intended results of the compliance management system have been
determined for all relevant business and are proactively managed.
Internal and external issues, including interested parties and their relevant requirements, that affect the
organization's ability to achieve the intended results of the compliance management system have been
determined based on extensive analysis, including consideration of the legal, cultural, technical and
business environment.
The analysis of context is reviewed and updated based on changes in the internal or external environ-
Level 5
ment.
The affected personnel within the organization participate in the determination of the analysis of the
internal and external issues and have a good understanding of their impacts.
External interested parties are consulted to incorporate the relevant requirements to the compliance
management system into the analyses of the context of the organization.
6.1.2 Identification and update of compliance obligations
6.1.2.1 Policy and procedures and conduct and culture evaluation
The dimensions on policy and procedures and conduct and culture related to identifying and updating
compliance obligations should be evaluated according to Table 5.
Table 5 — Evaluation criteria for policy and procedures and conduct and culture related to
identification and update of compliance obligations
Scales Description
Level 1 The procedures for identifying and updating compliance obligations are not established.
There are procedures for identifying and updating compliance obligations, but the procedures are in-
complete.
Level 2
The procedures have not been implemented in business activities or are inconsistently implemented.
Comprehensive procedures for identifying and updating compliance obligations have been established,
which specify the following:
— identification and analysis of the relevant requirements of interested parties;
— the scope of compliance obligations;
Level 3
— documented information for identifying and updating compliance obligations.
Compliance obligations for certain activities, products and services have been identified and updated, or
the procedures have been implemented when noncompliance occurs.
Appropriate documented information has been created and maintained.
Comprehensive procedures, as specified at Level 3, have been established and adjusted based on past
practices in identifying and analysing compliance obligations.
The mandatory compliance obligations and some voluntary compliance obligations derived from activ-
Level 4 ities, products and services have been identified, maintained and updated according to the established
schedule.
Appropriate documented information has been created, maintained and updated to reflect changes in
compliance obligations and measures to address these changes.
Comprehensive procedures, as specified at Level 3, have been established and fully embedded within or-
ganizational processes. The procedures are consistently monitored and evaluated; they are continually
improved and adapted to changing parameters in the internal and external context of the organization.
The mandatory compliance obligations and any voluntary compliance obligations derived from activi-
Level 5
ties, products and services have been identified, maintained and updated according to the established
schedule, in particular on decisions on changes or expansion of business activities.
Updated documented information has been created and is maintained to demonstrate to external stake-
holders that the organization has kept pace with the latest developments over time.
6.1.2.2 Results and impacts evaluation
The results and impacts related to identifying and updating compliance obligations should be evaluated
according to Table 6.
Table 6 — Evaluation criteria for results and impacts related to identification and update of
compliance obligations
Scales Description
Level 1 The compliance obligations have not been determined.
Level 2 The compliance obligations are only occasionally and inconsistently determined.
Compliance obligations are only determined for certain activities, products and services or where non-
Level 3
compliance occurs.
Mandatory compliance obligations and some voluntary compliance obligations derived from activities,
products and services have been determined and proactively managed.
Level 4
Changes to compliance obligations are considered in the compliance risk assessment.
The mandatory compliance obligations and voluntary compliance obligations have been determined and
recorded. These are related to the organization's activities, products, services and relevant aspects of its
operations.
Determination of the mandatory and voluntary compliance obligations is based on independent data
analysis. Resources have been allocated for the comprehensive and timely determination of relevant
Level 5
compliance obligations and the impact on the business activities of the organization.
The determination of compliance obligations is regularly updated to identify changed or new compli-
ance obligations and their impact on the business activities of the organization, which are incorporated
into the compliance risk assessment. Change or expansion of business activities consider the impact of
compliance obligations.
6.1.3 Determination of the scope of the compliance management system and assessment of
compliance risk
6.1.3.1 Policy and procedures and conduct and culture evaluation
The dimensions on policy and procedures and conduct and culture related to determining the scope of the
compliance management system and assessment of compliance risk should be evaluated according to Table 7.
Table 7 — Evaluation criteria for policy and procedures and conduct and culture related to
determining the scope of the compliance management system and assessment of compliance risk
Scales Description
Level 1 The procedures for compliance risk assessment are not established.
Level 2 There are procedures for compliance risk assessment, but the procedures are incomplete.
The procedures have not been implemented in business activities or are inconsistently implemented.
Level 3 Comprehensive procedures for compliance risk assessment have been established, which specify the following:
— identification, analysis, evaluation and description of compliance risks;
— monitoring of compliance risks;
— regular assessment and update of compliance risks;
— results of the assessment to be used as criteria for the determination of the scope of the compliance management system.
Appropriate documented information has been created and maintained.
Level 4 Comprehensive procedures, as specified at Level 3, have been established and adjusted based on past compliance risk assessment practices.
Procedures require compliance risk assessment for outsourced business activities and processes with third parties. Procedures require risk reassessment on a regular basis, when changes occur in the context of the organization and upon occurrence of noncompliance.
Appropriate documented information has been created, maintained and updated to reflect changes in the compliance risk assessment.
Level 5 Comprehensive procedures, as specified at Level 3, have been established and fully embedded within organizational processes. The procedures are consistently monitored and evaluated; they are continually improved and adapted to changing parameters in the internal and external context of the organization.
Procedures include objectives of risk assessment in terms of quality and intended results, and improvements have been made towards meeting the objectives and intended results. Reassessment has been conducted at regular intervals, when changes occur in the organization's business and in its internal and external environment, and upon occurrence of noncompliance.
Updated documented information reflecting the changes to the compliance risk assessment has been created and maintained.
6.1.3.2 Results and impacts evaluation
The results and impacts related to determining the scope of the compliance management system and
assessment of compliance risk should be evaluated according to Table 8.
Table 8 — Evaluation criteria for results and impacts related to determination of the scope of the
compliance management system and assessment of compliance risk
Scales Description
Level 1 The compliance risk assessment has not been conducted.
Level 2 The compliance risk assessment is only occasionally and inconsistently conducted.
Level 3 The compliance risk assessment has only been conducted for certain business areas of the organization or for areas where noncompliance events have occurred.
Level 4 The compliance risk assessment has been conducted for the organization and is managed.
Reassessment has been conducted in a timely manner when changes occur, for example in the organization's business activities and in the internal and external environment, and upon occurrence of noncompliance.
The results of the compliance risk assessment are input to the development of measures to ensure fulfilment of compliance obligations.
Level 5 Compliance risk assessments have been regularly conducted in accordance with the procedures, which include compliance risk assessments for outsourced business activities and processes with third parties, and have been updated according to changes in the internal and external context.
Compliance risks have been determined, categorized and prioritized according to the evaluation of their impact and likelihood of occurrence.
The results of the compliance risk assessment are input for the allocation of resources to develop, implement and maintain strategic and operational measures to ensure the fulfilment of compliance obligations.
The time elapsed between identification and evaluation of material changes in the internal and external context and the initiation and implementation of amendments to the compliance management system is monitored to ensure timely reassessment of compliance risk.
Resources have been allocated for monitoring and addressing compliance risks.
Relevant systems and processes of the organization have been optimized and adjusted based on the results of compliance risk monitoring.
The compliance risk assessment methods have been updated based on known compliance concerns or noncompliance.
Documented information on compliance risk assessment and compliance risk measures has been created, updated and maintained.
6.1.4 Leadership and commitment of governing body and top management
6.1.4.1 Policy and procedures and conduct and culture evaluation
The dimensions on policy and procedures and conduct and culture related to leadership and commitment of
governing body and top management should be evaluated according to Table 9.
Table 9 — Evaluation criteria for policy and procedures and conduct and culture related to
leadership and commitment of governing body and top management
Scales Description
Level 1 The procedures for ensuring a regular and consistent demonstration of leadership and commitment to the compliance management system by the governing body and top management have not been established.
Level 2 The procedures for ensuring a regular and consistent demonstration of leadership and commitment to the compliance management system by the governing body and top management are incomplete or inconsistently implemented.
Level 3 Comprehensive procedures for ensuring a regular and consistent demonstration of leadership and commitment to the compliance management system by the governing body and top management have been established, which specify the following:
— approval of the compliance policy;
— communication of the importance of compliance;
— support for management and personnel in their contribution to the compliance culture.
Level 4 Comprehensive procedures, as specified at Level 3, have been established and adjusted based on best practices to reflect changes in the context of the organization, in operating activities and in the business model, when exposed to compliance risk and upon the occurrence of noncompliance.
Level 5 Comprehensive procedures, as specified at Level 3, have been established and fully embedded within organizational processes, consistently monitored, evaluated, continually improved and adapted to changed parameters.
6.1.4.2 Results and impacts evaluation
The results and impacts related to leadership and commitment of governing body and top management
should be evaluated according to Table 10.
Table 10 — Evaluation criteria for results and impacts related to leadership and commitment of
governing body and top management
Scales Description
Level 1 The governing body and top management have not expressed their commitment to compliance.
Level 2 The expression of commitment to compliance by the governing body and top management is inconsistent.
Level 3 The expression of commitment to compliance by the governing body and top management is not systematically demonstrated, and alignment with the organization's objectives is insufficient.
Level 4 The expression of commitment to compliance by the governing body and top management is systematically demonstrated and proactively managed to react to changes in the exposure to compliance risks, such as new business activities or the occurrence of noncompliance.
The compliance policy is approved by the governing body.
Top management is responsible for ensuring that the organization achieves its commitment to compliance.
The compliance commitments are communicated to all personnel and relevant interested parties, and concrete measures are in place to support them in their contribution to the effectiveness of the compliance management system.
Level 5 The governing body and top management have confirmed through their own actions and decisions that they are committed to establishing, developing, implementing, evaluating, maintaining and improving an effective and responsive compliance management system.
Appropriate resources are provided for establishing, developing, implementing, evaluating, maintaining and improving a strong compliance culture by conducting awareness-raising activities and training for all personnel and relevant parties.
Policies, processes and procedures reflect not only legal requirements but also voluntary norms and the core values of the organization.
Responsibilities for compliance are assigned to all levels of management, which are held accountable.
The compliance management system is regularly reviewed and continually improved to ensure the organization's compliance performance. Timely implementation of corrective measures for nonconformities and noncompliance is monitored and reported to the governing body and top management.
The governing body and top management adhere to the organization's compliance management system.
6.1.5 Implementation of compliance governance principles
6.1.5.1 Policy and procedures and conduct and culture evaluation
The dimensions on policy and procedures and conduct and culture related to implementing the compliance
governance principles should be evaluated according to Table 11.
Table 11 — Evaluation criteria for policy and procedures and conduct and culture related to
implementing compliance governance principles
Scales Description
Level 1 No procedures for implementing compliance governance principles have been established.
Level 2 There are procedures for establishing compliance governance principles, but the procedures are incomplete.
The procedures have not been implemented in business activities or are inconsistently implemented.
Level 3 Comprehensive procedures are in place to ensure that important compliance matters are reported directly and promptly to the governing body.
Procedures are in place which specify that the compliance function:
— participates in meetings of the governing body and top management on a regular basis;
— is consulted in decision-making involving compliance risks.
Descriptions of roles and responsibilities and the appointment of the compliance function by the governing body and top management reflect:
— the independence of the compliance function from undue interference;
— permission to address the governing body directly;
— the authority and competence needed to fulfil the responsibility of operating the compliance management system.
Some of the compliance governance principles have been implemented. However, the access of the compliance function to information and decision-making is limited.
Level 4 The governance principles as specified at Level 3 have been established and adjusted based on the reality of the organization.
All compliance governance principles are effective in respect of all relevant business functions and are reflected in the compliance organizational framework to ensure a direct reporting line to the governing body and the independence, authority and competence of the compliance function.
Level 5 The governance principles as specified at Level 3 have been established and adjusted based on the reality of the organization to ensure the independence, authority and competence of the compliance function.
All compliance gove
...