Glossary
Compliance Management System
The integrated framework of policies, procedures, training, and monitoring through which an organisation manages compliance risk. ISO 37301:2021 sets the canonical structure: identify obligations, assess risks, design controls (including a whistleblowing channel), train staff, monitor, review, improve. The CMS is typically owned by the compliance officer and reports to the board's audit committee.
Full definition
A compliance management system (CMS) is the operationalised framework that turns laws and regulations into day-to-day behaviour. ISO 37301:2021 sets out the canonical structure: identify obligations, assess risks, design controls (including a whistleblowing channel), train staff, monitor, review, improve. The CMS is typically owned by the compliance officer and reports to the board's audit committee. Whistleblowing is one of the few CMS controls that detects what other controls miss; it is the "sensor of last resort".
Related terms
- Compliance Officer: The senior executive accountable for an organisation's compliance management system. In whistleblowing, the compliance officer is most often the designated person under EU Directive 2019/1937 Article 8(5), operating the internal channel, training case handlers, and reporting to the board on volume and outcomes. The role is regulated in finance and increasingly expected at 250+ employees.
- ISO 37301: The international standard for compliance management systems, published in 2021. ISO 37301 defines requirements for organisations to identify their compliance obligations, manage compliance risk, and maintain a culture that enables compliance. Whistleblowing channels are explicitly listed as a control. Organisations often pursue triple certification across ISO 37001 (anti-bribery), ISO 37002 (whistleblowing), and ISO 37301.
- Internal Reporting Channel: A confidential mechanism inside an organisation through which employees and other workers can report breaches. EU Directive 2019/1937 Article 8 requires every legal entity with 50 or more employees to operate one, accept reports in writing, orally, or through a physical meeting, acknowledge within 7 days, and provide substantive feedback within 3 months.