The wait is finally over. On 15 October 2016, the International Organization for Standardization published the much-awaited ISO 37001 standard on anti-bribery management systems. The world of anti-corruption experts is abuzz with predictions on the importance and likely impact of the new standard. In this article, I offer some brief insights on the new standard and elaborate on its potential impact on organizations envisaging of being crowned ISO 37001 certified.
As far as its actual content is concerned, the new standard (and here I share the opinion of many of my colleagues and experts in this area) is not vastly different from the Resource Guide to the US Foreign Corrupt Practices Act (published by the US Department of Justice) or the guidance to the UK Bribery Act (released by the UK Ministry of Justice). However, what sets ISO 37001 apart from the aforementioned documents is that it is not designed to provide guidance in relation to any particular legislation; it is, by definition as an international standard, unbound by jurisdiction and designed to be internationally recognized.
A quick read through the new standard will reveal what one would expect from a robust and mature anti-bribery and corruption (“ABC”) management system. It covers both active and passive bribery, with the focus not only on organizations themselves, but also on their personnel, business associates and third parties (which, again, is nothing new and is presently a common and widely accepted practice).
Like other ISO standards, the new standard includes a provision allowing organizations to be ISO 37001 certified by an independent third party — an option of significant importance and potential. The benefits of certification go far beyond mere bragging rights. Independent assurance that a company’s anti-bribery and corruption management system is in line with the ISO 37001 standard can provide a competitive advantage in realizing opportunities with potential business partners. It may also represent a mitigating factor for an organization facing bribery and corruption charges or prosecution (see the next section for further thoughts on this subject).
To get the bragging rights and associated benefits of being certified, an organization will need to demonstrate that the following areas of its anti-bribery management system are implemented:
An anti-bribery policy;
- Management leadership, commitment and responsibility;
- Personnel controls and training;
- Risk assessments;
- Due diligence on projects and business associates;
- Financial, commercial and contractual controls;
- Reporting, monitoring, investigation and review; and
- Corrective action and continual improvement.
Impact and importance for organizations
Going through the certification process will require time and resources, so an organization will naturally wonder whether the end game is worth it. Businesses and non-profit organizations alike should consider the potential returns on investment and impact. Essentially they should ask, “What’s in it for me?” Here are some of the main advantages organizations may potentially benefit from.
International anti-bribery and corruption laws hold organizations accountable for the actions of their business partners and acquisitions. Thus, the standard due diligence process has evolved to include evaluations of a target’s or potential business partner’s approach to preventing bribery and corruption in their business operations. This is especially significant for companies of a smaller size with ambitions to grow; such firms are increasingly expected to have anti-bribery and corruption processes and controls in place to fulfill the compliance requirements of their large multinational business partners (especially those subject to the FCPA or the UK Bribery Act). Being able to demonstrate being ISO 37001 certified could be a powerful and differentiating factor for a company competing for such business opportunities.
It is also critical to demonstrate strong anti-bribery and corruption controls for existing relationships. Companies have developed comprehensive approaches to ongoing third-party risk management, which often include periodic monitoring and auditing of their business partners. A single supplier or distributor may undergo multiple ABC audits from different organizations in a single year — this disruptive practice has become a normal part of doing business. What if that supplier or distributor could instead provide an ISO 37001 certification to all of its business partners? I think this could potentially reduce the number, frequency and duration of audits and site visits from partner companies, ultimately resulting in cost and time savings for all involved.
Therefore, a certification under the new standard may become a convenient and valuable asset offering both competitive advantages and risk-mitigating and cost-saving measures to organizations on both sides of a business partnership.
Advantage vis-à-vis law enforcement / authorities:
The certification under the new international standard may also serve as a mitigating factor when it comes to actions taken by authorities against an organization for alleged bribery. As past experience shows, the authorities will consider a wide range of factors, such as self-disclosure, full cooperation and the existence of an effective compliance program, when determining the appropriate level of enforcement action. An organization being investigated, charged or prosecuted for potential misconduct related to bribery and corruption may offer the certification as evidence that it has made significant efforts to implement a proper and effective anti-bribery management system.
Of course, having the certification is not in itself a guarantee that an organization is immune to the risk of corruption or that no bribery has occurred. However, I still think that in this respect the advantages of getting the certification outweigh the cost of the investment needed to receive it.
In conclusion, the much-anticipated standard is here. It is widely welcomed by the global community of anti-bribery experts and covers the most important elements of a solid anti-bribery management system. The standard is flexible enough to be applied to organizations of various sizes, sectors and industries, and can produce a valuable return for organizations willing to invest in becoming certified. For now, it is safe to conclude that the standard offers a recipe for successfully managing the risk of bribery and represents a real step forward by the international community seeking to combat corruption.