In October 2016, the International Organization for Standardization (ISO) established the first and only internationally recognized and certifiable Anti-bribery Management Systems Standard, ISO 37001, designed to assist global organizations in their fight against bribery and corruption. The Geneva-based ISO developed this new Standard over the course of three years, during which delegates from more than 50 countries, representing a wide range of industries, agreed on a set of principles that companies of all sizes (public, private and non-profit sectors) can implement to prevent, detect, and address bribery throughout their organizations.
Fast-forward one year, and global corporate adoption rates for ISO 37001 certification have been on the rise, albeit at a somewhat moderate pace, as the broader industry takes a wait-and-see approach. Some Compliance professionals remain skeptical, questioning the merits of certification. “What you will see when speaking with different organizations considering implementing 37001 is that it is a relatively new standard, so a lot of organizations are trying to understand what does it mean and how does it impact them,” a Corporate Compliance Executive of a major Fortune 500 company said.
ISO 37001 is the first certifiable standard for global organizations to be able to document and show their customers, shareholders, third-party suppliers, and regulatory oversight committees that an anti-bribery management system is in place, and that it was implemented to meet best global practices. One thing it does not do, however, is fully eradicate the existence of cultural and ethical lapses within an organization.
“No ISO standard is a silver bullet,” said Scott McCleskey, a Regulatory Compliance professional with over 25 years of experience in the United States and Europe, and a Senior Vice President with Eukleia, a Compliance training consultancy. “You do not get an ISO standard and then think you’re not going to have bribery in your organization.”
Still, ISO 37001 can be used as a valuable tool for organizations to leverage in terms of evaluating and building out their own internal anti-bribery and corruption programs, as well as evaluating the programs of the members of their value chain. Organizations may now require their third-party suppliers to obtain certification before partnering with them – a potentially significant milestone for the industry given that a majority of bribery enforcement actions involve third-party misconduct.
“From a small to medium business perspective, there is a huge opportunity for these companies to differentiate themselves from their competitors. In terms of the broader spectrum of risks, the privacy and security piece cannot be understated,” said the Corporate Compliance Executive.
However, some Compliance professionals question whether ISO 37001 goes beyond the current best practices already in existence in the anti-bribery space. Many of the requirements highlighted in the new Standard do not differ much from current regulations such as the Foreign Corrupt Practices Act (FCPA), issued by the US Department of Justice (DOJ), and the UK Bribery Act, issued by the UK Ministry of Justice. “If you look at the standard closely, there’s not a whole lot new in there,” said McCleskey. “I view it as a statement of best practice…a kind of gut-check. Am I doing the right things?”
- Adopt Anti-Bribery Policy
- Conduct Bribery Risk Assessments
- Manager of Function
- Provide Training
- Monitor Implementations
- Due Diligence on Third Parties
In a typical ISO 37001 certification process, there are three different parties involved:
- Consultants – prepare the organization for certification
- Certification Auditors – inspect the anti-bribery program; provide proof that the organization meets all standards of the program
- Certification Body – grants certification; reviews audit reports and determines whether the organization meets requirements
While ISO 37001 has not been formally endorsed by the DOJ or the SEC, there have been some notable U.S.-based multi-national corporations seeking certification this year. Both Walmart and Microsoft have applied for certification, and will likely want their suppliers and value chain to be certified as well. The adoption of 37001 by Microsoft and Walmart may be a sign that companies are beginning to recognize the value of having an internationally recognized standard, but some in the industry remain skeptical that adoption rates will catch fire anytime soon, specifically for more sophisticated organizations like banks, which operate under much greater regulatory scrutiny.
“Our view is that we don’t think it would be that helpful. If we ever found ourselves in a position where we had to talk to the SEC or DOJ about our compliance program, we do not think (37001) would be a value-add,” said a Chief Anti-Bribery & Corruption Officer from a top-tier global bank. “I am not sure (37001) goes to the right level or the right depths in terms of demonstrating the strength of your program.”
Hui Chen, an anti-corruption expert who formerly served in the DOJ’s Fraud section of the criminal division, also questioned the value of certification, citing a lack of statistical evidence to prove an implementation of such a “management system” would be effective in reducing instances of bribery. Ms. Chen takes her critique of 37001 a step further, raising her concerns around the quality of the people conducting the certification, and the methodology used in the certification process. “There is really no certification for the certifier… that concerns me,” she said. “Without some level of standard, there is no consistent methodology and no consistent quality assurance of the certifier.”
Unsurprisingly, Ms. Chen does not feel strongly about ISO 37001 certification. “People have asked me, ‘how would the DOJ view ISO certification?’ My answer is in line with what the Fraud section has consistently given, which is, we would not outsource our job.”