In risk and compliance circles, ISO 37001—the International Organization for Standardization (ISO) 37001 Anti-Bribery Management Systems Standard—continues to spark debate, with many of the discussions focusing on certification. This is a worthy topic, but even for companies not quite ready to take the certification leap, ISO 37001 can still offer value.
The standard can be a tool through which a company can measure the effectiveness of its anti-corruption compliance program, recalibrate compliance program effectiveness, improve risk management, and establish greater stability across its value chain.
Published in October 2016, the ISO 37001 Anti-Bribery Management Systems Standard is the first global anti-bribery compliance standard. It was designed by a multinational, multi-stakeholder group to be used by all manner of organizations—public, private, and non-profit—regardless of size, industry, or location. The goal of the standard was to provide a risk-based, business-centered framework to prevent and detect bribery and mitigate associated risks.
Movement toward Certification
Certification is often the goal with an ISO standard, and there has been some momentum in this area. The list of companies interested in certification includes organizations across industries and geographies, state-owned enterprises, and some public agencies, including global asset management firm Legg Mason; Terna Group and ENI SpA, both based in Italy; Robert Bosch Middle East, based in the UAE; French giant Alstom; Jersey-based IP management firm CPA Global; Mabey, an international provider of bridging and non-mechanical construction equipment headquartered in the UK; energy storage company Systems Sunlight in Greece; EKVITA, a legal and tax consulting firm based in Azerbaijan; Estre Ambiental, a Brazilian waste management company; Credit Agricole in France; Malaysian energy company Petronas; and others. Walmart and Microsoft have publicly announced their intent to seek certification as well.
The list of accredited certifying bodies that offer certification services continues to grow, albeit slowly. Certifying bodies that are interested in becoming accredited to offer certification must demonstrate a high level of competence in management systems, anti-bribery programs, and the ISO 37001 standard. As such, the process is time consuming, taking as long as a year to complete. This has resulted in a relatively small pool of certifiers. However, the lack of accredited auditors has not entirely deterred companies from moving forward to meet the standard, as ISO does not require the use of an accredited auditor. So far, over 100 companies have been certified under the standard.
Beyond adoption by individual companies, many national standards bodies have adopted ISO 37001, and some governments are encouraging its use. Several government agencies themselves have achieved certification, including Peru’s Development and Social Inclusion Ministry, Indonesia’s National Narcotics Board, and Malaysia’s Qualification Agency. And, while the standard is still voluntary, there has been discussion around making it a requirement for bidding on public contracts.
ISO 37001 has been met with challenges not unlike many new standards on the journey to broader acceptance. One such criticism is that the standard provides nothing new and is therefore unnecessary. In reality, the standard was not meant to impart new requirements, but instead to harmonize existing guidelines. Another criticism is that ISO 37001 does not include some necessary elements from other guidelines. Our reading of the standard is that while there are variations in language and detail, there are few differences in the essentials. The standard’s requirements go beyond other guidelines in some areas, in terms of detail and implementation guidance. For more on this point, see the Anti-Corruption Guidelines Reference, which compares ISO 37001 to pre-existing guidance. Some have also argued that this is simply a mechanism that can be used as a “one and done” method of creating a program. However, the standard requires regular monitoring, auditing, and continual improvement.
Harmonization for Global Stakeholders
Certification can be very valuable as a means of demonstrating compliance, especially in the areas of non-financial disclosures supporting corporate social responsibility efforts or if the standard becomes a requirement. But certification aside, the standard itself holds value for many organizations as a tool to support existing efforts around anti-bribery.
ISO 37001 can provide a framework for companies with less mature compliance functions to develop a program. Those with more mature programs can use the standard to benchmark the strength of their program, look for areas of improvement, or create a backdrop for reporting and disclosure statements. Assessments with maturity-based questions, such as the one offered by CREATe Compliance, an Ethisphere company, offer a way to benchmark against the standard and its requirements.
Companies can also employ ISO 37001 to measure and evaluate third-party partners across their value chain. ISO 37001 has harmonized existing regulations and standards across countries, creating a consistent rubric and common language. Additionally, third parties may be more comfortable working within a globally known and jurisdiction-neutral standard.
The standard’s operational and risk-based approach provides guidance the business person can understand without the need to translate “legalese.” It also provides practical guidance on how to design and implement an anti-bribery system for companies that have a less mature anti-bribery program. ISO 37001 provides a manageable scope for small and medium-sized businesses. And many multinational companies have third party partners in their value chain that are far from having a mature program because of their size, country of origin, level of compliance program experience, or the nature of their industry. An organization and its partners may benefit from having a neutral, international set of measures and controls that can be fit to the unique needs of each business and provide a road map for implementation and monitoring. Use of ISO 37001 can allow an organization to ensure consistent application of anti-bribery standards throughout its value chain while simultaneously supporting the improvement of those activities within each third-party partner.
About the Author:
Leslie Benton is the Vice President of CREATe Compliance; and VP of Stakeholder Engagement for the Center for Responsible Enterprise And Trade (CREATe.org). Ms. Benton is one of the ISO 37001 Anti-Bribery Management Systems Standard drafters as a member of the U.S. Technical Advisory Group to the ISO committee developing ISO 37001. Ms. Benton is a former Senior Vice President of Levick Strategic Communications, where she led the anti-corruption and compliance communications practice. Previously, she was the Senior Policy Director for the U.S. chapter of Transparency International, where she spearheaded the chapter’s outreach to the U.S. Government, the G8 and G20, international institutions, multilateral development banks and the private sector. A lawyer by training, Ms. Benton is widely recognized for her experience in navigating the complex legal and regulatory landscape for NGOs and Fortune 500 companies in addition to her expertise in corporate compliance and governance, and anti-corruption reform.