The drumbeat of those supporting ISO 37001 continues. The Man From FCPA finds it to be misplaced as anything close to the international standard for anti-bribery/anti-corruption programs. It leaves both the recipients of the certification and those who make the mistake of relying upon it in the same position: worrying more about the paper part of compliance than actually doing compliance by operationalizing it into the DNA of your organization.
While there is certainly nothing wrong with laying out what should go into a compliance program, ISO 37001 has features which make it less than ideal. The first is the claim that the standard is as good as law. Make no mistake, the standard is not law. Next is the focus on having a paper program. The 2012 FCPA Guidance, jointly issued by the DOJ and SEC, made clear that an effective compliance program is based upon a company assessing its own risks and then setting up a program to manage those risks going forward. The ISO standard also misses the boat on internal controls. ISO 37001 includes only a general mandate that a company implement financial controls to mitigate bribery risks.
Beyond the structural defects noted above, there are an equal number of problems around the certification process. It does not matter how many certifications a third party might have; the issue is whether they are doing compliance. That is why the most crucial step in the third-party management lifecycle is the fifth and final step: managing the relationship after the contract is signed. The key issue for any company is whether its third parties are doing business in compliance, under the terms and conditions of the contract and under the statements, promises and obligations set out in the five-step third-party management process.
The first company to achieve an ISO 37001 certification was ENI. The same week that ENI proudly announced this result, Italian authorities announced both the company’s current and most recent Chief Executive Officers would stand trial for approving bribes paid by the company. One might reasonably ask how a company could receive a certification for its “AntiBribery Management Systems” when both its current and former chief executives are under indictment for ‘international corruption’?
The Justice Department, SEC and Serious Fraud Office (SFO) continually make abundantly clear that a company is responsible for its counter-parties not violating applicable anti-corruption laws. Put another way, a third party with an ISO 37001 certification who violates the FCPA, UK Bribery Act or any other similar law puts your company at just as much risk as a third party with no ISO 37001 certification.