Even as the push to adopt a uniform international anti-bribery management system standard gains momentum on a global scale, many companies say their anti-bribery compliance programs still are not up to par.
That finding emanates from a recent survey jointly conducted by Compliance Week and STEELE Compliance Solutions to assess what preliminary response companies have to ISO 37001—a proposed new anti-bribery management systems standard currently under consideration by the International Organization for Standardization (ISO), an independent, non-governmental group comprised of the national standards bodies from 163 member countries.
ISO published draft ISO 37001 in 2013 as part of an international project to come up with a consistent language and framework globally regarded as anti-corruption best practice that companies of all sizes in the public, private, and non-governmental sectors can implement to prevent, detect, and address bribery, wherever they do business. Once published by the end of this year, ISO 37001 will give companies the opportunity to obtain certification from accredited third parties if their anti-bribery compliance programs meet the standard’s stringent criteria.
ISO 37001 builds upon many other forms of anti-bribery guidance already in place, including the U.S. Sentencing Guidelines, the FCPA Resource Guide, the U.K. Bribery Act Guidance, and OECD Good Practice Guidance. “For U.S. multinationals with anti-bribery programs that meet existing guidance, obtaining certification shouldn’t be particularly difficult,” says Dennis Haist, general counsel and chief compliance officer at STEELE.
The real legwork more likely will fall on companies in countries where the risk of bribery and corruption is especially high—such as Asia-Pacific, Mexico, Africa, and the Middle East—where anti-bribery compliance programs tend to be less mature than their Western counterparts.
“It’s going to be a challenge to bring their anti-bribery management standards up to the ISO standard,” Haist says. For companies in those countries, “it will be a major commitment of time and money to implement and maintain certification.”
Among its many requirements, ISO 37001 places significant importance on taking a risk-based approach to due diligence as it applies to business associates. Simply taking a traditional approach of conducting database checks against watch lists—such as OFAC’s Specially Designated Nationals (SDNs) list—may not be enough to satisfy ISO 37001 certification.
Instead, the draft version of ISO 37001 recommends that due diligence “may include” a variety of other measures, such as:
A questionnaire sent to the business associate to assess its level of risk;
A web search on the business associate, its shareholders, and top management to identify any bribery-related information;
A search of government, judicial, and international resources for relevant information;
Checking publicly available debarment lists of organizations that are restricted or prohibited from contracting with public or government entities kept by national or local governments or multilateral institutions, such as the World Bank;
Making inquiries of appropriate other parties about the business associate’s ethical reputation; and
Appointing other individuals or firms with relevant expertise to assist in the due diligence process.
According to the findings of the Compliance Week/STEELE survey, however, most companies have indicated that their due diligence procedures do not fully align with these requirements. Only 34 percent of 112 compliance professionals surveyed said they are “fully in compliance,” while another 39 percent said further changes to their anti-corruption programs will need to be made. Another 10 percent said they are “not even close,” while the remaining 17 percent said they are unsure.
Of those who said they are making changes to their anti-bribery practices and procedures to satisfy ISO 37001, such measures include training, assigning a specific individual or team to implement ISO 37001, performing a gap analysis, and more.
ISO 37001 lays out other hallmarks of a robust anti-bribery compliance program as well, including leadership and commitment from senior management with respect to the company’s anti-corruption compliance program; anti-bribery policies, procedures, and controls; an independent compliance function; and whistleblower procedures and protections. Companies must further undertake enterprise-wide risk assessments; proper due diligence on intermediaries and transactions; anti-bribery training; monitoring and auditing; and remediation measures following actual or alleged bribery.
Whether or not to seek ISO 37001 certification is a decision that many respondents said they are currently weighing. According to the survey, 20 percent of respondents said they are “very likely” to seek ISO 37001 certification, while 36 percent answered “somewhat likely.” Another 21 percent said it’s “not likely,” while the remaining 22 percent were undecided.
Furthermore, many compliance officers are still trying to wrap their arms around exactly what ISO 37001 requires. More than half of respondents expressed having at least some level of familiarity with the standard’s 50 pages of criteria, while another 42 percent said they are “not at all familiar” with the standard.
At this stage in the game, the idea of ISO 37001 is still so new that many companies are hesitant to be the first to publicly pursue this in any meaningful way, says STEELE CEO Eric Lochner. That being said, once the first few companies pursue ISO 37001 certification, “then I would imagine you’ll start to see a lot of folks immediately following,” he says.
Companies of all sizes can gain several potential benefits from achieving ISO 37001 certification—from large multinationals facing substantial bribery and corruption risks to small and mid-size enterprises (SMEs) seeking a competitive advantage. SMEs that achieve ISO 37001 certification “are going to be more attractive to large multinational buyers,” Haist says.
Additionally, for a large global company that finds itself entangled in a bribery investigation, ISO 37001 certification may provide an additional level of proof that the company has taken reasonable steps to reduce bribery and corruption risk. Even companies that don’t get certified can use the standard to benchmark their own anti-bribery compliance programs, Haist says.
ISO 37001 certification is not meant to provide any assurances that no bribery has occurred or will occur in the future at a company. ISO 37001 addresses only bribery, and does not address other criminal offenses such as fraud, cartels, anti-trust, and money laundering.
Compliance officers also should be aware that some countries have enacted legal requirements that aren’t necessarily shared by other countries. According to ISO, if a provision in the standard is illegal in a particular country, “an organization will not be required to comply with that requirement, but can comply with the remainder of the standard.”
All that being said, nearly 90 percent of respondents agreed that a global anti-bribery standard will result in more companies adopting or improving their compliance programs. “That’s a large percentage, and it speaks to the value of a comprehensive standard for program development,” Haist says.
Overall, implementation of ISO 37001 can only benefit compliance officers at multinational companies. “If the board, audit committee, and the CEO all mandate certification—or benchmarking against the ISO 37001 standard—the chief compliance officer’s job becomes that much easier,” Haist says.
“It is certainly my hope that you have forward-thinking chief compliance officers that will want to take this and run with it,” Lochner says. “If I was a CEO of a large multinational, or sitting on the board of a large multinational, this is one of the things I’d be asking my chief compliance officer for their view on.”