The corporate world is awash in global standards: accounting, risk management, information technology, quality and safety management, and much more. Little surprise, then, that a uniform international standard for the prevention and detection of bribery would eventually enter the picture, too.
The International Organization for Standardization (ISO)—an independent, non-governmental group with a membership of 162 national standard-setting bodies—this month published the final version of ISO 37001. It is the first internationally recognized and certifiable anti-bribery minimum standards program, designed to help organizations of all sizes in the public, private, and non-government sectors combat bribery risk in their own operations and throughout their global supply chains.
Neill Stansbury, director of the Global Infrastructure Anti-Corruption Centre and chair of ISO’s project committee, notes that the changes between the draft standard, published for international comment in January 2016, and the final version are not material from a compliance practitioner perspective. “All the key controls required by the draft remain, and none have been added,” he says. “The changes were mostly minor changes to improve the wording rather than to change the content.”
Nothing in the standard should come as a surprise to any compliance officer whose organization already has in place a world-class anti-bribery program.
Specifically, ISO 37001 sets out requirements for:
Anti-bribery policy and procedures;
Senior management leadership, commitment, and responsibility;
Oversight by a compliance manager or function;
Risk assessments and due diligence on projects and business associates;
Financial, procurement, commercial, and contractual controls;
Reporting, monitoring, investigation, and review; and
Corrective action and continuous improvement.
Now that ISO 37001 has been formally published, companies have the opportunity to obtain certification from accredited third parties if their anti-bribery compliance programs meet the standard’s stringent criteria. That being said, certification bodies are only in their infancy, and the certification process itself is still fraught with uncertainty.
“I don’t think we’re even ready at this point,” says Nina Gross, leader of BDO’s global forensics practice in Washington, D.C. A lot more conversations need to be had about what certification would look like, and what that even means, who would or could perform certifications, and how global regulatory bodies react to them, she says.
Uncertainty also surrounds the certification bodies themselves. During a webinar hosted by Compliance Week on Oct. 20—Anti-bribery compliance with ISO 37001 lagging—Leslie Benton, vice president of advocacy and stakeholder engagement for ISO Technical Advisory Group, said that certification bodies in the United States are “a little bit behind the curve,” unlike in the United Kingdom, where they’ve already accredited some auditors to certify the standards.
Criticism and praise
Publication of ISO 37001 has elicited passionate debate from all sides of the compliance community on whether its implementation was truly necessary. “For big multinational Western companies—U.S., European, Canadian, Australian—the ISO standard might actually be of little consequence,” Gross says. Many of these companies already have robust anti-corruption programs and have dedicated significant time and resources to anti-bribery compliance for years, she says.
Critics of the standard point to similar anti-bribery guidance that already exists, including the FCPA Resource Guide issued by the U.S. Department of Justice and the Securities and Exchange Commission and the Adequate Procedures guidance issued by the U.K. Ministry of Justice, in addition to other international anti-bribery standards.
“The bottom line is we don’t need another standard in anti-corruption,” says Rebecca Goldman, vice president of commercial law at Rockwell Automation, a U.S. provider of industrial automation and information products.
Rockwell Automation is just one of several companies that said it will not be obtaining ISO 37001 certification. According to a recent survey jointly conducted by Compliance Week and STEELE Compliance Solutions, 21 percent of 112 respondents said it’s “not likely” they will seek ISO 37001 certification, while another 22 percent said they were undecided.
A separate survey of member companies conducted by TRACE International, a non-profit business association in the anti-bribery space, revealed similar findings, in which half said they had no plans to certify. When asked why, the top answer, cited by 75 percent of respondents, was that they already have confidence in their current anti-bribery program.
More than half (62.5 percent) also reasoned that enforcement agencies haven’t endorsed the standard, and 58 percent of respondents said they don’t have confidence in the “quality of the review process or the reviewers.” Time commitment and burden placed on internal staff to facilitate certification was also a concern, cited by 46 percent of respondents to the TRACE survey.
[Chart: Do you know ISO 37001? Survey question: To what extent is your organization familiar with the draft version of the ISO 37001 anti-bribery standard?]
Other critics in the compliance community point to the level of flexibility afforded by the standard as being potentially detrimental to some compliance programs. ISO 37001 was developed to be flexible enough for an organization to implement policies, procedures, and controls in a manner that is reasonable and proportionate to its size, geographic region, scale, and complexity of its operations.
What is “reasonable and proportionate” for each organization, however, is not an auditable standard, says Alexandra Wrage, president and founder of TRACE. “They are incredibly judgment-laden,” she says.
Moreover, many compliance officers already put considerable thought, effort, and resources into their anti-bribery compliance programs. Some companies have hundreds, even thousands, of full-time compliance staff who have dedicated years to tweaking and perfecting their programs.
So to have ISO 37001 inspectors, whose level of expertise is not yet known, superimpose their judgment over compliance teams that have been working in the anti-corruption space for years could undermine their programs, Wrage says. “In many respects, this is an incredibly superficial test for a really complicated process,” she says.
Still, others look to the implementation of ISO 37001 as a positive development for the anti-bribery compliance community overall. Critics of ISO tend to focus only on the substance of the standards, rather than the bigger picture, “so it’s easy to underestimate the importance of this,” says Matt Herrington, a partner at law firm Steptoe. “It’s quite important just in that it exists.”
Publication of ISO 37001 signals a “coming-of-age moment” for the anti-corruption compliance space, which is being recognized by ISO as one of the disciplines that is critical for high-performing organizations to get right, Herrington says. It’s also encouraging that anti-bribery is being taken as seriously as all of the other 20,000 ISO standards that companies look to for guidance and best practices every day, he says.
Gross says that critics of the standard need to look at its implementation from a broader perspective: “What could this mean globally for the anti-corruption movement and globally for compliance?”
Companies in emerging markets, for example, whose anti-bribery compliance programs are not as mature as those of their Western counterparts, have much to gain by obtaining ISO 37001 certification. In regions like Latin America, the Middle East, and Africa, ISO 37001 “may provide their government and companies a way to move the compliance effort along,” Gross says.
Additionally, for a company that finds itself entangled in a bribery investigation, particularly one in a high-risk country, ISO 37001 certification may provide an additional level of proof to present to enforcement authorities that the company has taken reasonable steps to reduce bribery risk.
Other proponents of the standard say just having the standard is beneficial for the compliance community overall, even beyond high-risk regions of the world. “There are a lot of companies that aren’t doing very much at all,” Benton said during the Compliance Week webinar. ISO 37001 can be a tool to help them implement, maintain, and improve their anti-bribery program, she said.
“It’s an incredibly positive move forward,” says Kristy Grant-Hart, CEO of Spark Compliance Consulting. “Traditionally, compliance officers have looked to best practices and benchmarked their anti-bribery programs against each other.”
“For compliance officers trying to make their anti-bribery compliance programs the best that they can be, however, this standard gives the compliance community the opportunity to verify independently that they have a world-class anti-bribery compliance program in place,” says Grant-Hart, former chief compliance officer at United International Pictures, the international distribution company of Paramount and Universal Pictures.
Grant-Hart, whose firm is a provider of ISO 37001 certification, says she’s already received “numerous inquiries” from companies across a variety of industries who have expressed interest in wanting to be one of the first ones out of the gate to be ISO 37001 certified.
Findings from the Compliance Week/STEELE survey show that many other companies are weighing the possibility of certification. Twenty percent of respondents said they are “very likely” to seek ISO 37001 certification, while 36 percent answered “somewhat likely.”
When weighing certification, it’s important for the compliance community to understand what ISO 37001 will not do:
ISO 37001 is not a silver bullet. It will not demonstrate that a company’s anti-bribery standard is reasonable and proportionate to the specific risks faced by the company itself.
ISO 37001 does not act as a substitute for all anti-bribery laws worldwide. Thus, meeting the ISO 37001 requirements does not mean that the company also meets the specific legal requirements of countries where it operates.
ISO 37001 is not foolproof. No anti-bribery program in the world, no matter how robust, can guarantee the prevention of all acts of bribery all the time. On a related note, it won’t shield organizations from investigations, such as whistleblower reports to regulators.
ISO 37001 addresses only bribery. It does not address other criminal offenses such as fraud, cartels, anti-trust, and money laundering.
Even without certification, however, a company can still use ISO 37001 to benchmark its own program, gaining comfort that its anti-bribery system is internationally compliant. If you’re a company with nothing in place or an immature anti-bribery program in place or you’re thinking about expanding your global footprint, “this might be a great starting point,” Gross says.
No matter which side of the fence those in the compliance community land on, ISO 37001 is here to stay. “We’re really in a wait-and-see mode,” Gross says. “We’re going to have to see how governments and prosecutorial agencies and international bodies around the world respond to this and then progress from there.”