Weighing the issues of ISO 37001 certification

Now that the compliance community has had a few months to digest the requirements of ISO 37001—the first internationally recognized and certifiable anti-bribery minimum standards program—some common questions have emerged. Foremost among them: What is the value in getting ISO 37001-certified? Who is going to provide certification? What considerations should go into choosing a certification body?

Answers to those questions and more were discussed last week in a webcast sponsored by KPMG to delve further into what is going to be “an increasingly hot topic in the months ahead,” said Gary Giampetruzzi, a partner at law firm Paul Hastings.

In October 2016, the International Organization for Standardization (ISO)—an independent, non-governmental group with a membership of 162 national standard-setting bodies—published the final version of ISO 37001. The standard is designed to help all organizations—public, private, and non-profit—prevent and detect bribery in their own operations and throughout their global supply chains.

ISO 37001 builds upon many other forms of anti-bribery guidance already in place, including the U.S. Sentencing Guidelines, the FCPA Resource Guide, the U.K.’s Ministry of Justice Bribery Act Guidance, and the OECD Good Practice Guidance. Supporters of the standard note that ISO 37001 generally provides even more granularity than many other forms of guidance out there. “It’s quite complex and quite extensive,” Giampetruzzi said.

Specifically, in addition to the 10 core anti-bribery principles set out in ISO 37001, “Annex A” provides additional guidance on how to implement these principles. Such sub-sections cover the scope of an anti-bribery management system; how to conduct a bribery-risk assessment; the roles and responsibilities of the governing body and top management; awareness and training; third-party due diligence; and much more.

“All of this fosters auditability,” said Corinne Lammers, a partner at law firm Paul Hastings. “Once a company has designed a compliance program that is consistent with ISO [37001], they then can audit that program in adherence to the standard, whether or not they seek ISO certification.”

“Once a company has designed a compliance program that is consistent with ISO [37001], they then can audit that program in adherence to the standard, whether or not they seek ISO certification.”
Corinne Lammers, Partner, Paul Hastings

Weighing certification. Whether or not to seek ISO certification is a significant question still weighing heavily on the minds of many companies right now across all industries. In a survey jointly conducted by Compliance Week and STEELE Compliance Solutions to assess what preliminary response that companies had to ISO 37001, 20 percent of 112 respondents said they are “very likely” to seek ISO 37001 certification, while 36 percent answered “somewhat likely.” Another 21 percent said it’s “not likely,” while the remaining 22 percent were undecided.

“Those opinions will evolve,” said Giampetruzzi, referring to the survey findings. “I think we’re going to see these results break more strongly in the next six to twelve months and break toward people—either for internal purposes or for certification purposes—embracing [ISO 37001 certification] beyond what these preliminary numbers suggest.”

The survey findings also indicate that many companies’ anti-bribery compliance programs are likely at various stages of maturity. “The way in which a company uses the ISO standard may depend on the stage of development of a company’s compliance program and what its risk profile looks like,” Lammers said.

For example, a company with a very robust compliance program that’s already regularly conducting risk assessments and benchmarking its anti-bribery compliance program may use this as a guide for perfecting its program, or use it as a benchmark to evaluate potential business partners, Lammers added.

On the opposite end of the spectrum, other companies may use it to develop and implement an anti-bribery compliance program from the ground, up, she said. The real legwork more likely will fall on companies in countries where the risk of bribery and corruption is especially high—such as Asia-Pacific, Mexico, Africa, and the Middle East—where anti-bribery compliance programs tend to be less mature than their Western counterparts.

WILL YOU SEEK ISO 37001 FOR YOUR ABAC?

As it stands now, however, many unanswered questions still surround ISO 37001 for which only time can answer: To what extent will ISO 37001 certification matter? Will the size or maturity level of a company’s anti-bribery compliance program determine the scope of ISO 37001 certification? Will ISO 37001 certification become more meaningful in certain regions of the world than others?

The effect of ISO 37001 largely will depend on the extent to which companies begin to use the standard, whether they will use it to seek certification or use it to benchmark their own anti-bribery compliance programs, or both.

Another potential benefit of ISO 37001 certification is that it can be used as an important market differentiator. For example, when deciding what business partner or third party to do business with overseas, or when looking to engage in a joint venture, wouldn’t the company be more comfortable doing business with a firm or individual that is ISO 37001 certified as opposed to one that is not?

“I think it will, especially when you get into riskier countries abroad,” said Jeffrey Garfield, a managing director for KPMG’s advisory services practice focusing on investigations and regulatory enforcement. Just as companies traditionally have used the implementation of a compliance program as a competitive advantage, “I think ISO certification is going to be used in a very similar manner,” he said.

Choosing a provider. Now that ISO 37001 has been formally published, companies have the opportunity to obtain certification from accredited third parties if their anti-bribery compliance programs meet the standards’ stringent criteria. That being said, certification bodies are only in their infancy, and the certification process itself is still fraught with uncertainty.

Right now, across the globe, some firms and individuals are getting accredited to provide ISO 37001 certification, and understanding their expertise and qualifications will be critical, Garfield stressed. Companies may be certified by a non-accredited firm or individual, “but those that are accredited are going to hold a little bit more water externally,” he added.

When choosing a certification body, ISO recommends the follow measures:

Check if it is accredited. Accreditation is not compulsory, and non-accreditation does not necessarily mean it is not reputable, but it does provide independent confirmation of competence. To find an accredited certification body, contact the national accreditation body in your country or visit the International Accreditation Forum.

Evaluate several certification bodies;

Check if the certification body uses ISO’s Committee on Conformity Assessment (CASCO) standard;

“The certification process is going to be only as good as the robustness of the underlying review,” Lammers stressed. “To the extent that a company seeks certification from an unaccredited entity, or one that isn’t deeply versed in this ISO standard, it’s likely going to be of less value and a less robust process and something the company should consider when they’re determining who is going to conduct that certification process for them.”