As of Oct. 14, there is a new global standard for anti-bribery and corruption (ABC) management systems, courtesy of the International Organization for Standardization. Called ISO 37001, it means there is now an internationally recognized set of measures to prevent and detect bribery.
ISO 37001 will be a game-changer for ABC. It’s designed for use in both public-sector and private-sector organizations. We expect to see widespread international adoption by the former, which will in turn require that organizations wanting to do business with them are certified to the same standard.
Certification to ISO 37001 will become essential for companies wanting to do public-sector work, and we will see it quickly permeate through industry sectors. Companies not certified will be at a disadvantage.
What Does ISO 37001 Require?
ISO 37001 is designed to help organizations establish, implement, maintain, and improve an anti-bribery compliance program. It specifies a series of measures that the organization must implement in a reasonable and proportionate manner.
The approach is one that business recognizes: a management systems approach. The draft language is plain English, not legalese. ISO 37001 simplifies anti-bribery compliance and acts as a useful document to avoid a long and complex comparison between various competing national guides.
Companies operating internationally have to grapple with many different standards from many different countries. The United States is notable for its specific requirements, including those of the Department of Justice (DOJ) and the Securities and Exchange Commission (SEC).
The UK Bribery Act of 2010 also introduced an offense of corporate failure to prevent bribery. The defense for a company against this liability is to prove that it had “adequate practices” in place to prevent bribery.
Like the Bribery Act and DOJ/SEC guidance, ISO 37001 addresses tone at the top, due diligence, training, gifts and hospitality, books and records, and risk assessments. And, like the guidance, it speaks in terms of compliance programs that are “reasonable,” “appropriate,” and “proportionate.”
Although the ISO 37001 standard closely resembles existing ABC guidance in some respects, it sets out for the first time an internationally agreed-upon set of procedures. Companies can use and understand this standard when doing business with suppliers around the world. At a practical level, it will be universal shorthand for “we are OK to do business with.”
What’s more, the ISO is auditable, in that an independent third party can certify that a company’s procedures meet the internationally agreed minimum standard. In the UK, for example, it can be a defense for a company to have “adequate procedures” to prevent bribery. It will be a brave prosecutor who prosecutes a company for not having adequate procedures when a certificate for ISO 37001 is hanging on the wall in the firm’s reception area.
ISO 37001 deals with both active (paying) and passive (receiving) bribes by an organization, its personnel, or associates acting on the organization’s behalf or for its benefit. Thus it is valid for public- and private-sector organizations whatever their size, as well as non-governmental organizations.
Compliance-minded companies will have to put together plans to ensure their anti-bribery systems meet the exacting standards of ISO 37001.
For executives inside organizations, it gives clarity to the Bribery Act’s “adequate procedures” and the U.S. Foreign Corrupt Practices Act requirements for ABC systems. ISO 37001 helps compliance officers ensure that their program respects international good practice.
In addition, certification of an organization provides suppliers with reassurance that customers have adequate procedures in place. It helps companies all over the world to be more easily approved as partners, agents, or representatives. For the sake of a fairly nominal audit fee, one might ask — or certainly the directors of a company could ask — “Why don’t we just do it? What’s the downside?”
Consistency with Other Management Standards
ISO 37001 follows the common ISO method for management system standards, consistent with ISO 9001 and 14001. Compliance professionals working in jurisdictions with credible anti-bribery enforcement will find in this standard little that’s new. Each section promotes a standard that is “reasonable.” It follows the usual “plan-do-act-check” approach, including the requirements to:
- Implement an anti-bribery policy and program
- Appoint a compliance manager (who can be full-time or part-time) to oversee the program
- Assess bribery risks, including appropriate due diligence
- Take reasonable and proportionate steps to ensure that business associates have implemented appropriate anti-bribery controls
- Control gifts, hospitality, donations, and similar benefits to ensure they do not have a corrupt purpose
- Implement appropriate financial, procurement, and other commercial controls so as to help prevent the risk of bribery
- Implement reporting (whistle-blowing) procedures
- Communicate the policy and program to all relevant personnel and business associates
- Provide appropriate ABC training to personnel
- Verify as far as reasonable that personnel will comply with the anti-bribery policy
- Investigate and deal appropriately with any actual or suspected bribery
Although we expect wide adoption of ISO 37001, a number of well-meaning standards have devolved into fringe pursuits. The best guess is that ISO 37001 will track the acceptance of ISO 9001 — whose structure ISO 37001 mimics. ISO 9001 is the most popular global standard, now used by more than a million organizations in 178 countries. It’s a certified quality management system (QMS) for organizations that want to prove their ability to consistently provide products and services that meet the needs of their customers and other stakeholders.
Another popular standard, ISO 14001, is used by more than 220,000 organizations around the world. It sets out a framework that an organization can follow to set up an effective environmental management system.
Maintenance of ISO 9001 and/or 14001 have become almost essential for companies in many industry sectors. Likewise, adoption of ISO 37001 may quicken if it becomes the de facto substitute for supply chain anti-corruption questionnaires and/or serves, for early adopters, as a compliance and marketing differentiator.
For many years, both central and local governments have stipulated quality management systems in their tenders. By asking for ISO 9001 and 14001 from contractors, the public sector can prove it is spending taxpayers’ money wisely, while not having to waste time checking an organization’s credentials. They can just look for the ISO certification.
Procurement specifications often require certification as a condition to supply, so gaining certification to the standard opens doors. And as major organizations also realized the benefits of ISO certification, they started to demand it of their suppliers. ISO 9001, for example, is now almost a requirement in most governmental supply chains.
And for many companies, conformance to ISO 14001 is becoming a contractual requirement. In addition to its marketing benefits, the U.S. Environmental Protection Agency, for instance, provides regulatory incentives under its Common Sense Initiative program for organizations certified to ISO 14001.
So, it’s significant that several countries have already committed to having some central governmental agencies certified to ISO 37001. It will follow that organizations wanting to win tenders from those agencies will also need the certification. It seems inevitable that ISO 37001 will soon become a requirement for international public tender work, throughout the entire supply chain.
Getting Ahead of the Curve
Government agencies and regulators alike are going to need time to game out what ISO 37001 means in practice and how it will be assessed. Previous guidance under the UK Bribery Act and by the DOJ means many firms should already have structures in place which at the minimum guard against bribery and corruption as outlined under ISO.
Nevertheless, firms should take care to review any discrepancies between their existing programs now and get ahead of widespread implementation. Similarly, the expectation of global adoption makes it imperative for all firms to begin reviewing their existing compliance programs and making adjustments according to ISO 37001 — or to set in motion the process of establishing appropriate safeguards.
David Lawler is a managing director of global investigations and compliance for Navigant, a global professional services firm.