In October 2016, the International Organization for Standardization (ISO) published ISO 37001, the first anti-bribery management system standard designed to help organizations prevent, detect and address bribery. ISO 37001 includes a series of measures and controls that represent global anti-bribery best practices. These measures and controls include the following and are designed to help an organization implement an anti-bribery management system from scratch or to enhance controls already in place:
- Adopt an anti-bribery policy
- Appoint a person to oversee anti-bribery compliance
- Implement appropriate training
- Conduct risk assessments
- Perform due diligence on projects and business associates
- Implement financial and commercial controls
- Institute reporting, monitoring and investigation procedures
- Execute corrective actions
The ISO 37001 standard is designed to be used by any organization regardless of its size (large or small), its nature (public, private or not-for-profit) and the bribery risk it faces. By implementing ISO 37001, organizations can demonstrate to their stakeholders that internationally recognized anti-bribery controls are in place. In addition, certifying compliance with the standard lends credibility to the organization; certification is obtained through an audit conducted by a third-party certification body, is valid for three years, and is subject to yearly surveillance reviews.
What do U.S. Authorities Say about ISO 37001?
It is not clear whether U.S. regulators view ISO 37001 as particularly helpful in evaluating Foreign Corrupt Practices Act (FCPA) compliance programs, and the U.S. Department of Justice (DOJ) has not stated unequivocally whether it intends to adopt the standard or whether ISO 37001 certification will carry meaningful weight. Based on comments from DOJ Fraud Section senior leadership, it appears that ISO 37001 certification may be factored into FCPA investigations, including efforts by companies to remediate their programs by implementing ISO 37001. However, DOJ policies also require prosecutors to independently assess an organization's compliance program; while a certification may be a point of reference, it cannot substitute for the prosecutors' own inquiries and judgment.
Thus, ISO 37001 certification should not be viewed as a "silver bullet" or "check the box" substitute for establishing an internal FCPA compliance program, nor as a replacement for other FCPA guidance and considerations. The certification should be viewed for what it is: evidence of meeting a very high standard of leading global anti-bribery practices.
Are Organizations Adopting ISO 37001?
Some major U.S. corporations are beginning to seek ISO 37001 certification. For instance, Microsoft and Wal-Mart have announced plans to seek certification, and this will likely lead to certification efforts among their vendors, distributors, and customers.
Internationally based companies are also obtaining certification. France's Alstom (which was once the target of a major DOJ investigation for violating the FCPA's anti-bribery provisions) became one of the first companies in the world to be certified as ISO 37001 compliant. The German company Bosch and Italy's Terna Group and ENI have also been certified.
Additionally, the governments of Singapore, Peru and Nigeria have all indicated they will be seeking certification for their governmental agencies and related groups.
Is ISO 37001 Certification Right for Your Organization?
It is sometimes difficult for an organization to decide whether to pursue certification to a new ISO standard. U.S. authorities have neither required nor formally endorsed this standard, and it is only now gaining adoption among key large companies. In determining whether ISO 37001 certification is right for your organization, it may make sense to consider the following factors:
- Your organization is ISO-certified in other areas. Many organizations have achieved the popular ISO 27001 (information security management systems) and ISO 9001 (quality management systems) certifications. Companies with prior ISO certifications understand how such certifications can be used and are willing to commit the (often substantial) budget and resources required to build out an ISO-compliant program. Consider whether your company is able to allocate appropriate resources and is in a position to provide the extra investment and attention an ISO 37001 compliance/certification program requires.
- Your organization is mature and has strong governance. Not only does your organization need to be mature enough to develop an ISO program, but keep in mind that it will also have to undergo yearly surveillance audits and a full recertification every three years. The audits will vary in length and inconvenience depending on the certification body your organization uses, but you should assume that your organization will be disrupted for several days each year. The certification process itself is even more onerous, and repeating it every three years requires an experienced organization capable of handling detailed inquiries.
- Your organization is under investigation by regulators. If your company is at risk of, or is currently under, government review or investigation for anti-bribery violations, ISO 37001 certification may provide a framework for that review and help demonstrate to the government your commitment to taking positive steps to enhance your compliance program. If a monitor is appointed to your organization, having the ISO certification in place can also give the monitor a recognized structure for assessing your anti-bribery compliance program.
If none of the above characteristics apply to your organization, you may wish to refrain from seeking ISO 37001 certification at this time and instead wait and assess broader regulator feedback. In the meantime, there are steps you can take now to strengthen your anti-bribery compliance program:
- Consider working to become ISO-compliant (as opposed to obtaining ISO certification). Being ISO compliant means your company's management system fully adheres to the requirements of the standard but has not been certified by a third party. Some of the burdens associated with continuous certification, reviews and audits are therefore avoided. Working toward ISO 37001 compliance gives your organization a place to start and will strengthen an existing program; it is beneficial to think through your company's processes and how they can be improved to meet the requirements of ISO 37001.
- Use resources to engage outside help to improve your program. Rather than prematurely engaging a certification body to assess your anti-bribery program, allocate resources and budget to obtain outside help to improve it, such as developing a risk assessment methodology and process. Dedicating resources to building the program now will make it easier to meet the more rigorous ISO 37001 requirements if you choose to pursue certification in the future.
Anti-bribery is a challenging issue for companies across the globe, and ISO 37001 provides additional guidance to help organizations design and implement an effective compliance program. Although ISO 37001 certification may be appropriate for your organization, it should not be viewed as a replacement for the FCPA Resource Guide; certification can, however, serve as an important supplement to that guidance.