It’s been a month since ISO 37001 was published and there are some questions we have heard percolating in the compliance world about what this means. These are the questions we’ve been hearing the most:
1.What is the elevator pitch for the standard?
ISO 37001 is an international good practice standard that is focused on anti-bribery and corruption and can be used in all jurisdictions and geographies. It comes from a long-standing and well-respected international organization that is best known for quality and environmental standards that have been adopted around the world.
Bribery risks will vary depending on the size of an organization, the locations and sectors in which it operates, and the nature, scale and complexity of its activities.
It is applicable to small, medium and large organizations in all sectors, including public, private and not-for-profit. Although applicable to organizations across the spectrum, there is no one-size-fits-all solution for implementation. Bribery risks will vary depending on the size of an organization, the locations and sectors in which it operates, and the nature, scale and complexity of its activities.
In relation to the UK Bribery Act (UKBA) or the U.S. Foreign Corrupt Practices Act (FCPA) Guidance, nothing really new is required or expected as a result of ISO 37001; however, organizations will now be able to obtain certification of their programs from a third-party nonprofit organization.
2.What are the pros and cons of getting certified?
- Certification may effectively result in an external risk assessment and “stamp of approval” of an organization’s anti-bribery and corruption program. This may offer a degree of comfort for boards and executive teams.
- It will provide proactive evidence of a program’s commitment to identifying and reducing bribery.
- It may be more palatable to non-U.S. companies and, if widely adopted along with the other international anti-bribery and corruption standards, it could create a level playing field and benefit all competitors, consumers and governments.
- ISO standards have traditionally been more directed to manufacturing processes and safety standards such as how many eye-wash stations or first-aid kits per capita an organization has and could be seen as a “check-the-box” exercise.
- Many compliance decisions are based on “reasonable” subjective decisions and strong due diligence processes still don’t take the risk to zero. This certification will not mean that an organization won’t have a violation. Some organizations might see this certification as an insurance policy and let their guard down.
- The certification should not be a “one and done” process. The program still needs to be regularly reviewed and adjusted for new business or geographic risks.
- Outside auditors may not be able to effectively assess a program against this standard. Alexandra Wrage, president and founder of TRACE, has suggested that it may result in a rubber stamp on existing programs or a barrier for certifying auditors who may not understand the background for certain “reasonable” provisions made to control bribery and corruption.
- We don’t yet know what positions the regulators will take regarding this standard and whether certification will be considered a mitigating factor in any investigations.
3. Why has this ISO standard received so much more publicity than others?
This could be because ISO 37001 is a country and statute neutral program that all organizations can use more easily than some...
It is interesting that the December 2014 ISO Standard/Guidance 19600 on Compliance Management Systems has received little attention from compliance officers, regulators and industry associations, yet ISO 37001 is receiving considerably more coverage. This could be because ISO 37001 is a country and statute neutral program that all organizations can use more easily than some of the past U.S., UK or other country centric anti-bribery and corruption guidance. It is also more proactive in feel and less punitive than FCPA and UKBA.
4.Why is there not a flurry of people trying to get certified?
Many organizations will want to review the standard carefully, let this settle in and watch for how organizations and regulators react before taking the steps toward certification. Also the risk of failing a certification attempt could open up an organization to more scrutiny and risk than before the certification process began.
Once a few large organizations complete the certification process, the standard will most likely embed and companies will begin to require certification from downstream contractors as additional due diligence. Organizations should be prepared to see these requests coming from key customers.
5.What happens if you fail to meet the certification?
Organizations will need to address any gaps identified by a failed certification attempt. Not doing so may result in greater risks in the event of a failure or misconduct since organizations will have had actual notice of issues or control failures.
What questions or answers do you have about ISO 37001? Is your organization considering certification? Let’s keep the discussion going.
Request a consultation with the Advisory Services Team to continue learning how to improve your ethics and compliance program.