Some, though certainly not all, of the dust has settled since ISO 37001 was published last fall. As compliance professionals grapple with the new standard, we thought it would be interesting to use the power of social media to seek input from our readers on ISO 37001 now that everyone has had some time to get better acquainted.
As cited by Compliance Week, the opinions on ISO 37001 run the gamut from “…we don’t need another standard in anti-bribery” to the standard signaling “a ‘coming-of-age moment’ for the anti-corruption compliance space.” Such polarizing opinions on a topic make for a perfect opportunity to bring the community together for discussion. So let’s do that.
Points for Discussion
1. By the Industry for the Industry
ISO 37001 was drafted with input from hundreds of experts across 56 countries and seven liaison organizations. The committee drafting the standard included business people, as well as lawyers, NGOs, academics and others, assembled to ensure the standard was rigorous and practical. As a result, the framework was written in non-legalistic, plain language and provided a new level of detail, uniformity and transparency.
Is the standard easy to understand? Does it provide detail, uniformity and transparency where other standards or regulations did not?
2. The Benefits of a New Standard
Organizations understand that reports of bribery can hurt their reputations and brands—and that conforming to standards like ISO 37001 can be a key market differentiator. The standard was created so organizations could use it to engage business partners and measure their own compliance capabilities. The end goal is to minimize the risk of unlawful behavior, allow for earlier interventions and provide evidence of reasonable steps to prevent bribery and demonstrate commitment to ethical practices. Regulators have recently rewarded organizations that take such steps.
Has ISO 37001 made it easier to gauge business partners on compliance? Has it made it easier to judge your own organization?
3. Flexibility of Design
ISO 37001 was designed to aid in complying with international good practices and with relevant anti-bribery legal requirements in all countries. It also can be adapted according to the size and nature of the organization and the potential bribery risk.
Will ISO 37001 work in all jurisdictions? Will it work for organizations of various sizes?
It’s important to remember that ISO 37001 certification will be voluntary and that ISO doesn’t perform certifications itself. But independent certification bodies can use the new standard, and that service should be available later this year.
In the U.S., the ANSI-ASQ National Accreditation Governing body (ANAB) issues accreditation to auditors. ISO 37001 certification will be valid for three years, with an annual surveillance audit. Auditor competency is governed by detailed requirements (ISO/IEC 17021-1 and -9), developed by ISO's Committee on Conformity Assessment (CASCO), to ensure confidence, quality and reliability in the certification process. ISO 37001 auditors are required to have specific knowledge, including knowledge of the standard’s requirements, bribery concepts and scenarios, third-party risk, bribery risk assessment and due diligence, and the design and evaluation of effective anti-bribery controls.
Organizations should also remember that adherence to ISO 37001 is not a safe harbor or a bar to liability. But it’s worth looking at, as it may be taken into consideration by prosecutors should a bribery-related event occur. It can provide some evidence that an organization has taken reasonable steps to prevent wrongdoing.