ISO 37001: yawner or transformer?
September 2017 | FEATURE | BRIBERY & CORRUPTION
Financier Worldwide Magazine
With bribes estimated at $1 trillion paid across the globe each year, bribery is among the most destructive and challenging of issues. It is a widespread form of corruption that has a corrosive effect on society, public trust, economic development and, ultimately, quality of life.
Recognising the catastrophic consequences of failing to tackle bribery, the International Organization for Standardization (ISO) recently published the ISO 37001 standard – a business tool specifically designed to address the issue. Assisting organisations within their own operations and across their global value chains, the standard seeks to broaden and strengthen internal systems and processes, and ultimately promote ethical business cultures.
ISO 37001 is intended for use in any country by small, medium and large enterprises in the public, private and voluntary sectors. It allows organisations to have their anti-bribery programmes certified to an international standard. However, reaction thus far has been rather muted, with many practitioners uncertain whether adherence to the standard amounts to much more than just a box-ticking exercise.
For those in the compliance world, two questions loom large: what are the real requirements imposed by the ISO 37001 standard and how should organisations go about implementing, auditing and certifying a compliance management system that is in accordance with it?
Although the ISO recognises that many of the measures required by ISO 37001 will mirror the anti-bribery policies and procedures already implemented by companies, it insists the standard is intended to be adaptable according to the nature of the organisation and its likelihood of encountering bribery.
“The bribery risk facing an organisation varies according to factors such as the size of the organisation, the countries and sectors in which the organisation operates, and the nature, scale and complexity of the organisation’s operations,” says Neill Stansbury, chair of the ISO project committee responsible for the ISO 37001 standard. “Therefore, ISO 37001 specifies the implementation by the organisation of reasonable and proportionate policies, procedures and controls.”
Accordingly, the ISO 37001 standard requires organisations to have in place: (i) an anti-bribery policy and procedures; (ii) top management leadership, commitment and responsibility; (iii) oversight by a compliance manager or function; (iv) anti-bribery training; (v) risk assessments and due diligence on projects and business associates; (vi) financial, procurement, commercial and contractual controls; (vii) reporting, monitoring, investigation and review; and (viii) corrective action and continual improvement.
“Bribery is a significant business risk in many countries and sectors,” asserts Mr Stansbury. “In many cases, it has been tolerated as a ‘necessary’ part of doing business. However, increasing awareness of the damage caused by bribery to countries, organisations and individuals has resulted in calls for effective action to be taken to prevent bribery.”
But the new standard does have its critics. Among them is Mike Koehler, a law professor and creator of the FCPA Professor website. “To anyone well versed on the numerous sources of best practices in the anti-bribery space prior to the release of ISO 37001, the standard is a complete yawner. Indeed, it is particularly disappointing as several best practices are not even captured in the purported best practices document,” he suggests. “My advice to companies subject to the Foreign Corrupt Practices Act (FCPA) is to ignore the ISO 37001 standard and focus instead on the numerous sources of best practices drafted or cited by US FCPA enforcement agencies.”
In terms of its future viability, it is still too early to determine how widely the ISO 37001 standard is likely to be used. That said, three factors are strong pointers toward it becoming the most widely used and recognised anti-bribery management system (ABMS): its status as the world’s first internationally recognised ABMS which can be independently certified, the wide international support it had during its development (with 59 participating and observing countries), and the scope for it to be implemented with other management standards such as ISO 9001, 14001 and 45001.
And while the implementation of an ISO 37001 compliant ABMS does not completely eliminate the risk of bribery, the standard’s proponents are confident that systems enhanced by ISO 37001 will help assure organisations that they have implemented reasonable and proportionate measures to prevent, detect and deal with bribery, thereby minimising the risk of bribery and its debilitating consequences.
Advocates and detractors
Of course, every endeavour has its advocates and detractors, and in this regard the ISO 37001 standard is clearly no exception. “In the years to come, ISO 37001 will be widely viewed by sophisticated observers as much to do about nothing – and with good reason,” suggests Mr Koehler. “Sure, individuals and companies marketing ISO 37001 certifications and compliance services will point to ad hoc examples as signs of success, but most will recognise the self-interest of those doing so.”