Alexandra Wrage: The pros and (substantial) cons of an ISO anti-bribery standard

The international business community wins when companies across supply and marketing chains work to the same high standards. There is less risk and more predictability, which promotes confidence among business partners. Benchmarking among peers and establishing and sharing model language and best practices all help to ensure that companies set their sights on a reasonable common denominator for compliance. 

But standardization can only go so far. 

Anyone who doubts this need only review the language of the U.S. Federal Sentencing Guidelines, the DOJ/SEC Resource Guide to the FCPA, or the Guidance to the UK Bribery Act, each of which resorts, of necessity, to references to programs that are “reasonable,” “appropriate” and “proportionate.”

Anti-bribery compliance isn’t like a fire code or a health standard. There is an objectively established ideal number of fire extinguishers per square foot of office space. There is scientific data supporting the optimal shelf life for food products. Anti-bribery compliance is both simpler (don’t provide something you shouldn’t in exchange for something you’re not entitled to) and more complicated (risks faced by companies of different sizes, in different industries and operating in different countries differ dramatically). There is no fire extinguisher standard for anti-bribery compliance, so the compliance community struggles with what’s reasonable and appropriate.

The new anti-bribery standard proposed by the International Standards Organization (ISO 37001) reflects this same “reasonable and appropriate” language. Compliance professionals working in jurisdictions with a credible threat of anti-bribery enforcement — the U.S., UK, Canada, Germany — will find nothing new in this standard. 

So where does it add value?   

The well-respected Geneva-based ISO lends an air of neutrality to principles otherwise promulgated by the U.S. and UK enforcement agencies. This is particularly important for entirely domestic companies and state-owned entities. A large Indonesian company, traded solely on the Indonesian stock exchange, or a Saudi national oil company, for example, may well prefer to debate “reasonable” and “appropriate” in the context of an ISO document rather than against the backdrop of the U.S. sentencing guidelines. Anything that reduces resistance to better compliance is welcome.

ISO 37001 can be treated as another guidance document, or it can be used as an audit standard. As a guidance document, it is fine, but it offers nothing new for U.S. companies. Like the DOJ/SEC Guidance, it addresses tone at the top, due diligence, training, gifts and hospitality, books and records, and risk assessments. And, like the guidance, each section promotes a standard that is “reasonable.”

As an audit standard for U.S. companies, ISO 37001 is more worrying. The ISO standard states that “different types of business associates are likely to require different levels of due diligence.” This is a sensible and well-recognized principle. Companies may vary the scope of their due diligence as a result of the markets they’re in, deal size, interaction with the government, contingent as opposed to fixed-fee compensation and known industry risks. 

The ISO standard provides no guidance on how that should be done, just as the DOJ/SEC Guidance doesn’t. They wisely recognize that it’s a matter of context and judgment. That judgment should be exercised by the compliance professionals within the company, together with their legal and other advisers, because they’re most familiar with the company and the risks it faces. 

So how, then, will an ISO inspector opine on the propriety of those judgment calls? Either the inspector, one of hundreds approved to undertake ISO inspections, will simply rubber-stamp the decisions of the company’s compliance team, noting that “different types of business associates … require different levels of due diligence,” for example, or they will challenge the judgment of the company’s compliance team and seek to replace it with their own, necessarily less informed, position. I am not sure which is worse. The former results in a faux credential that adds nothing of real value, and the latter undermines the compliance team struggling to get these issues right. (The third option, that a company will fail the inspection because it has done nothing at all, seems unlikely; what company in that situation would waste time and resources by initiating a doomed ISO inspection?)

Anti-bribery compliance issues are difficult. Compliance officers struggle every day with questions of how frequently to refresh due diligence, whether to train managers alongside sales teams or separately, how expensive a meal can be before it’s no longer reasonable, no longer appropriate. There is no fire extinguisher standard to which they can turn. The vision of an external compliance inspector arriving at the front door, staying for a week or two, and using that time to replace the compliance professionals’ judgment with his or her own is worrying.

A lot of thought has gone into the proposed ISO standard, just as a lot of thought went into the DOJ and UK guidance documents. Compliance professionals should read it and note the few minor distinctions between it and existing standards.

But compliance officers are good at what they do because they know their corporate culture and reputation. They understand their companies’ appetite for or aversion to risk, their industries and their markets. They are in the best possible position to assess the reasonableness and appropriateness of their programs.


Alexandra Wrage is president and founder of TRACE. She is the author of Bribery and Extortion: Undermining Business, Governments and Security, co-editor of How to Pay a Bribe: Thinking Like a Criminal to Thwart Bribery Schemes, and the host of the training DVD Toxic Transactions: Bribery, Extortion and the High Price of Bad Business, produced by NBC. She is a former member of FIFA’s Independent Governance Committee and served on the 2015 B20 Taskforce on Anti-Corruption, which drafted recommendations to G20 leaders for consideration in their global economic policies. Prior to founding TRACE, she was international counsel at Northrop Grumman.

  1. Excellent, thoughtful memo: in fact a call for a positive (realpolitik) rather than normative approach to the pitfalls of preempting bribery.
    Arthur F.P.Wassenberg, emeritus professor International Political Economics, author of Capitalist Discipline – On the Orchestration of Corporate games (Palgrave, London, 2014)

  2. Alexandra Wrage has unsurprisingly masterfully identified the pros and cons of an ISO standard.

    I am, however, not sure that the cons are as substantial as she thinks. I am a member of ISO PC 278 on Anti-Bribery Management Systems and have also conducted several audits of anti-bribery systems, some with certification (not under the ISO standard, which is not yet available), some without.

    The trigger for the new ISO Standard (ISO 37001) has been Section 7 of the UK Bribery Act which has introduced a strict liability of organizations for bribery within their sphere of activities unless they can show that they have adequate procedures to prevent bribery from happening in their operations. This has raised a lot of interest in adequate procedures and prompted the British Standard Institution (BSI) to issue its own standard for anti-bribery management systems (BS 10500). In order to have a global standard, BSI then turned to ISO which has the global reach which a British standard lacks. However, the result is more than BS 10500 dressed up as an ISO standard and I think that it is fair to say that the new ISO standard (as commented in the guidance document which comes with it) is a rather comprehensive codification of best practices as they have developed over the last decade and a half.

    ISO 37001 will be a requirements standard, which means that it can be audited and certified. An ISO certification will in no way be a defense against prosecution but the certification report will certainly be a document which prosecution authorities will be interested to see. ISO certification will also enable companies to give evidence, stronger than a self-declaration, of their anti bribery efforts.

    As Alexandra Wrage points out, a lot depends on the quality of the certification auditor. Auditing an anti-bribery management system is not the same as conducting a quality management system audit but requires specific skills and experience. I am the convenor of an ISO committee which will meet in the coming weeks to establish competency requirements for ISO 37001 auditors, and I believe very strongly that these auditors need not only knowledge of, but also prior experience in, compliance and anti-corruption.

    As far as the relationship between the auditor and the compliance officer is concerned, my experience is not that the latter feels threatened by the former. On the contrary, my relationship with the compliance officers of audited organisations has always been very smooth. Compliance officers take a lot of interest in audits and see comments of the auditor as strengthening rather than weakening their position. In one case, where the certification could not be granted, the compliance officer explicitly stated that this would help him to obtain a reinforcement of the system from management. In another case, the compliance officer expressed his surprise about how much he had learned in the process. In all other cases, I never experienced the antagonistic attitude that, from what I have heard, sometimes develops between an organisation and its monitor.

    The real danger of certification is, on the contrary, that a compliance officer may be refused necessary resources or that his initiatives may be rejected after a successful certification because management would not see the need for further action after having been certified by a third party; but this kind of management may well not deserve a certification in the first place.

    The certification of anti-bribery management systems has already started to develop and shall continue to do so, with or without ISO. It takes place according to standards of variable quality and is not always conducted with the required level of professionalism. The ISO standard has the vocation to establish a global reference on substance and form of anti-bribery certification. This is ultimately part of establishing the level playing field which is so much talked about.
