Four months ago the ISO 37001 Anti-Bribery Management Systems document was published, and companies were finally able to have their anti-bribery program certified to an international standard. Since then we’ve repeatedly heard the same myths about the Standard.
Here’s the truth about what ISO 37001 is, what it does, and who is doing it.
Myth NO. 1: No One is Seeking Certification. False! Eni S.p.A., a Fortune 100 gas and oil company with operations in over 79 countries, recently touted its certification achievement. It’s the first Italian company to receive certification, and others are hot on its tail. Many companies are hoping to become first-to-market with certification in their country or industry.
Implementing all of the standard’s requirements and preparing for the certification audit takes time. Until they formally receive certification, most companies keep mum about the process.
A survey conducted by Compliance Week and Steele Solutions found that 56 percent of companies stated they were likely to seek certification. By year-end we expect a flood of additional certified companies.
Myth NO. 2: ISO 37001 Certification is Just a “Paper Program.” ISO 37001 does require that many aspects of the anti-bribery program be documented, but no reputable auditing company would certify a company solely with a paper program. Qualified auditors with anti-bribery experience and in-depth knowledge of ISO 37001 are required to conduct the audit.
Auditors carry out in-depth on-site visits to an organization’s headquarters and a sampling of its regional and international offices and wholly-owned subsidiaries’ offices, and these visits require interviews with top management, department heads, sales people, HR, Legal and Audit. If you want to skate by with a paper compliance program, ISO 37001 is not for your organization.
Myth NO. 3: Certification Is Impossible to Achieve Because The Program Has to Be Perfect to Get It. Wrong! No anti-bribery program is without its flaws. The experts who drafted the ISO 37001 Standard recognized this, which is why ISO 37001 contains requirements related to corrective action and continuous improvement of the program. Organizations can become ISO 37001 certified even if there are small flaws — known as “minor non-conformities” — in the program, provided that they are able to show during their annual surveillance audits that they are working to correct them.
Myth NO. 4: ISO 37001 Certification Provides Immunity from Prosecution. There is no silver bullet that guarantees an organization will not be prosecuted for violating bribery and corruption laws. Nor is there any management system that can guarantee that an instance of bribery will not occur in your organization. That being said, having ISO 37001 certification can serve as a strong mitigating factor for an organization in the event of a government action, which leads us to our last myth…
Myth NO. 5: The DOJ and SEC Don’t Care about ISO 37001 Certification. Wrong! Just because ISO 37001 certification won’t automatically grant your organization immunity from prosecution doesn’t mean that the DOJ, SEC and SFO won’t take your organization’s ISO 37001 certification into account. Meeting the ISO 37001 requirements ensures that your program meets the Federal Sentencing Guidelines’ requirement of an effective compliance and ethics program, which will will serve as a mitigating factor in sentencing.
Although the DOJ and SEC have not issued any official statements on ISO 37001, various officials speaking in their private capacities have expressed support for the standard and what it seeks to achieve. At the ACI FCPA conference this past November, Andrew Weissmann, Chief of the DOJ’s Fraud Section, noted that the government would certainly factor in ISO 37001 certification in its investigations, including efforts by companies to remediate their program by implementing ISO 37001. He also stated that Hui Chen, the DOJ’s Compliance Counsel Expert, had been training the team on the standard.
For companies looking to meet global anti-bribery best practices, and have independent certification that they’ve done that, there’s only one standard. And that’s no myth.