Four months ago the ISO 37001 Anti-Bribery Management Systems document was published, and companies were finally able to have their anti-bribery program certified to an international standard. Since then we’ve repeatedly heard the same myths about the Standard.
Here’s the truth about what ISO 37001 is, what it does, and who is doing it.
Myth NO. 1: No One is Seeking Certification. False! Eni S.p.A., a Fortune 100 gas and oil company with operations in over 79 countries, recently touted its certification achievement. It’s the first Italian company to receive certification, and others are hot on its tail. Many companies are hoping to become first-to-market with certification in their country or industry.
Implementing all of the standard’s requirements and preparing for the certification audit takes time. Until they formally receive certification, most companies keep mum about the process.
A survey conducted by Compliance Week and Steele Solutions found that 56 percent of companies stated they were likely to seek certification. By year-end we expect a flood of additional certified companies.
Myth NO. 2: ISO 37001 Certification is Just a “Paper Program.” ISO 37001 does require that many aspects of the anti-bribery program be documented, but no reputable auditing company would certify a company solely with a paper program. Qualified auditors with anti-bribery experience and in-depth knowledge of ISO 37001 are required to conduct the audit.
Auditors carry out in-depth on-site visits to an organization’s headquarters and a sampling of its regional and international offices and wholly-owned subsidiaries’ offices, and these visits require interviews with top management, department heads, sales people, HR, Legal and Audit. If you want to skate by with a paper compliance program, ISO 37001 is not for your organization.
Myth NO. 3: Certification Is Impossible to Achieve Because The Program Has to Be Perfect to Get It. Wrong! No anti-bribery program is without its flaws. The experts who drafted the ISO 37001 Standard recognized this, which is why ISO 37001 contains requirements related to corrective action and continuous improvement of the program. Organizations can become ISO 37001 certified even if there are small flaws — known as “minor non-conformities” — in the program, provided that they are able to show during their annual surveillance audits that they are working to correct them.
Myth NO. 4: ISO 37001 Certification Provides Immunity from Prosecution. There is no silver bullet that guarantees an organization will not be prosecuted for violating bribery and corruption laws. Nor is there any management system that can guarantee that an instance of bribery will not occur in your organization. That being said, having ISO 37001 certification can serve as a strong mitigating factor for an organization in the event of a government action, which leads us to our last myth…
Myth NO. 5: The DOJ and SEC Don’t Care about ISO 37001 Certification. Wrong! Just because ISO 37001 certification won’t automatically grant your organization immunity from prosecution doesn’t mean that the DOJ, SEC and SFO won’t take your organization’s ISO 37001 certification into account. Meeting the ISO 37001 requirements ensures that your program meets the Federal Sentencing Guidelines’ requirement of an effective compliance and ethics program, which will will serve as a mitigating factor in sentencing.
Although the DOJ and SEC have not issued any official statements on ISO 37001, various officials speaking in their private capacities have expressed support for the standard and what it seeks to achieve. At the ACI FCPA conference this past November, Andrew Weissmann, Chief of the DOJ’s Fraud Section, noted that the government would certainly factor in ISO 37001 certification in its investigations, including efforts by companies to remediate their program by implementing ISO 37001. He also stated that Hui Chen, the DOJ’s Compliance Counsel Expert, had been training the team on the standard.
For companies looking to meet global anti-bribery best practices, and have independent certification that they’ve done that, there’s only one standard. And that’s no myth.
Kristy Grant-Hart the author of the book “How to be a Wildly Effective Compliance Officer.” She is the CEO of Spark Compliance Consulting. She can be found at @KristyGrantHart and emailed here.
Diana Trevley is the West Coast Director of Spark Compliance Consulting. She can be emailed here.
Kirsty and DIana, Thank you for this timely and useful blog from such respected authors.
Happy Valentines Day
Other than “myths,” I think there are some serious concerns about ISO 37001. Here is one. I was reading an article in the SCCE Magazine, Compliance and Ethics Professional, about a Brazilian enforcement authority requiring a company to adopt an ISO based compliance program in a corruption case. But I realized it was NOT ISO 37001, but ISO 19000, Compliance Management Systems. So there are already two different standards out there.
One of the biggest concerns is about a race to the bottom in certification. As long as companies are free to pick who will do the certification there is a dangerous conflict of interest. Why would a company pick a certifier with a reputation for being tough? Why would a certifier risk damaging its ability to sell its services by having a reputation as a tough judge? If I were ISO, I would require that certifiers be assigned without the company being certified having control over the certifier.
I also find it distasteful that people have to pay to even see the standards or to use them. There are enough government guides out there for free; why have a system that seems designed to be a revenue source for ISO. Better to have a system where all the world can use, comment on, and criticize the standards.
This is not a question of “myths.” There are serious doubts about the ISO approach in this area. Regards, Joe
Excellent points all, Kristy and Diana. Thanks for helping to clarify what can be a confusing ISO 37001 environment.
To build on your foundation, there are two other myths that are worth debunking:
Myth NO. 6: If I have an “effective” FCPA program, I basically have all I need to get ISO 37001 certified. Probably not. You may have most or all of the basic components in your program, but do you have the processes and procedures emphasized by ISO 37001 to support one of the primary goals of this new standard – creating and maintaining a sustainable business management system?
As an example of the relative differences between the two worlds – one legally focused and the other emphasizing business – the DOJ/SEC Guidelines document does not contain the word “planning”. ISO 37001 Section 6 is entitled “Planning”; one out of seven substantive sections of the standard is devoted to this critical business activity. Two detailed subsections cover the anti-bribery planning priorities “Actions to address risks and opportunities” and “Anti-bribery objectives and planning to achieve them”.
Myth NO. 7: ISO 37001 may be a business standard, but there’s no quantifiable business benefit. Not so fast. It is early in ISO 37001’s life span, particularly in the US where no certifications have been issued to date.
As Kristy and Diana point out citing various recent US surveys, many companies already see benefit in seeking ISO 37001 Anti-bribery management systems certification during 2017. With another well-received ISO standard – ISO 9001 Quality management systems – various UK studies indicate that companies implementing ISO 9001 that affirmatively marketed their certification and its meaning saw an 8 – 12% increase in revenues.
Stay tuned on this question. To the extent that credible ROI can be linked with ISO 37001 in the months and years to come, certification becomes that much more compelling.
Worth MacMurray is a Principal at Governance & Compliance Initiatives in McLean, Virginia. He was a member of the US Technical Advisory Group that worked with other countries to produce ISO 37001. He can be contacted here.
Comments are closed for this article!