Wal-Mart’s Executive Vice President and Global Chief Ethics and Compliance Officer told the Thomson Reuters Financial and Risk Summit that his company is seeking ISO 37001 certification.
“We have begun looking for a company that would certify us,” Jay Jorgensen, said on May 3.
This announcement from the world’s largest retailer comes just a month after Microsoft announced its own plans to seek ISO 37001 certification.
We’re a global company with more than 120,000 employees in more than 190 countries. After being closely involved in the development of ISO 37001, Microsoft will seek certification from an independent and accredited third party to demonstrate that our anti-bribery program satisfies the requirements of the standard. We hope other companies will do the same. A common consistent and rigorous standard for anti-bribery will cut across countries, industries and all segments of the value chain.
Microsoft and Wal-Mart’s recent announcements show that these international companies recognize the value of having a uniform international standard across their organization to combat bribery. However, since it’s publication late last year, some compliance experts have continued to view the Standard with scepticism.
Much of this discomfort is rooted in a misunderstanding of what the Standard is meant to accomplish and its place among the various guidelines on anti-bribery best practices. As more and more companies seek ISO 37001 certification, and require their third-parties and suppliers to do the same, it is important for compliance professionals to familiarize themselves with the Standard.
We previously exposed five myths about ISO 37001 (and the truth about them), but some myths continue to persist. For instance:
Myth: ISO 37001 is a race to the bottom. If the “bottom” is a company meeting global best practices and regulatory expectations, then hallelujah! ISO 37001 provides a high-water mark where companies must meet rigorous requirements and documentation in order to obtain certification. Certification is good for three years, but companies must undergo an annual mini-audit to show continuous improvement in their anti-bribery program and continued adherence to the Standard.
Documentation is checked and people are interviewed to ensure the Standard is being met on a continuing basis. Certification is sought by Board, management and compliance officers not just for the sake of certification, but to truly show they have a world-class program.
Myth: ISO 19600 and ISO 37001 are the same thing or in conflict. While it is true that ISO 19600 and ISO 37001 both relate to the compliance community, they are entirely different standards. ISO 19600 provides guidelines for compliance management systems but is not specific to anti-bribery systems. Most importantly, ISO 19600 is not a certifiable standard, meaning organizations can use the ISO 19600 Standard to help them to evaluate and establish their compliance programs, but certification is not available.
Critically, ISO 37001 is the first and only international ISO Standard relating to compliance programs and anti-bribery management systems. It sets forth very specific requirements that must be met to achieve certification. Both ISO Standards can be used together, but only one is specific to anti-bribery programs and only one is certifiable.
Moreover, there is no conflict between the two standards. An organization can follow the guidelines of ISO 19600 and implement the requirements of ISO 37001 in perfect harmony.
Myth: Anybody Can Certify ISO 37001. ISO specifically contemplates using certification bodies that adhere to certain standards, set forth in ISO 17021-01 and 17021-09. Companies using unqualified certifiers do so at their own risk. When looking for a certifying body, look for one that follows the requirements of ISO 17021-01 and 17021-09 and that uses auditors who have demonstrated expertise in compliance programs and anti-bribery best practices. Similarly, if a third-party touts ISO 37001 certification, do should still do your due diligence on the organization.
Myth: ISO 37001 is only good for certification. ISO 37001 is an excellent tool for benchmarking your program, conducting a gap analysis to determine where remediation is required to meet best practices, and for internal auditors to use as a framework against which to gauge an anti-bribery program’s effectiveness. We’re seeing many companies using the ISO 37001 Standard’s requirements to guide their program as it matures, with a view that if they ever decide to seek certification, their programs will be in a good place to do so.
* * *
Wal-Mart, Microsoft, and the governments of Singapore, Peru and the Philippines are simply the first in what we expect will be a long line of governments and multi-national companies that recognize the power and importance of having a uniform certifiable standard with clear requirements for a robust anti-bribery program.
Who’s next? We’ll find out soon, we’re sure.
Kristy Grant-Hart the author of the book How to be a Wildly Effective Compliance Officer. She is the CEO of Spark Compliance Consulting. She can be found at @KristyGrantHart and emailed at [email protected].