Is my anti-corruption program effective or not effective? In the United States, companies only receive the definitive answer to that question in worst case scenarios — at the back end of a governmental program evaluation, typically while under FCPA scrutiny by the DOJ.
And because the rare published declinations and enforcement actions are often difficult to apply broadly, they typically raise as many questions as provide meaningful answers.
By contrast, a certified ISO 37001 Anti-bribery management system provides various front-end advantages:
- The certification audit is undertaken voluntarily by an organization, not while “under the gun.”
- The auditor is an independent and accredited third party, selected by the organization.
- The scope of the audit is specified by the organization (with ISO 37001’s flexibility providing the opportunity to start with a relatively manageable organizational subset (like Alstom, certifying Europe) or a corporate division, and then expanding the certification scope through follow-up audits, as desired).
- The audit process is designed to provide prompt feedback: the audit team’s report issued to the organization after completion of the Stage 1 (design) and Stage 2 (effectiveness) review activity specifies any major and/or minor systemic nonconformities that may exist.
- The audit report also specifies the nature and timing of the corrective action needed prior to any audit team certification recommendation to the certifying body’s certification committee, and
- Positive market recognition in various forms may well result from certification — finally allowing companies to beneficially leverage their past and on-going FCPA program anti-bribery costs. Historically, this has been the case with other ISO management system standards — e.g. quality (ISO 9001), environmental (14001) and information security (27001).
To be clear, an organization’s receipt of certification to the ISO 37001 business standard does not necessarily mean that they have an “effective” anti-corruption program in the eyes of the government or otherwise meet applicable legal standards.
But the chances of meeting applicable legal standards are likely improved for those organizations that receive ISO 37001 certification because of the standard’s requirements emphasizing process and detail, and the rigorous independent and accredited third party certification audit process.
For example, don’t the following ISO 37001 anti-bribery system requirements (supplementing the compliance program guidance found in the U.S. Sentencing Guidelines, the DOJ/SEC FCPA Guidance and the DOJ Evaluation of Corporate Compliance Program (pdf) document) also help strengthen an anti-corruption compliance program?
Consider these factors:
Resources: Organizations shall determine and provide the (human, physical and financial) resources needed for the establishment, implementation, maintenance and continual improvement of the anti-bribery management system. (7.1) and to support the anti-bribery compliance function (5.3.3).
For many companies, any anti-bribery-related resource analysis consists of the compliance department’s annual budget review – which, in some cases, can be a “cram down” (e.g. a CFO communication that “compliance gets 1.5% more (or worse, less) than last year — period”) rather than a serious discussion to review the facts. By contrast, ISO 37001’s focus is on the overall system — its maintenance and improvement — based on need.
Controlled entities: Organizations shall implement procedures requiring that all other organizations that it controls either implement the organization’s anti-bribery controls or implement their own controls — reasonable and proportionate to the bribery risk. (8.5.1)
It’s not enough for the parent company alone to have appropriate controls. Query what this may mean for private equity, venture capital and other investment vehicles.
Continual improvement: Organizations shall continually improve the suitability, adequacy and effectiveness of the anti-bribery management system. This fundamental continual improvement ISO principle appears throughout the document (e.g. in the core anti-bribery management system requirement (4.4), in management’s leadership and commitment responsibilities (5.1.2), as one of the components to be included in the anti-bribery policy (5.2 g), as part of the resource assessment (7.1) and as a stand-alone requirement (10.2), among other places.) Proactive anti-bribery measures are thus emphasized and supported in numerous ways.
Measurement and monitoring: Section 9.1 exemplifies ISO 37001’s business approach to anti-bribery. As with other ISO management system standards, this monitoring, measurement, analysis and evaluation requirement includes: what needs to be measured and monitored; who is responsible; the methods involved; when the activities will occur; when the results will be analyzed and evaluated; to whom and how the results will be reported; and what documentation is to be retained. Given the current FCPA enforcement emphasis on “operationalizing compliance,” wouldn’t many (if not most) anti-corruption compliance programs benefit from this degree of management system process and detail?
* * *
In the FCPA world, management and boards of organizations taking constructive and good faith steps to fight bribery often ponder how the organization’s efforts will be received should it be subjected to a DOJ “back end” review. They similarly despair at the amounts spent on anti-corruption corporate compliance programs that seemingly generate little measurable business benefit besides a degree of insurance.
ISO 37001 certification changes this landscape. With its various “front end” advantages, organizational leaders now have a business tool that can increase confidence internally (for organizational leaders) and externally (to the market) that the entity is taking substantive and management system-certified steps to fight bribery.