Karen E. Gray: ISO 37001 certification can help companies prepare for DOJ industry sweeps

After news broke in late August that the U.S. Department of Justice was investigating Uber’s potential violations of the Foreign Corrupt Practices Act, the National Law Review wrote, “In our experience, once DOJ begins learning about a particular industry in such an investigation, the investigation will expand to other players within the industry. It’s called an ‘industry sweep,’ and it’s a thing.”

If tech startups are now under the DOJ microscope, then the case for implementing anti-bribery compliance programs — regardless of an organization’s size — has been strengthened. After all, startups usually launch with a small, very localized footprint, which would seem to negate the need for an FCPA compliance program.

The challenge for startups — and other small-to-medium sized businesses — is balancing the cost of a compliance program with the level of risk. Uber went from small startup to global disruptor operating in 70 countries in only eight years. And while not every company experiences such a rocket-like growth trajectory, the global nature of supply chains means that companies are more vulnerable to third-party risk exposure.

The risk increases further for companies within regulated industries. As the National Law Review pointed out, “Playing abroad in a regulated industry requires constant interaction with foreign government officials. Each of those interactions creates a risk that some payment, offer, or business hospitality could be considered an FCPA violation.”

For Uber, the allegations involve payments to police to facilitate the licensing of its drivers, but bribery risk could just as easily involve gifts offered by pharma reps to doctors at state-run hospitals.

The ISO 37001 certification standard introduced last October was designed for flexibility, making it appropriate for multinational companies, small and medium-sized enterprises, public, private, and non-governmental organisations.

Moreover, ISO 37001 is written in straightforward business language — rather than complex legal jargon that permeates guidance provided by anti-bribery enforcement agencies in the U.S. and UK — making it far more approachable for organizations that don’t have a fleet of lawyers and compliance professionals on the payroll.

The ISO 37001 requirements establish a framework that companies can follow, even if their current risk level is low, to help ensure that as they expand into new geographies — through direct operations or via their supply chain — companies can mitigate bribery risk.

Those requirements include:

1. Implementing a clear, anti-bribery policy

2. Establishing management leadership, commitment, and responsibility

3. Developing personnel controls and training

4. Conducting risk assessments and due diligence on projects, business associates and other third parties

5. Executing financial, commercial, and contractual controls

6. Instituting an ongoing process for reporting, monitoring, investigating, and reviewing

7. Taking corrective action when indicated and focusing on continual process improvement

Whether or not they are seeking ISO 37001 certification, small to mid-size companies, including young startups, can start the process without breaking the budget.

While risk remains relatively low, beginning with the first three requirements can help to generate awareness. As circumstances change — such as expansion into a new market in a foreign country — companies can implement the rest of the requirements.

Technology, like automated risk screening or due diligence platforms, can further strengthen companies’ anti-bribery compliance programs. The cost of such tools may even be offset by the savings realized through lower human resources demand.

In addition, improved risk awareness helps companies respond quickly when a red flag is spotted, reducing the potential financial and reputational damage caused by corruption allegations. Ultimately, not every company needs ISO 37001 certification, but Uber’s current plight certainly shows that companies need to periodically conduct risk assessments to determine whether a more proactive approach to bribery risk mitigation is needed.


Karen E. Gray is a Senior Entity Due Diligence and Monitoring specialist for LexisNexis. She serves as an expert and central point person for all due diligence and third-party monitoring solutions. She is a resource for Benchmarking, Market Intelligence, Strategic Category Management, and Vendor Selection, and focuses on efforts to improve profitability and cash flow, risk mitigation and operational efficiencies with regard to vendor selection and monitoring.

1 Comment

  1. There are some concerns about the cost of ISO 37001 certification. For small and medium-sized businesses this may be a concern. Instead of focusing on the monetary cost of ISO 37001 certification, these companies should be asking two questions:

    1. Will we get the value expected based on the money spent?
    2. Will ISO 37001 enable us to meet our regulatory compliance needs?

    If the answers to both questions are yes, there can be a business case made for seeking certification. However, ISO 37001 certification is not needed or required for companies to meet regulatory compliance. FCPA, UK Bribery Act, and other national anti-bribery laws do not require this certification for compliance. An ISO 37001 certified management system will more than anything standardize corporate anti-bribery behavior in international business, most valuable to companies with multiple supply chain partners and agents. The flexibility of ISO 37001 allows companies to incorporate various national anti-bribery laws into their management system. This may be the best value of ISO 37001 certification.