In Deputy Attorney General Rosenstein’s recent announcement of a new FCPA Policy, he highlighted three hallmarks of a Policy effective compliance program: fostering a culture of compliance; dedicating sufficient resources to compliance activities; and ensuring that experienced compliance personnel have appropriate access to the board.
These same criteria are also found within the October 2016-issued ISO 37001’s requirements applying to an anti-bribery management system:
Culture: A specific ISO 37001 management obligation is “promoting an appropriate anti-bribery culture within the organization” (5.1.2 h)). The business standard states elsewhere: “The nature of an organization’s culture is critical to the success or failure of an anti-bribery management system.” (Introduction)
Sufficient Resources: There are governance, planning and support aspects to ISO 37001’s coverage of this topic. The board’s obligation is “requiring that adequate and appropriate resources needed for effective operation of the anti-bribery management system are allocated and assigned” (5.1.1 d)) and management is charged with “deploying adequate and appropriate resources for the effective operation of the anti-bribery management system.” (5.1.2 j))
While planning anti-bribery objectives and how to achieve them, the organization is tasked with determining “what resources will be required”. (6.2) In supporting the system, “[t]he organization shall determine and provide the resources needed for the establishment, implementation, maintenance and continual improvement of the anti-bribery management system.” (7.1)
Appropriate Access to the Board: The compliance function’s ability to communicate upwards is clear under ISO 37001: “The anti-bribery compliance function shall have direct and prompt access to the [board] … and [management] in the event that any issue or concern needs to be raised in relation to bribery or the anti-bribery management system.” (5.3.2)
The new Policy is similarly aligned with ISO 37001 on the need for appropriate flexibility. The US Attorneys’ Manual (the Policy’s new home) lists various aspects of an effective program and notes “the criteria…will be periodically updated and …may vary based on the size and resources of the organization.” (emphasis added)
ISO 37001’s Introduction states “[t]he bribery risks facing an organization vary according to factors such as the size of the organization, the locations and sectors in which the organization operates, and the nature, scale and complexity of the organization’s activities. This document specifies the implementation by the organization of policies, procedures and controls which are reasonable and proportionate according to the bribery risks the organization faces.” (emphasis added)
Businesses and other organizations trying to manage FCPA bribery risks have long sought: (a) greater clarity in DOJ FCPA enforcement policy and practice; and (b) more detailed guidance (in one single source) on leading anti-bribery activities — what to do, and how to do it. In the forms of DOJ’s new Policy (including its incentives for effective programs) and ISO 37001’s comprehensive anti-bribery system structure — these now exist.
These separate legal and business standards take different parts, but they’re both singing from the same anti-bribery song sheet.