ISO 37001: The New Anti-Corruption International Standard

The International Organization for Standardization (ISO) has recently entered the fray by establishing ISO 37001, a certification standard that specifically addresses anti-bribery in corporations by giving organizations a structure to assist them in implementing or managing anti-bribery management systems. So what is ISO 37001? Simply put, it is an international standard for anti-bribery management systems. The beauty of ISO 37001 is the global acceptance of the standard for anti-corruption compliance.

Obviously, the purpose of an anti-bribery system is to prevent bribes from being given or offered by individuals representing the business interests of the organization. As with all ISO certification standards, there are specific elements that the organization must meet in order to be certified. The system is set up so that it is consistently reviewed in order to ensure compliance and continual improvement.

While national laws may differ regarding anti-corruption compliance, the idea, as with any standard, is to provide a common ground where all global branches of an organization, no matter the location, have the same basis for compliance. Keep in mind that ISO 37001 only addresses bribery. Other white collar compliance issues such as fraud, anti-trust offences and other types of corrupt practices are not within the scope of this standard.

As with other ISO standards, the organization must review the scope for the anti-bribery management system and what the organization plans to achieve by implementing ISO 37001. The organization must review its risk of bribery, honestly. A bribery risk assessment is required to determine the types of bribery risks the organization may be exposed to: not only what bribes may be coming into the organization from outside, but also whether there is the potential that employees of the organization are giving bribes to third parties. Part of the assessment is to consider what types of controls, if any, are currently in place and whether they are suitable to mitigate the actual or potential risk that the organization may experience. Understanding your organization, stakeholder expectations, the culture of the organization as well as the country of operation, and an assessment of the risk of bribery both internally and externally to the organization are important elements that are addressed in the standard.

Meeting the required elements of the standard is necessary to achieve ISO certification. The elements follow a pattern similar to that of all management systems, primarily a Plan-Do-Check-Act methodology. In the anti-bribery management system, leadership is a key element. It is a clearly defined element and not subject to interpretation through other required elements. The standard has a clearly defined requirement for the role and responsibility of upper management with regard to this management system, particularly who has the responsibility and authority to oversee and implement the anti-bribery management system.

The planning portion of the standard includes identifying the objectives and targets the system is to achieve, and ensuring that resources are available and that employees are aware of the system, trained in the requirements and competent. The standard then requires the implementation of the system through operational planning and controls. It requires that procedures be implemented that allow employees to report any suspected or known bribery acts. Protection from retaliation is a key aspect of reporting concerns to the organization. The system must then have a procedure for investigating and dealing with any bribery actions reported. Monitoring of the system is required. The organization needs to ensure that the appropriate methods for monitoring the system are in place and that the results are properly analyzed and assessed. As with other ISO standards, the internal auditing function is also part of ISO 37001. Procedures for non-conformances and methods for corrective actions are to be in place. Finally, top management needs to review the system at planned intervals.

As with certification in other ISO standards, third party registrars review the programs and provide feedback on areas of compliance, non-compliance and opportunities for improvement. Certification does not ensure that there will be no legal contraventions; however, the purpose of the standard is to provide a framework for planning, implementation, monitoring and review.

Having an anti-bribery management system in place, such as ISO 37001, communicates to employees, stakeholders and third parties the commitment of the organization to prevent bribery from occurring at the organization. While a management system cannot prevent legal actions against the organization for actions of bribery, the management system and certification demonstrate due diligence, showing that reasonable precautions are taken and actively in place to prevent such actions.

While ISO 37001 may not prevent incidents of bribery, government investigations or charges against an organization for bribery, the general consensus is that it may be considered a useful tool in the prevention of bribery actions. “For U.S. companies operating internationally, through a subsidiary, distribution center or other representatives, ISO 37001 can be a key tool in markets where the risk of corruption is high or culturally “normal”, and it can be an equally powerful tool for locally based conglomerates.”[1]

Recent reports have been published announcing that both Microsoft and Wal-Mart Stores Inc. are looking for third party certifiers for ISO 37001 certification.[2] Wal-Mart has been the focus of potential misconduct, including violations of the Foreign Corrupt Practices Act in some overseas markets including China, Brazil, India and Mexico.[3] For Microsoft, “ISO 37001 establishes a common language to help solve the cross-border problem of corruption.”[4]

It is too early to tell how readily other multi-national organizations will move towards ISO 37001 certification, not only as a requirement for their own organization, but as a requirement for their suppliers and distributors. In a recent survey, “Statistics on Compliance”[5], posted by Steven Mulrenan on November 1, 2016, 34% of those surveyed identified that the organization’s total annual revenue was more than US$ 5 billion, and 75.5% of those surveyed identified that less than US$ 50,000 would best describe the annual budget to instruct an independent third party to audit a level of compliance with ISO 37001. The commitment of resources is crucial to the success of any certification process. If there is already an identified cost threshold to obtain compliance, organizations may use other types of compliance management systems that include identification and control of bribery.

Will ISO 37001 work to improve anti-corruption practices? Only time will tell. But ISO 37001 provides an accepted global framework for anti-corruption compliance, which is a significant step and will provide a baseline for global organizations to get all branches, in all geographic locations, on the same page with anti-bribery compliance.

[1] Cevallos, Fernando and Mich, Brian, “ISO 37001 Is Here. Will it Work?”, http://www.fcpablog.com/blog/2016/10/17/iso-37001-is-here-will-it-work.html. Accessed March 10, 2017.

[2] http://fcpablog.com/blog/2017/5/11/Microsoft-and-wal-mart-seek-iso-37001-anti-bribery-certification. Accessed May 11, 2017.

[3] Krolicki, Kevin and Bose, Nandita, “Wal-Mart seeks anti-corruption certification, in talks with regulators”, Business Week, May 3, 2017.

[4] http://www.comlianceweek.com/authors/Jaclyn-jaeger. Accessed May 29, 2017.

[5] https://insights.redflaggroup.com/articles/iso-37001-survey-results. Accessed March 10, 2017.

Norm Keith


Mr. Keith is a senior partner and member of the White Collar Defence practice group in the Toronto office of Fasken Martineau and the author of 12 books, including Insider Trading in Canada (Lexis Nexis, 2012). Contact him at +1 416 868 7824 or nkeith@fasken.com.