Since its launch in 2016, the ISO 37001 Anti-Bribery Management Systems standard has had its supporters and critics. Some regulatory bodies and compliance communities initially expressed concern regarding the lack of a body of evidence supporting the effectiveness of ISO 37001:2016 from certain standpoints. Critics asserted that the new standard failed to address broad compliance concerns, and questioned whether ISO 37001:2016 certification alone can prevent prosecution. These observations should certainly be weighed and considered, as any new compliance standard must be properly evaluated on its merits. In the case of ISO 37001, however, the critics have made some misjudgments with regard to the key factors they feel are in question with the standard.
One of the most important things to remember is that a standard like ISO 37001 and all of its measures require commitment and implementation by the organisation adopting them. ISO 37001 is a standard, administered by a certified body but ultimately implemented by employees of the organisation itself. The purpose of the ISO 37001 standard is to provide a framework against which an organisation’s anti-bribery management can be assessed and certified, rather than a foolproof blueprint to prevent bribery.
The story behind ISO 37001:2016
First, some background: The International Organization for Standardization, or ISO, is the international standard-setting body composed of representatives from various national standards organisations. Founded on 23 Feb. 1947, ISO promotes worldwide proprietary, industrial, and commercial standards. Responding to an international need, ISO issued the 37001:2016 Anti-Bribery Management System standard to help businesses, nonprofits and governmental agencies reduce their risk of bribery and corruption by establishing, implementing, maintaining and improving an anti-bribery management system.
The ISO 37001 standard, which references ISO 19600 – Compliance Management System, specifies mandatory requirements for organisations when establishing or updating their anti-bribery management programs in a manner that is proportionate to the potential bribery risk. These requirements are qualified as “appropriate” and “reasonable”, which directs organisations to undertake a subjective, diligent and rigorous review of their current compliance framework; it is this review that will make ISO 37001 effective for them. According to Deloitte & Touche LLP, “[in ISO 37001:2016] it’s the substance, not the form, of a compliance program that determines its effectiveness”.
Anti-corruption versus broad compliance issues
Some of the concerns regarding the effectiveness of ISO 37001 are focused on whether it addresses broad compliance issues, like inequality, harassment, various types of fraud (outside of bribery and corruption), or similar offences. Because it generally does not, its focus being anti-bribery and anti-corruption compliance, some take the view that ISO 37001 has adopted a simplistic approach. The scope of ISO 37001 addresses “establishing, implementing, maintaining, reviewing, and improving an anti-bribery management system,” whether as a stand-alone initiative or part of a broader anti-corruption program. Therefore, implementing the ISO 37001 standard’s requirements should be viewed as a way of enhancing, rather than replacing, an organisation’s existing anti-corruption compliance programs.
ISO 37001 is effective step-by-step guidance for organisations that lack an anti-corruption framework, and it enables them to implement a compliance program without investing significant time in identifying the regulatory and non-regulatory requirements. In fact, ISO 37001 has incorporated the Federal Sentencing Guidelines, the U.S. Department of Justice (DOJ) and Securities and Exchange Commission (SEC) Resource Guide to the U.S. Foreign Corrupt Practices Act, the U.K. Ministry of Justice Bribery Act 2010 Guidance, and the OECD’s Good Practice Guidance on Internal Controls, Ethics and Compliance. Former U.S. Deputy Attorney General Rod Rosenstein highlighted three hallmarks of a policy-effective compliance program, which are consistent with ISO 37001 requirements: fostering a culture of compliance; dedicating sufficient resources to compliance activities; and ensuring that experienced compliance personnel have appropriate access to the board.
Prosecution of offences
Lastly, there is a widely held belief that obtaining ISO 37001 certification is an effective tool to avoid prosecution for bribery. This misconception has not been viewed favourably, with Ms. Hui Chen, the U.S. DOJ’s former compliance counsel, stating: “Dan Kahn, the Chief of the FCPA Unit in the Fraud Section of DOJ’s Criminal Division, has been very consistent: prosecutors will not outsource their responsibilities”. Rightly so. ISO 37001 certification does not act as insurance against corporate liability for bribery, nor does it remove the need to perform due diligence, and it should be considered and implemented in line with the company’s risk profile. In practice, implementing ISO 37001 can demonstrate to enforcement agencies and regulators that the organisation has taken reasonable steps to establish a compliance program to mitigate bribery risks; however, ISO 37001 certification will mitigate the consequences, even if it does not shield an organisation from investigation or prosecution.
ISO 37001:2016 embraced by organisations and governments
It is important to note that organisations and governments alike are embracing ISO 37001 as the standard for prevention and detection. One example of this is in Malaysia, where the ISO 37001 standard was adopted across the government under Prime Minister Tun Dr Mahathir Mohamad. The new system has been received positively in both the public and private sectors, and Malaysia’s former anti-graft chief said “the people’s perception on the government’s seriousness to fight corruption had increased to 70.8 per cent last year from 59.8 per cent in 2016. He said that Malaysia has also shown improvement in its performance indicators in several important international studies and indexes” (New Straits Times, 2019). True to form, various heads of government in the country are following the directive. Defence Minister Mohamed Sabu recently “cautioned his officers to adhere to the Anti-Bribery Management System, which had attained the International Standards Organisation’s ISO 37001: 2016 certification” (New Straits Times, 2019).
Malaysia is not alone. In Peru, Singapore, and China (Shenzhen Institute of Standards and Technology [SIST]), the national standard bodies have adopted and localised the ISO 37001 standard. In Italy, the ISO 37001 accreditation scheme has been developed by Accredia, whereas in the UK, the United Kingdom Accreditation Service (UKAS) has undertaken an ISO 37001 pilot program to develop an accreditation scheme. In the United Arab Emirates, the Emirates International Accreditation Centre (EIAC) is undertaking the ISO 37001 accreditation scheme development with CRI Group’s ABAC Center of Excellence. ABAC® is an initiative launched by CRI Group and offers ISO 37001 certification services. Hence, amid these positive developments, the outlook for ISO 37001 looks promising. ISO 37001 is not a “silver bullet” that makes an organisation foolproof against bribery or corruption, or that avoids prosecution should those offences occur. It was never designed to be. Instead, it is a framework to implement the necessary controls and systems across all levels of the organisation, so that it is better equipped to prevent bribery and corruption moving forward.