This past April, the International Organization for Standardization (ISO) released its draft standard on anti-bribery management systems (ISO 37001). The standard is tentatively scheduled to be finalized later this year. In substantive content, the draft ISO standard is similar to the FCPA Resource Guide provided by the U.S. Department of Justice and Securities and Exchange Commission, in that it provides a list of elements that an effective anti-bribery/corruption (“ABC”) program should contain.
In terms of the specific elements listed, the proposed ISO standard provides a number of sound recommendations – such as a comprehensive, risk-based approach, as well as management commitment to promoting an ethical corporate culture – but with a few exceptions, the draft ISO 37001 standard is not much different from the guidance available from the DOJ/SEC and other sources in multiple jurisdictions.
That’s not to say that there is nothing whatsoever distinctive about ISO 37001. It does differ from the existing guidance in some ways, some good (such as the comprehensive focus on documentation, document retention, and document availability) and some not so good (such as the unrealistic recommendations regarding extension of management’s internal control systems to third-party vendors). The draft ISO standard also puzzlingly omits consideration of certain key issues – such as the labor law and data privacy issues that arise in connection with bribery investigations, questions regarding how to address anti-bribery concerns in connection with M&A or joint venture due diligence, and (most generally) the integration of ABC management systems into the firm’s wider financial, operational, and regulatory functions. But, again, in most respects the ISO 37001 draft standard closely resembles existing ABC guidance.
What makes the ISO 37001 standard distinctive, and the reason its finalization would be potentially such big news, is that ISO 37001 (like other ISO standards dealing with more technical matters) is intended to be subject to independent “certification” by third-party auditors. In other words, if and when the ISO 37001 standard is finalized, companies will be able to hire auditing firms to review their ABC programs and (if the auditor determines the firm meets the ISO 37001 criteria) to provide a formal certification that the company is ISO 37001-compliant. The question whether formal ISO 37001 certification of this sort will be a good thing (for firms, or for the world) has been hotly debated (for previous discussions on this blog, see here and here).
From management’s perspective, the most significant benefits of obtaining annual certification are, first, that the certification process can help improve the company’s ABC program, and that receiving the certification can reassure the company (and the investing public) that the company has measures in place to prevent, detect, and respond to bribery by firm employees. Second, the certification that the company has an ISO-compliant ABC program could be useful should the company find itself under investigation for bribery violations; the certification could help management demonstrate that any bribery that may have taken place was in direct violation of the company’s (effective) ABC compliance systems and thus represented a “one-off” occurrence attributable to a “bad apple” employee (or employees).
However, it is not yet clear how much weight regulators (or the market) will place on an ISO 37001 certification. Recent revelations at Unaoil (where a massive bribery scheme was uncovered, despite the fact that the firm’s anti-bribery program had been certified by a reputable organization) call into question the viability of any independent compliance program certification process. As a legal matter, no certification will offer an affirmative defense for a violation of the U.S. Foreign Corrupt Practices Act or any other international act or regulation to an organization with an ABC compliance violation.
Moreover, the current ISO 37001 lacks clarity on a key question: Will the ISO certification focus narrowly on the existence of the formal elements of an effective ABC program, or will the certification process include an evaluation of whether the program is operating effectively? In other words, will certification be limited to whether the firm’s ABC program contains the elements of an effective program, or will the third-party certification under the ISO 37001 standard verify that the components of the ABC program are being implemented properly in practice, taking into account the company’s particular situation, risk profile, and operating environment?
The latter may seem preferable, both from the perspective of reducing global corruption and from the perspective of companies’ desire to reassure investors, government regulators, and the general public. But that approach may not be realistic, mainly because the costs of an annual review process that assesses the operation (not just the existence) of an ABC program may be substantial, perhaps prohibitive. Indeed, the prices charged by most existing certification firms (the ones most likely to perform ISO 37001 certification) suggest that a thorough examination of actual operation is unlikely. But, of course, if the certification focuses only on the existence of the elements of an effective ABC program, the certification may amount to little more than a check-the-box evaluation that confirms the existence of a “paper program” – an exercise that is less costly for the company, but one that offers little value to stakeholders.
Note: This article is also posted to The Global Anticorruption Blog.
The views and opinions expressed in this article are those of the author and do not necessarily reflect the opinions, position, or policy of Berkeley Research Group, LLC or its other employees and affiliates.