ETHIC Intelligence hosts its third annual international conference
on corruption prevention Standards and Guidelines

OECD Conference Centre, Paris - Monday, September 10, 2018

ETHIC Intelligence is very pleased to host its third annual international conference on Standards and Guidelines in corruption prevention on September 10, 2018 at the OECD Conference Centre in Paris. Click below to view photos and videos from last year’s event where experts from business, civil society and government exchanged and debated issues related to the fight against corruption.

Click here for photos and videos

FOLLOW ETHIC Intelligence


ISO 37001: lessons on the one-year anniversary of its publication 

Since the publication of this standard one year ago, ETHIC Intelligence has been consulted by many companies, big and small, from a variety of sectors, has conducted numerous Gap Analysis exercises, mock audits and real audits culminating in the certification of several companies from across the globe.

On this anniversary, I would like to share the lessons that I have drawn over the past 12 months on the implementation of the ISO 37001 standard on anti-bribery management systems.

  1. A standard adopted to organizations of any size – particularly SMEs

The first thing that struck me was the fact that we worked with companies of all sizes from multi-nationals, to mid-caps to SMEs.

The challenge of the standard’s drafters – amongst whom I count myself and my staff – was thus met. We wanted the standard to be useful to all including small companies. With the experience of the past year I can attest that it is very useful for SMEs and particularly easy for small companies to implement.

Although the standard is a challenge to read it becomes straightforward when the requirements of Section 4 are examined in detail. Generally, this section requires that the company:

  1. Fully understand the expectations of its stakeholders (for example, clients or partners) in corruption prevention
  2. Recognize the legal obligations applicable to its organization (for example FCPA for companies having a link with the USA, Brazilian Decree 8420 for Brazilian companies, the Sapin II law for French companies, etc.…)
  3. Identify the corruption risks vis-à-vis its operations

Once these three questions have been addressed, the other five sections of the standard act as a helpful guide.


     2. The issue of scope is a key challenge for larger companies

Determining answers to the three questions of section 4 above is much more complex for a large group with diverse activities and even more so for conglomerates.

A large group may seek certification for the totality of its activities but:

  1. The expectations of the stakeholders could be very different depending on whether they are individual consumers, business partners or public authorities (regulatory in particular…).
  2. Applicable laws could vary as well depending on the area of operations
  3. And of course, the corruption risk may vary considerably from one subsidiary to the other.

I often suggest to large companies that they define a preliminary scope – often the one which appears to include the most risk – and on which they have made the most investment to counter the risk.  

After a successful first certification, it is easier to carry out other certifications. This is where we see the large groups certify business unit after business unit or region of operations by region of operations or even subsidiary by subsidiary.

Defining the appropriate scope for an ISO 37001 certification is an important decision for a large company as its definition will have a direct impact on the success of the audit.


The ISO 37001 requires for example that ‘the risk assessment shall identify the bribery risks the organization might reasonably anticipate (section 4.5.1) 


      3. A standard for public entities…

 The biggest surprise this past year came from the public sector! Public companies – in particular in the sectors of water and energy –  got in touch. Even though they have public shareholders they are first and foremost companies. Even more interesting is the fact that we were contacted by a municipality, even a political party!

The second challenge facing the drafters – after the challenge of ensuring the utility of the standard to PMEs – is on the verge of being met: design a standard that can be used by both the private and public sector and undoubtedly, before long, by NGOs.

Obviously, methods for corruption prevention vary greatly depending on whether the corruption is active (an offer of a bribe) or passive (the request for or acceptance of a bribe).

The ISO 37001 highlights that the structure of any anti-corruption program should include these six steps:

  • A risk assessment (section 4)
  • Support from the highest level (section 5)
  • Well-planned objectives (section 6)
  • Appropriate resources (section 7)
  • Appropriate tools (sections 8)
  • Regular evaluation (section 9)
  • Continuous improvement (section 10)


If one day a public entity which has been certified ISO 37001 purchases products or services from a private company which has been ISO 37001 certified perhaps it could be said that the risk of corruption in the transaction has been reduced by 99% .… only the human factor will remain as an element of uncertainty and unpredictability.

If the ISO 37001 develops as much in the public sector as in the private then we will see an increase in confidence between public and private actors of which the citizens, as consumers and taxpayers, will be the primary beneficiaries.



The issue of scope is a key challenge for larger companies


Click to tweet 

       4. The intrinsic difficulty of the standard … « as appropriate »….

Because the goal of the drafting committee was to ensure that the standard be applicable in every country and for every size of company, from large to small, private to public, it was necessary to fine tune certain requirements.

This fine tuning can be found in the text in the form of expressions like « as appropriate »… or « as reasonable » of which there are over a hundred examples.

This approach – essential to obtain a universal standard which would garner confidence on any type of transaction – makes the standard particularly difficult for auditors to use when carrying out a certification audit.

Conscious of this difficulty, the drafters requested that a supplementary section be added to the ISO standard 17021 which applies to certification agencies. This section 9 requires that auditors possess a real expertise and experience in corruption prevention.

The ISO 37001 requires for example that ‘the risk assessment shall identify the bribery risks the organization might reasonably anticipate (section 4.5.1). With no experience, an auditor would not necessarily know that a sales agent represents a higher risk than a consultant who represents a higher risk than a supplier. Nor would an inexperienced auditor know that if a sub-contractor represents a low risk of corruption, the risk is high if the sub-contractor is imposed by the client.

The quality of the audit – and by consequence – the quality of the certification depends intrinsically on the expertise of the auditors in corruption prevention. That is why it is essential that any organization seeking ISO 37001 certification verify that the auditors have real experience and expertise in corruption prevention. An ISO 37001 certification will only have value if the auditors who carried it out are specialists in the field.

In addition, the smallest weakness on the part of an auditor in terms of expertise in corruption prevention could be very damaging to the company – particularly If one day the certification file is examined by a court or brought to the attention of the public or a rating agency.

Even more importantly, an auditor’s lack of expertise in corruption prevention calls into question the credibility of a standard whose impact could have immensely positive effects on corruption prevention by increasing confidence and trust amongst economic, political and administrative actors.

02 OCT, 2017 Category : Blog 1 292 Views

Comments (1)

  • Yaser Samimi says:

    Thanks a lot for sharing the wealth of experience and expertise with us. The concept of active vis-a-vis passive corruption is very insightful. As a matter of fact, I wonder if ISO 17021 has changed due to 37001 drafting committee. I would be very thankful for more information.

Leave a comment

Your email address will not be published.

To maintain the quality and relevance of the discussion, all comments will be moderated. Thank you for your understanding.

Philippe Montigny President, ETHIC Intelligence Certification Committee

Philippe Montigny is CEO of ETHIC Intelligence and Chairman of its Certification Committee. Philippe has over 20 years of experience in advising companies on strategies to prevent corruption and leverage business integrity.

Follow us

about the blog

The compliance community must navigate amidst an ever-changing landscape of laws, recommendations, emerging corruption risks, trends in investigations and the threat of prosecution. The ambition of this blog is to bring this landscape into focus while raising compliance effectiveness from both a business and legal perspective.

visit our website

Anti-corruption compliance is a major asset to companies; ETHIC Intelligence Certification of compliance programs and Validation of business partner commitments leverage this asset in a concrete way to help business.

About tools

Compliance tools

Related Articles