ETHIC Intelligence was very pleased to host its second annual international conference on Standards and Guidelines: Recent developments in Anti-Corruption Compliance on September 11, 2017 at the OECD conference centre in Paris. You can now view photos and video from the conference, where experts from business, civil society and government exchanged views and debated how best to progress in the fight against corruption.
Since the publication of this standard one year ago, ETHIC Intelligence has been consulted by many companies, big and small, from a variety of sectors, has conducted numerous Gap Analysis exercises, mock audits and real audits culminating in the certification of several companies from across the globe.
On this anniversary, I would like to share the lessons that I have drawn over the past 12 months on the implementation of the ISO 37001 standard on anti-bribery management systems.
The first thing that struck me was the fact that we worked with companies of all sizes, from multinationals to mid-caps to SMEs.
The challenge of the standard’s drafters – amongst whom I count myself and my staff – was thus met. We wanted the standard to be useful to all including small companies. With the experience of the past year I can attest that it is very useful for SMEs and particularly easy for small companies to implement.
Although the standard is a challenge to read, it becomes straightforward when the requirements of Section 4 are examined in detail. Generally, this section requires that the company:
Once these three questions have been addressed, the other five sections of the standard act as a helpful guide.
2. The issue of scope is a key challenge for larger companies
Determining answers to the three questions of section 4 above is much more complex for a large group with diverse activities and even more so for conglomerates.
A large group may seek certification for the totality of its activities but:
I often suggest to large companies that they define a preliminary scope – often the one which appears to include the most risk – and on which they have made the most investment to counter the risk.
After a successful first certification, it is easier to carry out other certifications. This is where we see the large groups certify business unit after business unit or region of operations by region of operations or even subsidiary by subsidiary.
Defining the appropriate scope for an ISO 37001 certification is an important decision for a large company as its definition will have a direct impact on the success of the audit.
3. A standard for public entities…
The biggest surprise this past year came from the public sector! Public companies – in particular in the sectors of water and energy – got in touch. Even though they have public shareholders they are first and foremost companies. Even more interesting is the fact that we were contacted by a municipality, even a political party!
The second challenge facing the drafters – after the challenge of ensuring the utility of the standard to SMEs – is on the verge of being met: designing a standard that can be used by both the private and public sector and undoubtedly, before long, by NGOs.
Obviously, methods for corruption prevention vary greatly depending on whether the corruption is active (an offer of a bribe) or passive (the request for or acceptance of a bribe).
The ISO 37001 highlights that the structure of any anti-corruption program should include these six steps:
If one day a public entity which has been certified ISO 37001 purchases products or services from a private company which has been ISO 37001 certified, perhaps it could be said that the risk of corruption in the transaction has been reduced by 99%… only the human factor will remain as an element of uncertainty and unpredictability.
If the ISO 37001 develops as much in the public sector as in the private then we will see an increase in confidence between public and private actors of which the citizens, as consumers and taxpayers, will be the primary beneficiaries.
4. The intrinsic difficulty of the standard … « as appropriate »….
Because the goal of the drafting committee was to ensure that the standard be applicable in every country and for every size of company, from large to small, private to public, it was necessary to fine tune certain requirements.
This fine tuning can be found in the text in the form of expressions like « as appropriate »… or « as reasonable » of which there are over a hundred examples.
This approach – essential to obtain a universal standard which would garner confidence on any type of transaction – makes the standard particularly difficult for auditors to use when carrying out a certification audit.
Conscious of this difficulty, the drafters requested that a supplementary section be added to the ISO standard 17021 which applies to certification agencies. This section 9 requires that auditors possess a real expertise and experience in corruption prevention.
The ISO 37001 requires, for example, that ‘the risk assessment shall identify the bribery risks the organization might reasonably anticipate’ (section 4.5.1). With no experience, an auditor would not necessarily know that a sales agent represents a higher risk than a consultant who represents a higher risk than a supplier. Nor would an inexperienced auditor know that if a sub-contractor represents a low risk of corruption, the risk is high if the sub-contractor is imposed by the client.
The quality of the audit – and, as a consequence, the quality of the certification – depends intrinsically on the expertise of the auditors in corruption prevention. That is why it is essential that any organization seeking ISO 37001 certification verify that the auditors have real experience and expertise in corruption prevention. An ISO 37001 certification will only have value if the auditors who carried it out are specialists in the field.
In addition, the smallest weakness on the part of an auditor in terms of expertise in corruption prevention could be very damaging to the company – particularly if one day the certification file is examined by a court or brought to the attention of the public or a rating agency.
Even more importantly, an auditor’s lack of expertise in corruption prevention calls into question the credibility of a standard whose impact could have immensely positive effects on corruption prevention by increasing confidence and trust amongst economic, political and administrative actors.
Philippe Montigny is CEO of ETHIC Intelligence and Chairman of its Certification Committee. Philippe has over 20 years of experience in advising companies on strategies to prevent corruption and leverage business integrity.
The compliance community must navigate amidst an ever-changing landscape of laws, recommendations, emerging corruption risks, trends in investigations and the threat of prosecution. The ambition of this blog is to bring this landscape into focus while raising compliance effectiveness from both a business and legal perspective.
Anti-corruption compliance is a major asset to companies; ETHIC Intelligence Certification of compliance programs and Validation of business partner commitments leverage this asset in a concrete way to help business.