I participated in the working sessions leading to ISO 37001’s elaboration under the Presidency of Neill Stansbury, Director of GIACC (Global Infrastructure Anti-Corruption Centre), and was convinced that the publication of this standard would be a turning point for anti-corruption compliance programs. For years, the main preoccupation of compliance officers had focused on the design and implementation of the program. The fact that ISO has developed a standard on the subject confirmed the existence of recognized principles in the prevention and detection of corruption. This development also highlighted the growing concern of compliance officers who wanted to ensure that their program respected international best practices.
Who does this standard concern?
Since the start of the discussions, originating at the British Standard Institute in June 2013, it was clear that the standard would have to be relevant to different kinds of organizations: large companies, SMEs, public and private entities and NGOs.
Consequently, it became a flexible tool that assists any kind of organization in the design of policies to prevent and detect bribery, and compliance officers will find it useful as a benchmark when assessing their programs.
What are the differences between the ISO 37001 and the ISO 19600?
ISO 19600, published in December 2014, was designed to address the issue of compliance at large. ISO 37001, published in October 2016, was designed to address the issue of anti-bribery compliance specifically. My participation in the drafting of the ISO 19600 and my nomination as the ISO Liaison Officer for the two standards enabled me to confirm the two standards’ consistency with one another. If an organization has designed an anti-corruption compliance program according to the ISO 19600, it will be relatively easy to comply with the ISO 37001 requirements.
The main difference between the two standards is that the ISO 19600 is drafted as a set of guidelines, i.e. “The organization should…”. Therefore, it offers an ambitious framework for compliance, allowing companies to address all compliance issues: anti-trust, data privacy, export control, money laundering… Although this standard does not lend itself to comparisons between two ISO 19600 certified companies, it can be used by consulting firms to carry out audits on companies that wish to base their compliance on these guidelines and to benefit from recommendations on how to improve their compliance organization.
The ISO 37001 on anti-bribery compliance is drafted as a set of requirements: “The organization shall….” It is therefore certifiable by third parties. However, because they are requirements, there is no room for recommendations: either the organization meets the requirements, or it does not.
How is the ISO 37001 standard structured?
ISO 37001 has been designed for easy integration into an organization’s existing management processes and controls. The standard follows the common ISO structure for management system standards and is consistent with the structure of other management systems including ISO 9001 and 14001.
It follows the usual “Plan-Do-Act-Check” approach. Therefore, companies wanting to design and implement an anti-bribery management system can use it. In addition, it is accompanied by a section which provides guidance to assist managers with its implementation.
What are the main requirements of ISO 37001?
ISO 37001 lists some of the measures which must be implemented for an organization to prevent and detect bribery appropriately:
- Assessment of bribery risks, including due diligence
- Implementation of an anti-bribery policy and program
- Identification of a compliance function to monitor the program
- Communication of the anti-corruption policy to associated persons (joint venture partners, sub-contractors, suppliers, consultants, etc.)
- Training for personnel and associated persons
- Monitoring of benefits given by the organization (gifts, hospitality, donations…) to ensure that they do not have a corrupt intent
- Verification that employees comply with the anti-bribery policy
- Implementation of controls to prevent bribery risk
- Implementation of whistleblowing procedures
- Process to detect bribery and to deal with any actual or alleged bribery
What is the added value of ISO 37001?
I believe this standard has three advantages:
- Firstly, it embodies the global recognition of the importance of anti-corruption compliance for most, if not all, organizations and reflects the widely shared expectation that organizations need to ensure integrity in their daily decisions.
- Secondly, it demonstrates that there is a commonly agreed set of measures deemed necessary for bribery’s prevention and detection. Reaching an agreement within the working group was not always simple, but the fact that participants from five continents were able to concur in the end demonstrates that cultural differences were insignificant when important decisions were required.
- Thirdly, it represents a first step towards leveling the playing field. Bribery distorts economic decisions; it brings an unfair advantage to the briber and handicaps companies committed to doing business with integrity. The fact that the OECD Convention was the only anti-bribery convention with a monitoring mechanism ensuring its proper enforcement meant that the incrimination of transnational corruption existed, in reality, only in the 43 countries signatory to the Convention. Companies headquartered in other countries faced fewer risks of prosecution for the corruption of foreign public officials…, explaining why corruption remained prevalent worldwide. A global standard allows for the recognition of companies committed to doing business with integrity regardless of where their HQ is located and contributes to the establishment of a global community of organizations committed to ethical business practices.