The publication of the ISO Standard 37001 and its certifiability has caused a debate as to whether the standard offers legal protection or not in the event an act of corruption is discovered at a company. As corruption is an offense that can result in the corporation’s criminal prosecution, companies want to know what kind of legal protection comes with an ISO 37001 certification.
Companies are eager to learn if an ISO 37001 certification would offer an affirmative defense to any company accused of corruption subsequent to the certification of the company’s corruption prevention system.
The short answer is no, but…
ISO 37001 supports a defendant’s contention that he has made his best efforts to prevent corruption
A judge will not accept a company’s certification as an adequate defense for an act of corruption; he will want to understand the how and why of the crime. In that sense, the ISO 37001 certification does not provide, stricto sensu, a legal defense.
However, the certification can be used by the defendant to support his claim that the company did do its best to thwart corruption. An ISO 37001 certification enables the defense to show that the infraction was committed despite all of the company’s best intentions and efforts to prevent corruption and provides the lawyer with a convincing argument to assert that, through certification, the company demonstrated its willingness to conduct business with integrity.
It is relevant to note that a court in Bern, Switzerland, concluded in its decision of 22 November 2011, in a case involving a multinational company, that the most appropriate action was an order to dismiss the action. It did so noting that, after the acts in question, “… efforts had already been made for years to improve the organization of the compliance department. The latter fact also becomes manifest in the fact that ETHIC Intelligence Agency in 2007 issued a certificate grading the Company’s Integrity Program as good.” The trial’s outcome was the imposition of a sanction limited to the reimbursement of undue profits only.
ISO 37001 certification provides solid evidence of an affirmative defense vis-à-vis the UKBA’s “failure to prevent corruption”
For those companies subject to the UK Bribery Act (UKBA), a second, more nuanced answer is necessary.
In addition to the primary corruption offense, this 2010 law includes the second offense of “failure to prevent corruption”; the latter concerns any company “which is doing business in the UK”. Yet the UKBA also provides for an affirmative defense for companies that have implemented an anti-corruption compliance program according to the six principles of the UK Bribery Act Guidance. Accomplishing this certification thus constitutes a strong defense for the company.
Specifically, paragraph 6.4 – to which ETHIC Intelligence contributed an opinion at the time of the document’s drafting – specifies that “Some organizations may be able to apply for certified compliance with one of the independently-verified anti-bribery standards maintained by industrial sector associations or multilateral bodies”. The British authorities also noted: “However, such certification may not necessarily mean that a commercial organization’s bribery prevention procedures are ‘adequate’ for all purposes where an offence under section 7 of the Bribery Act could be charged”.
ISO 37001 certification demonstrates the company’s willingness to abide by DoJ recommendations
ISO 37001 Certification demonstrates that management has tried to ensure that the corporate anti-corruption compliance system meets international best practices. ISO 37001 Certification also demonstrates the company’s willingness to have its anti-corruption compliance system regularly evaluated as recommended by the American authorities: “Although the nature and the frequency of proactive evaluations may vary depending on the size and complexity of an organization, the idea behind such efforts is the same: continuous improvement and sustainability.” (The FCPA Resources Guide, p. 61)
ISO certifications always involve an initial audit and a yearly surveillance audit. The latter aims at verifying how areas for improvement have been dealt with by the organization. The very nature of ISO Certification is to demonstrate that a company is engaged in continuous improvement.
ISO 37001 certification provides legal assurance, but one that is intrinsically limited
As indicated above, ISO 37001 Certification provides a certain level of legal assurance, but it does not verify that implemented procedures are either effective or appropriate to the company’s specific risk. It merely confirms that the company’s anti-corruption compliance system exists and that it meets the standard’s requirements. This is important but does not constitute an affirmative defense per se.
The stakes for an ISO 37001 certified company under investigation or prosecution are not whether it has an anti-corruption compliance program, but whether this program is adapted to the company’s specific risks. Section 4 of the standard “Context of the organization” is one of the shortest, but by far the most complex and most important one for the company. This is where the ISO 37001 is really challenging for companies: section 4 expects them to identify their own legal requirements, assess their own corruption risks and decide alone what is appropriate to mitigate them. This is also why certifying ISO 37001 is challenging for certification bodies as they have to rely on highly experienced auditors as required by the ISO/IEC 17021.9:2016 which applies to ISO 37001 accredited agencies.
This challenge is the reason why ETHIC Intelligence relies exclusively on qualified auditors who not only master audit techniques, but who are also experienced anti-corruption experts. In addition, we require from them that they draft a very detailed report to allow second-tier verification by our Certification Committee.
I do not want an ISO 37001 Certification to be perceived as a window dressing exercise, resulting from a quick and cheap audit. I want to be sure that an organization will always be proud of the effort it has invested in compliance and certification… including in front of a court. It is the reason why I, as President of ETHIC Intelligence, attach the utmost importance to the fact that appropriate time and resources be devoted to document review and in-situ audit.
The ETHIC Intelligence Certification process – which includes a strict control on the absence of conflicts of interest – is intended to provide the highest level of assurance and legal defense, in the always possible case of corruption, keeping in mind that a magistrate will never take any Certification as sufficient. He will always want to examine a case without “pre-conceptions” and the rigor – or lack thereof – with which an ISO 37001 certification audit has been performed will certainly play a role in the judgement.