The ISO 37001 standard declares: “This document specifies the implementation by the organization of policies and procedures and controls which are reasonable and proportionate”. Two lines later it states, “this document can help the organization implement reasonable and proportionate measures designed to prevent, detect and respond to bribery”.
The recurrence (up to 200 times) of the words proportionate, appropriate, reasonable and adequate is paradoxical given the strict connotation usually associated with requirements, and yet the use of these words allows a certain amount of latitude and flexibility.
Why such flexibility? What are the advantages? And what difficulties could they pose?
Why such a flexible standard?
Having participated in the Standard’s drafting over the four years during which the Pilot Committee meetings were taking place, I can confirm that the delegates’ main preoccupation was to ensure the standard’s accessibility to all types of organizations.
The goal was to design a unique standard that would satisfy a wide range of expectations.
To do so, the Standard needed to accommodate large companies with a high risk of corruption, operations in multiple countries and complex commercial activities, which were motivated to ensure that their Anti-Bribery Management System would allow them “to avoid or mitigate the costs, risks and damages of involvement in Bribery”.
It was just as necessary for the Standard to accommodate smaller companies prepared to address the corruption risks associated with their specific size and activity and ensure they too had the opportunity to apply for the ISO 37001 certification.
From this standpoint, ISO 37001 reflects the philosophy of the UK Bribery Act and its Guidance, which has required companies to be equipped with “adequate procedures” since 2011. This similarity is undoubtedly the result of two influences: that of Neill Stansbury, who headed up the Working Group with talent, and that of the British Standards Institution which managed the secretariat.
What are the advantages of an Anti-Bribery Management System which is “reasonable and appropriate”?
The notion of “reasonable and appropriate” implies a recognition of the fact that there is no “one size fits all.” More importantly, it is an acknowledgement that an effective Anti-Bribery Management System is intimately linked to how adequately it responds to the organization’s specific risks and business model. It is the admission that a system that is disproportionate, either too heavy or too light, for an organization’s risk and type of business, is inappropriate.
- The first advantage of an appropriate ABMS is that any organization can submit its system for certification. Neither the company’s size nor its resources can prevent it from applying for certification. The system in question just needs to be “reasonable and appropriate.”
- The second advantage is that it encourages an organization to put in the preliminary work to ensure that it will be ready for certification and will have in place the necessary elements that are reasonable and appropriate to its specificities. To do so, the organization must determine its corruption risks and activities and shape its management system according to the most adequate procedures for prevention and control. Compliance is not just a set of rules demanding application. It is a system of management fully integrated into business strategy. ISO 37001 empowers management with compliance responsibility.
In that regard ISO 37001 belongs to the same family as other management standards. It requires a company to define, in the light of its context and risks (section 4), the actions to be implemented (sections 6, 7 and 8), to evaluate their efficacy (section 9) and to draw the appropriate conclusions for the continual improvement of the system (section 10).
As with the other management standards, ISO 37001 encourages companies to enter a virtuous circle of improvement of the Anti-Bribery Management System.
What difficulties arise with an Anti-Bribery Management System which is “reasonable and appropriate”?
The first difficulty arises from the semantics of the words ‘reasonable and appropriate.’ Corruption risks will be perceived differently by people from different backgrounds and locations. There will be an element of subjectivity. Underestimating corruption risks could result in an anti-bribery management system being considered inappropriate. A lack of familiarity with best practices in corruption prevention could also lead to the use of objectively inadequate tools.
Although anti-corruption compliance has only gained importance over the past few decades, there is already a substantial body of expertise available today on risk identification and evaluation, as well as on the design of appropriate tools for prevention and detection. It is up to the company to find that expertise. For smaller organizations, there is more and more literature available on the subject, whether on the internet, through conferences or via specialized training courses. For larger and, consequently, more complex organizations with riskier operations, there are many consulting firms and legal offices with solid experience that – because of their work with multiple clients on a range of issues – are in a real position to recognize emerging best practices.
The second difficulty arises from the fact that the Standard is certifiable. It is up to the auditor to determine whether what the company has considered reasonable and appropriate is in fact so. Unfortunately, it is possible for a company that has misidentified its corruption risk, and thus developed an inadequate management system, to be mistakenly certified by an auditor unfamiliar with both the Standard and the nuances of anti-corruption compliance. This is one of the Standard’s weaknesses. An auditor lacking the expertise necessary to effectively evaluate either the risk of corruption or the appropriateness of the system’s procedures could grant a certification in instances in which a more qualified auditor would not.
To address this concern, the Pilot Committee PC 278 charged a sub-committee with completing ISO 17021 through a section 9 that applies to certification bodies and requires auditors to have expertise in corruption prevention and detection.
It will be up to the companies seeking certification, and particularly to those wishing to have their third parties certified, to identify auditors with the requisite expertise in corruption prevention.
As with other management system standards, the quality of the certification will be closely linked to the expertise and rigor of the certification body. ISO 37001 was developed to address procedures targeting corruption prevention and detection, the absence of which can lead to a company’s criminal investigation and prosecution. Choose a certification body for its expertise and experience. Don’t base your decision on price and vague guarantees, as this could lull you into a false sense of security vis-à-vis your corruption prevention program and might expose you to financial penalties later.