A few months after the publication of the ISO 37001 standard, ETHIC Intelligence was carrying out its first ISO 37001 certification. Later, I received feedback from the Compliance Officer of that certified company. He stated that the ISO 37001 audits had strengthened the organization’s compliance culture, thus rendering the compliance program more effective.
When I asked what he meant by “more effective”, he said: “the corruption prevention policy is much more readily understood and accepted which leads to greater efficacy.” He then added, “the audit, in and of itself, provides an incredible boost to the culture.” He had been pleasantly surprised to witness staff cooperation and acceptance of the audit from areas where he had been expecting resistance.
Upon hearing this I re-read the ISO 37001 to identify exactly what it is that fosters an effective compliance program.
Implementation of ISO 37001 forces stakeholders to identify their expectations vis-à-vis the company
Section 4.2 which includes “understanding the needs and expectations of stakeholders” may appear innocuous at first glance, but I believe it is one of the most important requirements.
Of course, it begins with the necessity of determining which legal requirements are relevant to the organization. In certain countries, these requirements are in the form of obligations (Italy, Law Decree 231; France, Sapin II law…) whilst in others they are formulated as recommendations (USA, Chapter 8 of the Federal Sentencing Guidelines; UK Bribery Act Guidance…). In the latter countries, the law compels the establishment of a culture of compliance.
Section 4.2, however, also compels organizations to identify the non-obligatory expectations of the stakeholders. Stakeholders expect a company in which they have a vested interest to implement international anti-corruption best practices, even when those are not imposed by law. Through the consequent cascading effect, every company will ultimately have an anti-corruption compliance program encompassing contractors or partners who meet stakeholders’ expectations.
Section 4.2 goes even further; it calls upon companies to respect even those guidelines which are voluntary, whether they originate with professional associations, NGOs or local communities in which they operate. This means that a general commitment to the Global Compact, for example, must be supported by concrete measures.
Because the company abides by stakeholders’ expectations, a culture of compliance is naturally instilled in the organization and within the relationships it holds with third parties.
The implementation of the ISO 37001 is as much a top-down as it is a bottom-up exercise
Section 4.2 is a vital, yet insufficient, component in the implementation of an anti-bribery management system.
The strength of management system standards – and of the ISO 37001 specifically – is that they engage all levels of the company, from the highest levels down to the operational staff working in the field.
Section 5 is entitled Leadership. It requires (sub-section 5.1) that corruption prevention be integrated into the company’s strategy at the highest level: The Board of Directors and the Executive Committee. In addition, sub-section 5.3.3 also requires an appropriate delegation of power.
The ISO 37001 gains in legitimacy by demanding that a decision be taken at the highest level of the company. It is equally significant that the last section, dedicated to performance evaluation, stipulates that results of every evaluation of the system’s implementation in the field be examined by the Executive Committee and by the Board of Directors; this enables them to confirm that decisions taken on appropriate corrective measures are acted upon in a timely manner and with proper support.
The implementation of the ISO 37001 Anti-Bribery Management System standard creates a corruption prevention process in which both the executive and the operations levels of the company are equally involved. The ISO 37001’s implementation promotes a dynamic culture of corruption prevention throughout the company.
The ISO 37001 audit mobilizes every department in the company
Prior to an ISO 37001 audit, I recommend that companies undergo a Gap Analysis to prepare for the auditors’ specific demands and to identify areas where there may be gaps between the standard’s requirements and the company’s practices.
Specifically, I recommend a “Gap Analysis seminar”. The Compliance Officer invites not just those working in compliance but also those from human resources, finance, audit, communications, etc. to gather around the table for a day. Going through the standard’s requirements, step by step, allows every department to understand what is – or what should be – its contribution to the Anti-Bribery Management System… and what will be expected from it during the certification audit.
A company can only be certified if every department meets the Standard’s specific requirements. For example, human resources for employment processes and training (sections 7.2.2 and 7.3); finance for the financial controls (section 8.3); audit for non-financial controls (section 8.4); communications for documented information (section 7.5), etc.
The decision to launch an ISO 37001 audit does not simply demonstrate an interest in certification; it reaffirms the role and responsibility of each member of the company in the implementation of an anti-bribery management system.
The paradox of the ISO 37001 is that it appears, at first glance, to be a very formal exercise of box-ticking. However, since auditors verify that each requirement is met, the attribution of a certification reflects a valid recognition that a culture of anti-corruption compliance exists throughout the company and that the system itself benefits from continuous improvement.