Many compliance managers have asked me if the fact that their business associates were certified ISO 37001 would relieve them of the responsibility of conducting further due diligence.
It is a relevant question that requires a detailed response.
Due diligence: an essential component of the ISO 37001
One feature sets the ISO 37001 anti-bribery management system apart from other ISO management systems: it requires organizations, whether companies or public administrations, to conduct a risk assessment dedicated to corruption risk. It is on the basis of this risk assessment that they must design, implement and evaluate their anti-bribery management system.
In particular, the standard requires the organization to implement procedures to mitigate any risk assessed as more than low. Which situations present a corruption risk for a company? Any instance in which the organization deals with business associates: clients, suppliers, sub-contractors, sales agents, consortium partners and so on.
Business associates present different levels of risk depending on several parameters, in particular:
- Their role: sales agents who represent a company present a higher risk than suppliers of cleaning products.
- The size of the transaction: a supplier that serves several sites in multiple countries presents a higher risk than an occasional supplier whose contracts are worth a few thousand euros or dollars.
- Their nature: a public administration presents a higher risk than a private company with an audit and internal control function.
- Finally, the country of operation plays a major role, as the prevalence of corruption varies significantly from one country to another.
Due diligence enables the organization to determine the measures needed to mitigate the risks it has identified. Depending on the results, the organization can decide to discontinue its relationship with the business associate, to apply stronger controls, or to require the business associate's commitment to doing business with integrity.
Beyond due diligence: the commitment of business associates to integrity
Demonstrating their commitment to doing business with integrity is one of the requirements (cf. section 8.5) that an ISO 37001 certified organization must impose on business associates that present more than a low risk of corruption.
But if a business associate is itself ISO 37001 certified, meaning that it has implemented an anti-bribery management system subject to an annual surveillance audit, this associate could be considered to represent a low risk.
In other words, when an organization considers a business relationship with a partner (supplier, consortium member, sub-contractor, etc.) that is ISO 37001 certified, most of the reasons for further due diligence are greatly diminished, if they do not disappear entirely.
Not only has an ISO 37001 certified business associate implemented an anti-bribery management system, it also requires from its own partners a commitment to integrity, as per section 8.2 of the ISO 37001 standard. Thus the risk of corruption with this partner is low and due diligence is unnecessary. Or almost…
ISO 37001 certification leads to a new approach to due diligence
Even if the risk of corruption from an ISO 37001 certified partner remains low, individuals within that organization (a manager or a shareholder) may still present a conflict of interest, and a conflict of interest can in turn give rise to a risk of corruption.
Imagine that a company headquartered in country A responds to a public call for tender in country B using the services of an ISO 37001 certified consulting firm headquartered in country C. Imagine that one of the shareholders of this consulting firm has a family link to one of the decision makers involved in the call for tender in country B. If the company from country A wins the tender, it could come under suspicion and be subjected to a corruption investigation because of the link between the shareholder of the consulting firm in country C and the decision maker in country B.
This link is not in and of itself an obstacle to ISO 37001 certification for the consulting firm, but it does present a corruption risk for the bidding organization, one that only thorough due diligence could uncover.
ISO 37001 certification of a third party therefore does not always remove the need for due diligence, but it facilitates targeted due diligence, particularly on individuals, ultimate beneficial owners and politically exposed persons (PEPs), because a certified third party will better understand the need for such an investigation.
This is how the wider use of ISO 37001 certification by business associates will change the way compliance managers organize their due diligence. In many cases, ISO 37001 certification of a business associate will make further due diligence unnecessary, which will have a major impact on the budgets of companies looking to work with these associates. It also seems reasonable to assume that compliance managers will from now on be able to target their due diligence more precisely on the entities and individuals that present the highest risk.
Will ISO 37001 certification of business associates be taken into consideration by enforcement authorities?
This legitimate question leads to another, more general, question that I have had occasion to address before: what legal defense does ISO 37001 certification afford?
I don't believe that ISO 37001 certification will ever provide an affirmative defense, as in cases of corruption the judge will always investigate to understand the nature of the offense. However, an ISO 37001 certification process undertaken with rigor will be an important element of any defense, demonstrating a real commitment on the part of the company to preventing and detecting the risk of corruption.
If an act of corruption is committed by a business associate that is ISO 37001 certified but on whom due diligence has not been performed, I believe that a judge would take a similar view. He or she will want to understand why due diligence was not conducted. Was the business associate's ISO 37001 certification considered sufficient to ensure that it did not represent a risk of corruption, particularly with respect to conflicts of interest that could characterize an act of corruption? And secondly, was the certification obtained in a professional manner from a qualified certification agency with specialized auditors? In other words, was it reasonable, or not, to consider that the ISO certification appropriately mitigated its corruption risk?
ISO 37001 certification versus due diligence: a new challenge for compliance officers
Compliance budgets are not unlimited, and compliance officers are constantly prioritizing and making trade-offs.
Requiring business associates to demonstrate their commitment to integrity by becoming ISO 37001 certified is one way to save on the due diligence budget.
My advice is that no organization should consider ISO 37001 certification a panacea that removes the need for due diligence. The certification should be integrated as one of the tools, like the anti-corruption clause of the International Chamber of Commerce (ICC), used to ensure the integrity of third parties.
A risk assessment of third parties is essential to determine the policy an organization should adopt towards its business partners, and the conditions under which it is appropriate to request ISO 37001 certification, perform due diligence, and/or include the ICC anti-corruption clause in the contract.
There is one condition an organization cannot avoid: it must itself be ISO 37001 certified, in order to understand what the process brings, and what it does not bring, in terms of assurance. And last but not least, certification lends legitimacy to its requests that partners be certified.