What is ISO 37001?
ISO 37001 is an international standard which specifies the procedures which an organization should implement to help it prevent bribery, and identify and deal with any bribery which occurs. It requires organizations to implement these procedures on a reasonable and proportionate basis according to the type and size of the organization, and the nature and extent of bribery risks faced. It is applicable to small, medium and large organizations in the public and private sector, and can be used in any country. It cannot provide absolute assurance that no bribery will occur, but it can help establish that the organization has implemented reasonable and proportionate anti-bribery procedures.
What has changed to make ISO 37001 important?
The bribery risk environment for organizations has changed significantly over the last ten years. While the risk of bribery occurring has probably stayed constant (as bribery is still endemic in many countries), the risk of penalty, financial loss and reputational damage for an organization and its employees if they are found to have been involved in bribery has increased from near zero to high. This is primarily because of the changed prosecutions policy of most OECD countries. Spurred on mainly by the OECD Anti-Bribery Convention which requires OECD countries to take action to prevent bribery, and which has a peer review mechanism to help enforce the Convention, most OECD countries have strengthened their laws, and prosecutions have materially increased. Some countries, such as the USA, France, UK and Italy, have gone further than ensuring that bribery is prohibited by law and prosecuted – they have also passed laws that either require organizations to implement anti-bribery procedures, or stipulate that anti-bribery procedures provide a defence or mitigation in the event of a prosecution.
Therefore, it is no longer a question for a well-run organization to ask whether they should implement anti-bribery procedures, as the answer is obviously yes. The questions are now (1) what procedures should we implement, (2) how do we verify that they are effectively implemented, and (3) how do we obtain assurance that our high bribery risk business associates (e.g. joint venture partners, agents, sub-contractors, suppliers and consultants) also have implemented effective anti-bribery procedures (as their actions can impact adversely on the organization).
Is there a similarity between anti-bribery management, and quality, safety and environmental management?
Yes. The questions asked above are no different to those that organizations have been asking over the last 30 years in relation to safety, quality and environmental management. As the law was strengthened in these areas, it became increasingly critical for organizations to implement effective safety, quality and environmental management procedures, and to ensure that their business associates did likewise. The requirement was for a level playing field; i.e. to try to ensure that organizations worldwide were working to the same standards. The outcome was the publication of three major international standards which are now widely used internationally: ISO 9001 (quality), ISO 14001 (environment) and OHSAS 18001 (safety – shortly to be replaced by ISO 45001).
Controlling bribery is no less a management obligation than controlling an organization’s safety, quality and environmental responsibilities. Many of the controls you put in place in relation to, for example, safety management (leadership, training, management responsibility, resources, audit, reporting, enforcement, improvement) are similar to the controls you would put in place to prevent bribery. Therefore, it was logical to extend the stable of international standards to include an anti-bribery standard.
How was ISO 37001 developed?
In 2013, ISO established a Project Committee which was tasked with writing a new anti-bribery standard, ISO 37001. ISO is the International Organization for Standardization, which is a non-governmental international organization based in Geneva, made up of the national standards bodies from 162 member countries. The ISO 37001 Project Committee comprised experts from the following participating and observing countries and liaison organizations.
- Participating countries (37): Australia, Austria, Brazil, Cameroon, Canada, China, Colombia, Croatia, Czech Republic, Denmark, Ecuador, Egypt, France, Germany, Guatemala, India, Iraq, Israel, Kenya, Lebanon, Malaysia, Mauritius, Mexico, Morocco, Nigeria, Norway, Pakistan, Saudi Arabia, Serbia, Singapore, Spain, Sweden, Switzerland, Tunisia, UK, USA, Zambia.
- Observing countries (22): Argentina, Armenia, Bulgaria, Chile, Cyprus, Cote d’Ivoire, Finland, Hong Kong, Hungary, Italy, Japan, Korea, Lithuania, Macau, Mongolia, Netherlands, New Zealand, Poland, Portugal, Russia, Thailand, Uruguay.
- Liaison organizations (8): ASIS, European Construction Industry Federation (FIEC), Independent International Organization for Certification (IIOC), International Federation of Consulting Engineers (FIDIC), IQNet, Organization for Economic Co-operation and Development (OECD), Transparency International (TI), World Federation of Engineering Organizations (WFEO).
- Committee Secretariat and Chair: British Standards Institution (BSI).
The development process of an ISO standard is formal and democratic. The first draft of 37001 was circulated to all member countries in 2013. Each participating country created a national committee which agreed upon amendments to the draft. These agreed national amendments were then submitted to the ISO Secretariat. Each country’s comments were then debated and voted upon at the international committee meeting, and an agreed amended text was produced. This amended text was then re-submitted to all member countries, which then re-submitted it to their national committees for comment. This process continued through six drafts and six international meetings from 2013 to 2016. The final draft was then voted upon by all member countries. ISO rules require final approval of 66.6% of voting countries. 37001 achieved a 91% vote in favour, showing very significant international enthusiasm for the standard.
The international meetings were each held over three to five working days, and were attended on each occasion by approximately 80 experts from 25 countries. Each meeting had to agree between 500 and 800 suggested amendments from member countries, and each amendment had to be voted on and agreed by consensus, so dealing with this number of amendments posed a management challenge. This was achieved at the earlier meetings by forming sub-committees to agree different sections of the text, with the full committee agreeing on major points of principle. The last two meetings agreed all amendments in full committee.
Did the involvement of so many countries make the standard a weak compromise document?
No. Remarkably, bearing in mind the large number of people attending, from such a wide range of countries, languages and legal systems, the committee members showed a very high level of agreement on what core requirements the standard should contain and the wording of those requirements. In particular, committee members were determined that it should be a genuine, comprehensive and achievable standard which set a high standard of compliance internationally. The members wanted the standard to make a real difference internationally to anti-bribery compliance, and not just be a box ticking exercise, or empty words.
My organization is already certified to ISO 9001. Will ISO 37001 be similar in structure?
Yes. The standard is written using the same core structure, definitions and processes as 9001, 14001 and 45001. The Project Committee was unable to change these core requirements. Therefore, 37001 will be recognisable to an organization which has implemented any of the other standards. The difference between the standards is in the subject specific text of the standard.
So, what are the benefits of, and expectations for, ISO 37001?
The outcome of this comprehensive international process is the publication of the world’s first internationally recognised minimum requirements standard. It specifies the procedures which an organization must put in place in order to be compliant with the standard. It is in this respect that the standard has broken new ground. Previously, there were many publications which provided guidance on a good practice anti-bribery programme. However, an organization can choose which aspects of guidance it will adopt. With 37001, an organization must comply with all of the requirements in order to be compliant. As a result, this means that an organization can receive independent certification that it is compliant with 37001.
Therefore, there is now international consensus on what procedures an organization should implement in order to have a good practice anti-bribery programme. In addition, the ability to get their programme independently certified means that an organization can now verify to its owners, board and business associates that it has implemented appropriate procedures. An organization can now also seek this verification from its business associates.
The expectation is that 37001 will follow a similar trajectory to the other core management system standards such as 9001, 14001 and 45001. It will make sense for public sector and private sector procurement functions, in calling for tenders for major works, supplies or services, to require all bidders to provide proof that they are not only compliant with the appropriate quality, environmental and safety standards, but also with the anti-bribery standard. If this occurs, then organizations bidding for these major projects are likely also to require the major members of their supply chain to provide similar evidence, as they are likely to be contractually required to ensure the compliance of their supply chain.
37001 is also likely to become an important part of the due diligence process for organizations seeking business associates in higher risk jurisdictions. These business associates pose a risk to organizations working with them, as the corrupt actions of the business associate may cause loss to the organization, and may also make the organization liable for the business associate’s actions. This risk is reduced if the organization only works with a business associate which has been certified as compliant with 37001.
It is also likely to be a key factor in an organization’s defence in the event of a bribery investigation or prosecution. If an organization pretends to implement a 37001 programme as a smokescreen to conceal corrupt conduct, or if an organization materially breaches its anti-bribery procedures at senior level, then the presence of an alleged 37001 programme is unlikely to protect an organization from prosecution. However, if an organization has genuinely and in good faith implemented the programme, and, despite its best efforts, the programme is breached by a manager or business associate, then the programme is highly likely to act as a defence for the organization, or at least, a mitigatory factor. In short, it must be better to have the programme in place than not, as the programme helps both to prevent bribery and to deal with it if it does occur.
How can we rely on the adequacy of certification?
As with 9001, 14001 and 45001, a key question is the adequacy of the certification. The risk of corrupt or negligent certification exists. Therefore, an organization should seek certification from a certifying body which is of known integrity and reputation. The integrity of the certification process is further assisted by the accreditation process. National accreditation bodies audit the certifying bodies. Therefore, an organization is likely to seek, both for its own certification, and in looking for proof of the certification of its business associates, that the certification is issued by a recognised certifier which has been accredited by a recognised accreditation body. The pool of recognised certifiers and accreditation bodies which are providing certification and accreditation to 37001 is rapidly increasing.
Will there be widespread adoption of ISO 37001?
Hopefully yes. It is early days yet, but an increasing number of organizations worldwide are now adopting it. It took several years before the other main ISO management standards became mainstream. So, the future level of international take up of 37001 is not yet certain. However, due to its wide international support, and the fact that it is an independently certifiable minimum requirements standard, the publication of ISO 37001 can materially help improve anti-bribery compliance internationally, and is a major step forward in the fight against bribery.