Since its publication in October 2016 the ISO 37001 standard on Anti-Bribery Management Systems has been the subject of many comments as well as unfounded criticisms. Below I will address the three most common.
The ISO 37001 is a universal standard drafted by a working group – Technical Committee 309 – composed of delegations from 20 countries. As a universal standard it cannot prioritize one national law over another. It does not specifically refer to the FCPA, nor does it refer to Italian law decree 231 or the UK Bribery Act for instance.
For compliance experts at the time, the publication of the UK Bribery Act Guidance in 2011 was revolutionary.
For the first time a national authority considered that what determined the quality of a compliance program was its appropriateness to identified risk. The issue of proportionate procedures (Principle n°1) is central to the Guidance. Why was this viewed as a revolution? Because previously, due to the lack of clear guidelines, Compliance Officers were unsure as to where and to what extent they had to develop their anti-bribery program. They also had to be mindful of the possibility that, in an instance of bribery, a judge could consider the anti-bribery procedures inadequate, leading to an accusation that management had been lax in its corruption prevention initiatives.
When I participated in the ISO/PC 278 working group which drafted the "Anti-Bribery Management Systems Standard", we had three objectives:
The difficulty was to design a standard which could be used by organizations of all sizes and from all sectors regardless if they were public, private or not-for-profit. This challenge is reflected in the sometimes-repetitive nature of the standard.
Several trends are leading companies to increase the frequency of their internal investigations. Soon, internal investigations will no longer be the exception, but the rule.
The Compliance Officer must be prepared for this development which has three important consequences on: i) the confidential status of any information collected, ii) the protection of staff and iii) the credibility of the CCO and his or her compliance program.
Many compliance managers have asked me if the fact that their business associates were certified ISO 37001 would relieve them of the responsibility of conducting further due diligence.
It is a relevant question which requires a detailed response.
Every act of corruption involves a conflict of interest. The receiver or corrupted individual acts in his own interest and not in that of the organization he represents.
Is it necessary to conduct due diligence on clients, and if so, how? I have been asked this question frequently over the past few months.
Conducting due diligence on third parties who work for or with the company is manifestly necessary and useful. If the third party represents a corruption risk, the risk can be mitigated with anti-corruption clauses, modifications to working conditions, anti-corruption training, more intensive monitoring or by demanding audit rights and subsequent controls.
Carrying out due diligence on third parties which is not based on a risk assessment is counterproductive for the following reasons:
A whistleblowing system is now an incontrovertible tool for compliance.
But it is not enough to have a whistleblowing system; it must be one that works... one that raises alarms on suspicion of fraud or corruption effectively.
If the whistleblowing system results in very few alerts being raised, the Compliance Officer is faced with a paradox:
Either the compliance program is particularly effective,
or – the opposite – the whistleblowing system is ineffective.
In other words, is a procedure which raises very few alerts reassuring or... alarming?
Why is mapping corruption risk important?
It is important for three reasons:
The first reason is that compliance is efficient only if it is tailored to the organization’s specific corruption risk.
If corruption risks are insufficiently evaluated, whether underestimated or overestimated, a compliance program will not be effective.
If underestimated, corruption risks will not be properly mitigated.
40 years after the publication of the FCPA and 20 years after the signature of the OECD Anti-Bribery Convention, 2017 saw several developments in the fight against corruption.
And if these developments, although relatively isolated for the time being, were to become more commonplace I could, we all could, dream of a world where corruption disappears. My dream for 2018 is that the three following wishes become reality:
The intensification of investigations and criminal prosecutions of executives from large companies as well as of politicians and high level public servants in Brazil this past year is particularly significant.
I remember the satisfaction of the signatory countries’ representatives when, 20 years ago, an agreement was reached at the OECD on Combating Bribery of Foreign Public Officials in International Business Transactions. Finally, there was a legal instrument to combat this insidious practice. Yet the text was only signed by a few states, and countries’ willingness to prosecute their companies for acts of corruption committed overseas - acts which resulted in contracts and profits at home - was, except for the United States, largely absent.
When I first started working with companies on corruption prevention 20 years ago, their primary concern was related to the issue of passive corruption: how could they ensure that no staff member would accept a bribe, for example, from a supplier or even a client, in exchange for special treatment? If an employee accepts a bribe from a supplier, it is not to benefit the company; instead, passive bribery impacts negatively on a business’ profitability and hampers its competitiveness, making it one of the organization’s main sources of concern. Which is why companies focused primarily on passive as opposed to active corruption for a time.
Although incidents of passive corruption often originate within the purchasing department, it is not an activity exclusive to this branch. Passive corruption can also occur with employees responsible for product specifications, or managers occasionally needing to use emergency or exceptional purchasing procedures.
For small to medium-sized enterprises that need to implement an anti-corruption compliance policy the ISO 37001 is a useful, easy-to-use and affordable reference.
One of the most common questions I am asked is “to which function should the anti-corruption compliance post be attached?” As previously mentioned, it cannot be connected to an operations role for reasons of conflict of interest.
Mid-sized companies’ structure differs greatly from that of their larger or multinational counterparts. Multinationals, as listed companies, are obliged to have, at the headquarters level, the resources and processes necessary to secure compliance with the regulations that apply to listed companies. These companies have been respecting other international requirements for years, so they do not see the addition of an investment in compliance as an excessive burden.
A few months after the publication of the ISO 37001 standard, ETHIC Intelligence was carrying out its first ISO 37001 certification. Later, I received feedback from the Compliance Officer of that certified company. He stated that the ISO 37001 audits had strengthened the organization’s compliance culture thus rendering the compliance program more effective.
This chapter’s title is a little provocative. The role of the Chief Compliance Officer is not to increase profit but to ensure that business is conducted in complete respect of relevant laws.
The question of what budget should be allocated to anti-corruption compliance is a difficult one for any company. For Top Management, compliance has a cost – undoubtedly necessary – whose expenditure cannot be reconciled in a tangible manner or with a physical receipt. The impossibility of defining a return on investment often results in the compliance budget being kept to a minimum. The Compliance Officer, on the other hand, is aware of the potentially dramatic effects that an allegation or act of corruption could have on the company, and views a compliance budget as a sort of insurance policy which should cover the company’s identified risks to an appropriate degree.
Philippe Montigny is the founder of ETHIC Intelligence, a leading anti-corruption certification agency that has been certifying companies since 2006. He is currently the Chairman of the Technical and Impartiality committees and has over 20 years of experience in anti-corruption compliance, beginning at the Office of the OECD Secretary-General, for which he was involved in the ministerial negotiations that led to the OECD Anti-Bribery Convention in 1997. Philippe Montigny was also a co-drafter of the compliance management system standard (ISO 19600) published in 2014 and of the anti-bribery management system standard (ISO 37001) published in 2016 and served as ISO liaison officer between the two.