For compliance experts at the time, the publication of the UK Bribery Act Guidance in 2011 was revolutionary.
For the first time a national authority considered that what determined the quality of a compliance program was its appropriateness to identified risk. The issue of proportionate procedures (Principle n°1) is central to the Guidance. Why was this viewed as a revolution? Because previously, due to the lack of clear guidelines, Compliance Officers were unsure as to where and to what extent they had to develop their anti-bribery program. They also had to be mindful of the possibility that, in an instance of bribery, a judge could consider the anti-bribery procedures inadequate, leading to an accusation that management had been lax in its corruption prevention initiatives.
The British approach set the standard for anti-corruption compliance systems and now everyone considers that an anti-corruption compliance program should be appropriate to identified risks and the organization’s activity. And national authorities expect organizations to be able to demonstrate that their program is reasonable and appropriate. It is the company’s responsibility to prove its commitment to corruption prevention. Thus, it is the responsibility of the Compliance Officer to not only design and implement an appropriate anti-corruption compliance program, but also to be able to demonstrate that the program is appropriate. And he must be able to demonstrate its appropriateness to both senior management and, potentially, the authorities.
By using the requirements of the ISO 37001, the Compliance Officer will build an Anti-Bribery Management System (ABMS) appropriate to the needs of the company. And if this is followed by an ISO 37001 certification, he will be in a position to demonstrate to both senior management and the authorities that the program is appropriate.
The strength of the ISO 37001 standard is its insistence that “the anti-bribery management systems must be reasonable and appropriate” (section 4.4). To achieve this, the standard establishes three requirements. The first and last are common to all management system standards, but the second is specific to the anti-bribery management standard.
1. The ABMS should be appropriate to the specificities of the organization
Section 4 of ISO 37001, “Context of the organization”, and sub-section 4.1 in particular, require that “The organization shall determine external and internal issues that are relevant to its purpose and that affect its ability to achieve the objectives of its anti-bribery management system.”
In other words, the company must determine the elements of its organization and business model that present an issue for the anti-bribery management system: sales activities, purchasing, relations with public administrations, use of third parties, and so on. It must also identify all relevant legal obligations with respect to corruption prevention: certain countries go beyond penalizing corruption and issue recommendations to companies which are either optional or compulsory. For example, an American company must consider Section 8 of the US Federal Sentencing Guidelines and, if it has a subsidiary in Italy and another in Mexico, it must also consider Italian Law Decree 231 (2001) in the first instance and the Mexican General Law of Administrative Responsibility (2017) in the second.
The design of any company’s anti-bribery management system begins with an analysis of the stakes and challenges faced by the organization with respect to corruption prevention so that the anti-bribery program is appropriate to its specificities.
2. The ABMS should be appropriate to the identified risk of corruption
ISO 37001 was designed in line with other management system standards, including ISO 9001 on quality and ISO 14001 on the environment, and thus has requirements that are common to all three. However, it is the only standard to include a section on risk assessment and, specifically, on bribery risk assessment.
Section 4.5 of ISO 37001 states: “The organization shall undertake regular bribery risk assessment(s), which shall (a) identify the bribery risks the organization might reasonably anticipate, given the factors listed in 4.1; (b) analyse, assess and prioritize the identified bribery risks; (c) evaluate the suitability and effectiveness of the organization’s existing controls to mitigate the assessed bribery risks.”
Section 4.5 ensures that a corruption risk assessment is the backbone of an anti-bribery management system, which is exactly what national authorities are expecting. It becomes evident later in the standard that this corruption risk assessment determines whether a corruption prevention procedure is necessary or not. Each time the risk assessment reveals a risk higher than low, the company must implement an appropriate procedure to mitigate the risk.
Section 8.2 for instance requires companies to carry out reasonable due diligence as soon as:
a) specific categories of transactions, projects or activities,
b) planned or on-going relationships with specific categories of business associates, or
c) specific categories of personnel in certain positions
present a risk which is higher than low.
By identifying each risk higher than low, the Compliance Officer knows where he must implement an appropriate system of prevention.
3. The ABMS should include an on-going evaluation and improvement mechanism
Like all ISO management system standards, ISO 37001 places importance on evaluation and controls.
This is apparent as early as Section 6, which is dedicated to planning the actions necessary for the implementation of the anti-bribery management system. The company should plan actions in terms of quantifiable objectives. When objectives are measurable, it is possible to verify whether they have been achieved. For example, a company could plan that in the first year of a third-party due diligence program all third parties representing a very high risk would be subject to due diligence checks; the second year would cover those representing a significantly high risk; and the third year would be dedicated to due diligence on third parties presenting a high risk.
The annual evaluation will verify whether objectives have been achieved. If they have not, the evaluation will identify the reasons for the lapse. If, for example, the due diligence objectives were not met in year one because the company launched new initiatives resulting in the engagement of new third parties, the compliance team can assess what new resources management will need to provide in year two in order to meet the objectives and ensure that the anti-bribery management system remains appropriate to the organization’s operations.
“Performance evaluation” in Section 9 comes just before “improvement” in Section 10. In other words, the standard is structured for continual improvement to ensure the anti-bribery management system remains appropriate to the company’s needs regardless of internal developments which could potentially affect its organization, activity or business model.
Certification: a way to ensure that an anti-bribery management system is appropriate
By engaging in the certification of its anti-bribery management system, a company ensures that the resources dedicated to anti-bribery are appropriate: appropriate to developments in the legal frameworks to which its operations are subject, appropriate to its specific operations, and appropriate to its corruption risks even as these change when the company grows and new activities are added.
The certification of an anti-bribery management system confirms whether the resources allocated to anti-corruption compliance are appropriate: neither insufficient, nor excessive. Certification ensures the optimal use of the resources the company has dedicated to corruption prevention.
In the guidance annex of the standard, an entire section is dedicated to the notion of a “reasonable and appropriate” program (Section A.3), and the introduction is very clear on this issue:
“The measures cannot be so expensive, burdensome and bureaucratic that they are unaffordable or bring the business to a halt, nor can they be so simple and ineffective that bribery can easily occur. The measures need to be appropriate to the bribery risk and should have a reasonable chance of being successful in their aim of preventing, detecting and responding to bribery.”
However, the characterization “reasonable and appropriate” creates a challenge for certification agencies. The analysis that the company makes of its operations and legal context, as well as the results of the company’s corruption risk assessment and the resources it dedicates, requires that the auditor executing the certification audit possess specific expertise in corruption prevention. That is why, as a member of the ISO 37001 drafting committee, I was part of the group advocating that the ISO 37001 standard be audited exclusively by those with proven experience in the domain of corruption prevention. This resulted in the establishment of a sub-working group which proceeded to draft the ISO 17021.9 standard for certification agencies, in which the specific skill requirements of ISO 37001 auditors are detailed.
This last issue may seem insignificant compared to the other elements of the process, but this expertise is in fact fundamental for the certification agency to be able to ensure that a company’s anti-bribery management system is appropriate to its operations and risks.
The value of an ISO 37001 certification comes from the quality and expertise of the certifying body, much more so than is the case for other ISO standards. It is the auditors’ specialty in anti-corruption compliance programs that will bring to the compliance and management teams the assurance that the anti-bribery management system is appropriate to the company’s needs. There is little doubt that should a certification file be examined by a judge, the quality of the certification agency and the expertise of its auditors will be taken into account to assess the company’s sincerity and commitment to the certification process.