Since its publication in October 2016, the ISO 37001 standard on Anti-Bribery Management Systems has been the subject of many comments as well as unfounded criticisms. Below I will address the three most common.
The ISO 37001 does not refer to the FCPA
The ISO 37001 is a universal standard drafted by a working group – Technical Committee 309 – composed of delegations from 20 countries (1). As a universal standard it cannot prioritize one national law over another. It does not specifically refer to the FCPA, nor does it refer to Italian law decree 231 or the UK Bribery Act for instance.
Section 2 of the standard, Normative references, is clear on this point. It contains one line which reads: There are no normative references in this document. There is not ONE normative reference which applies globally to all organizations whether they be private, public or not-for-profit.
However, Section 4 of the standard which addresses an organization’s context requires explicitly that each organization take into account the context in which it operates. Specifically, section 4 requires organizations to consider: applicable statutory, regulatory, contractual and professional obligations and duties. In other words, a company whose operations are subject to the FCPA is required to take into account the requirements of the American law, just as an Italian company is required to consider whether their operations are subject to the Law Decree 231. Similarly, any organization with activity in the United Kingdom must determine if the failure to prevent corruption offence of the UK Bribery Act applies and, if so, this UK law must be incorporated into the legal references of the organization’s anti-bribery management system.
It is precisely because the standard does not refer exclusively to the FCPA that organizations are obliged to consider all national anti-corruption laws and determine if they are applicable in the countries where they operate. For example, a Mexican company holding American Depository Receipts (ADRs), with a subsidiary in Spain which exports to the UK must consider the Mexican General Law of Administrative Liabilities of 2017, the FCPA of 1977, the Spanish law of 2015 and the UK Bribery Act of 2010.
Having participated in the drafting of the ISO 37001, I can attest that the lack of a specific reference to the FCPA posed no problem for the American delegation as point 4.1 mentioned above makes it clear that organizations have an implicit obligation to consider all relevant legislation to which they are subject.
The ISO 37001, therefore, explicitly requires that organizations subject to the FCPA take into account the requirements of this American law and include them in the legal references of the anti-bribery management system.
The ISO 37001 does not refer to international best practices
The most important characteristic of international best practices is their ability to evolve and adapt to developments in corruption prevention. A standard which, at the time of its publication, refers to a specific best practice will be quickly outdated.
Although the ISO 37001 does not refer to a specific best practice, section 4.2 requires organizations to identify a) the stakeholders that are relevant to the anti-bribery management system; and b) the relevant requirements of these stakeholders.
In section 3 of the standard which outlines terms and definitions, the definition of a stakeholder is given as: person or organization that can affect, be affected by, or perceive itself to be affected by a decision or activity. This means, according to 4.2, that organizations like the OECD, Transparency International or the International Federation of Consulting Engineers (FIDIC) for example, are stakeholders which must be identified by an organization when it is developing its anti-bribery management system. And, according to 4.2.b, the organization must take these stakeholders’ guidelines into account, if pertinent for their operations.
To continue the example, OECD guidelines must be taken into account by an organization based in a country signatory to the OECD Anti-Bribery Convention of 1997. Companies in the defense sector are subject to Transparency International UK’s request to publish information on their corruption prevention programs and consulting engineering firms must respect the guidelines of the FIDIC when selecting consultants.
At the national level, some authorities have issued recommendations to companies. American companies follow the recommendations issued by the DoJ and the SEC in the FCPA Resource Guide of 2012 while an English company recognizes the UK Bribery Act Guidance of 2010 and a French firm will apply recommendations made by the French Anti-Corruption Agency in 2017/2018.
The ISO 37001, therefore, requires specifically that companies identify and respect all guidelines applicable to their operations.
ISO 37001 is just a tick-the-box exercise
ISO 37001 contains a significant number of requirements which can appear, at first glance, to be somewhat of a shopping list. However, this cursory first read misses the fact that sections 5 to 10 are organized according to the traditional Plan, Do, Check, Act (PDCA) characteristic of all management system standards.
The ISO 37001 is a management system like any other and works through a series of interacting processes which help the organization to achieve its pre-defined objectives.
The shopping list structure of the ISO 37001 is characteristic of all management systems.
The systematic nature of the ISO 37001 ensures, therefore, that the management system is comprehensive to guarantee its efficacy.
The standard is not an easy read, a fact which is at the root of many criticisms.
This is not surprising, however, given the stringent editing conditions. Wonderful work was done by the Chairman of the TC 309, Neill Stansbury, and the secretary, Mike Henigan, but we must keep in mind that committee members came from very diverse cultural and legal backgrounds and environments: USA, China, Nigeria, Tunisia, France, Guatemala, etc. Thus, discussions were occasionally long and difficult. Not to mention the fact that the standard was developed so that it could apply to any type of structure: public, private or not-for-profit.
Despite the challenges, the ISO 37001 standard is a remarkable tool to build, evaluate and improve an anti-bribery management system.
As is the case with all ISO standards, the ISO 37001 will be evaluated after a few years of implementation. It is reasonable to assume that the evaluation might result in a simplified text. All ISO management system standards are designed for continual improvement as developments in the sector occur…
(1) Australia, Austria, Germany, Brazil, Canada, China, Denmark, Egypt, Ecuador, Spain, USA, France, Guatemala, Malaysia, Mexico, UK, Singapore, Switzerland, Sweden and Tunisia.