[Excerpted from “A New Global Standard to Address Bribery Risk: ISO 37001—Anti-Bribery Management Systems Standard,” which is published in SCCE’s The Complete Compliance and Ethics Manual – 2018]
Proactively managing bribery risk is both critical to business success and a legal necessity. Companies and other organizations face a dynamic, changing legal and operational landscape as more countries adopt and enforce anti-bribery laws. Today, offering, soliciting, or providing a bribe is illegal in virtually every country, whether in relation to a commercial or government engagement, and whether directly or indirectly through a third party.
As a result, organizations must address compliance within their own operations and among their business partners. With that goal in mind, businesses and other stakeholders from around the globe developed a certifiable anti-bribery management systems standard, ISO 37001:2016. Published by the International Organization for Standardization (ISO) in October of 2016, ISO 37001 is the first global standard on anti-bribery compliance. The standard was drafted to help organizations—public, private, and non-profit—reduce risk and costs related to bribery by providing a business framework for preventing, detecting and addressing bribery.
What is ISO?
The International Organization for Standardization is a global non-governmental organization that develops and publishes international standards. Since the organization’s founding in 1947, ISO has published more than 21,000 international standards. The organization’s members include national standards bodies from 163 countries.
ISO 37001 follows the format of other ISO management systems standards, including ISO 9001 (Quality Management), ISO/IEC 27001 (Information Security Management), and ISO 45001 (Occupational Health and Safety). In ISO parlance, a “management system” describes the set of procedures an organization should follow in order to meet its objectives. Following a standard derived from best practices for management systems can have several benefits, including more efficient use of resources, improved risk management, and consistency across an organization.
What is ISO 37001?
The standard was developed through a multi-stakeholder, consensus-based process. Drafting took place over the course of four years by a committee that included 56 country delegations and delegations from seven liaison organizations made up of experts from companies, the legal and audit communities, academia and government. The standard is informed by and builds on existing guidelines in the area of anti-bribery compliance, including, among others, the U.S. Federal Sentencing Guidelines, the U.S. Department of Justice (DOJ) and Securities and Exchange Commission (SEC) Resource Guide to the U.S. Foreign Corrupt Practices Act, the U.K. Ministry of Justice Bribery Act 2010 Guidance, and OECD’s Good Practice Guidance on Internal Controls, Ethics and Compliance.
ISO 37001 was developed as a “requirements standard.” As such, organizations—or part of an organization—can obtain certification from third parties that their anti-bribery management systems conform to the standard’s requirements. Of course, the standard can also be used simply as guidance—to benchmark, assess and improve an anti-bribery program.
What does ISO 37001 require?
The standard requires organizations to implement a series of measures that are “reasonable and proportionate” to their specific risk profile. Among the focus areas are:
- Adopting an anti-bribery policy and related procedures and financial and non-financial controls;
- Requiring top management and, if applicable, board-level leadership;
- Appointing a senior-level person or group to comprise a compliance function to oversee the implementation and operation of the management system;
- Undertaking bribery risk assessments;
- Performing due diligence on business partners and transactions;
- Requiring compliance from controlled organizations and business partners;
- Providing training and ongoing communication;
- Monitoring and auditing implementation of the management system; and
- Taking corrective action to work toward continual improvement.
The anti-bribery program can be stand-alone or sit within an organization’s larger compliance program.
The standard is risk-based; that is, an anti-bribery risk assessment serves as the foundation for the anti-bribery program’s scope and objectives, and a finding of “more than a low risk of bribery” triggers most of the standard’s requirements. Those requirements are not absolute. Policies, procedures and controls should be “reasonable and proportionate” to the bribery risks the organization faces.
The “reasonable and proportionate” language was included as a recognition that organizational risk can vary greatly depending on a number of factors, and therefore the detail of how each requirement should be implemented will vary as well. As the Annex to the standard puts it: “It is impossible to prescribe in detail what an organization should do in any particular circumstance. The ‘reasonable and proportionate’ qualification has been introduced into [the standard] so that every circumstance can be judged on its own merit.”
The standard’s application is broad. It addresses government or commercial bribery by the organization (outbound) and of the organization (inbound), whether done directly or indirectly (e.g., a bribe offered or accepted through or by a third party). It does not address fraud, cartels and other anti-competition offences, money-laundering or other activities related to corrupt practices. The standard also recognizes that bribery is defined by national legislation, but it does provide a general definition as guidance to illuminate the standard’s purpose and scope.
Leslie Benton is Vice President of Advocacy & Stakeholder Engagement at Create.org in Washington DC. She is one of the ISO 37001 Anti-Bribery Management Systems drafters as a member of the U.S. Technical Advisory Group to the ISO committee developing ISO 37001.