By Mark Speck
Managing Partner, Specktrum Inc. and Hawkeye Financial
If nothing else, the ISO 37001 standards can act as a litmus test for an organization’s anti-bribery program.
It certainly was an exhilarating experience leading a session, together with Diana Trevley, West Coast Director of Spark Compliance, on the value of an ISO 37001 Anti-Bribery Management Systems certification and the path it takes to achieve one. The session took place two-plus weeks ago, on Tuesday, Oct 23rd, at the 17th annual Ethics and Compliance Institute hosted by the Society of Corporate Compliance and Ethics (SCCE) in Las Vegas.
In discussing the value proposition of seeking an ISO 37001 Anti-Bribery Management System certificate, Diana and I were presented with a rather startling and wholly unexpected objection from an attendee, one that underscores the need to ensure your anti-bribery program is robust.
Perhaps, if nothing else, merely employing the ISO 37001 standards as a litmus test can provide an organization with a level of assurance on the effectiveness of its compliance program. At a minimum, this exercise might identify any gaping holes in an organization’s anti-bribery compliance infrastructure.
But first, allow me to provide a quick overview of why Diana and I are proponents of the ISO 37001 certification and why we think it is worthwhile for companies to pursue.
ISO is an independent nongovernmental organization consisting of 162 national standards bodies, all of which collaborated in publishing ISO 37001, which became effective just over 2 years ago, in October 2016.
First, there is a set of specific standards that a qualifying company would need to have in place, including but not limited to: demonstrated management leadership, commitment, and responsibility; focused risk assessments; internal financial and non-financial controls; relevant training; policies and procedures covering violation reporting and monitoring; due diligence on outside business associates; and corrective action and continual improvement of the anti-bribery management system. The value here is that the guidance provided by the DOJ, the Serious Fraud Office, the OECD and other prominent NGOs is now articulated more clearly as specific standards. Organizations that pursue certification would thus be in alignment with these standards and best practices.
Second, what keeps chief compliance officers up at night usually centers on what they don’t know. How do compliance professionals know their control coverage is complete, and that the controls in place are operating effectively and as designed, especially when operations owns those controls and monitoring resources and methods are thin? An audit of this sort would give them assurance and an opportunity to fill program gaps before an issue arises.
Examples of such gaps: an RFP that fails to include anti-bribery language; invoices from high-risk suppliers that are not reconciled to their contracts; no contract review in relation to business associate invoices; sales expense reimbursements that are not properly screened and analyzed; or a change to the whistleblowing case management system that has left cases unassigned or unescalated.
Third, and final for the purposes of this article, an ISO 37001 certification can act as a competitive advantage, all other things being equal, particularly with organizations that require more than the ability to meet the utilitarian aspects of the service and/or products being sought. Some firms require Quality Management Systems (9001), IT Security (27001), or demonstrations of good corporate citizenship, which can include a robust, audited anti-bribery program. Disclaimer: we all know that holding a certification of any type does not mean risk is 100% mitigated, nor that the certification can be relied on completely. And as Diana and I discussed in our session, a program’s 37001 integrity beyond the paper depends on the organization itself and on the auditor it selects, which should be an accredited entity rather than a small firm in a high-risk country that could be rubber-stamping the certification.
Now we get to the objection that could not be pre-empted. An attendee offered up that it was unlikely these benefits would get her organization to move forward with ISO 37001 if it meant more work and more controls for the business. How was she going to convince executive management to go forward under such circumstances?
What? Did we hear this right? Now, perhaps that is this compliance officer’s inaccurate appraisal, but the admission in and of itself is a red flag. If you are saying that the business is unlikely to accept any further controls to get into alignment with the standards, due to commercial inconvenience and/or cost factors, then you are effectively saying that your program is in trouble and is in need of the type of independent assessment that firms such as Spark or Specktrum could provide as a service, whether an ISO 37001 certificate is pursued or not.
While ISO 37001 is not a perfect instrument, and is not right for every organization at every point in time, a decision not to pursue it should never be based on an unwillingness of operations, or of any other part of the business, to take on more control activities.
It’s ironic that the question contains within its formulation the answer sought: this organization’s anti-bribery program is likely not tight, and seems to lack full support either at the top or through the ranks.
This organization likely needs an anti-bribery risk-control review, and employing the ISO 37001 standards as the benchmark for that review, whether a certificate is sought or not, is a good starting point.