Just over a year ago, the new Anti-Bribery Management Systems Standard, ISO 37001, was released by the International Organization for Standardization (ISO). Since that time, the standard has generated a significant degree of international attention. ISO 37001 has been adopted by national standards organizations around the world, numerous companies and a few public agencies have expressed interest in the certification process, and some companies have achieved certification. Amidst this activity there still exists a healthy debate about what the standard “brings to the table” and how useful it is in the wider anti-corruption context. In this article, we take a deeper dive into both the standard’s acceptance and the continuing debate about its benefits.
Finding its International Footing
Since its publication in October 2016, there have been public reports of the standard’s “adoption” by several national and regional standards bodies, including in several European countries, China, Singapore, Malaysia and Peru to name a few. The term “adoption” here means a variety of different things. For some jurisdictions, adoption means creating an accreditation system for auditors who will perform third party certification, as is the case in Germany and the United States. The United Kingdom Accreditation Service (UKAS) is undergoing a pilot program to develop an accreditation scheme of its own, but the program itself has yet to be completed.
In Singapore, Malaysia and China, in addition to developing accreditation processes, their national standards bodies have localized the standard and are encouraging its use. Singapore has announced the launch of the Singapore Standard (SS) ISO 37001, and SPRING Singapore, an agency under the Ministry of Trade and Industry and responsible for supporting Singapore enterprises, will provide training, consulting, and funding for companies interested in obtaining certification.
In Malaysia, the Department of Standards and the Anti-Corruption Commission (MACC) together launched an internal version of the standard known as Malaysian Standard (MS) ISO 37001. Moreover, the MACC decided to pursue certification in the standard themselves in order to boost public confidence in the certification process.
In China, the Shenzhen Institute of Standards and Technology (SIST) has adopted a version of the standard and plans to offer similar certification and advising initiatives, and is working to gain support from other parts of the country for these projects. According to a public report, the Shenzhen government has launched a pilot and invited companies to become certified in exchange for incentives and preferences in public procurement.
Certification and Public Contracting
The issue of certification as it affects public contracting has been closely watched. As of this writing and to our knowledge, 37001 certification is not yet required for public contracting in any jurisdiction, but several have announced that they are considering it. For example, after adopting the standard and developing a certification scheme, the National Quality Institute in Peru announced it is considering ISO 37001 certification for companies participating in the public bidding process.
ISO 37001 Certification and the Private Sector
Several private organizations have also achieved certification, including Terna Group and ENI SpA, both based in Italy; Robert Bosch Middle East based in the UAE; French giant Alstom; Jersey-based IP management firm CPA Global; and EKVITA, a legal and tax consulting firm based in Azerbaijan. In addition, there are reports that 11 companies have been certified in Malaysia. In the U.S., Wal-Mart and Microsoft have publicly announced their intent to seek certification, but are awaiting the establishment of accredited certification bodies in the United States.
The standard has garnered interest in the NGO sector as well. For example, Korea Pharmaceutical and Bio-Pharma Manufacturers Association (KPBMA) announced it would support its member companies in achieving ISO 37001 certification by providing consultations.
Debate about the Standard
This is a good, albeit slow start. One reason for the slow pace of certification may be the lack of accredited certifying bodies globally. Is this because auditors lack interest in being accredited to provide 37001 certification, as some have suggested? Perhaps. A more likely reason may be that although an accreditation process is underway in many places, it is time consuming and costly. Auditors who seek accreditation are required to show competence in anti-bribery management systems, in anti-bribery concepts and ISO 37001 itself to achieve accreditation. This process of examination takes months. It should be noted that lack of accreditation does not necessarily denote that a certifying body is unqualified but it is a factor to be considered when choosing an auditor.
Another reason cited for the slow pace of adoption is that ISO 37001 is “nothing new”. This may be the most widespread criticism of the standard, particularly in the United States. It is true that ISO 37001 builds upon existing guidelines such as the U.S. Department of Justice (DOJ) and Securities and Exchange Commission (SEC) Resource Guide to the U.S. Foreign Corrupt Practices Act, the U.K. Ministry of Justice Bribery Act 2010 Guidance, and OECD’s Good Practice Guidance on Internal Controls, Ethics and Compliance. And, as Christopher Bell of Greenberg Traurig (and a member of the U.S. Technical Advisory Group to the Committee drafting the standard) writes, “to the most sophisticated FCPA practitioner, the standard’s requirements will certainly be familiar.” He goes on, however, to note that whether the standard is new “may not be the only yardstick,” noting that many companies in the U.S. and elsewhere do not have sophisticated anti-corruption compliance systems, the resources that the Fortune 500 have put into their systems, or regular access to expert assistance in setting up their programs. For many, the standard can be useful tool to design or benchmark and improve their programs, whether or not they intend to seek certification.
Many observers have made the valid point that ISO 37001 certification will not act as a bar to corporate liability for bribery. Of course, while adherence to a standard or guideline cannot shield a company from an investigation or from liability for bribery, adherence to the standard’s detailed requirements, including requirements related to documentation of process and controls, should provide some evidence that a program is well-designed and effectively implemented should a negative event occurs.
Finally, there has been some criticism that the standard allows a company to be “one and done,” that is, to implement a program and never monitor it, but this is a misreading of the standard. Section 9 of the standard (“Performance evaluation”), requires a company to “evaluate the anti-bribery performance and the effectiveness and efficiency of the ant-bribery management system” through monitoring, internal audits, board and senior management reviews. Section 10 (“Improvement”) requires a company to continually improve the system as necessary based on the reviews required in Section 9 and any other relevant factors. For more on this point and other criticisms of the standard, see Kristy Grant Hart’s article in the FCPA blog here.
Many companies have already invested significant time and resources into developing internal systems for preventing bribery. The new ISO standard was designed to support those efforts, while providing transparency and clarity on the measures and controls that companies should be putting in place. One year after its release, acceptance of ISO 37001 remains at its early stages. Going forward, the development of supporting infrastructure for the standard, including more widespread expertise in the audit/certification community and general awareness among potential users – public and private, including the not-for-profit sector, will be the key to ISO 37001 reaching its full potential.
If we have missed any certifications or other activity, or if you would like to discuss the standard, please reach out – info@CREATe.org.