Since ISO 37001 was released in October 2016 (see here), there have been many creative attempts to market ISO 37001 services.
This recent article, with the clickbait headline “How ISO 37001 Might Protect You From Shareholder Lawsuits,” is the latest example.
However, contrary to the suggestion in the article, corporate boards do not need ISO 37001 to act consistently with their fiduciary duties. Moreover, as discussed below, the article contains incomplete and inaccurate statements of law.
In pertinent part, the article states:
“The Board has a fiduciary responsibility to its shareholders to steer their organizations clear of ABAC enforcement actions from global regulators. And while it may be impossible to prevent all ABAC violations, both shareholders and regulators expect that the Board will act in good faith to ensure the establishment of a strong compliance program. Short of this, the Board may find itself subject to derivative shareholder lawsuits and penalties, which can be levied not only against the organization but also against individual board members. The new ISO 37001 can act as a valuable guide to Boards of Directors who want to act in good faith, and protect their organizations as well as themselves.”
“In the landmark 1996 Caremark case, the courts ruled that: ‘A director’s obligation includes a duty to attempt in good faith to assure that a corporate information and reporting system, which the board concludes is adequate, exists, and that failure to do so under some circumstances may, in theory at least, render a director liable for losses.’”
“Adherence to ISO 37001 can provide evidence of attention to best practices and may offer powerful legal protection to Boards of Directors (or the responsible Board Committee) who act in good faith to prevent bribery, provided the company has also paid attention to the local anti-bribery laws that apply.”
For starters, it’s a false statement of law that the “Board has a fiduciary responsibility to its shareholders to steer their organizations clear of ABAC enforcement actions from global regulators.”
In fact, time and time again, courts have held in derivative actions that just because improper conduct allegedly occurred does not mean that internal controls were deficient or that directors and officers breached their fiduciary duties.
Do board members have a fiduciary responsibility as described below? Most certainly yes, but this fiduciary responsibility is nowhere near a responsibility to “steer their organizations clear” of anti-bribery and corruption enforcement actions (or any government enforcement action, for that matter).
The above article references the so-called Caremark standard, but its analysis is incomplete because the contours of a director’s fiduciary duty do not end with the Caremark trial court decision. As the article correctly notes, in Caremark the court held: “A director’s obligation includes a duty to attempt in good faith to assure that a corporate information and reporting system, which the board concludes is adequate, exists, and that failure to do so under some circumstances may, in theory at least, render a director liable for losses.” (emphasis added).
In Stone v. Ritter, 911 A.2d 362 (2006), the Delaware Supreme Court provided the following necessary conditions for director oversight liability under the so-called Caremark standard:
- (i) a director utterly failed to implement any reporting or information system or controls; or
- (ii) having implemented such systems or controls, a director failed to monitor or oversee the corporation’s operations.
The court held that both situations require a showing that the director knew that they were not discharging their fiduciary obligations. Courts have also widely recognized that a director’s good faith exercise of oversight responsibility will not necessarily prevent employees from violating criminal laws, from causing the corporation to incur significant financial liability, or both.
There are many ways those with fiduciary responsibilities can act consistently with their “Caremark” duties in the FCPA context, and for many years (long before ISO 37001 was introduced in October 2016) directors and officers have done just that.
Indeed, the suggestion in the article that “adherence to ISO 37001 can provide evidence of attention to best practices” misses the point that FCPA and related compliance best practices existed long before ISO 37001 was introduced, and that ISO 37001 does not even capture all best practices. For instance, in February 2017 the DOJ released a policy document titled “Evaluation of Corporate Compliance Programs,” which cites numerous sources relevant to best practices. Absent from those citations is ISO 37001.
In short, despite the suggestion to the contrary, corporate boards do not need ISO 37001 to act consistently with their fiduciary duties.