Last week the International Organization for Standardization (ISO) released ISO 37001 anti-bribery management systems – requirements with guidance for use. (See here for ISO’s release and here for a summary document. To obtain the actual document you have to pay for it which I regret that I did).
One’s view of ISO 37001 likely depends on one’s background, experience and motivation.
If you are familiar with the numerous sources of best practices in the anti-bribery space, then ISO 37001 is a complete yawner, indeed a disappointment as several best practices are not even captured in the purported best practices document.
If you are not familiar with the numerous sources of best practices in the anti-bribery space, and/or you are seeking to market your compliance practice, then ISO 37001 is probably a big deal.
Long before ISO 37001 was released last week, there existed numerous sources of best practices in the anti-bribery space. Best practices and benchmarking metrics can be found in the following sources among others.
- FCPA Guidance issued by the DOJ and SEC which contains a section titled “Hallmarks of Effective Compliance Programs”
- Typically Attachment C in nearly all recent DOJ FCPA resolution documents as well as certain SEC FCPA resolution documents
- The DOJ’s Principles of Prosecution of Business Organizations which contain a section titled “Corporate Compliance Programs”
- The U.S. Sentencing Guidelines which contain a section titled “Effective Compliance and Ethics Programs”
- U.K. Bribery Act Guidance issued by the U.K. Ministry of Justice
- The OECD’s Good Practice Guidance on Internal Controls, Ethics, and Compliance
Chapter 8 of the book “The FCPA In a New Era” provides a comprehensive topical aggregation of these sources, as well as additional best practices and benchmarking metrics, in an easy-to-read format.
At first blush, ISO 37001 is an impressive 54 page document. However, ISO 37001 has 11 pages of introduction, table of contents, and definitions (because you really need to know the definition of “requirement,” “competence,” and “outsource (verb)”) as well as a 3 page bibliography.
The remaining text is then roughly equally divided between requirements and an “annex” that sets forth “guidance on the use of this document.” There is substantial overlap between these two portions of ISO 37001.
Sure, ISO 37001 hits on many best practices in the anti-bribery space (such as conducting a risk assessment, the importance of adequate resources, high-level commitment, oversight, training and guidance, internal reporting and investigation), but the salient point is that ISO 37001 adds absolutely nothing compared to the pre-existing sources of best practices highlighted above.
Indeed, ISO 37001 is deficient because there are several best practices highlighted in these other sources relevant to key risk areas that are simply not mentioned in ISO 37001.
For these reasons, the business community should view ISO 37001 with a grain of salt and little more than an effort by an organization trying to sell and market a product – indeed, cross-sell a product as ISO 37001 contains the following guidance:
“The organization can choose to implement this anti-bribery management system as a separate system, or as an integrated part of an overall compliance management systems (in which case the organization can refer for guidance to ISO 19600). The organization can also choose to implement this anti-bribery management system in parallel with, or as part of, its other management systems, such as quality, environmental and information security (in which case the organization can refer to ISO 9001, ISO 14001, and ISO/IEC 27001), as well as ISO 26000 and ISO 31000.”
Moreover, while every organization is permitted to use a bit of puffery in marketing, the headline of ISO’s release “ISO Publishes Powerful New Tool To Combat Bribery” is misleading and sends the wrong message to the business community.
For starters and because of the numerous sources listed above, ISO 37001 is certainly not “new.”
Moreover, ISO 370001 is not “powerful” nor can it “combat bribery.” As ISO 37001 rightly acknowledges:
“Conformity with this document cannot provide assurance that no bribery has occurred or will occur in relation to the organization, as it is not possible to completely eliminate the risk of bribery.”
Perhaps the most troubling aspect of ISO 37001, an aspect that may lead to a boondoggle for the lucrative industry known as FCPA, Bribery Act, etc. Inc., is that ISO 37001 is a standard that is subject to certification. As stated in the ISO’s release:
“Organizations may choose to be certified to ISO 37001 by accredited third parties, to confirm that their anti-bribery management systems meets the standard’s criteria.”
Elsewhere, the ISO’s summary document states: “Third parties can certify an organization’s compliance with the standard in the same way they do for other ISO standards such as ISO 9001.” The same document states, under the heading “what benefits will [ISO 9001] bring to my business or organization” as follows: “It can also provide evidence in the event of a criminal investigation that you have taken reasonable steps to prevent bribery.”
Does any competent, knowledgeable observer think for a minute that an ISO 37001 certification is going to be viewed by the DOJ or SEC as “evidence” of anything? Particularly since many companies under FCPA scrutiny and/or companies that have resolved FCPA enforcement actions are already making good-faith efforts to incorporate best practices into their business organizations, yet occasional, isolated issues still arise?
Moreover, the DOJ/SEC issued FCPA Guidance states “compliance programs that employ a ‘check-the-box’ approach may be inefficient and, more importantly, ineffective.” ISO 37001 certification promotes “check-the-box’ compliance and gives business organizations a false sense of security.
Finally, business organizations contemplating an ISO 37001 certification need to understand, as referenced above, that ISO 37001 is deficient because there are several best practices covered in the numerous other sources of best practices that are simply not mentioned in ISO 37001.
In short, ISO 37001 is a complete yawner.