Since its release in October 2016 (see here) much has been written about ISO 37001 and one’s view of it likely depends on one’s background, experience and motivation.
If you are familiar with the numerous sources of best practices in the anti-bribery space, then ISO 37001 was (and remains) a complete yawner, indeed a disappointment as several best practices are not even captured in ISO 37001.
If you are not familiar with the numerous sources of best practices in the anti-bribery space, and/or you are seeking to market your compliance practice then ISO 37001 was (and remains) probably a big deal.
Fitting into the latter category is Philippe Montigny (President of the ETHIC Intelligence Certification Committee) who apparently was involved in the creation of ISO 37001 and who actively promotes ISO 37001 training and certification services. (Montigny was previously invited to be a guest on the FCPA Flash podcast to discuss ISO 37001 but declined).
Montigny recently published this post titled “ISO 37001: Three Unfounded Criticism.” Similar to many other ISO 37001 marketing attempts (see here, here and here for prior posts among others), Montigny’s post is not persuasive.
Montigny begins, in pertinent part:
“The ISO 37001 does not refer to the FCPA
The ISO 37001 is a universal standard drafted by a working group – Technical Committee 309 – composed of delegations from 20 countries. As a universal standard it cannot prioritize one national law over another. It does not specifically refer to the FCPA, nor does it refer to Italian law decree 231 or the UK Bribery Act for instance.
Section 2 of the standard, Normative references, is clear on this point. It contains one line which reads: There are no normative references in this document. There is not ONE normative reference which applies globally to all organizations whether they be private, public or not-for-profit.
However, Section 4 of the standard which addresses an organization’s context requires explicitly that each organization take into account the context in which it operates. Specifically, section 4 requires organizations to consider: applicable statutory, regulatory, contractual and professional obligations and duties. In other words, a company whose operations are subject to the FCPA is required to take into account the requirements of the American law, just as an Italian company is required to consider whether its operations are subject to the Law Decree 231. Similarly, any organization with activity in the United Kingdom must determine if the failure to prevent corruption offence of the UK Bribery Act applies and, if so, this UK law must be incorporated into the legal references of the organization’s anti-bribery management system.
It is precisely because the standard does not refer exclusively to the FCPA that organizations are obliged to consider all national anti-corruption laws and determine if they are applicable in the countries where they operate.”
For starters, by mentioning things like Technical Committee 309, section 2 normative references, and section 4 Montigny has already lost the conversation with those who are allergic to jargon.
“The ISO 37001 does not refer to international best practices
The most important characteristic of international best practices is their ability to evolve and adapt to developments in corruption prevention. A standard which, at the time of its publication, refers to a specific best practice will be quickly outdated.
Although the ISO 37001 does not refer to a specific best practice, section 4.2 requires organizations to identify a) the stakeholders that are relevant to the anti-bribery management system; and b) the relevant requirements of these stakeholders.
In section 3 of the standard which outlines terms and definitions, the definition of a stakeholder is given as: person or organization that can affect, be affected by, or perceive itself to be affected by a decision or activity. This means, according to 4.2, that organizations like the OECD, Transparency International or the International Federation of Consulting Engineers (FIDIC) for example, are stakeholders which must be identified by an organization when it is developing its anti-bribery management system. And, according to 4.2.b, the organization must take these stakeholders’ guidelines into account, if pertinent for their operations.
To continue the example, OECD guidelines must be taken into account by an organization based in a country signatory to the OECD Anti-Bribery Convention of 1997. Companies in the defense sector are subject to Transparency International UK’s request to publish information on their corruption prevention programs and consulting engineering firms must respect the guidelines of the FIDIC when selecting consultants.
At the national level, some authorities have issued recommendations to companies. American companies follow the recommendations issued by the DoJ and the SEC in the FCPA Resource Guide of 2012 while an English company recognizes the UK Bribery Act Guidance of 2010 and a French firm will apply recommendations made by the French Anti-Corruption Agency in 2017/2018.”
Same comment as above, but more substantively ISO 37001 was marketed as “the first international anti-bribery management system standard designed to help organizations combat bribery risk in their own operations and throughout their global value chains” (see here), but now I am being told that it “does not refer to international best practices?”
Moreover, the apparent requirement in ISO 37001 that business organizations “must take” into account what unelected and unaccountable bureaucrats or lay persons at organizations like the OECD, Transparency International, or (god forbid) the formidable International Federation of Consulting Engineers say is just plain absurd. As highlighted in this prior post, perhaps it was just a coincidence that the only companies to receive an “A” ranking in Transparency International’s defense company rankings were companies that were substantial contributors to Transparency International. Or perhaps it was not a coincidence, because buried deep in the report one learns that contributing to and/or belonging to Transparency International did indeed elevate a company’s score in Transparency International’s rankings.
“ISO 37001 is just a tick-the-box exercise
ISO 37001 contains a significant number of requirements which can appear, at first glance, to be somewhat of a shopping list. However, this cursory first read misses the fact that sections 5 to 10 are organized according to the traditional Plan, Do, Check, Act (PDCA) characteristic of all management system standards.
The ISO 37001 is a management system like any other and works through a series of interacting processes which help the organization to achieve its pre-defined objectives. The shopping list structure of the ISO 37001 is characteristic of all management systems.”
For starters, I generally take the position that when one’s argument is “A” is not what everyone thinks it is, that probably means “A” is what everyone thinks it is. It is sort of like the FCPA enforcement agencies going out of their way in certain FCPA enforcement actions (see here for instance) to allege that the problematic conduct did not qualify as facilitating payments, which probably means that it did.
Montigny’s conclusion begins with this observation.
“The standard is not an easy read, a fact which is at the root of many criticisms. This is not surprising, however, given the stringent editing conditions.”
That is actually pretty funny and I guess it would be like me as a professor really having difficulty reading a student’s paper, but the student tells me that is because of his “stringent editing conditions.”
[By the way, if you are looking for a comprehensive topical aggregation of risk management strategies from leading sources of guidance presented in a user-friendly chart that is easy for compliance professionals to digest, see the below book].
Strategies For Minimizing Risk Under The FCPA
A compliance guide with issue-spotting scenarios, skills exercises and model answers. "This book is a prime example of why corporate compliance professionals and practitioners alike continue to listen to Professor Koehler."