The International Organization for Standardization (“ISO”) recently published ISO 37001, the first international anti-bribery management system standard. ISO, a Swiss-based international organization, is well known for issuing widely-used business process standards such as the ISO 9000 “family” of quality management system standards, one of the most widely used management tools in the world today. ISO received input from working groups representing over 20 countries in devising the new standard, which does not focus on the legal requirements of any single nation’s anti-corruption laws but rather allows a flexible approach to implementation that can fit the specific laws to which an organization is subject. As set forth in the standard’s introduction, ISO 37001 “reflects international good practice and can be used in all jurisdictions. It is applicable to small, medium and large organizations in all sectors, including public, private and not-for-profit sectors.” Despite its purported applicability to organizations of all types and sizes, ISO 37001 is not a one-size-fits-all compliance plan and requires organizations – consistent with accepted anti-corruption compliance practices – to perform an assessment of bribery risks and then to design and implement a compliance system that is “reasonable and appropriate” to the risks identified by the assessment.
Because ISO 37001 purports to draw upon existing anti-corruption guidance, much of what is contained in it will be familiar to those experienced in anti-bribery compliance. Among other things, ISO 37001 contains the following familiar requirements:
- Written anti-bribery compliance policy and procedures;
- Commitment and support from top management;
- Risk-based due diligence and assessment of bribery risk relating to business associates;
- An independent compliance manager;
- Anti-corruption training; and
- Reporting, monitoring, and corrective action.
So what, exactly, does ISO 37001 add to the existing guidance on anti-corruption compliance? Although the full impact of the new standard will not be measurable for some time, the new standard appears to add value in at least several ways.
- First, ISO 37001 is the first comprehensive international anti-corruption standard developed by the business community (rather than promulgated by an enforcement agency). The standard is written as a process management guideline in plain language. Companies will likely find clearer operational guidance in ISO 37001 than in the existing “legal” guidance issued by U.S. and U.K. regulators.
- Second, because it is an international standard, ISO 37001 has the potential to change behavior in the international marketplace to the benefit of U.S. companies that are subject to the Foreign Corrupt Practices Act (“FCPA”). Compliance with ISO 37001 will require foreign companies to adopt the same types of compliance protocols that are “best practices” for complying with the FCPA (or the U.K. Bribery Act, for that matter). Provided that it gains widespread acceptance, ISO 37001 may therefore help to remove the “unlevel playing field” that some believe the FCPA has created for U.S. companies.
- Finally, as with other compliance standards, companies will be able to certify their compliance with ISO 37001 through accredited third-party certification agencies. If experience with other ISO standards (such as ISO 9000) provides any guidance, companies may seek to market such certifications to customers. Compliance with ISO 37001 may in fact become a routine requirement in order to do business with sophisticated international entities.
One potentially valid criticism of the standard relates to one of its greatest strengths. Like the guidance issued by U.S. and U.K. regulators, ISO 37001 recognizes that compliance efforts should be risk-based and tailored to the likelihood that bribery will occur. It therefore provides organizations the ability to implement compliance measures deemed to be “reasonable and appropriate” to the perceived bribery risk. Although this methodology seems practical and even necessary in order to ensure that companies of all sizes can suitably tailor their compliance efforts, certification agencies that lack sufficient experience with the company (or with anti-corruption compliance) may find it difficult to determine whether the company has struck the right balance before certifying compliance with ISO 37001. As pointed out by Alexandra Wrage in a post on the FCPA blog, overly deferential certification inspectors might certify ineffective procedures, and overly aggressive ones might require an organization to exert unreasonable efforts to mitigate a minimal risk of bribery. Hopefully, such difficulties can be overcome with the right combination of knowledgeable inspectors who take the requisite amount of time to understand the corruption risk faced by the companies they are asked to certify and competent compliance professionals who design and implement cost-effective procedures.
While recognizing all of the real or perceived benefits of ISO 37001, it is also important to recognize what it is not. Compliance with the new standard does not amount to an ironclad “get out of jail free” card should bribery occur. Corruption charges will still be resolved by a close examination of the relevant evidence. However, the existence of an ISO 37001-certified compliance system would seem to qualify as “adequate procedures” under the U.K. Bribery Act and therefore amount to an affirmative defense to a corporate charge of “failing to prevent corruption.” Likewise, given the renewed emphasis that the U.S. Department of Justice (which announced the retention of a full-time compliance expert approximately a year ago) places on the existence of robust compliance systems, a certified compliance program would likely carry substantial weight with U.S. regulators as well.
Perhaps most importantly, the issuance of ISO 37001 is yet another reminder that corruption is increasingly viewed by an ever-growing audience of nations as a major concern. Companies that do not adopt anti-corruption guidelines, particularly in nations where there are existing anti-bribery laws (such as the United States), run an ever greater risk of facing substantial fines in the event that they or their business associates are involved in corruption.