The International Organization for Standardization’s ISO 37001: Antibribery Management Systems – Requirements with Guidance for Use has prompted an outpouring of commentary since its publication last October. Meant to set forth “reasonable and proportionate” measures that organizations of any kind and size, located anywhere, can take to prevent, detect, and respond to bribery, it has received generally positive reviews — on this blog, the FCPA blog (examples here and here), and elsewhere (here, here, and here for examples). Commentators offer it as a best practice guide for corporations wanting to instill an ethical culture among their employees and, not incidentally, to avoid prosecution under the Foreign Corrupt Practices Act and its many offspring. But none of the commentary, or at least none I have seen (a Google search for ISO 37001 brings back several hundred thousand hits), lists, let alone discusses, what ISO 37001 actually recommends.
As a start on filling this gap, the recommendations are summarized on this spreadsheet. For perspective, ISO 37001 is compared to the latest version of the granddaddy of corporate compliance guides, the U.S. Government’s Federal Sentencing Guidelines (pp. 525-33). To make the comparison, both are benchmarked against the elements of a compliance program listed in the Anticorruption Ethics and Compliance Handbook for Business, a volume jointly issued by the OECD, the World Bank, and the UNODC in 2013.
The OECD/World Bank/UNODC handbook distills 12 elements of a compliance program from a number of internationally recognized sources including the International Chamber of Commerce, the World Bank, Transparency International, and the Asia-Pacific Economic Cooperation Forum. The 12 are shown in column one of the spreadsheet with the corresponding provisions of 37001 and the Sentencing Guidelines in columns two and three. The correspondence is not precise because of the way 37001 and the guidelines phrase some of the requirements, particularly the more general ones requiring an organization’s leadership to demonstrate “commitment” to the program and oversee its implementation.
The most obvious difference between 37001 and the guidelines is scope. As its title announces, ISO 37001 is concerned solely with what organizations can do to prevent bribery whereas the sentencing guidelines are aimed at helping organizations prevent “criminal conduct” of any kind.
Despite this difference, there are more similarities than not (no doubt due to the influence the guidelines have had on compliance issues generally). In language that only a nitpicker (or a lawyer charging by the hour) would contend reveals substantive differences, the two both require the development of a compliance program, its publication, the periodic training of employees on its provisions, backing by senior management and the organization’s board, continued review and amendment of the program in light of experience, incentives for employees to follow it (including disciplinary action up to and including termination for those who do not), and provisions for employees to blow the whistle anonymously.
In two areas 37001 appears to go a step beyond the guidelines. First, it expressly requires that a compliance program address how employees are to deal with gifts, whether offered or received. Second, it contains detailed guidelines for ensuring that an organization’s “business partners” do not expose the organization to bribery risk. By contrast, as the spreadsheet shows, the guidelines only require that a company take “reasonable steps” to communicate the provisions of its compliance and ethics program to its agents “where appropriate.” (In practice, the difference may not be that great. Given the risks corporations subject to the FCPA run if an agent is caught bribing, prudence would suggest that these companies’ compliance programs contain provisions governing agents similar to those in 37001.)
ISO 37001’s authors argue in the introduction that preventing bribery is a job for more than governments: “Organizations have a responsibility to proactively contribute,” the introduction insists. They are surely correct, and the promulgation of 37001 is an important step forward in helping organizations meet that responsibility. It should be widely, if not universally, embraced.
Do recognize that most of the “generally positive reviews” of ISO 37001, including several you linked to, are authored by people selling and marketing their ISO 37001 practices.
Moreover, I don’t think even the most ardent ISO 37001 cheerleaders are marketing it as a way to “avoid prosecution under the FCPA.” If they are, this is false and misleading.
For additional reading on ISO 37001, see the numerous posts at the below link.
Professor Mike Koehler
I too found that most of the favorable commentary on ISO 37001 is by those with a financial interest in compliance programs, consultants who would like to be hired to devise a program or to audit or certify an existing program. I am also mindful that some consultants might be tempted to lay too much stress on ISO 37001’s provisions requiring the periodic training of personnel and review of the program’s effectiveness. More training and more review spells more chances to earn a fee.
But just because those in the business of providing advice on compliance programs have an economic incentive to sell their services doesn’t mean compliance programs aren’t a good thing. And large, for-profit corporations, where I assume the real money in compliance advisory services is, aren’t exactly babes-in-the-woods when it comes to consultants peddling their wares.
Peter Osmanski’s August 29 guest post on ISO certification is particularly informative. It nicely explains the issues those thinking about having their compliance program certified need to think through. Thanks for flagging it and the other ISO 37001 commentary on your site. For interested readers, here is the link to the Osmanski post: http://fcpaprofessor.com/category/iso-37001/
Of course compliance programs are a good thing. But a business organization does not need an ISO 37001 certification to act consistently with best practices and/or to demonstrate its commitment to compliance. There are numerous other metrics in the public domain (long before ISO 37001 was released in Oct. 2016) which speak to this issue. Tellingly perhaps, the DOJ’s Feb. 2017 Evaluation of Corporate Compliance Programs cited these numerous other sources, but it does NOT cite ISO 37001.
As to the babes-in-the-woods analogy, all of the large companies reportedly interested in ISO 37001 certifications are currently under FCPA (or related) scrutiny, and their interest can perhaps be looked at as optics and elevating form over substance.
Professor Mike Koehler
With all due respect, the fact that the DoJ does not mention ISO 37001 is NOT telling. The DoJ only cites and can only cite official documents issued in the United States or by an international organisation of which the US is a member, like the Organisation for Economic Cooperation and Development (OECD).
Although ISO has acquired a certain authority in the world of standards, it is a private organisation supported by members which are private organisations as well, as is e.g. the American National Standards Institute (ANSI).
The strength of ISO 37001 derives from the fact that it builds on other (private) instruments like the British Anti-Bribery Management Systems Standard BSI 10500, the Business Principles for Countering Bribery of Transparency International and the Rules of the International Chamber of Commerce on Combating Corruption and represents the consensus of a large number of experts from a large number of countries. This makes it the only instrument with global standing.
ISO 37001 is more elaborate than the DoJ’s Evaluation of Corporate Compliance Programs, which is an evaluation tool rather than describing how an anti-bribery management system should look. Apart from the fact that the DoJ’s document applies to compliance at large while ISO 37001 focuses on corruption, I do not see any contradiction between both of them.
Thanks for the clarification. For one like myself who urges developing countries to require companies that do business with them through public contracts or resource concessions to require the firms to implement ISO 37001, its global standing is its most important characteristic. However much in practice a program designed around 37001 might resemble one designed with the DoJ guidelines or those of the UK SFO or another wealthy country in mind, that ISO 37001 reflects the consensus of a large number of individuals from many different countries, several of which are developing, is a critical element in the policy dialogue.
I realize this is an old post, but I was looking for information on this ISO standard and this post just answered all my questions. My little input for those who will search in the future: organizations don’t have to seek a certificate in order to follow the recommendations set out in the standard. This was our message to all companies looking into it when I was working in consultancy and we were working with a certifying company to promote the new standard. Certification may be needed (as people correctly note above) for establishing new business partnerships, to help ensure an equal standard for all companies of one company group, etc. But this ISO standard pretty much sums up most of the best practice in anticorruption today. Any organization can easily use it as a guideline when designing their own new compliance program, or updating an old one. If along the road they decide that a certificate is needed, they can then start the process on that as well. In other words, I would suggest looking at this from two different (although of course related) perspectives.