The International Standards Organization’s ISO 37001: Antibribery Management Systems – Requirements with Guidance for Use has prompted an outpouring of commentary since publication last October. Meant to set forth “reasonable and proportionate” measures organizations of any kind and size located anywhere can take to prevent, detect, and respond to bribery, it has received generally positive reviews — on this blog, the FCPA blog (examples here and here), and elsewhere (here, here, and here for examples). Commentators offer it as a best practice guide for corporations wanting to instill an ethical culture among their employees and, not incidentally, avoid prosecution under the Foreign Corrupt Practices Act and its many offspring. But none of the commentary, or at least none I have seen (a Google search for ISO 37001 brings back several hundred thousand hits), lists, let alone discusses, what ISO 37001 recommends.
As a start on filling this gap, the recommendations are summarized on this spreadsheet. For perspective, ISO 37001 is compared to the latest version of the granddaddy of corporate compliance guides, the U.S. Government’s Federal Sentencing Guidelines (pp. 525-33). To make the comparison, both are benchmarked against the elements of a compliance program listed in the Anticorruption Ethics and Compliance Handbook for Business, a volume jointly issued by the OECD, the World Bank, and the UNODC in 2013.
The OECD/World Bank/UNODC handbook distills 12 elements of a compliance program from a number of internationally recognized sources including the International Chamber of Commerce, the World Bank, Transparency International, and the Asia-Pacific Economic Cooperation Forum. The 12 are shown in column one of the spreadsheet with the corresponding provisions of 37001 and the Sentencing Guidelines in columns two and three. The correspondence is not precise because of the way 37001 and the guidelines phrase some of the requirements, particularly the more general ones requiring an organization’s leadership to demonstrate “commitment” to the program and oversee its implementation.
The most obvious difference between 37001 and the guidelines is scope. As its title announces, ISO 37001 is concerned solely with what organizations can do to prevent bribery whereas the sentencing guidelines are aimed at helping organizations prevent “criminal conduct” of any kind.
Despite this difference, there are more similarities than not (no doubt due to the influence the guidelines have had on compliance issues generally). In language that only a nitpicker (or a lawyer charging by the hour) would contend reveals substantive differences, the two require the development of a compliance program, its publication, the periodic training of employees on its provisions, backing by senior management and the organization’s board, continued review and amendment of the program in light of experience, incentives for employees to follow it (including disciplinary action up to and including termination for failing to do so), and provisions for employees to blow the whistle anonymously.
In two areas 37001 appears to go a step beyond the guidelines. First, it expressly requires that a compliance program address how employees are to deal with gifts, whether offered or received. Second, it contains detailed guidelines for ensuring an organization’s “business partners” do not expose the organization to any bribery risk. By contrast, as the spreadsheet shows, the guidelines only require that a company take “reasonable steps” to communicate the provisions of its compliance and ethics program to its agents “where appropriate.” (In practice, the difference may not be that great. Given the risks corporations subject to the FCPA run if an agent is caught bribing, prudence would suggest that these companies’ compliance programs contain provisions governing agents similar to those in 37001.)
ISO 37001’s authors argue in the introduction that preventing bribery is a job for more than governments: “Organizations have a responsibility to proactively contribute,” the introduction insists. They are surely correct, and the promulgation of 37001 is an important step forward in helping organizations meet that responsibility. It should be widely if not universally embraced.