William Marquardt and David Holley, respectively Director and Managing Director at the Berkeley Research Group, LLC (a private management consulting firm) contribute the following guest post, which is written in their personal capacity and does not necessarily reflect the opinions, position, or policy of the Berkeley Research Group or its other employees and affiliates:
This past April, the International Organization for Standardization (ISO) released its draft standard on anti-bribery management systems (ISO 37001). The standard is tentatively scheduled to be finalized later this year. In substantive content, the draft ISO standard is similar to the FCPA Resource Guide provided by the U.S. Department of Justice and Securities and Exchange Commission, in that it provides a list of elements that an effective anti-bribery/corruption (“ABC”) program should contain. In terms of the specific elements listed, the proposed ISO standard provides a number of sound recommendations – such as a comprehensive, risk-based approach, as well as management commitment to promoting an ethical corporate culture – but with a few exceptions, the draft ISO 37001 standard is not much different from the guidance available from the DOJ/SEC and other sources in multiple jurisdictions.
That’s not to say that there is nothing whatsoever distinctive about ISO 37001. It does differ from the existing guidance in some ways, some good (such as the comprehensive focus on documentation, document retention, and document availability) and some not so good (such as the unrealistic recommendations regarding extension of management’s internal control systems to third-party vendors). The draft ISO standard also puzzlingly omits consideration of certain key issues – such as the labor law and data privacy issues that arise in connection with bribery investigations, questions regarding how to address anti-bribery concerns in connection with M&A or joint venture due diligence, and (most generally) the integration of ABC management systems into the firm’s wider financial, operational, and regulatory functions. But, again, in most respects the ISO 37001 draft standard closely resembles existing ABC guidance.
What makes the ISO 37001 standard distinctive, and the reason its finalization would be such potentially big news, is that ISO 37001 (like other ISO standards dealing with more technical matters) is intended to be subject to independent “certification” by third-party auditors. In other words, if and when the ISO 37001 standard is finalized, companies will be able to hire auditing firms to review their ABC programs and (if the auditor determines the firm meets the ISO 37001 criteria) to provide a formal certification that the company is ISO 37001-compliant. The question whether formal ISO 37001 certification of this sort will be a good thing (for firms, or for the world) has been hotly debated (for previous discussions on this blog, see here and here).