Compliance professionals argue endlessly about the merits of ISO 37001, the standard for anti-bribery management systems. I’m not sure why that is.
ISO 37001 is a tool, nothing more. If your organization is serious about building a strong compliance program, you can use ISO 37001 to great effect. If you couldn’t care less and only want a paper compliance program, it can do that, too. A company will only create as much value from ISO 37001 as it cares to make for itself. That’s how tools work.
A much more productive question for compliance officers is how to use ISO 37001 well. Here we can borrow from a parallel debate in the IT security world over SOC 2, the AICPA attestation framework that companies use to assess the data security controls of vendors they might hire.
SOC 2 reports are organized around five “trust services criteria” (originally called trust services principles): security, availability, processing integrity, confidentiality, and privacy. A business reviewing a prospective tech vendor might ask that vendor for a SOC 2 report, one issued by an independent, licensed CPA firm and structured around those five criteria.
The key point: there is no single “standard” SOC 2 audit that examines every vendor against all five criteria. Security is the one criterion every SOC 2 report must cover; the other four appear only when the vendor chooses to put them in scope. Nor is the result a seal of approval to hang in the front window: a SOC 2 report is a restricted-use document, usually shared with customers under NDA, describing the specific systems and controls the vendor chose to have examined. In practice the vendor scopes the examination, often around what its customers have asked for, and each customer then judges whether that scope covers the risks it actually has.
For example, if you are hiring a data storage vendor, you’d want a SOC 2 report heavy on security, confidentiality and privacy; processing integrity matters less when the vendor simply stores your data rather than transforming it. In contrast, the SOC 2 report for an outsourced payroll function would pay lots of attention to processing integrity (is every calculation complete, accurate and authorized?), but perhaps less to availability if you only use the service 10 hours a month.
From SOC 2 to ISO 37001
Yes, SOC 2 audits and ISO 37001 certification have clear differences. Most notably, an organization can get its own 37001 certification for all the world to see. Those certifications are much more universal than SOC 2 audits.
What I like about this comparison, however, is that SOC 2 shows how a customer company gains assurance about its third parties, rather than how a vendor certifies itself. That is how a global chief compliance officer could put ISO 37001 to best use, too.
Could your own company get itself certified as ISO 37001 compliant? Sure, and that might even be a useful exercise, but it will only be an exercise. Regulators have their own criteria for evaluating the effectiveness of a compliance program, and while those criteria overlap heavily with what ISO 37001 requires, ISO 37001 certification by itself won’t absolve a company facing a corruption probe.
On the other hand, a global compliance officer could use ISO 37001 as a tool to better understand the anti-corruption programs that third parties might claim to have.
That is, if a third party boasts that it has ISO 37001 certification, you know it is claiming that an outside certification body found its anti-bribery management system conformant to the standard, for a defined scope, at the time of the audit. That is a claim of basic structure, not a guarantee that no bribery has occurred. Those claims can be the starting point to sharpen your own specific due diligence questions.
In the SOC 2 world, you can ask those questions in advance: What should we put in this audit? Who will perform it? What are that auditor’s credentials? What makes sense to audit for the risks we have?
In the ISO 37001 world, you might need to ask those questions after the fact: What was in this audit, and what scope does the certificate actually cover (which entities, business units and countries)? Who performed it, and was that certification body accredited for ISO 37001, and by whom? When was the certificate issued, and has it been maintained through the follow-up surveillance audits the certification cycle requires? How useful is this audit for the risks we have?
Still, you can get those answers. Then you can see the gaps between that ISO 37001-certified vendor and your own expectations for anti-corruption programs, and respond accordingly. That might take the form of additional training for the vendor, or more intensive audits, or even a decision to go elsewhere — but ISO 37001 will provide context to help you make that decision more wisely.
Vendors, meanwhile, can anticipate that approach and tailor their own certification process to match it. Foremost, take the standard seriously: choose a certification body that is accredited for ISO 37001, and make sure that accreditation comes from a national accreditation body that takes the standard as seriously as you do.
Again, ISO 37001 is a tool, nothing more. Use it well, and you’ll be able to address all those anti-corruption questions third parties might ask, quickly and clearly. Use it poorly, and eventually, you’ll find that what you built doesn’t work as you wanted.
Matt Kelly is an independent compliance consultant and the founder of Radical Compliance, which offers consulting and commentary on corporate compliance, audit, governance, and risk management. Radical Compliance also hosts Matt’s personal blog, where he discusses compliance and governance issues, and the Compliance Jobs Report, covering industry moves and news. Kelly was formerly the editor of Compliance Week from 2006 to 2015. He was recognized as a "Rising Star of Corporate Governance" by the Millstein Center in 2008 and was listed among Ethisphere’s "Most Influential in Business Ethics" in 2011 (no. 91) and 2013 (no. 77). He resides in Boston, Mass.