Ethics and compliance being key words of the year, the ISO 37001:16 Anti-bribery Management System - Requirements with guidance for use (ISO 37001) is increasingly becoming a strong contender in business today. ISO 37001 provides companies around the world with practical guidance on "establishing, implementing, maintaining, reviewing and improving anti-bribery management systems". It reinforces the idea that anti-bribery compliance is not a Western currency, but a global standard. It is a reminder that compliance shields companies from the long stick of the law, but, more importantly, fosters competitive business environments. While ISO 37001 standard does not retain any prosecutorial power, it stresses the instrumental need to realign compliance standards and benchmark businesses’ ethical practices. Not surprisingly, some countries have also sought to adopt the ISO 37001 standard; amongst them Singapore, which has built a reputation of high levels of transparency and competitiveness.
Many companies are becoming ISO 37001 certified as a way to demonstrate compliance and commitment to ethical business practices. Walmart and Microsoft are currently seeking certification; CPA Global and Alstom in France are examples of companies that have already achieved certification. Notably, Bosch’s UAE unit was the first company to receive certification in the Middle East. Certification can be sought through an independent certifying body, preferably accredited by the International Accreditation Forum. While not being ISO certified does not equal that your anti-bribery management system is deficient - your program might adhere to the ISO 37001 requirements nonetheless - certification increases the confidence of external stakeholders in the efficiency of your anti-bribery program and enhances your reputation as an ethical business. Companies should, however, beware of over-reliance on certification, as the article later discusses, compliance should be acheived and upheld making the goal in itself in the process of staying compliant with the standard. Accordingly, ISO 37001 certification is only valid for a three-year period and subject to a yearly review.
This article explores the reasons to seek certification, the accreditation procedure, and why it’s important to see the ISO 37001 certification as a process and not an end.
3 Reasons to Seek Certification:
The ISO 37001 is a global standard for business, outlining the elements expected of a good compliance program. Certification is voluntary and renewed every three years. During this certification period, a company must undergo an annual surveillance review. The certification, however, is not the goal; the point is to achieve an effective anti-bribery program.
While getting an ISO certification may not be an end in itself, it does come with several important benefits for your organization.
- The ISO standard provides your company with practical guidance: The standard helps you put theory into practice. As an operational document, it outlines practical guidelines on how to enhance your compliance program, such as establishing financial and non-financial controls, tailoring your compliance training to the specific risks your company faces and targeting the right employee groups with the right type of training, etc.
- Adhering to the ISO requirements provides you with a powerful defense: In the event of misconduct or a compliance breach, you can prove that you have already established robust documentation procedures, and you can document the thoroughness of your anti-bribery program. The certification indicates that you are actively involving all parts of the organization in an overall compliance effort, from top management and the governing body to the compliance department. More importantly, it shows that top management are overseeing adequate implementation of the organization’s anti-bribery system management.
- ISO certification greatly enhances your reputation as an ethical business: While the ISO doesn’t have any prosecutorial authority, achieving the certification gives your company an enviable image of trustworthiness. Adhering to the standard demonstrates your commitment to ethical business and to fighting corruption. You’re making it clear that your organization -- including any employee or third party doing business for you or with you -- does not tolerate corrupt practices.
Compliance, Certification, and Accreditation:
Any organization can choose to be compliant with the ISO 37001 by implementing adequate procedures to meet the requirements outlined in the standard. Certifying compliance with the standard, however, requires additional steps.
First, a certification body must audit your organization. One part of the audit is a high-level review of the anti-corruption management system; another part looks at the management system in much closer detail to determine compliance in various areas. Auditors can help you develop your compliance program and evaluate whether your company is ready to obtain certification.
Next, an independent certifying body must certify your company. This must be a different group than the one that audited your system; the same people cannot evaluate your program and provide certification. When selecting a certification body, always ensure they are accredited by a member of the International Accreditation Forum (IAF).
There are also some certification bodies that are not accredited or are accredited by organizations that are not members of the IAF. This does not automatically mean that their service is poor, however, it is much harder to prove credibility. According to the IAF website, “these certificates are of questionable value since they don’t carry the backing of an accreditation body.” To date, no U.S. provider has been accredited as a certification provider. In general terms, it is still early to determine how much weight ISO 37001 certifications will carry.
What Certification Does Not Do:
While there are real benefits to pursuing certification, we shouldn’t overestimate its value. Adhering to the ISO standard does not guarantee that no compliance breach will occur within your company. Nor does it shield your company from liability or investigation.
That’s why it’s important to remember that the value of achieving certification is not in the end in itself, but rather in the process. The ISO is a global standard that provides guidance for anti-bribery system management best practices; as such, the value is in putting those best practices in place and developing an effective anti-bribery program that can constantly mitigate risk and foster a culture of compliance.