ISO 37001:2016: a foolproof blueprint to prevent bribery?


Since its launch in October 2016, the ISO 37001:2016 standard has faced an increasingly hostile climate. Regulatory bodies and compliance communities have raised concerns about the lack of evidence that ISO 37001:2016 is effective in preventing bribery, its failure to address broad compliance concerns, and whether ISO 37001:2016 certification alone can prevent prosecution.

Although these observations may appear valid and well researched, the critics have misidentified the key factors to take into consideration when voicing these concerns.

Firstly, the intended end users of the ISO 37001:2016 standard are organizations, and its effectiveness remains subject to how the standard is implemented. The purpose of the ISO 37001:2016 standard is to provide a framework against which an organisation’s anti-bribery management can be assessed and certified, rather than a foolproof blueprint to prevent bribery. The ISO 37001:2016 standard, which references ISO 19600 – Compliance Management System, specifies mandatory requirements for organizations establishing or updating their anti-bribery management programs in a manner that is proportionate to the potential bribery risk. These requirements are qualified as “appropriate” and “reasonable”, which directs organizations to undertake a subjective, diligent and rigorous review of their current compliance framework; it is this review that will make ISO 37001:2016 effective for them. According to Deloitte & Touche LLP, “[in ISO 37001:2016] it’s the substance, not the form, of a compliance program that determines its effectiveness”.

Furthermore, there are concerns regarding the effectiveness of ISO 37001:2016 in addressing broad compliance issues, such as inequality, harassment, fraud or similar offences. The view is that ISO 37001:2016 has adopted a simplistic approach. The scope of ISO 37001:2016 addresses “establishing, implementing, maintaining, reviewing, and improving an anti-bribery management system,” whether as a stand-alone initiative or as part of a broader anti-corruption program. Implementing the ISO 37001:2016 requirements should therefore be viewed as a way of enhancing, rather than replacing, an organization’s existing anti-corruption compliance programs. It offers effective step-by-step guidance for organizations that lack an anti-corruption framework, and enables them to implement a compliance program without investing significant time in identifying the regulatory and non-regulatory requirements. Indeed, ISO 37001:2016 has incorporated the Federal Sentencing Guidelines, the U.S. Department of Justice (DOJ) and Securities and Exchange Commission (SEC) Resource Guide to the U.S. Foreign Corrupt Practices Act, the U.K. Ministry of Justice Bribery Act 2010 Guidance, and the OECD’s Good Practice Guidance on Internal Controls, Ethics and Compliance. Furthermore, in Deputy Attorney General Rosenstein’s recent discussion of FCPA policy, he highlighted three hallmarks of an effective compliance program, which are consistent with ISO 37001:2016 requirements: fostering a culture of compliance; dedicating sufficient resources to compliance activities; and ensuring that experienced compliance personnel have appropriate access to the board.

Lastly, there is a widely held belief that obtaining ISO 37001:2016 certification is an effective tool to avoid prosecution for bribery. This misconception has not been viewed favourably, with Ms Hui Chen, the US DOJ’s former compliance counsel, stating: “Dan Kahn, the Chief of the FCPA Unit in the Fraud Section of DoJ’s Criminal Division, has been very consistent: prosecutors will not outsource their responsibilities”. Rightly so. ISO 37001:2016 certification does not act as insurance against corporate liability for bribery, nor does it remove the need to perform due diligence, and it should be considered and implemented according to the company’s risk profile. In practice, implementing ISO 37001:2016 can demonstrate to enforcement agencies and regulators that the organization has taken steps to establish a compliance program to mitigate bribery risks, and ISO 37001:2016 certification will mitigate the consequences of, if not shield an organization from, investigation or prosecution.

ISO 37001:2016 is still in its infancy, and one year on, the debate about its effectiveness is heating up. However, several national and regional standards bodies have responded positively. For instance, in Peru, Singapore, Malaysia (Department of Standards and the Anti-Corruption Commission (MACC)) and China (Shenzhen Institute of Standards and Technology (SIST)), the national standards bodies have adopted and localised the ISO 37001:2016 standard, whereas in Italy the ISO 37001:2016 accreditation scheme has been developed by Accredia, and in the UK the United Kingdom Accreditation Service (UKAS) has undertaken an ISO 37001:2016 pilot program to develop an accreditation scheme. In the United Arab Emirates, the Dubai Accreditation Council is undertaking ISO 37001:2016 accreditation scheme development with CRI Certification. CRI Certification, which comes under the umbrella of the Anti-Bribery Anti-Corruption Centre of Excellence, is an initiative launched by CRI Group and offers ISO 37001:2016 training, standardization and certification services.

Hence, amid these positive developments, the outlook for ISO 37001:2016 looks promising.

Huma Khalid

Program Manager

Corporate Research and Investigations LLC
Office # 918, Liberty House, DIFC
Dubai, United Arab Emirates
T: +971 4 3589884 | T: +971 526 333341


  1. Deloitte & Touche LLP, Focus on Five
  2. htm?csnumber=6503 
  3. Worth MacMurray, New DOJ enforcement policy and ISO 37001 are aligned, FCPA Blog