FCPA Blog Daily News

Tuesday, Sep 20, 2016

ISO 37001: Why wouldn’t you certify your anti-bribery program? 

Considering the ever-higher fines for getting it wrong, why wouldn’t you certify your anti-bribery program? 

Sure, certification is not an absolute guarantee that a bribe won’t occur at your company. Nothing is foolproof after all, but the enormous benefits of certification outweigh any concerns people may have.

In the middle of October, the new ISO 37001 Anti-Bribery Management System standard will be published and available for certification.

The ISO 37001 standard was created by delegates from all over the globe, including the world’s best and brightest anti-bribery thought-leaders, scholars and business leaders. This produced a truly international standard that matches the expectations of U.S., UK, German, Canadian and other prosecutorial authorities throughout the world. 

Knowing your program lives up to the expectations of global regulators is invaluable.

So why wouldn’t you certify your program? Some people say…

Obtaining ISO 37001 certification won’t protect my company against prosecution.

That’s true on the surface. You won’t be able to wave your ISO 37001 certificate at the DOJ as a magical get-out-of-jail-free card. However, in the process of certification, you’ll be required to have done the types of things that naturally lead to mitigation. These include:

  • Performing a proper risk assessment and implementing or validating controls to mitigate those risks
  • Ensuring that training has been provided to at-risk individuals
  • Getting your documentation in order with respect to policies and procedures
  • Creating and maintaining a proportionate due diligence process on your high-risk third-parties, and
  • Obtaining proper tone from the top and management support for the program.

While certification won’t automatically get you a declination from regulators, you are much less likely to have a corruption issue to begin with when you’ve got your compliance program established and embedded enough to obtain ISO 37001 certification.

ISO 37001 certification is a check-the-box review, so companies will only rise to the lowest common denominator required to obtain certification.

Certification requires companies to meet a relatively high standard that defies the check-the-box mentality. But let’s say for argument’s sake that this objection is true. Wouldn’t we all still be far better off than where we are now in many companies, particularly outside of the U.S. and Europe? 

When you look at the due diligence questionnaires of your intermediaries, agents and suppliers, how many of them check “yes” when asked if they have a compliance and ethics program, anti-bribery policy or anti-corruption training? Hmm, thought so.

The truth is, compliance and ethics programs are still in their infancy throughout much of the world, if they exist at all. The more that we in the compliance community can establish and enforce a minimum standard, the more easily new compliance officers can understand the requirements of a “good” compliance program, which will help to rid the world of the scourge of corruption. The ISO standard provides a truly global benchmark for companies worldwide to live up to.

If your company wants to go above and beyond the requirements of the ISO standard, by all means do! No one will stop you from doing more. But that doesn’t mean that there is no value in having a global standard with which companies can comply and to which they can certify.

But who will certify the certifiers? Is it going to be too easy or too hard to pass?

My company, Spark Compliance Consulting, is going to offer ISO 37001 certification as soon as the final version is published. 

We’ve spent months working with the draft standard and ISO 17021-1 to ensure we can truly test the company’s program against the ISO 37001 standard based on the organization's size, structure, operations, level of risk and whether the organization has taken steps that are reasonable to address the nature and extent of bribery risk.

*     *     *

Why wouldn’t you certify your anti-bribery program? At the very minimum, certification provides confirmation that you’ve done what you need to do in order to provide a strong baseline of documentation, training, messaging and procedures which will help protect your organization from unethical behaviour and prosecution.

Reduced likelihood of prosecution, with increased security and peace of mind? Those come standard with certification.

___

Kristy Grant-Hart is the author of the book “How to be a Wildly Effective Compliance Officer.” She is Managing Director of Spark Compliance Consulting and is an adjunct professor at Widener University, teaching Global Compliance and Ethics. She previously served as the Chief Compliance Officer at United International Pictures. She can be contacted here.