
Karen E. Gray: ISO 37001 certification can help companies prepare for DOJ industry sweeps

After news broke in late August that the U.S. Department of Justice was investigating Uber’s potential violations of the Foreign Corrupt Practices Act, the National Law Review wrote, “In our experience, once DOJ begins learning about a particular industry in such an investigation, the investigation will expand to other players within the industry. It’s called an ‘industry sweep,’ and it’s a thing.”

If tech startups are now under the DOJ microscope, then the case for implementing anti-bribery compliance programs -- regardless of an organization’s size -- has been strengthened. After all, startups usually launch with a small, very localized footprint, which would seem to negate the need for an FCPA compliance program.

The challenge for startups -- and other small-to-medium sized businesses -- is balancing the cost of a compliance program with the level of risk. Uber went from small startup to global disruptor operating in 70 countries in only eight years. And while not every company experiences such a rocket-like growth trajectory, the global nature of supply chains means that companies are more vulnerable to third-party risk exposure.

The risk increases further for companies within regulated industries. As the National Law Review pointed out, “Playing abroad in a regulated industry requires constant interaction with foreign government officials. Each of those interactions creates a risk that some payment, offer, or business hospitality could be considered an FCPA violation.”

For Uber, the allegations involve payments to police to facilitate the licensing of its drivers, but bribery risk could just as easily involve gifts offered by pharma reps to doctors at state-run hospitals.

The ISO 37001 certification standard introduced last October was designed for flexibility, making it appropriate for multinational companies, small and medium-sized enterprises, public, private, and non-governmental organisations.

Moreover, ISO 37001 is written in straightforward business language -- rather than complex legal jargon that permeates guidance provided by anti-bribery enforcement agencies in the U.S. and UK -- making it far more approachable for organizations that don’t have a fleet of lawyers and compliance professionals on the payroll.

The ISO 37001 requirements establish a framework that companies can follow, even if their current risk level is low, to help ensure that as they expand into new geographies -- through direct operations or via their supply chain -- companies can mitigate bribery risk.

Those requirements include:

1. Implementing a clear, anti-bribery policy

2. Establishing management leadership, commitment, and responsibility

3. Developing personnel controls and training

4. Conducting risk assessments and due diligence on projects, business associates and other third parties

5. Executing financial, commercial, and contractual controls

6. Instituting an ongoing process for reporting, monitoring, investigating, and reviewing

7. Taking corrective action when indicated and focusing on continual process improvement

Whether companies are seeking ISO 37001 certification or not, small to mid-size companies, including young startups, can start the process without breaking the budget.

While risk remains relatively low, beginning with the first three requirements can help to generate awareness. As circumstances change -- such as expansion into a new market in a foreign country -- companies can implement the rest of the requirements.

Technology, like automated risk screening or due diligence platforms, can further strengthen companies’ anti-bribery compliance programs. The cost of such tools may even be offset by the savings realized through lower human resources demand.

In addition, improved risk awareness helps companies respond quickly when a red flag is spotted, reducing the potential financial and reputational damage caused by corruption allegations. Ultimately, not every company needs ISO 37001 certification, but Uber’s current plight certainly shows that companies need to periodically conduct risk assessments to determine whether a more proactive approach to bribery risk mitigation is needed.


Karen E. Gray is a Senior Entity Due Diligence and Monitoring specialist for LexisNexis. She serves as an expert and central point person for all due diligence and third-party monitoring solutions. She is a resource for Benchmarking, Market Intelligence, Strategic Category Management, and Vendor Selection, and focuses on efforts to improve profitability and cash flow, risk mitigation and operational efficiencies with regard to vendor selection and monitoring.

Reader Comments (1)

There are some concerns about the cost of ISO 37001 certification. For small and medium-sized businesses this may be a concern. Instead of focusing on the monetary cost of ISO 37001 certification, these companies should be asking two questions:

1. Will we get the value expected based on the money spent?
2. Will ISO 37001 enable us to meet our regulatory compliance needs?

If the answers to both questions are yes, there can be a business case made for seeking certification. However, ISO 37001 certification is not needed or required for companies to meet regulatory compliance. The FCPA, UK Bribery Act, and other national anti-bribery laws do not require this certification for compliance. An ISO 37001 certified management system will, more than anything, standardize corporate anti-bribery behavior in international business, most valuable to companies with multiple supply chain partners and agents. The flexibility of ISO 37001 allows companies to incorporate various national anti-bribery laws into their management system. This may be the best value of ISO 37001 certification.
October 4, 2017 | Unregistered CommenterJ Farrow