FCPA Blog Daily News

Tuesday, Apr 26, 2016

Kristy Grant-Hart on ISO 37001: Yes, we need one standard to rule them all

Have you ever sat across from your joint venture partner in Indonesia, Romania or Taiwan trying to explain why the United States Federal Sentencing Guidelines make it so their employees should be provided with anti-bribery training? I have, and it isn't a fun conversation.

The long, strong arm of the FCPA, as Dick Cassin has called it, can create reactive, fear-driven compliance programs that try to protect against enforcement by the local agencies. When a compliance officer visits joint venture partners, agents or companies in the supply chain outside the U.S. or UK, getting buy-in for adherence to standard compliance program elements like anti-bribery training, whistleblower mechanisms, and audit and termination-for-cause clauses in contracts can be an uphill battle.

Enter the global ISO 37001 standard. 

ISO 37001 is expected to be finalized next month and available at the end of the year.  As Matt Kelly noted, “U.S. compliance officers can rest easy: this standard is nothing that you are not doing already.” 

Alexandra Wrage added, “Compliance professionals working in jurisdictions with a credible threat of anti-bribery enforcement -- the U.S., UK, Canada, Germany -- will find nothing new in this standard.” 

But that’s just the point -- companies outside of the U.S., UK, Canada and Germany will now have a positive, pro-active standard to adhere to, and the certification to prove it.

Worth MacMurray and Leslie Benton said the ISO standard was developed by businesses for business, and input on the standard was provided by delegates from 40 countries. Businesses are used to the certification process for other ISO standards, and many flaunt their ISO certifications as a competitive differentiator. 

My company has helped other companies prepare for their ISO 27001 certification audits (data privacy and security). I’ve seen supply chain and provider audits from multi-national companies requiring maintenance of ISO 27001 certification from their providers, as it is seen as a baseline requirement for doing business. If the global business community adopts the ISO 37001 certification as a baseline requirement, we'll be in a much better place than we are now.

But what about Alexandra Wrage's argument that an outside auditor cannot fully understand the risks the company faces, and will either rubber-stamp the program or impose his or her own judgments from a less informed position? While these are surely risks, I believe for most compliance officers, certification and re-certification of the compliance program to the ISO standard will be welcome.

The audit requires the provision of resources -- both for the audit itself and for the creation or continuation of the compliance program underlying the certification. You can’t prove you did training without having a training budget and records of attendance. Compliance frequently struggles with the removal of resources when a crisis hasn’t occurred or is far in the past. The annual ISO audit and re-certification process will ensure a basic level of resources and structure for the compliance program, which in many places throughout the world is infinitely more than they have now.

The ISO 37001 standard won't be a panacea for risk or a fool-proof protection against prosecution. But it will be a global standard of what constitutes a “good” anti-bribery compliance program. That's a welcome and exciting development for the compliance world. 

____

Kristy Grant-Hart is the author of the book How to be a Wildly Effective Compliance Officer. She is Managing Director of Spark Compliance Consulting and is an adjunct professor at Delaware Law School, Widener University, teaching Global Compliance and Ethics. Before launching Spark Compliance, Ms. Grant-Hart was the Chief Compliance Officer at United International Pictures, the joint distribution company for Paramount Pictures and Universal Pictures in 65+ countries. She can be found at www.ComplianceKristy.com and @KristyGrantHart.