ISO 37001: Why Your Anti-Corruption Policy Needs to Go Global
Lauren Connell, Managing Associate at The Volkov Law Group, joins us again for a posting on ISO 37001. Lauren can be reached at firstname.lastname@example.org.
Ten years ago the standard anticorruption policy was nearly exclusively FCPA-focused. DOJ and SEC enforcement actions were the primary, if not the only, concern for corporate executives and board members. The UK Bribery Act of 2010 forced a shift and now many anticorruption policies explicitly address both the US and the UK’s laws. But then in 2013, Brazil enacted its Clean Companies Act that became effective January 2014. On March 30, 2016, France registered a draft law called “Transparency, the Fight Against Corruption and the Modernization of Economic Life.” On July 18, 2016 Mexico enacted a new National Anti-Corruption System. At the same time we’ve seen domestic enforcement efforts step up in foreign countries, such as China that fined GlaxoSmithKline $489 million in 2014 and imposed a (suspended) prison sentence on an executive for bribing doctors …
The writing is on the wall.
Executives and board members are no longer going to be able to satisfy themselves with a US-based anticorruption policy. A company operating internationally must now address anti-corruption laws from an increasing number of jurisdictions. This adds significantly complexity.
Luckily, the profession as a whole is ramping up to meet this challenge. To help, we now have international standards for “Anti-bribery management systems.”
ISO is an international standard setting body that is recognized worldwide as a leader. ISO standards are often the benchmark used to conduct business across borders. This month, ISO published the first-ever international standards for the prevention and detection of bribery – ISO 37001. It is based on input from people around the globe and professes to meet the expectations of U.S., German, Canadian, and other enforcement authorities around the world.
ISO 37001 is a “requirements standard.” Companies will be able to obtain certifications from accredited third parties that their anti-corruption and anti-bribery management systems meet the ISO 37001 standard. When ISO issued management standards, they became the benchmark for companies worldwide. Will that also happen for ISO 37001? I think it is likely.
It is important to keep in mind that ISO 37001 is not a replacement for a compliance program; it is a tool to ensure that certain basic components are in place. It emphasizes business operations, uses a risk-based approach, and specifies certain required procedures and controls. The process of putting these compliance program components into place (or assessing whether your existing program meets the standard) will necessarily improve your compliance program – and therefore increase your chances of preventing a violation that could result in hefty fines or criminal liability.
These standards are important for the profession to take into account. As we move towards an increasingly global definition of anticorruption, companies will need policies and procedures that reflect this. The ISO standard help us define a “minimum” compliance program anywhere in the world and requires “certification” by a third-party auditor. This will not only help companies with their own programs, but also offer a new due diligence tool.
Companies should use ISO 37001 as a chance to review their compliance program and make sure it meets regulators expectations of an “effective” compliance program.