A Closer Look at ISO 37001 – Something Old or Something New? (Part I of V)
The release of ISO 37001 has triggered an important discussion among legal and compliance professionals. In a five-part series, I plan to address the value of ISO 37001, provide a substantive analysis, and evaluate the contribution ISO 37001 has made (or will make) in the compliance field.
First, I recommend that everyone spend time studying ISO 37001. It is a mistake to write off ISO 37001 as contributing nothing “new” to compliance. A number of authors have concluded that ISO 37001 offers only minimal improvements to existing guidance. In fact, as I will point out in future posts, there are some valuable new ideas and requirements contained in ISO 37001 that should be considered when designing and implementing an ethics and compliance program.
Second, and perhaps most importantly, the new ISO 37001 raises some critical issues surrounding enforcement credit and the ISO 37001 certification process itself.
- What is the value of earning an ISO 37001 certification?
- How much, if any, credit will be given to companies investigated by the Justice Department, Securities and Exchange Commission, the Serious Fraud Office and other law enforcement agencies?
- How will the certification process actually work and how will consistency be maintained in the certification process?
The Justice Department and the SEC have provided significant guidance on anti-corruption enforcement and compliance. They have attempted to increase transparency in their enforcement policies and the standards under which they exercise prosecutorial discretion. Specifically, building on the basic elements defined in the US Sentencing Guidelines, DOJ and the SEC issued The FCPA Guidance in November 2012, the FCPA Pilot Program in April 2016, and a compliance guidance document in March 2017. Of course, DOJ and the SEC could do more to improve their efforts, but the guidance provided so far has been unprecedented in terms of scope and quality. Many prosecutors, however, are not very comfortable providing such guidance because it may act to constrain prosecutorial discretion in certain situations.
While ISO 37001 provides some helpful ideas on effective anti-bribery strategies, the fundamental difference between ISO 37001 and prior DOJ and SEC guidance is the ability to earn a certification of compliance with ISO 37001. DOJ and the SEC have not defined the amount of credit, if any, to be awarded to a company for maintaining an effective anti-corruption compliance program as defined under ISO 37001.
The relevance of ISO 37001, however, may apply only in circumstances when companies seek to remediate their existing compliance programs after a violation has occurred. DOJ and the SEC have not awarded credit to companies for implementing an effective existing compliance program before the violation occurred.
The ISO 37001 certification may create an opportunity for companies to argue for some credit to offset against an FCPA violation. A company that meets such a standard could argue that such certification reflects the company’s commitment to ethics and compliance and that it should be taken into account when weighing the overall penalty for a violation.
Unfortunately, DOJ and the SEC have not embraced the ISO 37001 standard, and are unlikely to do so. Therefore, the prospective value of obtaining such a certification is unlikely to be significant, except that companies can argue the benefits of the certification to law enforcement and prosecutors.
The ISO 37001 standard requires certification by trained evaluators. The review and assessment process has been defined and the application of such evaluation criteria will be an important aspect of the certification process. The intricacies of such evaluations will be interesting, since such an evaluation necessarily involves judgment calls as to the sufficiency and quality of specific components of an anti-corruption compliance program.
Apart from the uncertainty surrounding the legal credit for ISO 37001, the standard does provide some valuable benchmarking insights for companies seeking to design and implement an effective anti-corruption compliance program. Companies always have questions pertaining to design and implementation of a program, and ISO 37001 creates some guidance on a variety of subjects, as will be explained in further postings on the issue.
As with any important compliance guidance program, ISO 37001 is sure to contribute to the overall implementation of effective ethics and compliance programs. It is hard to predict at this point how much of an impact ISO 37001 will have on ethics and compliance programs. For now, ethics and compliance program officers should take this new resource and tool into account in carrying out their responsibilities.