ISO 37001: The Good, The Bad and the Ugly (Part II of V)
In Part II of my continuing series, I identify in broad strokes some of the more significant positive and negative aspects of ISO 37001. While it is easy to second-guess the ISO 37001 authors, there are some interesting issues that are addressed and some missed opportunities to advance ethics and compliance systems.
On the positive side, ISO 37001 is keyed to a valuable concept of “reasonable and proportionate” responses and strategies to mitigate bribery risk. I acknowledge that “reasonable and proportionate” is not so easy to define but with time and precedent, such a concept will become a helpful benchmark for companies to use in designing and implementing an effective anti-bribery risk management system.
ISO 37001 is replete with requirements that anti-bribery management systems document their compliance programs. As everyone knows and has heard me repeat over and over, documentation is a critical aspect of every compliance program. If an action or decision is not documented, then prosecutors are unlikely to believe that the event occurred. A compliance program without documentation is by definition an ineffective compliance program.
ISO 37001 also establishes, for the first time, a focus on due diligence in the hiring of employees as a key control to mitigate bribery risks. This is a sound requirement and long overdue. So much attention has been paid to third party bribery risks that internal hiring, employee monitoring and associated risks have been ignored. Going forward, companies should look to their internal systems for screening and hiring or transferring employees to positions where they will encounter bribery risks.
On the negative side, ISO 37001 missed an important opportunity to define the relationship between anti-bribery risk management systems and financial controls. ISO 37001 includes only a general, one-line requirement that a company implement financial controls to mitigate bribery risks. That requirement is so general that it is in reality meaningless. Instead, compliance officers need a seat at the financial table when it comes to designing effective accounting controls. CCOs need visibility into the financial controls in order to cull out important data and information needed to monitor an anti-bribery system. After all, bribery requires unauthorized access to money and this is where bribery risks meet with the reality of corporate financial operations.
Too often in the corporate governance world, financial management systems operate separately from other parts of the company. Much of this reflects the historical impact of Sarbanes-Oxley, which generated a much-needed improvement of internal controls and financial reporting and enhanced the role of internal auditors. In the end, financial executives and staff created an internal monolith of financial controls and of the compliance activity surrounding those controls.
The compliance function was not included in this revamp of corporate financial reporting. As a consequence, CCOs did not have a seat at the table. With the rise of the CCO and attendant responsibilities, CCOs have to inject themselves into the financial controls given the obvious connection between unauthorized access to money for theft, bribery and other illegal schemes. It is impossible for CCOs to complete their responsibilities without entry into the financial silo.
Unfortunately, ISO 37001 ignored this trend and failed to address this critical opportunity to transform the CCO into a major player when it comes to anti-bribery risk management systems.
Nonetheless, ISO 37001 is a step forward and a valuable contribution to the ethics and compliance field. As noted in my original post, there are still many remaining questions about the ultimate impact that ISO 37001 will have on anti-corruption enforcement and on the ethics and compliance field in general.