Third Party Risk Management: Require ISO 37001 Certification from Your Third Parties
Lauren Connell, Managing Associate at The Volkov Law Group, rejoins us for a posting about ISO 37001 certification for your third parties. Lauren can be reached at firstname.lastname@example.org.
A lot of the focus on ISO 37001 so far has been on its value for companies considering certification as evidence of the quality of their own compliance program. With the SEC and DOJ both providing ample guidance to companies in what elements they expect to see as part of an “effective” compliance program, some people have debated the value of ISO 37001 certification. Many raise valid points and the DOJ is not going to outsource their evaluation of compliance programs. While ISO 37001 compliance indicates you likely have the right components of an effective program in place, it by no means assures that your program actually is “effective.”
These debates are missing an important point. Where ISO 37001 holds great promise is in managing third party risk. After a recent conversation with Ian Beers of MSS Global, I am optimistic that ISO 37001 will offer companies a way to reduce their third party corruption risk and may simplify the due diligence process
The FCPA prohibits payments by “any person, while knowing that all or a portion of such money or thing of value will be offered, given, or promised, directly or indirectly” to a government official as a bribe. The key word here is “knowing,” which is defined as:
- is aware that [he] is engaging in such conduct, that such circumstance exists, or that such result is substantially certain to occur; or
- has a firm belief that such circumstance exists or that such result is substantially certain to occur.
So how do you prove that your company’s employees did not know, or even strongly suspect, that a third party is going to use some of their fees to bribe a government official to get their job done? That is where third party due diligence comes in.
Companies conduct third party due diligence to verify that a third party is going to uphold their expectation for legal and ethical conduct. We often help companies conduct third party due diligence – this includes both doing background research on the company and its principals and asking them for information on how they conduct business.
- Do they have a code of conduct?
- Do they have an anti-corruption policy?
- Have they communicated the policy to everyone in their organization?
- Have they provided anti-corruption training to their employees?
- Do they conduct due diligence on their own third parties?
- Is the third party committed to a culture of compliance at its highest levels?
The list of questions to ask could go on and on. Ultimately, a company has to draw the line somewhere. That is where ISO 37001 may come in.
Becoming ISO 37001 certified requires answering all these questions (and many many many more). The process forces a company to audit its anti-corruption program and ensure that it meets certain minimum standards.
Mr. Beers shared with me some of the elements ISO 37001 certification will require, and they are very similar to the types of questions a company should ask its third parties when conducting due diligence. If you are conducting third party due diligence on a company and they hand you an ISO 37001 certificate, your job gets easier. You still have to ask about beneficial ownership, but you don’t have to ask the list of questions from above because someone else already has.
If the ISO 37001 standard is implemented with rigor, it may offer a dependable means to complete a large chunk of third party due diligence with one sheet of paper.
Of course, similar to what we’ve seen with the TRACE certification standard, we still have to wait and see if the certifying bodies themselves will hold companies to the letter and spirit of the requirements. However, if they do, we may see companies promoting their ISO 37001 certifications as a competitive advantage – something that says loudly and clearly “we present low corruption risk” and will quickly pass your legal/ compliance due diligence review process. That is something any compliance department will be happy to see.