Private sector certifications were particularly strong in Europe and Peru, UKAS (United Kingdom Accreditation Service) accreditations were obtained by several large certifying bodies, and Southeast Asia made significant ISO 37001 – related strides.
Many US-focused service providers also saw a significant uptick in ISO 37001 inquiries during the last few months of the year. But particularly striking was the standard’s varied global public sector embrace.
ISO 37001 is a global “business” or “organizational” standard. It is not a national legal standard. And yet, governments in Asia, Europe and Latin America used it to advance institutional anti-bribery priorities during 2018 in “soft” (internal usage with encouragement to external counterparties) and “hard” (law enforcement) versions.
SKK Migas, the country’s oil and gas regulator, became certified in October 2018. Implementation started in mid 2017, leveraging the organizational familiarity with the ISO 9001 (Quality) and 14001 (Environmental) management systems.
In an April 5, 2018 press release describing SKK Migas implementation progress, the regulator noted: “It is expected that these … Contractors will apply SNI ISO 37001:2016 [Indonesia’s verbatim adoption of ISO 37001] in the future within each of their organization. It is necessary to understand that the upstream oil and gas industry has a long and multi-party business chain. This kind of situation creates an opportunity for bribery. On the other hand, the existence of SNI ISO 37001:2016 will certainly minimize such risk.”
In November 2018, Prime Minister Tun Dr Mahathir Mohamad announced an ambitious plan to obtain ISO 37001 certification for “all ministries, agencies, departments and government-linked companies (GLCs) that are at high risk in order to prevent corruption and develop a culture of integrity.”
This multi-year process is part of the National Anti-Corruption Plan – a series of measures designed to address the socio-political environment that spawned the on-going 1MDB scandal and related investigations by authorities in Malaysia, the US and elsewhere.
In October 2018 remarks at the US State Department – sponsored Conference on Prosperity and Security in Central America, Guatemalan President Morales stated that the General Secretariat of the Office of the President had become ISO 37001 and ISO 9001-certified.
Odebrecht S.A., a large Brazilian construction and engineering firm with global operations, entered into a broad July ’18 leniency agreement that featured the company’s promise to undertake ISO 37001 certification as a condition subsequent.
Additionally, the company will pay approximately R$ 2.7 billion over an extended period in the largest ever corruption settlement agreement of its kind involving The Ministry of Transparency and the Federal Controller General (CGU) and the Office of the General Counsel for the Federal Government (AGU).
Atea Denmark, a Nordic region IT company, settled with the Danish public prosecutor in July 2018 following bribery-related indictments and an extended investigation. Prior to entering into the settlement, and as part of its good faith remediation efforts, the company became ISO 37001 certified.
In an unreported 2018 case, Singaporean authorities made ISO 37001 certification a condition of settlement concerning a corruption case involving a corporate defendant. This action is consistent with the country’s Standards, Productivity and Innovation Board (SPRING) and Corrupt Practices Investigation Bureau 2017 launch of Singapore Standard ISO 37001 as a voluntary (and openly encouraged) competitive tool for Singaporean companies.
Signals from these public sector initiatives?
The ISO 37001 public sector adopters’ countries referenced above reflect a wide range on the 2017 Transparency International Corruption Perception Index – from favorable, high ranking Denmark (#2) and Singapore (#6) to Guatemala towards the bottom (#143). But to use a geo-political analogy, each of these governmental entities, in their own ways and to varying degrees, are using ISO 37001 to project power. And the power they are projecting is that of the standard – not their own.
We recognize that we have significant corruption and related reputational issues in our country
With the Brazilian, Guatemalan, Indonesian and Malaysian governmental entities, power projection involves leveraging ISO 37001 to change their respective (“bribery challenged environment”) narratives. In effect, each is saying “we recognize that we have significant corruption and related reputational issues in our country; as an indication of our seriousness to make needed and substantive anti-bribery changes, we’re now going to align with the global anti-bribery management systems standard”. In so doing, by leap-frogging over their own institutional and other applicable anti-bribery limitations, they are able to focus stakeholder attention on the “going forward”, rather than the past.
In the case of Denmark and Singapore, ISO 37001’s usage supports what’s working (strong governance institutions and mechanisms) rather than to fix what’s broken. On appropriate facts and circumstances, prosecutors in these countries (and Brazil) are now demonstrating a willingness to consider using the standard as the organizational defendant’s operational remediation component of overall settlement agreements.
The Brazilian, Danish and Singaporean “hard” power projection are likely to be used by other countries’ prosecutors. The standard’s management system detail, business logic, relative clarity and global nature offers a readily available tool that has cost and administrative advantages for both defendants and law enforcement.
The various existing “soft” power projection forms are in their early stages, are more open-ended and difficult to evaluate at present. Those doing business in these and any future “soft” ISO 37001 usage jurisdictions or spheres should track the evolution of the initiatives, and any related changes in governmental involvement and expectations. It will be important to see progress in, and relatively transparent communications about, these efforts from these governmental entities; abandonment, inactivity or malfeasance will hurt not only the entity involved, but also the credibility of the standard itself.
A guiding principle behind the use of the ISO 37001 organizational anti-bribery tool is flexibility. Anti-Bribery Management Systems should be “reasonable, risk-based and proportionate”, and apply to organizations of all types and sizes. This theme was clearly followed in numerous creative instances in 2018 – with the public sector somewhat surprisingly leading the way.