worthdmacm

Three predictions for the future of ISO 37001

This article was originally published by the FCPA blog on 13 February 2019
http://www.fcpablog.com/blog/2019/2/13/three-predictions-for-the-future-of-iso-37001.html

2018 was an eventful year in ISO 37001’s adoption journey. The Anti-Bribery standard’s flexibility was demonstrated through a variety of first-time (for ISO 37001) public and private sector uses.

The Brazilian and Danish prosecutors’ use of ISO 37001 in bribery settlement agreements, and the Korean Pharmaceutical and Bio-Pharma Manufacturers Association assistance to its 194 members with a phased ISO 37001 adoption approach, for example.

The United States has been slower to appreciate ISO 37001’s value

Brazil, Italy and Peru lead in terms of the number of certified ISO 37001 organisations. The United States, as is normal with ISO standard adoption, has been slower to appreciate ISO 37001’s value.

What to expect concerning ISO 37001 adoption and evolution in 2019?

This question was posed to senior executives within the community that best knows the world of standard certifications (some have been in the field for over a hundred years) – the accredited certifying bodies (CBs) that are performing ISO 37001 Anti-Bribery Management Systems audits on a global basis.

The CBs’ predictions and themes for this year?

Organisations will better understand the symbiotic relationship between ISO 27001 (Information Security Management Systems) and ISO 37001

Bruno Samuel, Executive Director, Sales & Marketing, North America for DNV-GL highlights ISO 37001’s particular value for organisations that have adopted other ISO management system standards. “ISO 37001 uses the same structure for implementation as certain other ISO standards, such as Information Security Management Systems – ISO 27001 or ISO 9001 – Quality Management Systems. This feature allows organisations to easily leverage the work done in other areas and implement an Anti-Bribery Management System which can encompass the entire organisation and integrates with other management systems.”

Observation: As with 2018, many U.S. corporate boards in 2019 will apply priority oversight to two organisational risk management areas: anti-bribery and cybersecurity. ISO 27001 certification demand has dramatically increased in recent years, particularly in the government contracting, manufacturing, IT and professional services sectors – as one indicia of cyber preparedness.

Boards (and management teams) of companies that are ISO 27001, ISO 14001 (Environmental Management Systems) or 9001-certified can use the same familiar ISO management system structural “lens” to review and manage anti-bribery activities by adopting ISO 37001.

Scott Lane, President at ETHIC Intelligence notes “if organisations can push down certification requirements to their partners, they can pass the costs (and time) associated with screening third parties to the third parties themselves. This will make third parties responsible for representing their commitment to anti-bribery, as a pre-requisite for working with reputable organisations.”

David Muil, VP of Global Business Development, Business Assurance at Intertek adds: “Given the nature of what is happening in the industry and things that are coming to light with risk mitigation and brand protection, you are going to see this become a contractual requirement of doing business from organisations. The industry is already seeing it now with governments in some parts of the world who have mandated on their RFQs that you must be compliant to the intent of ISO 37001.”

Observation: For cost and general bribery risk management reasons, expect this “shifting” trend to continue in 2019. For companies, this practice is particularly attractive to those with global operations and a large supplier base.

In the public sector, this activity may offer advantages to governmental organisations within countries farther down the TI CPI Index (e.g. lesser-developed countries with abundant natural resource holdings) – making relative improvements to a project anti-bribery environment through enlisting commercial partner commitment to ISO 37001.

The public sector will continue to creatively influence the standard’s adoption.png

The global public sector creatively embraced ISO 37001 in 2018. “Soft” forms of adoption were used in Indonesia, Malaysia, Singapore and Peru; governmental entities in those countries officially recognised the standard and encouraged its adoption. Brazil, Denmark and Singapore used “hard” forms: ISO 37001 certification was required by prosecutors as a condition of bribery allegation settlement.

For governmental entities that are within countries or regions with historically high bribery risk, using ISO 37001 provides distinct advantages. It allows them to project the power of ISO (the globally-respected standards body) and its bribery management system, incorporating both applicable law and leading global anti-bribery practices and procedures.

And as noted by the General Counsel of ISO 37001-certified Alstom, Pierrick Le Goff in ICC Netherlands’ Integrity publication, “[i]n a globalised economy, the ISO 37001 certification can provide a standardised tool for public bodies to assess the quality of the anti-bribery programs of their bidders“.

Observation: For classic “standardisation advantage” reasons (e.g. efficiency, quality, cost-savings, certainty) and building on the momentum from 2018, the public sector will continue to play a significant, if not driving, role in ISO 37001’s evolution in 2019 and beyond. Over time, certain public sector “suggestions” in some locales and/or sectors may evolve into “recommendations” before finally becoming “requirements”.

How did the public sector use ISO 37001 in 2018? Creatively!

Private sector certifications were particularly strong in Europe and Peru, UKAS (United Kingdom Accreditation Service) accreditations were obtained by several large certifying bodies, and Southeast Asia made significant ISO 37001 – related strides.

Many US-focused service providers also saw a significant uptick in ISO 37001 inquiries during the last few months of the year. But particularly striking was the standard’s varied global public sector embrace.

ISO 37001 is a global “business” or “organizational” standard. It is not a national legal standard. And yet, governments in Asia, Europe and Latin America used it to advance institutional anti-bribery priorities during 2018 in “soft” (internal usage with encouragement to external counterparties) and “hard” (law enforcement) versions.

Soft usage

SKK Migas, the country’s oil and gas regulator, became certified in October 2018. Implementation started in mid 2017, leveraging the organizational familiarity with the ISO 9001 (Quality) and 14001 (Environmental) management systems.

In an April 5, 2018 press release describing SKK Migas implementation progress, the regulator noted: “It is expected that these … Contractors will apply SNI ISO 37001:2016 [Indonesia’s verbatim adoption of ISO 37001] in the future within each of their organization. It is necessary to understand that the upstream oil and gas industry has a long and multi-party business chain. This kind of situation creates an opportunity for bribery. On the other hand, the existence of SNI ISO 37001:2016 will certainly minimize such risk.”

See: https://skkmigas.go.id/detail/2467/skk-migas-starts-implementing-sni-iso-37001-2016-on-anti-bribery-management-system-smap and https://skkmigas.go.id/detail/2641/skk-migas-resmi-terakreditasi-sni-iso-37001

In November 2018, Prime Minister Tun Dr Mahathir Mohamad announced an ambitious plan to obtain ISO 37001 certification for “all ministries, agencies, departments and government-linked companies (GLCs) that are at high risk in order to prevent corruption and develop a culture of integrity.”

This multi-year process is part of the National Anti-Corruption Plan – a series of measures designed to address the socio-political environment that spawned the on-going 1MDB scandal and related investigations by authorities in Malaysia, the US and elsewhere.

See: http://www.theedgemarkets.com/article/antigraft-system-highrisk-depts

Odebrecht S.A., a large Brazilian construction and engineering firm with global operations, entered into a broad July ’18 leniency agreement that featured the company’s promise to undertake ISO 37001 certification as a condition subsequent.

Additionally, the company will pay approximately R$ 2.7 billion over an extended period in the largest ever corruption settlement agreement of its kind involving The Ministry of Transparency and the Federal Controller General (CGU) and the Office of the General Counsel for the Federal Government (AGU).

See: http://www.publicnow.com/view/F40A482B9E92DDB02E824064A66E9A0BF629A99C

In an unreported 2018 case, Singaporean authorities made ISO 37001 certification a condition of settlement concerning a corruption case involving a corporate defendant. This action is consistent with the country’s Standards, Productivity and Innovation Board (SPRING) and Corrupt Practices Investigation Bureau 2017 launch of Singapore Standard ISO 37001 as a voluntary (and openly encouraged) competitive tool for Singaporean companies.

See: https://www.bakermckenzie.com/en/insight/publications/2017/05/singapore-adopts-iso-standard

Signals from these public sector initiatives?

The ISO 37001 public sector adopters’ countries referenced above reflect a wide range on the 2017 Transparency International Corruption Perception Index – from favorable, high ranking Denmark (#2) and Singapore (#6) to Guatemala towards the bottom (#143). But to use a geo-political analogy, each of these governmental entities, in their own ways and to varying degrees, are using ISO 37001 to project power. And the power they are projecting is that of the standard – not their own.

We recognize that we have significant corruption and related reputational issues in our country

With the Brazilian, Guatemalan, Indonesian and Malaysian governmental entities, power projection involves leveraging ISO 37001 to change their respective (“bribery challenged environment”) narratives. In effect, each is saying “we recognize that we have significant corruption and related reputational issues in our country; as an indication of our seriousness to make needed and substantive anti-bribery changes, we’re now going to align with the global anti-bribery management systems standard”. In so doing, by leap-frogging over their own institutional and other applicable anti-bribery limitations, they are able to focus stakeholder attention on the “going forward”, rather than the past.

In the case of Denmark and Singapore, ISO 37001’s usage supports what’s working (strong governance institutions and mechanisms) rather than to fix what’s broken. On appropriate facts and circumstances, prosecutors in these countries (and Brazil) are now demonstrating a willingness to consider using the standard as the organizational defendant’s operational remediation component of overall settlement agreements.

The Brazilian, Danish and Singaporean “hard” power projection are likely to be used by other countries’ prosecutors. The standard’s management system detail, business logic, relative clarity and global nature offers a readily available tool that has cost and administrative advantages for both defendants and law enforcement.

The various existing “soft” power projection forms are in their early stages, are more open-ended and difficult to evaluate at present. Those doing business in these and any future “soft” ISO 37001 usage jurisdictions or spheres should track the evolution of the initiatives, and any related changes in governmental involvement and expectations. It will be important to see progress in, and relatively transparent communications about, these efforts from these governmental entities; abandonment, inactivity or malfeasance will hurt not only the entity involved, but also the credibility of the standard itself.

A guiding principle behind the use of the ISO 37001 organizational anti-bribery tool is flexibility. Anti-Bribery Management Systems should be “reasonable, risk-based and proportionate”, and apply to organizations of all types and sizes. This theme was clearly followed in numerous creative instances in 2018 – with the public sector somewhat surprisingly leading the way.

Foreign Corrupt Practices Act ≠ ISO 37001. Here’s why!

This piece appeared in the FCPA blog on 13 June 2018

The conventional wisdom among many of those responsible for managing organizational FCPA risks is that the existence of a reasonably good program equates to having an ISO 37001 Anti-Bribery Management System “covered.”

The Foreign Corrupt Practices Act of 1977 (FCPA) is a United States federal law that prohibits bribery of foreign officials and addresses accounting transparency requirements under the Securities Exchange Act of 1934.

The implicit suggestion is that the requirements of the FCPA legal standard are virtually the same as the ISO 37001 business standard, or that, at a minimum, not many program changes would be required to obtain ISO 37001 certification.

I respectfully disagree; it is the rare program in my experience that requires only tweaks to bring it to ISO 37001 certification readiness.

Why are these distinctions important?

In the ISO 37001 certification audit process, a major non-conformity (e.g. a requirement is found not to exist or is totally ineffective) prevents certification until correction. Programs may have undocumented practices or “unwritten rules” that are beneficial, and that support a given Anti-Bribery Management System (ABMS) component, but these will be problematic in the certification process.

An ABMS necessarily incorporates applicable legal standards, but it also has its own unique requirements (subject always to “reasonable and proportionate” considerations (4.3)).

As an initial ABMS evaluation exercise, FCPA Risk Managers (whether in legal, compliance, internal audit and/or operations) may thus want to test their organization’s program (and its particular facts and circumstances) by asking ISO 37001-based questions in several basic areas:

Documentation

If the proverbial three most important words in real estate are location, location and location, then the ISO 37001 equivalents are documentation, documentation, and documentation.

The standard requires that certain specifically identified information shall be documented (7.5.1 a), such as the Anti-Bribery policy (5.2) and training procedures, content and instances (7.3).

But does your company also document those other Management System aspects that are more conceptual, but that are nevertheless explicitly tied to documentation, for example: information necessary for the effectiveness of the Management System (7.5.1 b); the Management Systems scope — to include external and internal contextual issues, the needs and expectations of stakeholders and bribery risk assessment results (4.3); and, with respect to operational planning and control, information to the extent necessary to have confidence that the processes have been carried out as planned? (8.1 c)

Operationalization

ISO Management Systems standards (see also ISO 9001 Quality Management, ISO 14001 Environmental Management System, and ISO 27001 Information Security) have a process bias; the word process appears twelve times in ISO 37001’s definitions alone (3). A primary theme of the overall standard is that Anti-Bribery controls are most effective when placed within company operations – preferably embedded within the process that presents the identified bribery risk.

On this theme:

Does your company’s top management demonstrate leadership and commitment by ensuring the integration of ISO 37001 requirements into organizational processes? (5.1.2 b);
Is the bribery risk assessment reviewed (and any changes reflected in the ABMS, including its scope) when there are significant changes to the company’s structure or operations (4.5.3 b); and,
Per the documentation discussion above, what are the processes involved and what documentation exists to evidence their operations?

Employees

FCPA programs have historically focused on bribery risk reduction through employee training, tone at the top emphasis and hot line access.

As noted in an earlier post for the FCPA Blog, DOJ’s revised FCPA Policy is consistent with ISO 37001 in its prioritization of organizational culture, but the business standard is more granular.

In the hiring or promotion of employees to positions with more than a low bribery risk, for example, does your organization have due diligence procedures for due diligence and incentive-based compensation (to contain reasonable safeguards that do not act to encourage bribery)? (7.2.2.2 a)

Also, as part of your organization’s ABMS planning process (6), have ABMS objectives (that are communicated, monitored and (if practicable, measured)) been set at all relevant functions and levels (including within sales, contract management and other possible more than low bribery risk situations)? (6.2)

Certification

ISO 37001 certifications are about to become more commonplace in the US. Early this summer, a premier business standards accreditation body UKAS (United Kingdom Accreditation Service) is expected to accredit certain respected global certifying bodies (CBs) to conduct ISO 37001 certifications.

Various U.S.-based Fortune 500 companies are waiting for these accreditation events to select a CB and begin the ISO 37001 certification process.

It may be an opportune time to challenge the (misplaced) conventional wisdom concerning FCPA programs “covering” ISO 37001, and dig into ABMS details – as the ISO 37001 certification becomes an accepted and widely-used bribery and Supply Chain Risk Management tool.

Author: worthdmacm

Three predictions for the future of ISO 37001