The International Organization for Standardization has issued a draft standard addressing anti-bribery management systems, which is intended to help organizations fight bribery and promote an ethical business culture.
While discussions on the merits of ISO 19600 (Compliance Management System) are still ongoing, the International Organization for Standardization (ISO) has provided yet another draft with regard to compliance and corporate fraud, the ISO 37001 for Anti-Bribery Management Systems. While one could think that such a topic should already be included in ISO 19600 and, therefore, the new draft will add nothing new, there are two good reasons to treat this upcoming standard differently and have a closer look at it.
First, the new standard will be a “type A” standard, which means that it must be certified and audited, while ISO 19600 is a “type B” standard only, designed to give guidance on the topics covered.
Secondly, the timing of the standard is likely to coincide with deadlines imposed by European Union legislation. The so-called CSR-Directive, directive 2014/95/EU (amending directive 2013/34/EU) as regards disclosure of non-financial and diversity information by certain large undertakings and groups, requires such undertakings to provide a non-financial statement “of its activity relating to anti-corruption and bribery matters including (…) a description of the policies pursued by the undertaking in relation to those matters, including due diligence processes implemented and the outcome of those policies”. The transposition deadline for the national legislator ends on 6 December 2016. This date will probably coincide closely with the publication date of the final ISO 37001. It would also not be surprising if this coincidence in time and subject resulted in substantial attention to the new draft by large multinationals, which will be subject to the new rules of the CSR-Directive.
ISO 37001 is derived from the UK Bribery Act and the British standard 10500. The process was started in June 2013 and publication of the final draft is scheduled for the end of this year. The draft has been submitted to the national member organizations of ISO in order to receive their comments and proposals.
The text of the draft of ISO 37001 falls into two parts: the regulations of the standard and guidance as to its use. After the foreword, normative reference and terms and definitions, the standard is divided into seven paragraphs (4-10), whose titles and scope will sound familiar to all who work in the field of corporate crime prevention and compliance.
The first material paragraph, entitled “Context of the Organization,” deals with the preliminary work of establishing a corresponding system, namely understanding the organization and its context and the needs and expectations of its stakeholders. It describes the scope of the anti-bribery management system and the paragraph ends with the familiar aspect of risk assessment in which the bribery risks are identified and then assessed and prioritised.
The second paragraph deals with “Leadership” and demonstrates once again that the so-called “Tone from the Top” is an essential and vital part of each and every anti-bribery management system.
The following paragraph deals with the planning of the anti-bribery system and refers to the steps of identifying and assessing the risks set out in the first paragraph.
The fourth paragraph, “Support,” shows that all the paperwork of risk assessment, guidelines and information needs adequate and appropriate human and financial resources to establish an effective anti-bribery management system. The other part of this paragraph is directed towards the employees of the organization and starts with requiring a due diligence process both for initial employment and for the promotion of personnel. The paragraph lastly addresses adequate and appropriate training, communication of the anti-bribery management system and documentation of the information provided.
The section, “Operation,” deals with a very important aspect, the operational planning and control of the system, which includes due diligence processes, financial controls and non-financial controls. The organization will be required to ensure adequate systems not only within its own borders but for all controlled organizations and, depending on the risk assessment, its business associates. This again indicates the potentially significant impact of the new standard. Even though the CSR-Directive focuses on certain large entities, their obligation to provide adequate systems in their controlled entities and in relation to their business associates will effectively widen the scope of the non-financial reports under the CSR-Directive. The section ends with notes on the reporting of suspected and actual bribery and the investigation of and dealing with such findings.
The last two paragraphs deal with performance monitoring of the system and any improvements resulting from such monitoring or from the detection of bribery cases. The draft concludes with the following statement: “the organization shall continually improve the suitability, adequacy and effectiveness of the anti-bribery management system.” This shows that preventing corporate crime is not a “once in a while” matter, but a continuous process which needs to be combined with and integrated into the operational processes of each organization. Based on the current draft, it appears that ISO 37001 will provide a suitable means of carrying out this task. If you do not already have adequate procedures in place, 2016 should be the year to start with the implementation of an anti-bribery management system such that, by 2017, you are able to report on effective measures in place and to confirm to your business associates that you have done so.