After several years of development, involving input from over 50 countries, the International Organisation for Standardisation (ISO) has finally published ISO 37001: Anti-Bribery Management Systems Standard - a new international standard designed to assist organisations worldwide in implementing and maintaining effective anti-bribery systems.
ISO 37001 comprises the first global set of requirements which organisations can refer to when establishing or updating policies, procedures and controls to address bribery risks.
Compliance with the standard is voluntary, and compliance does not guarantee that bribery will not occur within an organisation or provide absolute protection against prosecution of the organisation where its employees, agents or intermediaries have engaged in bribery. However, conformity with the standard may:
- better equip organisations to detect and prevent acts of bribery;
- assist organisations to defend prosecutions, including when seeking to evidence:
  - the appropriate "corporate culture" (in defending a prosecution under the Australian Criminal Code);
  - "adequate procedures" (in defending a prosecution under the UK Bribery Act); or
  - an "effective compliance and ethics program" (as referred to in the Federal Sentencing Guidelines Manual that applies to prosecutions under the US Foreign Corrupt Practices Act);
- provide organisations with a competitive advantage when tendering for business.
What is ISO 37001?
ISO 37001 is a framework which specifies minimum requirements for establishing, implementing, maintaining, reviewing and improving the anti-bribery management and compliance system of an organisation. The requirements and guidance contained in ISO 37001 are designed to address acts of bribery:
- by an organisation, or by its personnel or business associates acting on the organisation's behalf or for its benefit; and
- of an organisation, or of its personnel or business associates in relation to the organisation's activities.
Corporations can simply use ISO 37001 as an internal reference tool, but because ISO 37001 is a "Type A requirements" standard which prescribes specific minimum requirements (as opposed to a framework of 'guidelines') it is capable of independent certification. Therefore corporations can seek to obtain certification from independent third party providers which they then can use to demonstrate their compliance externally.
Can ISO 37001 be used by my organisation?
ISO 37001 is intended to be used by any organisation worldwide, regardless of its size, field of industry or activity, and whether it is a public, private or not-for-profit organisation.
Is my organisation required to adopt ISO 37001?
There is currently no obligation under any legislation in Australia, or globally, to have a compliance programme which complies with the minimum requirements set out in ISO 37001 or to obtain certification of compliance with ISO 37001. It is for each organisation to determine whether it wants to adopt those requirements. However, some entities may require corporations to have ISO 37001 certification if they wish to tender for projects or contracts.
What are the requirements imposed by ISO 37001?
To comply with ISO 37001, an organisation must implement certain specified minimum requirements in a manner which is reasonable and proportionate to the bribery risk faced by the organisation. These requirements include the following:
- Implementation of an anti-bribery policy and programme.
- Communication of the policy and programme to all relevant personnel and business associates (joint venture partners, sub-contractors, suppliers, consultants etc.).
- Appointment of a compliance manager (full time or part time) to oversee the programme.
- Provision of appropriate anti-bribery training to personnel.
- Assessment of bribery risks, including undertaking appropriate due diligence.
- The taking of reasonable steps to ensure that controlled organisations and business associates have implemented appropriate anti-bribery controls.
- Verification as far as reasonable that personnel will comply with the anti-bribery policy.
- The setting up of mechanisms and policies to control gifts, hospitality, donations and similar benefits to ensure that they do not have a corrupt purpose.
- Implementation of appropriate financial, procurement, contractual and other commercial controls so as to help prevent the risk of bribery.
- Implementation of reporting (whistle-blowing) procedures.
- Investigation and appropriate treatment of any actual or suspected bribery.
- The monitoring and review of the effectiveness of the programme, including the making of improvements where necessary.
Annex A to ISO 37001 provides organisations with guidance on how to implement and comply with the prescribed requirements.
If we obtain ISO 37001 certification does that mean my organisation has "adequate procedures" as required by the UK Bribery Act?
ISO 37001 is based on British Standard 10500 Anti-bribery Management System, which was developed with reference to guidance provided by the UK Ministry of Justice in relation to the requirement for companies to establish that they have "adequate procedures" in order to avoid corporate criminal liability under the UK Bribery Act 2010. Although obtaining ISO 37001 certification will not provide a corporation with a guarantee that a Court will find that the corporation had adequate procedures, it is likely to be a persuasive piece of evidence.
In Australia, companies can be exposed to prosecution if they fail to create and maintain a corporate culture that requires compliance with the anti-bribery provisions of the Criminal Code Act 1995 (Cth) and if an agent of the organisation then engages in bribery. Although there is currently no case law to assist corporations to determine what is necessary to establish the relevant corporate culture, compliance with ISO 37001 is likely to be strong evidence on which an organisation can rely in establishing that it had taken reasonable and appropriate steps to create such a culture.
In relation to FCPA prosecutions, which remain the highest area of prosecution risk for multinational companies with a relevant connection to the US, certification will again not guarantee protection against prosecution. However, it is likely to be relevant to establishing that the organisation had an "effective compliance and ethics program" (as referred to in the Federal Sentencing Guidelines Manual that applies to prosecutions under the US Foreign Corrupt Practices Act 1977).
If an organisation has ISO 37001 certification, is it safe to do business with?
Certification cannot guarantee that no corrupt activity is to be found within an organisation, and similarly a lack of certification does not mean that an organisation is corrupt or does not have sufficient anti-bribery measures in place. Certification should be considered to be one relevant factor in due diligence undertaken when engaging intermediaries, entering into joint ventures or contracting with entities. The age of the certification will also be a relevant factor.
Each organisation will have to weigh up whether the costs associated with third party certification under ISO 37001 will be worthwhile, but as a starting point a review of your organisation's anti-bribery measures against the requirements could provide you with significant reassurance, or a much needed wake-up call, in relation to how your organisation measures up against the global standard expected of companies in establishing and maintaining anti-bribery management systems.