The International Organization for Standardization (the ISO) recently published an anti-bribery management system standard (ISO 37001 or the Standard) aimed at helping companies comply with “international good practice” across multiple jurisdictions and legal frameworks.
The Standard provides a global framework for compliance programs that may serve as a helpful reference for companies when creating and reviewing their anti-bribery and corruption controls. It covers topics such as risk assessments, the investigation of bribery and third-party due diligence. It also provides a benchmark against which local ISO certifying organizations can, at a company’s request and expense, evaluate and certify the company’s anti-bribery compliance.
While it is important to understand what the Standard does not do – such as provide an automatic legal defense to bribery charges, or serve as a proxy for performing robust due diligence – the Standard has an undoubted immediate benefit: it provides an objective, independent benchmark of international compliance principles and best practices, some of which are more detailed and more stringent than those currently required by some anti-bribery and corruption statutes or in regulators’ anti-bribery and corruption guidance. The Standard thus functions as a tool to guide compliance officers as they work to determine where and how to deploy resources, and also as a benchmark that can be used to justify such deployment to company leadership, regulators and key stakeholders.
What the Standard does not do
The Standard does not eliminate the judgment calls that companies must already make in implementing their compliance programs; nor does the ISO seek to divorce a company’s compliance strategy from the company’s own specific culture, risk profile and legal obligations. Instead, the Standard’s requirements are generally qualified by what is practicable, reasonable and proportionate, which reflects the risk-based approach already outlined in formal guidance on the US Foreign Corrupt Practices Act (FCPA) and the UK Bribery Act (UKBA).
As a result, companies should not count on having ISO 37001 certification serve as a legal defense to FCPA or UKBA charges, and how much “credit” regulators and prosecutors ultimately give a company for obtaining certification may depend upon whether, under the particular circumstances of a case, they share the company’s view of what is reasonable, proportionate and adequate. But, while regulators may ultimately disagree with a company’s assessment of its own risk profile, the fact that a company has made the effort to conform to an independent Standard will almost certainly help certified companies if they are later called upon to explain or defend their anti-bribery and corruption compliance.
Finally, the Standard’s certification regime does not obviate the need for performing due diligence on targets or counterparties. Regulators and stakeholders are unlikely to forgive bribery- or corruption-related transgressions based solely on the fact that an implicated agent was ISO 37001 certified.
What challenges and opportunities does the Standard present?
The Standard reflects the general convergence of compliance standards internationally, drawing heavily from Organization for Economic Cooperation and Development guidance and echoing many principles outlined in governmental guidance.
Many companies may nonetheless have to tweak their current compliance programs in order to achieve all of the Standard’s elements, particularly those companies that are not already subject to the FCPA or UKBA. As a result, some companies may find themselves expending significant resources in order to design and implement a program that will be eligible to receive ISO 37001 certification, and, presumably, many will decide not to incur the expense. Yet even for those that do not seek ISO certification, the Standard may still serve as a “best practices” guide that provides an opportunity for companies to gauge and benchmark their own approaches to compliance and refine their existing practices.
Some of the logistical challenges of the Standard, such as the requirement that employees in areas with “more than a low risk” of bribery sign regular compliance declarations, while potentially burdensome, will likely prove to be a long-run benefit to companies, especially if they are called to account for individuals involved in corporate wrongdoing. Further, companies that follow the Standard may be able to demonstrate to stakeholders their commitment to adopting an international and independent anti-bribery and corruption benchmark.
What impact might the Standard have?
There may be important market impacts of ISO certification. Stakeholders like customers and shareholders already study companies’ compliance programs in evaluating transaction and investment risk, and being able to check which companies have independently been deemed “ISO 37001 certified” will certainly make these risk assessments easier and more efficient. Similarly, the certification scheme could be very useful in the M&A and third-party due diligence contexts, providing an international benchmark to rank targets and counterparties according to bribery and corruption risk. Absent other red flags, due diligence inquiries into compliance controls could be reduced, although not eliminated entirely, saving time and resources.
But the impact of ISO certification will likely depend upon how universally the Standard is adopted. Even assuming that the Standard gains traction, ISO certification will likely never be more than a reasonable indicator of a company’s compliance controls (rather than a legal defense).
For now, the real value of the Standard is that it has provided compliance officers with an independent benchmark that they can present to their companies and the world. Before ISO 37001, anti-bribery and corruption compliance guidance to companies and compliance officers had to be gleaned from high-level statements offered by regulators and lessons learned from settlements and case law. Now, compliance officers have an objective standard to reference in adopting and executing their respective anti-bribery and corruption compliance programs; the ability to benchmark against an objective anti-bribery and corruption compliance standard will certainly be more useful, and more defensible, than reading the proverbial tea leaves. Moreover, as companies become more aware of, and begin to follow, the Standard – whether or not they ultimately seek third-party ISO certification – we are likely to see increased international convergence on compliance best practices.