ISO 37001: Checking the Box on “Doing Compliance”

This is a post from Ramsey Kazem:

In October 2016, the International Organization for Standardization (“ISO”) published ISO 37001, the first global standard for the development and implementation of an anti-bribery management system.  The emergence of ISO 37001 was a welcome development, as it provides a universal framework for managing bribery risk that can be used by organizations of all sizes, industries, regions and risk profiles.  To date, Peru, Singapore and the Philippines have adopted ISO 37001 as their respective governments’ standard, and other countries are expected to follow their lead.

A unique feature of ISO 37001 is that an organization can demonstrate compliance with the standard by obtaining a certification from an independent, accredited auditor.  The certification brings substantial value to an organization, as it provides an objective means by which it can outwardly demonstrate its commitment to combating bribery.  Not only does this provide a competitive advantage over an organization’s non-certified competitors, but it also levels the playing field (from a bribery risk management perspective) for smaller organizations competing against large multinational corporations or against domestic firms in foreign markets. 

ISO 37001 is not without its critics.  The criticism, however, is generally not directed at the standard itself.  Instead, the critics take issue with certification against the standard.  A common theme of their arguments is that the certification process is merely a check-the-box exercise in which an auditor only confirms the existence of a “paper program”.  The critics argue that the process falls short because it makes no determination as to whether the program is actually put into action.  They also contend that the certification only reflects the status of the program at a given moment in time (i.e. the evaluation period) and, thus, lacks any predictive value as to how the organization will conduct itself in the future.  In short, they conclude the certification is worthless because it does not ensure that the certified organization is “doing anti-bribery compliance” or will “do anti-bribery compliance” in the future. 

There are three fundamental flaws with the critics’ argument.  First, the argument misconstrues the mandatory requirements of ISO 37001.  As will be explained in more detail below, it is impossible to meet the requirements of the standard without verifiable proof that the program is, and has been, operationalized.  Second, the argument misunderstands the scope, scale, and thoroughness of the ISO 37001 certification process.  Third, the argument does not recognize that the standard, through its documentation requirements, provides a mechanism by which an organization can reliably determine whether its certified business partners are “doing compliance” and continuing to meet their obligations under ISO 37001.  I will address each of these points in turn. 

ISO 37001 Mandatory Requirements

The critics’ contention that the certification process is deficient because it does not ensure that an organization is “doing compliance” misunderstands the mandatory requirements of ISO 37001.  ISO 37001 is not a standard that simply requires the development of policies and procedures to address certain high-risk areas of an organization.  Instead, the standard mandates the development and implementation of an anti-bribery management system.  The system must be designed to achieve measurable objectives, be adequately resourced, and contain effective measures to prevent, detect and respond to bribery.  The standard also mandates the implementation of processes to monitor, evaluate and continually improve the effectiveness of the overall system.  Contrary to the suggestions of the critics, an organization simply cannot get by with a “paper program” because the standard – by its express terms – requires the system be put in action. 

More significantly, the standard requires that activities related to developing, implementing, reviewing and improving the system be documented.  For example, with respect to training, the standard not only requires an organization to provide anti-bribery training to its personnel, but it also mandates that the organization document its training procedures, the content of the training, and when, and to whom, the training was provided.  Similarly, under the standard, senior management must conduct periodic reviews of the system to ensure its adequacy and effectiveness.  The standard requires that the results of these reviews be documented.  By mandating these and other key activities be documented, the standard effectively precludes an organization from having an anti-bribery management system in name only. 

Certification process

By characterizing the certification process as a check-the-box review that only confirms the existence of a “paper program”, the critics demonstrate a basic misunderstanding as to the thoroughness of the ISO 37001 audit.  The ISO 37001 audit is a comprehensive evaluation performed by independent, accredited auditors.  These audits include on-site visits to an organization’s headquarters and select subsidiaries, and interviews with senior leaders, managers and employees representing a cross section of the organization.  While it is true that the auditors review an organization’s compliance with the mandatory documentation requirements, this review is not limited to merely confirming that the organization maintains a written policy on certain topics.  The auditors seek documented evidence to determine whether required policies, procedures and processes are in fact implemented and followed, and to validate (in real time) representations offered during the on-site interviews with organization leaders, managers and employees. 

It is important to note that failing to comply with the mandatory documentation requirements is a per se bar to attaining certification.  Accordingly, the argument that the certification does not ensure that the organization is “doing compliance” is simply wrong.  An organization can only achieve certification with documented evidence that the mandated policies, procedures and processes are implemented and followed.  Such documentation cannot exist unless the organization is actually performing the activities mandated by the standard. 

In addition, to ensure an organization remains in compliance with the standard during the three-year certification period, a certified organization is subject to annual surveillance audits.  These annual reviews are not as detailed as the audit performed during the certification process, but focus on key areas to verify that the organization is following through on its responsibilities under the standard.  Accordingly, these audits provide reasonable assurance that the organization is continuing to “do compliance” in accordance with the standard. 

Required Documentation

The argument that the ISO 37001 certification is deficient because it does not guarantee that the certified organization will “do compliance” in the future is a red herring.  No certification purports to ensure the future performance of the qualifying person or entity.  That is not the purpose of the designation.  A certification is an attestation that a person or organization has the requisite qualifications, attributes and abilities to meet the mandatory requirements of a given standard.  With respect to ISO 37001, the certification verifies that an organization invested the necessary time, effort and resources to develop and implement an effective anti-bribery management system that conforms to international best practices. 

That said, the standard, through its mandatory documentation requirements, provides a mechanism by which one can reliably determine whether a certified organization continues to “do compliance” in accordance with the standard.  That is, under ISO 37001, every activity critical to the effective performance of the anti-bribery management system must be documented by the organization.  This includes, but is not limited to: (1) establishing measurable objectives; (2) performing risk assessments; (3) developing policies and procedures; (4) training employees; (5) vetting third parties; (6) investigating allegations of non-conformance; (7) developing internal controls; (8) maintaining an internal reporting process; (9) monitoring system performance; and (10) responding to deficiencies in the system and opportunities for improvement.  To determine whether a certified organization continues to perform in accordance with the standard, the business counterpart should simply request to review this mandatory documentation (or a sampling thereof) during its third-party due diligence or monitoring processes.  With a clear understanding of what should be documented, any non-compliant organization will easily be exposed. 

Conclusion

ISO 37001 is not without its critics.  And, while there are valid points of discussion, the suggestion that the certification is worthless because it does not ensure that the certified organization is “doing compliance” or will “do compliance” in the future demonstrates a fundamental misunderstanding as to the standard’s mandates, the certification process, and the mandatory documentation requirements.  In the final analysis, the ISO 37001 certification brings substantial value as it provides an objective means by which an organization can demonstrate that its anti-bribery management system conforms to international best practices.  Moreover, and contrary to the critics’ argument, the certification provides implicit assurances that the certified organization is and will continue “to do compliance”.  You can check the box on that. 

Ramsey Kazem is an anti-bribery specialist working in Atlanta.  He can be reached at rkazem@sparkcompliance.com.  

This article originally appeared in Compliance and Ethics Professional Magazine.