In October 2016, the International Organization of Standardization (“ISO”) published ISO 37001, the first global standard for the development and implementation of an anti-bribery management system. The emergence of ISO 37001 was a welcomed development as it provides a universal framework for managing bribery risk that can be used by organizations of all sizes, industries, regions and risk profiles. To date, Peru, Singapore and the Philippines have adopted ISO 37001 as their respective government’s standard, and other countries are expected to follow their lead.
A unique feature of ISO 37001 is that an organization can demonstrate compliance with the standard by obtaining a certification from an independent, accredited auditor. The certification brings substantial value to an organization as it provides an objective means by which it can outwardly demonstrate its commitment to combating bribery. Not only does this provide a competitive advantage over an organization’s non-certified competitors, but it also levels the playing field (from a bribery risk management perspective) for smaller organizations competing against large multinational corporations or foreign domestic firms.
ISO 37001 is not without its critics. The criticism, however, is generally not directed at the standard itself. Instead, the critics take issue with the certification of the standard. A common theme of their arguments is that the certification process is merely a check-the-box exercise where an auditor only confirms the existence of a “paper program”. The critics argue that the process falls short because it makes no determination as to whether the program is actually put into action. They also contend that the certification only reflects the status of the program at a given moment in time (i.e. the evaluation period) and, thus, lacks any predictive value as to how the organization will conduct itself in the future. In short, they conclude the certification is worthless because it does not ensure that the certified organization is “doing anti-bribery compliance” or will “do anti-bribery compliance” in the future.
There are three fundamental flaws with the critics’ argument...