Operation Car Wash in Brazil began making international headlines in 2014. The scandal, which has resulted in various indictments of executives and businesses, is another example of the increased prevalence of bribery claims around the world. As more claims come to the fore, a vital question revolves around what companies can do to prevent, detect, and respond to bribery.
In May 2016, the International Monetary Fund published a report indicating the cost of bribery amounts to $1.5 trillion to $2 trillion each year, resulting in an imbalance in the marketplace or a competitive advantage for companies willing to commit bribery. The International Organization for Standardization (ISO), an independent nongovernmental organization consisting of 162 national standards bodies, has taken a step forward in the direction of providing guidance and measures to assist companies in preventing and detecting bribery through the publication of the first international anti-bribery management system standard, known as ISO 37001.
ISO is an independent nongovernmental organization consisting of 162 national standards bodies, all of which collaborated in publishing ISO 37001. In addition to the 162 national standards bodies, various other stakeholders collaborated on ISO 37001, including experts in various industries; legal, consulting, and audit committees; and academic and government professionals.
ISO 37001 is a homogenization of anti-bribery best practices resulting in a standard that provides guidance for anti-bribery management systems and, more specifically, provides “a series of measures to help organizations prevent, detect, and address bribery.” Countries and governments around the world are currently assessing the effectiveness of the standard, while other countries and governments have expressed interest in requiring organizations to adopt the standard in order to participate in government contracts. For example, Peru, Zimbabwe, Malaysia, and Mexico are currently expressing interest in requiring a company to be ISO 37001 certified in order to participate in public procurement.
ISO 37001 was created to provide a global standard that companies could reference to identify best practices and controls that should be considered and implemented when developing, supplementing, or improving an anti-bribery management system. The best practices and guidance included in ISO 37001 are intended to help reduce the risk of bribery being committed by an organization or anyone acting on behalf of the organization. Additionally, implementation of the standard allows organizations to demonstrate a robust resistance to bribery through the presence of globally recognized anti-bribery controls.
ISO 37001 is considered a requirements standard that allows organizations implementing the standard to be certified. ISO 37001 was developed to be flexible to allow “a wide range of organizations, irrespective of size, sector, structure, geography, or jurisdiction” to implement the standard. Third-party auditors or certification bodies “that demonstrate competence to audit and certify organizations conforming with management systems standards” have the authority to provide ISO 37001 certification to organizations that effectively implement the standard.
According to a presentation prepared by the ISO, “an organization must implement a series of measures and controls in a reasonable and proportionate manner to help prevent, detect, and [respond to] bribery.” More specifically, an organization is required to have the following best practices and/or controls implemented as part of its anti-bribery management systems:
While the standard provides some specificity regarding the requirements, ISO 37001 is also broad in nature. For example, the standard requires an organization to implement measures and controls in a reasonable and proportionate manner. The standard, however, does not specifically define what is meant by a reasonable and proportionate manner. The broadness of the standard allows executives to use their professional judgment in developing the appropriate controls to prevent, detect, and respond to bribery based on many factors, such as the company’s industry, size and nature of contracts, types of customers (governmental or non-governmental, public or private, etc.), and number of employees.
Even though ISO 37001 is in its infancy, there are potential benefits a company could gain by embarking on the journey to becoming ISO 37001 certified. A few of the potential benefits are discussed in detail below.
The FCPA Corporate Enforcement Policy (the FCPA Policy) promulgated by the Department of Justice (DOJ) incentivizes companies and individuals to self-report and cooperate in investigations regarding bribery claims. The FCPA Policy provides guidance on certain requirements that a company needs to meet to qualify for mitigation credit, including timely and appropriate remediation. A requirement for a company to receive credit with regard to timely and appropriate remediation is the implementation of an effective compliance and ethics program, which may include a provision to audit the compliance program to ensure its effectiveness. While it remains to be seen whether the DOJ will accept, on its face, ISO 37001 certification as evidence of an effective compliance and ethics program, at a minimum, the certification will provide tangible evidence that a compliance program was in place at the time of the alleged bribery actions.
The U.K. Bribery Act has a provision that a company can defend itself against alleged violations if the company can prove that it “had in place adequate procedures designed to prevent persons associated with [the company] from undertaking such conduct.” Again, it is unknown whether the U.K. prosecutors will accept, on its face, ISO 37001 certification as evidence that adequate procedures were in place; however, the certification will provide the company with tangible and prima facie evidence from a third-party auditor or certification body attesting to an effective compliance and ethics program.
A company’s ability to demonstrate to its vendors, customers, and the market as a whole that the company has an effective compliance and ethics program should have a positive effect on the company’s operations. The existence of a certified compliance and ethics program should demonstrate the company’s willingness and commitment to preventing, detecting, and addressing bribery, corruption, and fraud. Ultimately, implementation of ISO 37001 can provide a company with “a competitive advantage and increase stakeholder, shareholder, and customer trust.”
Similar to the benefits of becoming ISO 37001 certified, there are several potential roadblocks, detailed below, that a company should consider when evaluating whether to begin the journey to becoming ISO 37001 certified.
There are very few companies that have been and/or decided to attempt to be ISO 37001 certified to date. With very little history of the nature of the auditing process, the broadness of the standard will require executives to rely on professional judgment when implementing measures and controls that will be compliant with the requirements of ISO 37001. As more companies decide to become ISO 37001 certified and undergo the auditing process, general insights and precedence regarding the requirements to pass such an audit will become available. It also remains to be seen how much it will cost to 1) implement a compliance program that meets the requirements of ISO 37001 and 2) comply with the requests of the auditor or certification body.
The DOJ recently updated its FCPA Policy on November 29, 2017. With regard to a company receiving full credit for timely and appropriate remediation, the company must have “appropriate retention of business records, and [prohibit] the improper destruction or deletion of business records, including prohibiting employees from using software that generates but does not appropriately retain business records or communications …” The evolution of the FCPA Policy can create differences between the requirements of ISO 37001 and what is required by the DOJ for leniency in the event of FCPA violations. As a result, the requirements for ISO 37001 certification will need to continually evolve, which can lend itself to obsolescence and/or outdated best practices. Ultimately, this could lead to an expensive process of having to not only update the requirements of ISO 37001 but also for companies to update their compliance and ethics program and potentially seek recertification.
As previously discussed, a potential benefit of becoming ISO 37001 certified is the ability to provide tangible evidence of an effective compliance and ethics program being implemented at the time of an alleged violation. However, with ISO 37001 still in its infancy, it is yet to be seen how much weight a prosecuting agency will give to the fact that a company has been ISO 37001 certified. It is possible that a certificate provided by a third-party auditor or a certification body will not meet the requirement of a prosecuting agency in terms of being able to provide leniency to the company. In other words, we have not yet seen a case of first impression that could provide potential insights into how the DOJ or Ministry of Justice will respond to a company that is ISO 37001 certified.
The decision of whether to incur the costs to implement a compliance program that meets the requirements of ISO 37001 and would pass the audit phase is a case-by-case decision. A company trying to decide whether to implement a compliance and ethics program that meets the requirements of ISO 37001 should conduct a cost-benefit analysis that weighs the potential benefits and roadblocks outlined previously, among others. While an effective compliance and ethics program would benefit the majority of companies in the long run, each company has to assess the costs and benefits of implementing a program that would comply with the requirements of ISO 37001.
Regardless, the ISO 37001 requirements provide a legitimate and recognized framework for the implementation of a best practices-based compliance and ethics program. At the very least, ISO 37001 can be used as a means by which organizations can evaluate existing compliance and ethics programs or as a starting point for the implementation of such a program. Time will tell whether the potential benefits will outweigh the roadblocks.