In October 2016, the International Organization for Standardization (ISO) published ISO 37001, the first anti-bribery management system standard designed to help organizations prevent, detect and address bribery. ISO 37001 includes a series of measures and controls that represent global anti-bribery best practices. These measures and controls include the following and are designed to help an organization implement an anti-bribery management system from scratch or to enhance controls already in place:
The ISO 37001 standard is designed to be used by any organization regardless of its size (large or small) or nature (public, private or not-for-profit) and the bribery risk it faces. By implementing ISO 37001, organizations can demonstrate to their stakeholders that internationally recognized anti-bribery controls are in place. In addition, certifying compliance with this standard also lends credibility to the organization; certification is obtained through an audit conducted by a third party, is valid for three years, and is subject to yearly reviews.
What do U.S. Authorities Say about ISO 37001?
It is not clear whether U.S. regulators view ISO 37001 as particularly helpful in evaluating Foreign Corrupt Practices Act (FCPA) compliance programs, and the U.S. Department of Justice (DOJ) has not stated unequivocally whether it intends to adopt these standards or whether ISO 37001 certification will have meaningful value. Based on comments from the DOJ Fraud Section senior leadership, it appears that ISO 37001 certification may be factored into FCPA investigations, including efforts by companies to remediate their program by implementing ISO 37001. However, DOJ policies also require prosecutors to independently assess an organization’s compliance program, and while certifications may be a point of reference, they cannot substitute for the prosecutors’ own inquiries and judgments.
Thus, ISO 37001 certification is not to be viewed as a “silver bullet” or “check the box” substitution for establishing an internal FCPA compliance program or replacing other FCPA guidance and considerations. The certification should be viewed for what it is – meeting a very high standard of leading global anti-bribery practices.
Are Organizations Adopting ISO 37001?
Some major U.S. corporations are beginning to seek ISO 37001 certification. For instance, Microsoft and Wal-Mart have announced plans to seek certification, and this will likely lead to certification efforts among their vendors, distributors, and customers.
Internationally-based companies are also obtaining certification. France’s Alstom (which was once the target of a major DOJ investigation for violating FCPA anti-bribery provisions) became one of the first companies in the world to be certified as ISO 37001 compliant. The German company, Bosch, and Italy’s Terna Group and ENI have also been certified.
Is ISO 37001 Certification Right for Your Organization?
It is sometimes difficult for an organization to make a decision about certification to new ISO standards. The United States has not fully required or endorsed this standard, and it is just gaining adoption from key large companies. In determining whether ISO 37001 certification is right for your organization, it may make sense to consider the following factors:
If none of the above characteristics apply to your organization, you may wish to refrain from seeking ISO 37001 certification at this time. You can wait and assess the broader regulator feedback. In the meantime, there are steps you can take to strengthen your anti-bribery compliance program now:
Anti-bribery is a challenging issue for companies across the globe, and ISO 37001 provides additional guidance to help organizations design and implement an effective compliance program. Although ISO 37001 certification may be appropriate for your organization, it should not be viewed as a replacement for the FCPA Resource Guide; however, certification can serve as an important supplement to those guidelines.
Julie Myers Wood focuses on regulatory compliance and investigative work and has significant experience as a monitor. She supervised a technology review and assessment of OFAC and AML capabilities for a global bank; led the monitoring team on behalf of Guidepost Solutions for DHL relating to OFAC issues; worked with New York regulators as the deputy monitor for a foreign financial institution; serves as the appointed Monitor for a certification lab; and is the appointed Independent Consultant for a global energy services firm relating to OFAC issues. Prior to joining the private sector, Ms. Wood held leadership positions with the U.S. Departments of Homeland Security, Treasury and Justice including serving as Head of Immigration and Customs Enforcement. She oversaw the agency’s AML and trade compliance (OFAC, EAR, ITAR) investigations and private sector compliance programs. Ms. Wood also served as an Assistant U.S. Attorney for the Eastern District of New York. Julie can be reached at firstname.lastname@example.org.