How ISO 37001 certification can help reduce internal corruption risks
INSIGHT ARTICLE
For senior executives, it can be difficult to walk the line between running a competitive business and enforcing strong measures to reduce the risk of bribery, fraud or corruption (as required by U.S. and UK anti-corruption laws). That tension was clearly identified in RSM's 2016 Global Corruption Law Compliance Survey, in which 85 percent of surveyed CEOs or company presidents and 67 percent of chief compliance officers said such illicit activity was occasionally needed to keep pace with competitors in global markets.
This view stems from the fact that existing regulatory measures, such as the U.S. Foreign Corrupt Practices Act (FCPA) and the United Kingdom's Bribery Act 2010, have jurisdictional limits that do not necessarily provide a level playing field for international business operations. However, the International Organization for Standardization (ISO) last fall introduced a new anti-bribery framework that not only incorporates a global view of "good practices," but also offers companies the opportunity to certify their internal programs to fight bribery and related fraudulent activity.
While ISO 37001: Anti-Bribery Management Systems should not be regarded as a silver bullet, its framework was drafted over a three-year period by business leaders from 37 countries.[1] As a result, it is a well-designed tool that can be applied as a stand-alone certification vehicle, or as a blueprint to improve or strengthen integrated prevention programs a company may already have in place. While many of the concepts are not new, ISO 37001 provides a sequential approach to "reasonable and proportionate" current-state evaluation and risk assessment, which can shape the design of anti-bribery measures.
The new standard requires organizations to develop systems that address public and private bribery, active and passive bribery, direct and indirect bribery, and facilitation payments. An organization also must establish safeguards to satisfy itself that third parties do not engage in bribery on its behalf.
Key advantages to ISO 37001 compliance
A careful look at the new ISO standard reveals several benefits for business leaders, including:
- Clear language. Unlike the FCPA and the UK Bribery Act, both of which are heavy on regulatory and legal jargon and light on implementation support, ISO 37001 is written in straightforward, easy-to-follow terms, providing direction on the leadership, planning, support, operations and performance evaluation aspects of a comprehensive anti-bribery approach.
- Strong direction for risk assessments. Unlike many other anti-bribery advisory materials, ISO 37001 provides significant guidance on how to design and implement a bribery risk assessment, including examples of how an organization can undertake a risk assessment, how to examine its business associates by category, and how to assess the bribery risk each category poses. It helps senior leaders identify and prioritize risks, which can then be matched with appropriate controls and anti-bribery resources. Overall, this guidance is straightforward and focused on sound processes that each business can tailor to its own specific issues and anti-bribery objectives.
- Additional operational guidance. ISO 37001 further covers the various operational parameters for an anti-bribery program, including planning, due diligence (factors for evaluation), financial and nonfinancial controls (examples of key controls), control implementation advice, the use of gifts (examples of procedures to implement) and investigations (factors to consider from inception through completion).
- Certification as added credibility. As an independent international standard with clear, auditable procedures, ISO 37001 certification can give companies a stronger position when regulatory authorities make corruption inquiries. For example, the prior existence of an effective compliance program is noted in the U.S. Attorneys' Manual as a consideration when that office evaluates potential charges in a corporate fraud case.[2] Similarly, certification may help companies under the jurisdiction of the UK Bribery Act pursue an "adequate procedures" defense. According to the UK Ministry of Justice, "[i]t is a full defence for an organisation to prove that despite a particular case of bribery it nevertheless had adequate procedures in place to prevent persons associated with it from bribing."[3] A certificate is evidence that a program exists and has been independently audited, not proof that it worked in a given case; enforcement officials will still assess how effective the program was in practice. Even so, both U.S. and UK enforcement officials may have difficulty ignoring ISO 37001 certification as a key input when considering a compliance program's adequacy.
- Certification as an investigational asset. In our 2016 Global Corruption Law Compliance Report, we found that companies with a documented response strategy for fraudulent activity were seven times more likely to initiate follow-up investigations than firms with no such road map. Because ISO 37001 requires documented procedures for reporting and investigating suspected bribery, pursuing certification can substantially enhance a company's ability to detect and investigate these illicit acts.
- Competitive advantage. In a world where credible third-party validations are increasingly useful for businesses, an ISO 37001 certification may be well worth the effort. In fact, 56 percent of executives polled in a Compliance Week survey last fall said they were likely to seek certification in the near future, with nearly half (48 percent) saying they would need to make changes to their existing programs in order to meet the new standard.[4]
As larger multinational organizations continue to enhance their compliance programs, they will increasingly look for ways to identify business partners with more robust anti-corruption programs in markets known for high-risk activity. To the extent ISO certifications are perceived to provide high-quality review of programs, this certification may become a business advantage to many organizations.
Tips to pursue certification
While the ISO 9001 process is familiar to many business leaders, it is a mistake not to build a careful, step-by-step plan to gain certification under this new anti-bribery standard. Certification is based on an independent third party's scrutiny of an organization's anti-bribery management system, and maintaining the certification requires periodic external audits of that system.
As such, organizations seeking certification should consider the following steps when pursuing initial certification:
- Conducting an internal assessment. This is an important first step, because it analyzes existing anti-bribery policies, procedures and practices against the requirements prescribed in ISO 37001. This exercise, coupled with the bribery risk assessment called out in section 4.5 of the standard, will reveal any alignment gaps or critical areas of nonconformance. While this assessment can be performed by internal staff, the better choice may be a qualified third party with solid anti-bribery compliance expertise.
- Making needed changes. After the internal assessment, leaders can use the findings to inform a corrective action plan. Done well, this plan details priorities, schedules and project owners for each identified change, with each action tied to the ISO gap or nonconformance it addresses. The end product of this work is the anti-bribery management system itself.
- Auditing systems for certification review. Once a company has aligned its processes with the standard, a qualified outside auditor should be engaged to determine whether the revised controls are "reasonable, proportionate and risk based." Provided the audit demonstrates that the company conforms to the standard, ISO 37001 certification can be issued. It is worth noting that these steps entail additional staff and consulting costs for preparation and certification, so companies that already have a robust, proven anti-bribery program may not get the best return on an ISO 37001 investment.
To learn more about tools to help your company reduce its potential exposure to fraudulent activity, contact RSM’s forensic accounting and fraud investigations team.
1. "International Anti-Bribery Standard ISO 37001," Transparency International UK (November 2, 2016).
3. UK Ministry of Justice, The Bribery Act 2010: Guidance 6 (March 2011).
4. Trevley, D., "Certifying Your Anti-Bribery Program with ISO 37001: What's in it for Me?" CorporateCompliance.org (January 23, 2017).