Compliance Ethics

Accreditation and certificationAlthough ISO develops standards, it doesnot — itself — certify organizations withregard to its standards. The ISO certificationprocess is administered by external certification bodies (CBs) or “registrars.” These CBsand registrars commission onsite audits of theorganization’s program to determine whetherthe program satisfies the requirements ofthe ISO standard in question. Certificationsare typically good for three years, withthe first year involving the initial certification review, and the subsequent two yearsinvolving annual surveillance reviews. In allinstances, CBs and registrars may only basetheir audit and review work on the scope ofthe standard in question. They may not auditor review aspects of the organization that areoutside of the scope of the ISO standard underconsideration.CBs and registrars are sometimes (butnot always) accredited by bodies that sitone level above the CB or registrar. Thesebodies are known as regional accreditationagencies. For example, in the United States,the ANSI-ASQ National Accreditation Board(ANAB) accredits CBs and registrars that,in turn, certify organizations with regard totheir ISO-based programs. This hierarchy isintentional, positioning accreditation one levelhigher than certification. This one-over-onemodel is analogous to higher education, wherestudents receive a degree or certification froma university that, itself, has been accredited bya higher accreditation body.13From an organizational perspective, it isrecommended — although not required — thatorganizations strive to obtain ISO certificationfrom certifying bodies and registrars that areaccredited by accreditation agencies, since thisis thought to give more weight and credibilityto the certification. In the United States, ANABappears to be positioned to accredit CBs andregistrars with regard to ISO 37001, whichANAB considers a “base standard program.”However, as of the date of this writing(February 2018), it does not appear as thoughany accredited CBs or registrars have beenestablished in the United States regardingISO 37001.14Scope and cost of certificationGenerally speaking, ISO certifications attainedat the parent company or headquarters levelof an organization are only valid for thatorganizational entity. Headquarters-levelcertifications typically do not extend to other 1 952.933.4977 or 888.277.4977corporatecompliance.orgCompliance & Ethics Professional assessment example is just one comparativeexample between one particular guidingframework (i.e., the U.S. Federal SentencingGuidelines) and ISO 37001. There are manyother examples, too — across other programmatic elements (e.g., communications andtraining) and other guiding frameworks andagency guidance.Regardless of whether ISO 37001 introduces anything fundamentally new, it isimportant to remember that ISO 37001 is aninternationally agreed-upon standard that canapply equally to public and private organizations around the world. Some of the morewell-known anti-bribery and anti-corruptionlaws and pieces of guidance, whose releasespredated the issuance of ISO 37001, arelimited to certain geographies and jurisdictions. ISO 37001, on the other hand, is trulyglobal. More than 50 countries supported thedrafting effort.Moreover, ISO 37001 is auditable, whichmeans that an independent body can certifythat an organization’s anti-bribery andanti-corruption compliance program meetsthe minimum requirements and expectationsset forth in ISO 37001.12 These are importantdistinctions between the myriad legacyanti-bribery and anti-corruption frameworksand pieces of guidance — and ISO 37001.August 2018FEATURE39

FEATUREparts of the organization, such as subsidiaries, business units, or country markets,unless those aspects of the organization wereincluded in the scope of the review performedby the CB or registrar. In most instances, eachorganizational entity must apply for its owncertification. At times, however, a “group certification” can be issued at the headquarterslevel and applied to other aspects of the organization, if the initial review or audit is scopedthat way in the first place, and if the fees takethis extended scope into consideration.15The cost of striving for ISO certificationcan vary. The cost depends on a number offactors that include: (1) the pricing models andfee ranges of the CBsand registrars; (2) theorganizational, functional, and geographicscope of the certification; and (3) the numberof organizationalentities striving forcertification.16Costs associatedwith ISO 37001 certification may also becontingent on whetherit is the first, second,or third attempt toachieve certification. Organizations oftenseek a second or third attempt when the CBor registrar identifies major non-conformities(i.e., significant gaps in the program) andminor non-conformities (i.e., minor gaps). Thepricing related to second or third attemptscan also vary depending on the remediationwindow allowed.Peru, Philippines, Malaysia, and the Chineseprovince of Shenzhen. It also appears that certain European countries are in the process ofadopting ISO 37001.In the public sector, “adoption” can meanvarious things. In some cases, a country will“adopt” ISO 37001 and create an accreditationsystem for the CBs or registrars who will, inturn, perform independent ISO 37001 certifications. For instance, the United Kingdom isin the process of developing an accreditation model of its own, but it has yet to becompleted.Other countries will “adopt” ISO 37001such that their national standards bodiesembrace the standardand encourage organizations to comply withit locally. For instance,Singapore recentlyadopted ISO 37001 andannounced its ownversion of the standard:Singapore Standard (SS)ISO 37001. Singaporehas also created anagency under itsMinistry of Tradeand Industry, whichwill provide training,consulting, and financial support for organizations interested in obtaining certification.17 Thesame sort of activity is underway in Malaysiaand China.18The Malaysia Department of Standardsand the Anti-Corruption Commission(MACC), together, implemented a countryspecific version of ISO 37001 known as theMalaysian Standard 37001. The MACC intendsto strive for ISO 37001 certification to furtherstrengthen its efforts to combat corruption. InChina, the Shenzhen Institute of Standardsand Technology (SIST) has adopted ISO 37001and intends to provide ISO 37001 certificationCompliance & Ethics Professional August 2018Costs associated withISO 37001 certificationmay also be contingenton whether it is thefirst, second, or thirdattempt to achievecertification.40Early adopters: Public sectorSince its release, several countries and localgovernments have adopted ISO 37001 as theirofficial anti-corruption standard. These countries and governments include Singapore,corporatecompliance.org 1 952.933.4977 or 888.277.4977

Early adopters: Private sectorSince the release of ISO 37001 in 2016, severalorganizations have achieved ISO 37001 certification. These organizations include TernaGroup and ENI SpA (Italy), Robert BoschMiddle East (UAE), Alstom (France), CPAGlobal (Jersey, UK), and Ekvita (Azerbaijan).In addition, research suggests that, as ofFebruary 2018, about a dozen organizationshave achieved certification in Malaysia. Inthe United States, several companies, suchas Walmart and Microsoft, have publiclyannounced their intention to strive for certification once accredited CBs and registrars areestablished in the United States.Benefits of ISO 37001 certificationMany benefits are associated with designing,implementing, and maintaining an anti-bribery and anti-corruption program in line withISO 37001. Although some of these benefitsrelate to concepts like competitive advantage or board-level assurance, it is importantto highlight the most important benefit: Aneffectively designed anti-bribery and anticorruption program reduces the risk of briberyand corruption. This is good for business. It isgood for employees, stakeholders, and communities. And it is good for the free markets.There are other benefits too.First, ISO 37001 certification may help toassure the governing authorities and executiveteams of organizations that sound, efficient,and effectively designed anti-bribery andanti-corruption controls and processes are inplace and operating as intended. This helpsthe governing authorities of organizationssatisfy their obligation to be knowledgeable about the content and operation of thecompliance programs in place within theirorganizations.Second, designing and implementing ananti-bribery and anti-corruption programin line with ISO 37001 will help to provide adefense, if there is ever a breach, regulatoryinquiry, enforcement action, or investigation.ISO 37001 provides a comprehensive, endto-end framework for managing the risk ofbribery and corruption, and it also requiresestablishing and maintaining extensive documentation, both of which will help evidence awell-designed program.Third, ISO 37001 is, at its core, a management system. Over time, management systemshave helped organizations run smoothly,efficiently, and effectively. Such systems helporganizations manage interrelated aspectsof their operations in order to achieve theirstrategic objectives. ISO 37001 helps organizations organize, streamline, and optimize theiranti-bribery and anti-corruption risk-management efforts — rather than attempting tomanage the risk of bribery and corruption in adisintegrated, siloed, or fragmented manner.Fourth, compliance is a journey in anyorganization. Even the most establishedorganizations with mature and highlyoptimized compliance programs canbenefit from incorporating additive aspectsof ISO 37001 into their programs, therebytaking their programs to the next level. New,younger, or rapidly growing organizationscan benefit from ISO 37001 too, because theprogram framework can help manage risk ina resourceful, effective manner. This can bevaluable if or when the young organizationstrives to raise capital or undertake an initialpublic offering. 1 952.933.4977 or 888.277.4977corporatecompliance.orgCompliance & Ethics Professional and guidance. The SIST continues to workacross China to generate support for adoptingISO 37001.19The third meaning of ISO 37001“adoption” in the public sector refers to whena federal, state, or local government itselfstrives for certification. Research indicates thatthe Quebec cities of Granby and Brossard willstrive for ISO 37001 certification in 2018.August 2018FEATURE41

FEATUREFifth, it is no secret that more than 75%of enforcement actions related to bribery andcorruption involve the misconduct of thirdparties.20 Over the years, some US-basedglobal organizations have struggled todevelop and implement anti-bribery andanti-corruption programs and controls withregard to the third parties with which theydo business, in part because such efforts areoften seen as US-centric exercises and FCPAfocused. ISO 37001 establishes a common,global approach to managing bribery andcorruption risk, regardless of where organizations are headquartered and where their thirdparties are conducting business.Sixth, researchsuggests that, overtime, organizationsmay begin to requireISO 37001 certificationas a condition of doingbusiness. Therefore,organizations, contractors, suppliers, andconsultants that arenot ISO 37001 certifiedwill be at a competitivedisadvantage. Similarly,the public sector maysoon require organizations that bid on government contract work tobe ISO 37001 certified. Uncertified organizations will be at a competitive disadvantagewhen it comes to government work.Seventh, even when ISO 37001 is not atender requirement, organizations that areISO 37001 certified will be able to demonstrateto the procuring organization that they havedesigned an anti-bribery and anti-corruptioncompliance program in line with internationally recognized standards — and that theyhave had the program independently certified.This may help give the certified organizationa competitive advantage over the uncertifiedorganizations that are competing with it forbusiness.Lastly, organizations that achieveISO 37001 certification will shine brightly inthe ethics and compliance community andelsewhere. ISO 37001 certified organizationswill be able to attract and retain top talentacross the organization, especially the ethicsand compliance function. Accomplished,dynamic, and forward-looking professionalsare drawn to organizations that demonstrate agenuine commitment to organizational values,long-term sustainable growth strategies, androbust and meaningful risk-managementpractices.Compliance & Ethics Professional August 2018ISO 37001 establishesa common, globalapproach to managingbribery and corruptionrisk, regardless ofwhere organizationsare headquartered.42corporatecompliance.org 1 952.933.4977 or 888.277.4977Certification readinessStriving for ISO 37001certification — as withstriving for any ISOcertification — is a substantial undertaking.It involves a significantlevel of time, resources,and documentation.Some organizationsmove through thecertification processefficiently and successfully, because they areprepared for the certification process. Otherorganizations experience challenges and findings of nonconformities, which will requireremediation and perhaps a second or thirdattempt at certification.Given the level of effort associated withstriving for certification, some organizationselect to undertake an ISO 37001 readinessassessment exercise. This helps organizationsevaluate the current state of their anti-briberyand anti-corruption program against theframework, expectations, and guidance setforth in ISO 37001. A readiness assessmenthelps organizations understand what they

FEATUREISO 37001 establishes a management systemand compliance program framework for managing the risk of bribery and corruption inboth the public and private sector. ISO issuedthis standard to help combat global corruption — a trillion-dollar problem. AlthoughISO developed the standard, it does not issuecertifications. The ISO certification process isadministered by CBs or registrars, which aresometimes accredited by higher organizations called regional accreditation agencies.Although it is debatable whether ISO37001 introduces anything fundamentallynew, ISO 37001 — by its very existence — willhelp to bring greater consistency to themanner in which anti-bribery and anticorruption compliance programs aredesigned, implemented, and audited aroundthe world. ISO 37001 certification will alsohelp organizations organize a defense iffaced with a breach, inquiry, investigation, orenforcement action.As of February 2018, several governments have adopted this new standard, andseveral organizations have become certified.The opinions in this article are the author’s and do notnecessarily represent the position of any institution.1. ISO Quality Services Ltd. website available at http://bit.ly/2N1j7aO.2. Neill Stansbury: “International Anti-bribery Standard ISO 37001”Transparency International UK. November 2, 2016. Available athttps://bit.ly/2JetvgW3. Idem.4. ISO 2600 — Social Responsibility; ISO 20121 — Event SustainabilityManagement Systems; ISO 3100 — Risk Management — A practicalguide for SMEs.5. See ISO 37001 (2016). Available at http://bit.ly/2lwYS8d6. I bid Ref #27. Diana Trevley: “Certifying Your Anti-bribery Program withISO 37001: What’s In It For Me?” Society of Corporate Complianceand Ethics, January 23, 2017. Available at https://bit.ly/2xR23kf.8. ISO 37001, Introduction (2016)9. Idem10. Mike Koehler: “ISO 37001 Is a Complete Yawner” FCPA Professor;October 24, 2016. Available at https://bit.ly/2sJjUDG11. United States Sentencing Commission, Guidelines Manual,§(8)(B)(2)(1)(c); and ISO 37001 § 4.5.1 through ISO 37001 § 4.5.412. Russ Berland and Michelle Shapiro: “International StandardsOrganization Issues Certification Standard for Anti-briberyCompliance Systems,” Lexology; November 1, 2016. Available athttps://bit.ly/2sL0BtT13. Cynthia D. Woodley: “Who Accredits the Accreditor?” ProfessionalTesting Blog; April 20, 2017. Available at https://bit.ly/2JBGwk514. Center for Responsible Enterprise and Trade: “ISO 37001: A Year inReview” November 15, 2017. Available at https://bit.ly/2M9mPOS15. Discussion with ISO representative on 28 September 201716. Spark Consulting “ISO 37001: Your Questions Answered.” Availableat http://bit.ly/2lx6tUn17. I bid, Ref #1518. Idem19. Idem20. OECD: Foreign Bribery Report: An Analysis of the Crime of Briberyand Foreign Public Officials. OECD Publishing, 2014. Available athttp://bit.ly/2lj1bLS 1 952.933.4977 or 888.277.4977corporatecompliance.orgAugust 2018ConclusionBecause more than 50 countries supportedthe development of ISO 37001, it is likely thatadditional countries will adopt the standard.It is also likely that other organizations willstrive for ISO 37001 certification, once additional CBs and registrars become accredited.While ISO 37001 continues to gaintraction around the world, many organizations remain in a wait-and-see mode, whileweighing the cost-benefit of striving forISO 37001 certification. In the meantime,some organizations will elect to undertake anISO 37001 readiness assessment, which willallow them to gain a deeper understandingof the current state of their anti-bribery andanti-corruption programs, if they eventuallydecide to go for certification — or even if theydo not. Compliance & Ethics Professional are doing well and where there may beopportunities for enhancement. Readinessassessments also help organizations pulltogether the documentation that will eventually be needed for the certification process.Even organizations that do not aspire toISO 37001 certification undertake a readinessassessment simply because it is a healthy andworthwhile exercise. They conduct readinessassessments because it establishes a baselineagainst which to enhance the program at astrategic and tactical level moving forward,and because it helps them satisfy the expectation that their programs be evaluatedperiodically, an expectation set forth inother guiding frameworks (e.g., U.S. FederalSentencing Guidelines.).43

ISO 37001 is intended to help organizations do just that. ISO 37001 sets out a framework for an organization’s anti-bribery and anti-corruption program. Notwithstanding the structure of the table of contents, the ISO 37001 program framework — when distilled to its essence