Implementing and Enhancing Anti-Bribery and Corruption Compliance Programs: The New ISO Standard

November 10, 2016

The International Organization for Standardization (ISO) recently published ISO 37001: Anti-Bribery Management Systems Standard to assist organizations in implementing and maintaining an effective anti-bribery and corruption compliance program and promoting an ethical business culture. ISO 37001 is welcome news for organizations operating internationally and may well become a requirement for corporations as they partner with other organizations in international business. Prior to its release, organizations had to look to various standards from different countries when developing anti-bribery controls and procedures. With ISO 37001’s release, organizations can now reference a single internationally recognized set of measures addressing anti-bribery compliance.

According to the ISO release, “ISO 37001 is designed to help your organization implement an anti-bribery management system or enhance the controls you currently have. It helps to reduce the risk of bribery occurring and can demonstrate to your stakeholders that you have put in place internationally recognized good-practice anti-bribery controls.”

The ISO 37001 standard is flexible. It can be implemented in any country and adapted to a wide range of organizations, including large organizations, small and medium-sized enterprises, public and private sector organizations, and non-governmental organizations. The standard addresses the following bribery types:

  1. bribery in public, private, and nonprofit sectors;
  2. bribery by the organization, or by its personnel or business associates acting on the organization’s behalf or for its benefit;
  3. bribery of the organization, or of its personnel or business associates; and
  4. direct and indirect bribery, i.e., bribery through or by a third party.

To address these concerns, ISO 37001 requires organizations to implement controls and procedures including:

  1. adopting an anti-bribery policy;
  2. appointing a person to oversee anti-bribery compliance;
  3. obtaining approval and commitment from management;
  4. assessing and managing bribery risks;
  5. providing appropriate anti-corruption training to personnel and third parties;
  6. performing due diligence on projects and business associates;
  7. implementing financial and commercial controls;
  8. instituting reporting and investigation procedures;
  9. taking corrective actions when there is a violation; and
  10. improving continually the effectiveness of the anti-bribery system.

Certification to ISO 37001 may well become essential for organizations operating or seeking to operate internationally. Like other ISO standards, ISO 37001 is auditable, which means that an external certification body can certify an organization’s compliance with the standard. While certification will not prevent all instances of bribery, certification or compliance with ISO 37001 will put into place measures that can substantially reduce the risk of bribery and can address bribery if it occurs. In addition, certification can help an organization attract and retain global business by demonstrating that the organization has “put in place internationally recognized good-practice anti-bribery controls.”

ISO 37001’s introduction of an internationally recognized approach for the prevention and detection of bribery provides organizations with a clear and uniform set of measures for establishing, implementing, and improving their anti-bribery and corruption programs. Although it is still uncertain how regulatory authorities will treat ISO 37001, the standard can benefit organizations by providing:

  1. minimum requirements and supporting guidance for implementing or benchmarking an anti-bribery management system;
  2. assurance to management, investors, employees, customers, and other stakeholders that an organization is taking reasonable steps to prevent bribery; and
  3. evidence in the event of an investigation that an organization has taken reasonable steps to prevent bribery.

There is no requirement that organizations comply with the ISO 37001 standard, but some entities—especially those in the public sector—may require organizations to have ISO 37001 certification as a prerequisite for certain business arrangements, most significantly for partnerships and joint venture relationships. In this regard, organizations hoping to attract or retain global business should consider the cost-benefit of obtaining compliance with ISO 37001 and perform an internal review of their anti-bribery and corruption controls and procedures against the standard’s requirements.

For additional information, please contact one of the Haynes and Boone lawyers listed below.