Keys to Compliance for New Global Anti-Bribery Standard
Bribery continues to be a rampant issue in today’s business environment. In the United States alone, 2016 has seen sizable enforcement resolutions. In September, a hedge fund agreed to pay $412 million to settle criminal and civil charges with the U.S. Department of Justice (DOJ) and Securities and Exchange Commission (SEC), including $199 million in disgorgement. That settlement is now in the fourth spot on the Foreign Corrupt Practices Act (FCPA) top 10 list and second in FCPA-related corporate disgorgements. As of October, a Brazilian company reached a $205 million resolution to settle criminal and civil charges, including $98 million in disgorgement.
Given the current global risk landscape for bribery and corruption, organizations are proactively implementing anti-bribery compliance controls. For many, however, questions remain as to the extent of controls that should be in place.
To provide companies with detailed guidance, the International Organization for Standardization (ISO) recently released the first-ever global standard for anti-bribery compliance, known as ISO 37001. Like other ISO management standards before it, the new anti-bribery standard offers a detailed, auditable framework for all organizations, regardless of geography, to use in developing or benchmarking an effective program. In short, it requires a series of anti-bribery measures and controls and provides guidance in relation to their implementation. It is designed to be risk-based.
The new standard is creating a buzz in compliance circles; however, for companies just learning about it, here are five key takeaways:
- The new standard follows other successful management system standards.
The most commonly known—ISO 9001—relates to quality management and serves as an indicator that controls are in place to ensure that a company’s products and services consistently meet requirements. Today, ISO 9001 is necessary for many procurement and supply chain dealings. It can also produce other benefits. In a 2015 survey, 67 percent of respondents reported that ISO 9001 has yielded competitive advantages, helping their company to qualify for or directly win new business.
- It sets out specific requirements and guidance.
ISO 37001 requires specific risk-based measures and controls to help prevent, detect and address bribery. The standard follows the high-level structure for management systems standards and provides specifics about the set of procedures an organization needs to follow. As such, companies that seek certification to one standard find it easier to seek certification to others. New or enhanced measures can be integrated into an organization’s existing management system or can be stand-alone. While this standard addresses both inbound and outbound bribery and both commercial bribery and bribery of public officials, it does not address other forms of corruption, such as fraud or money laundering.
- ISO 37001 is informed by and builds on existing guidelines in this area.
The standard is informed by and builds on existing guidelines in the area of anti-bribery management, including the U.S. Sentencing Guidelines, the DOJ and SEC Resource Guide to the FCPA, the Ministry of Justice Bribery Act of 2010 Guidance and OECD’s Good Practice Guidance on Internal Controls, Ethics and Compliance.
- There are three reasons it is different: input, language, specifics.
While informed by existing resources, the new anti-bribery standard boasts various distinguishing characteristics. The standard was drafted over the course of three years by a group of global experts and stakeholders. Fifty-six countries and seven liaison organizations were represented in the negotiations. In addition to company representatives, lawyers, NGOs, academics and others were represented on the drafting committee to ensure the standard was both practical and rigorous. Also unique to the standard is its business-focused language. It was purposely written in non-legalistic, plain language. Further, it contains a level of detail not covered in existing guidance, paving the way for heightened uniformity and transparency.
- Voluntary certification is available.
Voluntary third-party certification for the new standard is scheduled to be available in early 2017. Auditor competency is governed by standards developed specifically for ISO 37001 to ensure that auditors have specific anti-bribery expertise and to ensure confidence, quality and reliability in the certification process. In the U.S., the ANSI-ASQ National Accreditation Board issues accreditation to auditors.
ISO 37001 certification stands to represent a benchmark for corporate responsibility, internally and with partners or potential supply chain members. Certification offers assurance to management, investors, employees, customers and other stakeholders that an organization is committed to combatting bribery. Certification may also show that an organization has taken reasonable steps to prevent bribery.
It must be noted, however, that the new standard is not a safe harbor: Adherence will not be a bar to liability, should a bribery-related event occur.