ISO 37001: Three unfounded criticisms
Since its publication in October 2016, the ISO 37001 standard on anti-bribery management systems has been the subject of many comments as well as unfounded criticisms. Read Philippe Montigny's defense of the standard that many experts, like himself, feel has been a revelation in the global compliance industry.
The ISO 37001 does not refer to the FCPA
The ISO 37001 is a universal standard drafted by a working group – Technical Committee 309 – composed of delegations from 20 countries. As a universal standard, it cannot prioritise one national law over another. It does not specifically refer to the FCPA, the Italian law decree 231, or the UK Bribery Act for instance.
Section 2 of the standard, normative references, is clear on this point. It contains one line which reads: There are no normative references in this document. There is not ONE normative reference that applies globally to all organisations, no matter if they are private, public, or not-for-profit.
However, Section 4 of the standard, which addresses an organisation’s context, requires explicitly that each organisation take into account the context in which it operates. Specifically, section 4 requires organisations to consider:
- Applicable statutory
- Regulatory contractual
- Professional obligations and duties
In other words, a company whose operations are subject to the FCPA is required to take into account the American law, just as an Italian company is required to consider whether their operations are subject to the Law Decree 231. Similarly, any organisation with activity in the United Kingdom must determine if the failure to prevent corruption offence of the UK Bribery Act applies. If so, then this UK law must be incorporated into the legal references of the organisation’s anti-bribery management system.
It is precisely because the standard does not refer exclusively to the FCPA, that organisations are obliged to consider all national anti-corruption laws and determine if they are applicable in the countries where they operate. A Mexican company holding American Depository Receipts (ADRs), with a subsidiary in Spain, which exports to the UK, must consider the Mexican General Law of Administrative Liabilities of 2017, the FCPA of 1977, the Spanish law of 2015, and the UK Bribery Act of 2010.
The lack of a specific reference to the FCPA posed no problem for the American delegation to the Working Group, as the aforementioned point 4.1 makes it clear that organisations have an implicit obligation to consider all relevant legislation to which they are subject.
Therefore, ISO 37001 explicitly requires that organisations subject to the FCPA take into account the requirements of this American law and include them in the legal references of the anti-bribery management system.
The ISO 37001 does not refer to international best practices
The most important characteristic of international best practices is their ability to evolve and adapt to developments in corruption prevention. A standard which, at the time of its publication, refers to a specific best practice will be quickly outdated.
Although the ISO 37001 does not refer to a specific best practice, section 4.2 requires organisations to identify:
a) The stakeholders that are relevant to the anti-bribery management system b) The relevant requirements of these stakeholders
In section 3 of the standard, which outlines terms and definitions, the definition of a stakeholder is given as: person or organisation that can affect, be affected by, or perceive itself to be affected by a decision or activity. This means that according to 4.2, organisations like the OECD, Transparency International, or the International Federation of Consulting Engineers (FIDIC) are stakeholders which must be identified by an organisation when it is developing its anti-bribery management system. According to 4.2.b, the organisation must also take these stakeholders’ guidelines into account if pertinent for their operations.
To continue the example, OECD guidelines must be taken into account by an organisation based in a country signatory to the OECD Anti-Bribery Convention of 1997. Companies in the defense sector are subject to Transparency International UK’s request to publish information on their corruption prevention programs. Consulting engineering firms must therefore respect the guidelines of the FIDIC when selecting consultants.
At the national level, some authorities have issued recommendations to companies. American companies follow the recommendations issued by the DOJ and the SEC in the FCPA Resource Guide of 2012, English companies recognise the UK Bribery Act Guidance of 2010, and French firms will apply recommendations made by the French Anti-Corruption Agency in 2017/2018.
Therefore, ISO 37001 requires that companies specifically identify and respect all guidelines applicable to their operations.
ISO 37001 is just a tick-the-box exercise
ISO 37001 contains a significant number of requirements which can appear, at first glance, to be somewhat of a shopping list. However, this cursory first read misses the fact that sections 5 to 10 are organised according to the traditional Plan, Do, Check, Act (PDCA) characteristics of all management system standards.
The ISO 37001 is a management system like any other and works through a series of interacting processes that help the organisation to achieve its pre-defined objectives. Therefore, the shopping list structure of the ISO 37001 is the characteristic that is held by all management systems.
The systematic nature of the ISO 37001 ensures that the management system is comprehensive, guaranteeing its efficiency.
The root of many criticisms lies in the fact that the standard is not an easy read. Given its stringent editing conditions though, this isn't surprising and wonderful work was done by the Chairman and the secretary of the TC 309, Neill Stansbury and Mike Henigan. We must keep in mind that committee members come from very diverse cultural and legal backgrounds, such as: USA, China, Nigeria, Tunisia, France, and Guatemala. Thus, discussions on the creation of these standards were occasionally long and difficult. Not to mention the fact that the standard was developed so that it could apply to any type of structure; public, private or not-for-profit.
Despite the challenges, the ISO 37001 standard is a remarkable tool to build, evaluate, and improve an anti-bribery management system.
As is the case with all ISO standards, the ISO 37001 will be evaluated after a few years of implementation. It is reasonable to assume that the evaluation might result in a simplified text. All ISO management system standards are designed for continual improvement as developments in the sector occur.
by Philippe Montigny
President, Certification & Impartiality Committees