Answering the critics

1. An ISO 37001 certification does not result in DoJ or SEC credit.

Perhaps, but it is early days and the certification will only gain in value in the eyes of national prosecutorial authorities.

2. There is too much focus on paper.

ISO 37001 audits include remote document review AND on-site audits of relevant operations, as well as interviews with staff identified in the audit programme, checking of appropriate records and testing of the system.

3. How do the certifiers know their interpretations of ISO 37001 are correct or even consistent with other certifiers?

Credible certification body staff are trained and are experts on the subject. The value of an ISO 37001 certification stems directly from the competence of the certification body and its staff.

4. How do you know a certifier has any experience in compliance or can even validly assess your compliance programme?

As with the purchase of any product or service, a minimum amount of due diligence will reveal the competence and record of providers.

5. How can a company receive a certification for its “Anti-Bribery Management System” when members of its executive are under indictment for ‘international corruption’?

One has nothing to do with the other. There is no reason to assume that, if one person is corrupt, others in the company are corrupt and there is no system in place.

6. An ISO 37001 certification from a third party has no value for your company or your compliance programme and is not a defense in the event of an FCPA enforcement action.

Not necessarily. It consolidates an organisation’s objectives in corruption prevention by respecting international best practices. It remains to be seen whether there will be an advantage in the event of an enforcement action.

7. There is no statistical evidence to prove that the implementation of such a “management system” would be effective in actually reducing the instances of bribery.

Not for the moment, but the standard is new. Statistics will follow.

8. Where are the pilot studies? 

They are coming. The standard is too new to provide such evidence.

9. The ISO 37001 does not include every element relevant to anti-bribery laws to which an organisation might be subject.

True, but no standard or law does. The ISO 37001 covers more than others and is impressive in that it is the result of a multi-national consultation.

10. The implementation of the ISO 37001 requirements will have companies creating excessive red tape.

Point 4.5 of the ISO 37001 details the need for a bribery risk assessment so that the system is neither too light nor too heavy.

11. ISO does not require third-party certification, i.e. a company can implement the standard without certification. In addition, a certification verifies that the system design conforms to the standard and that it has been implemented but does not certify that the organisation is in 100% compliance with applicable laws.

The ISO 37001 requirements never purported to verify that an organisation was 100% in compliance with all laws, but they are more comprehensive than other requirements.

12. FCPA Guidance states “compliance programs that employ a ‘check-the-box’ approach may be inefficient and, more importantly, ineffective.” ISO 37001 certification promotes “check-the-box” compliance and gives business organisations a false sense of security.

An ISO 37001 audit is not a 'check-the-box' approach. It includes face-to-face interviews and an on-site visit. These follow a detailed examination of the company's written policies and procedures.

13. ISO 37001 is deficient because there are several best practices covered in other sources of best practices that are simply not mentioned in ISO 37001.

The ISO 37001 is more comprehensive than any other guideline currently available.

14. ISO 37001 certification does not eradicate the existence of cultural and ethical lapses within an organisation.

That is true, but it forces an organisation to focus on and support ethical business practices. 

15. There is no certification for the certifier.

Organisations need to select certification bodies that have been accredited by respected national bodies. Some accreditation bodies are less stringent than others.

16. ISO 37001 is simply a money-making gimmick.

An ISO 37001 certification is a service designed to help companies organise their anti-bribery management system. There is no gimmick: companies choose whether or not to be certified.

17. ISO 37001 is difficult to read. A review and/or the guidelines will hopefully remediate this problem.

Any ISO standard is reviewed after publication. Comments by users are taken into consideration.

18. Replace certification: it is a pass/fail standard.

Representatives from 20 countries determined that a pass/fail method was not the most efficient way to encourage compliance. Companies that do not comply with ISO 37001 requirements will fail the certification process.

19. The scope needs clarification

The Standard is published but there will be a review after a certain period.

20. Reviews should be more comprehensive

An ISO 37001 audit includes transactional reviews, field visits and interviews with employees. If it doesn’t, you have picked the wrong certification body.

21. Auditor access to the audited organisation is problematic

If a certifying body does not have unhindered access to facilities, documents and staff, the certification application should be rejected.

22. Where is the quality control?

ISO 37001 certifications are subject to annual surveillance audits. Accredited certification bodies are audited on a yearly basis by their accreditation body(ies).

23. The selection of auditors

Auditors and all personnel involved in the certification process have to comply with strict competence requirements (as stated in ISO 17021-9) which include thorough knowledge of bribery risk, anti-bribery controls, laws and regulations, and anti-bribery management systems.

24. There is no central database

Each certifying body keeps meticulous records of its certified clients, but it is true that ISO does not yet have a comprehensive list of ISO 37001 certified companies and there is no obligation for a certified company to publicise its certification.

25. There should be free access to the standard

ISO has produced this standard at a certain cost. Many companies or other interested parties who request it have no intention of getting certified, so ISO would have no way to recoup its costs. It would not be cost-effective or even reasonable for ISO to offer the standard free of charge.

26. Why aren't the annexes integrated into the body of the requirements?

The standard has been published so it is a bit late to change the structure. The scheduled review may result in the incorporation of the Annex.

27. The annex requirements should be moved.

ISO members are in the process of writing ISO 37001 guidance.

28. ISO 37001 does not list moral or ethical requirements

That is true, but that was never the standard's intention. Language may change after the review. 

29. There is no reference to the FCPA.

As a universal standard it cannot prioritise one national law over another. It does not specifically refer to the FCPA, nor does it refer to Italian law decree 231 or the UK Bribery Act. It is precisely because the standard does not refer exclusively to the FCPA that organisations are obliged to consider all national anti-corruption laws and determine if they are applicable in the countries where they operate.