Released in October 2016, the ISO 37001 sets a global standard for business, outlining the elements expected of a good anti-bribery management system. This article explores the basic requirements of the ISO 37001 standard and why it’s relevant to your company. It also discusses the concept of reasonable and proportional requirements and the importance of thorough documentation.
UNDERSTANDING THE ISO 37001 STANDARD
While the United States is often perceived as driving the major anti-bribery enforcements under the FCPA, the ISO 37001 is a global standard, assembled with input from international stakeholders. This global standard is important for large organizations that need to ensure compliance while operating around the world.
The standard matches the anti-bribery expectations of U.S., U.K., German, Canadian and other prosecutorial authorities; as such, it can be used to benchmark your company’s compliance program and make sure it aligns with the expectations of these international authorities. This standard has been created based on different prosecutorial actions that have taken place, and which anti-corruption controls various authorities have demanded companies put in place to become compliant.
The standard looks at different requirements, and provides guidance on a range of topics relevant to anti-bribery compliance, such as financial and non-financial controls, internal audits and risk assessments. It also covers personnel, leadership and commitment and the responsibilities of the governing body, top management and the compliance function.
It also provides a definition of public officials, controlled organizations and business associates, and provides guidance on due diligence and investigating and dealing with bribery cases. In terms of your compliance program, it sets forth requirements for employee awareness and training, having a well-designed anti-bribery policy and having reasonable and proportionate anti-bribery measures in place.
REASONABLE AND PROPORTIONATE REQUIREMENTS
You can think of the ISO 37001 standard as including elements that fall under “shall,” “must,” “should” and “may.” That’s because the requirements have different thresholds depending on the size and complexity of your organization. If your organization is large and complex, for example, you’d have need of more in-depth audits, controls, and so on. The key is making sure the requirements are reasonable and proportionate.
An important related concept is the relevance of the requirements. Let’s take anti-bribery training, for example. The training and the message should be relevant to the targeted group, and provided at the appropriate frequency. If you’re a very large company with employees based overseas, your training should be tailored for specific groups based on their location and other variables.
THE NECESSITY OF DOCUMENTATION
The ISO standard emphasizes the need to document your compliance activities, from implementing a program to ongoing monitoring to ensure your program is effective. For example, if your company’s bribery risk has changed because your company has ventured into a new market, for example, you’ll have to re-evaluate your risk and document that re-evaluation. These documentation requirements should also be proportionate to your company’s size and complexity.
Documentation provides some protection in the event of misconduct or a breach of anti-corruption laws, such as the FCPA. It’s no defense for management to claim ignorance (or “willful blindness”) about an FCPA violation, according to the Resource Guide to the U.S. Foreign Corrupt Practices Act. You need to have procedures in place that show you have actively sought to guard against misconduct taking place.
Here are three tips for effective documentation:
- Create and update documentation on all activities: This may be done manually or through an automated system.
- Maintain version control: This helps ensure you always have the latest version of documents readily available and that the right personnel has access to the documents. Examples might include gifts and hospitality thresholds, or approval requirements for third parties.
- Control access rights: Define who has the rights to access specific compliance documents, such as internal investigation files.
The ISO 37001 standard is a global standard that any company can use to benchmark its compliance program. Key concepts with this standard are keeping requirements reasonable and proportionate, as well as the importance of documentation. When it all hits the fan, your documentation is your best defense; it also helps you evaluate your compliance program and maintain an ongoing assessment of risks.