ISO 37001: A CCO’s Thoughts on the New Compliance Management Standard

Bailey Bliss


With news on the horizon that ISO 37001 was on the verge of publication, I was reminded of a conversation I had 18 months earlier with CPA Global’s Head of Legal, Patrick Mills, who had approached me to discuss further shielding the company from anti-bribery compliance (ABC) risks. He explained that the intellectual property law firm agents working for CPA Global represent our highest-risk third party population and therefore had to be subjected to audits certifying them against a defined compliance standard.

Indeed, CPA Global’s IP intermediaries tick all the boxes that place them at the deep end of the corruption risk barometer: not only do they operate in countries with high levels of corruption, as flagged by Transparency International’s CPI rankings, but they carry out business inside those countries’ government installations, with funds we have advanced in order to pay for patent and trademark maintenance. It doesn’t get much riskier on the UK Bribery Act front, where facilitation payments are not exempted as they are (narrowly) under the FCPA, and so spell greater regulatory trouble.

This was why we required these particular intermediaries to sign policies binding them to abide by global ABC regulations, including the FCPA and the UK Bribery Act. These terms are incorporated into their vendor agreements and into the filing instructions they lodge with their respective patent and trademark offices on the company’s behalf. CPA Global also requires its intermediaries to complete the company’s customized 25-minute on-demand web training covering economic sanctions and anti-bribery regulations.

Patrick’s vision was that these audits, and their consequent positive outcome, would guarantee that CPA Global’s IP agents not only had solid knowledge of ABC standards, but also applied them in their business operations.

Patrick didn’t need to persuade me as to why an agent in Lebanon, Algeria or Ethiopia would be willing to go through such a process once every year or two for CPA Global, because I understood all too well that such a certification has transcendent value for potential agreements with other firms interested in their services yet alarmed about the risks that come along with them. It could be the difference in their increasing market share, even though their prices might be higher.

For a legal service that is all about managing the risk of an abandoned patent or trademark, why not add the further, linked assurance that the agent will not engage in practices that may seem trivial and commonplace locally but are illegal and bring the potential for US or UK government scrutiny? Seems like a win-win, right?

Shortly after our agents demonstrated a willingness to participate in an ABC certification process, I learned that ISO 37001 might be ready for prime time late in 2016. Rather than reinvent the proverbial wheel, I urged Patrick to delay the company’s IP agent certification program just a little longer, so that CPA Global could integrate ISO 37001 into its own program.

So what does ISO 37001 provide, and why is it such a great tool for companies to be implementing?

“There is no blueprint” is what Laura Martino, in-house counsel within the aviation finance industry, an expert in the field, and someone with whom I had the privilege of working closely, used to say. Correspondingly, the term “anti-corruption compliance” can vary widely in meaning. Although significant guidance has been published by pioneers in best practices, there is still a lack of harmonization, particularly across the spectrum of industry sectors and jurisdictions. This is due largely to the myriad laws and regulations that govern anti-bribery, anti-corruption, anti-money laundering and compliance. Accordingly, building out compliance programs such as third party due diligence often requires significant customization. Furthermore, a few common misconceptions in the ABC realm have to be carefully considered when building out a compliance program:

  • Third party due diligence is not the same as background screening
  • Watchlist screening alone does not constitute due diligence
  • Monitoring and auditing are not the same
  • Third party risk is merely one subsection of an anti-corruption program

To be clear, there is no one-size-fits-all formula, and regulators have emphasized that compliance is not a ‘check in the box’ exercise. However, practitioners do strive for a common lexicon around the fundamental basics. For example, in reference to “due diligence” on a customer or third party intermediary, practitioners can agree that this entails a range of distinct activities, even if several of those activities may not apply to each and every business. With the release of ISO 37001, companies can now get aligned on the terms, scope, policy construct, methods, and activities that make up a sound anti-bribery and corruption program.

  1. Representing the program: Think about how much time compliance personnel spend responding to anti-bribery and corruption questions from existing and prospective clients. At CPA Global, our compliance officers have written pre-packaged narratives covering a host of anti-bribery and corruption topics, yet we still have to spend time crafting unique responses to unusual or topical combinations of questions. ISO 37001 should save you much time and energy, as it eliminates your customers’ need to ask whether your firm has third party anti-bribery and corruption training, AML provisions in its Code of Conduct, or whistleblowing reporting mechanisms. This should create a notable saving in a compliance officer’s time, which can then be spent on monitoring or other activities that carry greater assurance value. And most of all, the company doing the vetting can rely on the certification as assurance that its supplier is upholding globally accepted compliance standards.

On the flip side, for good or bad, this will likely become a box-ticking exercise that saves companies time in analyzing responses to RFPs or questionnaires, since the expected standards of ABC compliance will already have been audited and certified.

  2. Up everyone’s game: Whereas standardization pulls us together foundationally, the proof is in execution. One way to start is to assess your program against the ISO 37001 requirements to identify the gaps, look for the risk-related improvements it requires, and develop mitigation plans. Those seeking certification will undoubtedly perform such a gap assessment. When the target is clear, it can more easily be hit. What ISO brought to IT security, quality management, environmental management, occupational health and safety and six other disciplines is now available for anti-bribery and corruption (#11), which means more companies will be making a concerted effort to cover the criteria.
  3. Where the corruption is: For years it may have felt to some that anti-bribery and corruption was a US-centric mission. But over the past decade, governments, international trade organizations, multilateral development banks, and non-governmental international organizations have been demonstrating their commitment, manifested in the UK Bribery Act, the World Economic Forum’s Partnering Against Corruption Initiative, the Organisation for Economic Co-operation and Development (OECD) Anti-Bribery Convention, and the World Bank’s sanctions regime. The South Korean government has also introduced its Improper Solicitation and Graft Act, restricting government employees, teachers and journalists from accepting gifts exceeding 50,000 KRW (about $44) and meals exceeding 30,000 KRW (about $26). Although compliance is taking root globally, there are still many more countries below the (excuse the baseball reference) “Mendoza line” when it comes to performance on Transparency International’s Corruption Perceptions Index (CPI). These have yet to demonstrate their role in the global fight against corruption.

“ISO 37001 is an important document that deserves support from the compliance and FCPA community. Many countries still don’t have a strong culture of anti-bribery enforcement, so even when corporations in those places want to crack down on bribery (and many do), they struggle to find a straightforward framework upon which to build their program,” said Matt Kelly, the former editor-in-chief of Compliance Week and now founder of Radical Compliance, in a February article on the FCPA Blog.

Factor in the commercial benefits of ISO 37001: companies in these countries now not only have the guidelines, but also the impetus to begin what may, over time, prove to be a cultural revolution of sorts.

  4. Creating Customer Value: Selling the value proposition of ISO 37001 certification should not be too difficult, as its value out of the gate in winning and retaining customers is easy to articulate. What ISO 27001 has become for IT assurance, ISO 37001 will accomplish for ABC compliance. It creates a direct link between a compliance initiative and the commercial strategy. Talking the talk may have prevailed previously, but now it’s time to walk the ABC walk.

At CPA Global I had developed narratives, slides and diagrams to educate customers that what our industry provides is unique. Our value proposition as the best in the industry included our ABC program, which manages our customers’ risk on several levels. Now my secret sauce may not be so secret with the ISO 37001 standard, but competitors will still need to implement it before they can claim to provide this value.

  5. Reducing Customer Risk: For the company looking to certify, having a strong anti-bribery and corruption program may also directly lower its customers’ risk, especially when the vendor or its subsidiaries act directly as intermediaries along the revenue or supply chain continuum. In these cases, customer risk is at its highest, given that over 90% of FCPA enforcement actions have involved intermediaries as one of the culprits.
  6. Responsible Sourcing: As just referenced, customer attention to vendor compliance with bribery and corruption regulations has increased dramatically over the past 18 months. In fact, you will likely have noticed that Corporate Global (as opposed to Corporate America) is beginning to police itself by requiring its vendors to do more than just be the best at whatever it is they do. Some companies are taking what is referred to as responsible sourcing a bit further, requiring their vendors to demonstrate a commitment to corporate social responsibility, and in some cases requiring audits to prove it. Nestlé, in Vevey, Switzerland, requires over 10,000 of its vendors to demonstrate that they Create Shared Value (CSV), its term for corporate social responsibility, as part of its responsible sourcing policy. In the summer of last year, Facebook, in its own crusade to ensure fair pay for workers, began requiring its vendors to pay a minimum of $15 per hour, more than twice the then federal minimum wage. Underpaying is one form of exploitation; slavery is another. The UK Modern Slavery Act 2015 brings the exploitation of individuals to the foreground by requiring large companies to report publicly on the steps they take to ensure that their supply chains and third parties are free of what amounts to human subjugation and trafficking. These corporate behaviors and regulatory trends underpin the importance of having suppliers not just deliver on their Statement of Work (SOW), but demonstrate a corporate governance structure and ethical behavior across the board.

So it will be no surprise that many companies will begin requesting ISO 37001 certification from their existing vendors and requiring it as a prerequisite for prospective ones. Acquiring this certification will certainly give companies a leg up on the competition and in some cases will justify going with a premium provider whose offerings carry a higher price structure.

ISO 37001 will also undoubtedly bring professional disagreements on a variety of topics, and it will not settle every debate, for instance on which activities belong to each level of third party due diligence. However, there is always room for improvement, and that is what revisions are for.

But when you look at how far ISO 37001 certification goes in making ABC compliance clearer than ever before, and how it creates true motivation for companies to certify in the near future, this just might be the ISO program with the most important long-term impact on the plague that continues to ruin markets, disrupt trade, and erode business trust all over the globe. And hopefully it’s 1/15th of the cost of SOX to get there.

Mark Speck is the Chief Compliance Officer and Head of Audit at CPA Global and a globally recognized expert on anti-corruption compliance. He is a guest contributor to the GAN Compliance Connection Blog. Learn more about Mark and CPA Global at: