A new standard for anti-bribery management systems, ISO 37001, has been published by the International Organization for Standardization (ISO). The standard is intended to help organisations establish a new anti-bribery compliance programme or to improve an existing one.
The new standard has international application, despite the fact that national anti-bribery laws can take different shapes. In the UK, for example, section 7 of the Bribery Act 2010 imposes a strict liability offence on commercial organisations of failure to prevent bribery. This applies to the activities of “associated persons” such as third party associates and intermediaries, as well as to those of an organisation’s own employees, and it applies even where the conduct has taken place outside the UK. To have a defence to a section 7 offence, an organisation needs to show that it had “adequate procedures” designed to prevent bribery. Having these in place is therefore a critical risk management measure.
ISO 37001 aims to assist organisations by providing a benchmark. In reality, though, many organisations will already have more comprehensive measures in place, and the standard is not a guarantee of compliance, so it should be approached with a degree of caution. That said, as an ISO standard it may find its way into contractual and procurement processes.
ISO 37001 is intended to be applicable to all organisations, regardless of size, industry, sector, or location. It is also designed to integrate easily with existing management processes and other risk management processes.
It requires organisations to take a series of measures, proportionate to their circumstances, to prevent, discover and address bribery, including:
- adopting an anti-bribery policy;
- appointing a compliance officer;
- vetting and training employees;
- undertaking risk assessments;
- implementing financial and commercial controls;
- instigating reporting and investigation procedures; and
- communicating the policies, procedures and requirements to all staff, contractors, suppliers, and other third parties.
Rather than creating new ways of combatting bribery, ISO 37001 generally incorporates and codifies the typical existing practices. Its main proposals and requirements should therefore be familiar to many organisations.
Given the variation of the definition of bribery between countries, the standard provides a generic definition of bribery and accompanying guidance, but leaves organisations to implement measures that are relevant to their place(s) of operation.
The standard is also capable of third party certification, which may assist in demonstrating proper compliance with the standard and a commitment to tackling bribery and corruption (for example, where required by public procurement rules or supply contracts). The cost of certification will depend in part on the size and complexity of the organisation. It remains to be seen to what extent customers or partners will require ISO 37001 certification as part of procurement and tender processes or other business ventures.
It is important to note that ISO 37001 only applies to bribery. It does not extend to or address money-laundering, fraud, or anti-competitive practices. It therefore covers only one aspect of an organisation’s risk management processes.
Practical effects on commercial organisations
The principal benefits of having in place a robust anti-bribery programme which complies with ISO 37001 include:
- reducing the risk of bribery occurring in the first place;
- assisting in the defence of criminal or civil proceedings and investigations, where bribery does occur;
- demonstrating to regulators and authorities a pro-active anti-bribery culture;
- complying with obligations to customers, partners, investors and other stakeholders; and
- assisting with due diligence requirements on the disposal of a business.
Implementation and certification of ISO 37001 is entirely voluntary and compliance with it is not a legal requirement. It may, however, come to represent international best practice in the procedures organisations should put in place, or at least a base threshold should organisations not have their own more bespoke policies and procedures.
ISO 37001 certification will not, however, provide an organisation with an automatic defence to a charge of failure to prevent bribery. Whilst certification or compliance may be influential in a regulator’s decision whether to pursue charges, or in a court’s assessment of the evidence, ultimately the organisation will need to demonstrate that it has adequate procedures in place to prevent bribery according to local law in order to avail itself of the relevant defence.
Maintaining the defence against strict liability
Organisations applying for ISO 37001 certification should be using the opportunity to take a fresh look at their anti-bribery procedures, how these integrate with other business functions and whether they are future-proofed against changing circumstances and standards.
Irrespective of ISO 37001, however, to maintain “adequate procedures” that will protect against offences such as the UK’s strict liability offence, organisations need to periodically monitor and review their risk profile and experience, update their policies and refresh training accordingly.
Failure to do so can lead to the protection afforded by “adequate procedures” being lost. Any organisation which has not carried out a review and updated its policies since they were first introduced should therefore do so now.