An inside perspective from Leslie Benton, one of the drafters of ISO 37001, on how the standard can be used to protect organizations from bribery.
- November 20, 2017
- Leslie Benton
We are privileged to have Leslie Benton, VP for Advocacy and Stakeholder Engagement of CREATe.org, share her thoughts on ISO 37001 and the impact that the global anti-bribery standard can have as companies work to combat bribery. Leslie is also one of the drafters of the standard as a member of the U.S. Technical Advisory Group to the ISO Committee that developed the standard. Her insight for this post was originally shared in the Opus webinar, Inside ISO 37001: Protect Your Organization from Anti-Bribery.
Let’s get one question out of the way: Is an anti-bribery standard really necessary? With so much guidance available, some find deciphering anti-bribery best practices a cumbersome task. Yet for organizations large and small, staying compliant with anti-bribery regulations is imperative.
Surveying the anti-bribery guidance already available, we see a global convergence around what good compliance looks like. Until a little over a year ago, in late 2016, what was lacking was a single (voluntary) certifiable standard on how to design and implement a compliance program.
Now, the new ISO 37001 standard is offering organizations a detailed and consolidated view on anti-bribery compliance. Crafted by a group of global stakeholders from industry, the legal and audit communities and others, ISO 37001 provides a harmonization of existing anti-bribery guidance that is intentionally broad in its application. Sophisticated practitioners of anti-bribery compliance may not find the standard revolutionary, but what it offers to all is a single source for existing leading practices and a level of detail not found in most other guidelines.
We should recognize up front that the standard can be used in two ways and both can be valuable depending upon a company’s circumstances: as a benchmark and for certification purposes. ISO 37001 is a tool companies can use to design a new anti-bribery program or to measure and continually improve an existing program. Applicable globally, it provides organizations several key benefits. Here are five reasons why ISO 37001 helps companies looking to improve or start an anti-bribery program.
1. The standard is flexible.
ISO 37001 is meant to be relevant for many types of organizations, both small and large. It is flexible, allowing companies to implement requirements based on their level of and tolerance for risk and in a manner that is “reasonable and proportionate” to that risk. The standard recognizes that every organization is different and thus its policies, procedures and controls will be different too. By bringing together existing anti-bribery leading practices, ISO 37001 serves as a good benchmark for a company to measure the effectiveness of their program.
2. Centralizes and standardizes anti-bribery programs.
ISO 37001 gives companies a single global framework to use across an entire organization. Standardizing an anti-bribery program can help companies reduce costs and give better insight into how their compliance program is implemented across the organization. This is particularly helpful for multinational companies with centralized compliance programs that have been localized by subsidiaries around the globe.
3. Demonstrates compliance.
ISO 37001 requirements place a strong emphasis on detail and documentation. The standard requires that companies not only take steps to strengthen their anti-bribery program, but that they document those steps as well. If an auditor, or a regulator, comes to look at the program, the company will have some evidence that the program was designed properly and implemented effectively and in good faith.
4. Results in better third-party risk management.
Third parties are a significant bribery risk area for companies. ISO 37001 can be an effective way to measure third-party behavior. Whether used to monitor high-risk third parties or as part of onboarding, the standard provides benchmarks companies can use for third-party risk management and making sure third parties meet compliance expectations.
5. Certification can offer organizations a competitive advantage.
Conformance to the requirements of ISO 37001 can provide organizations with a tangible demonstration of a company’s commitment to good anti-bribery practices. As a result, when entering a new market or starting a new business relationship, a company’s new partner may have some assurance that the company takes compliance seriously. Certification has the potential to be a differentiator that boosts confidence and leads to new business.
Steps Toward Implementing ISO 37001
As I alluded to above, the linchpin of ISO 37001 is a company’s risk assessment. It should include an analysis of risks posed by organizational size and structure (including whether their anti-bribery program is centralized or decentralized), industry and business model, use and type of third parties, among other things. It should also include an understanding of the requirements of stakeholders, whether investors or others, and regulatory and contractual requirements.
The goal of a risk assessment is to make sure companies have a real understanding of their context and risk so that they inform the anti-bribery program and its scope. For companies that are new to dealing with bribery regulations, this step is even more important.
Once a company has completed a risk assessment and determined the scope of the program and the implementation required, it should assess its existing anti-bribery policies, procedures and controls and develop additional controls where there are gaps. As noted above, ISO 37001 recognizes that these should be reasonable and proportionate to a company’s assessed risk. Each company can determine what they consider high, medium or low risk, but it is important to note that when implementing controls, they should consider all areas that present more than a low risk, not just those that rate the highest.
Finally, implementing ISO 37001 means having proper documentation — it’s a key piece of the standard. Good documentation will ensure that companies have a record of their actions in establishing an anti-bribery program.
Conformity with ISO 37001 is not a guarantee that no bribery will occur within an organization. It’s not a substitute for ensuring compliance with all relevant laws, or for doing due diligence on a company’s third parties. It does offer companies a benchmark against which to measure their risk management, and for some it may reduce confusion surrounding anti-bribery leading practices, provide a global perspective and offer a flexible solution across all sectors.
What was missing in anti-bribery compliance was a single, detailed and certifiable standard that was global in perspective. No longer.
For more from our webinar, Inside ISO 37001: Protect Your Organization from Bribery, download the full recording.