Companies adopt a wait-and-see approach to ISO 37001
Although ISO committee members described the new ISO 37001 anti-bribery standards as a turning point for anti-corruption compliance programmes, many organisations appear content to rely on their ability to create programmes that align with their own risk profiles. London-based Janos Kūhn (JK), director of ethics and compliance – EMEA at VMWare, and Frankfurt-based Dr Bartosz Makowicz (BM), university professor at the Law Faculty of the European University Viadrina Frankfurt (Oder), tell Compliance Insider® that this is unlikely to change until there is further clarification.
CI: Although there seems to be some level of awareness of the new ISO 37001 anti-bribery standards, some 66 percent of respondents to a recent Compliance Insider® survey admit to not being prepared for them. To what extent does this surprise you and what should companies be doing to prepare?
BM: The result does not surprise me at all. Firstly, the standard is a brand new one. While there has been some communication and marketing, the true effort to make the standard well known will probably be undertaken by national bodies after publication. In some countries, such as in Germany, it is usually the case that companies are not aware of new standards unless they are translated into the local language. The process of translation may take up to two years.
Secondly, I am not sure if companies should do anything right now to prepare for the standard since we still do not know if this standard will gain importance on the global stage (for example, ISO 19600 is still struggling for awareness). In my personal opinion, which is also the official opinion, there was no real need for this special standard since ISO has just published its compliance management standard (ISO 19600), which is sufficient enough to manage anti-bribery risks.
JK: I agree it’s not surprising at all. We are primarily dependent on and monitoring guidance from the DOJ and the SEC. When they comment on the new anti-bribery standards, that will raise its profile.
When the DOJ hired Hui Chen from Standard Chartered Bank in November 2015, many expected her to come forward with specific guidance to interfere with ISO. But such clarity has been lacking.
The fact is that DOJ and SEC guidance is what is driving us, but we acknowledge that our industries may be different. We develop our programmes in accordance with relevant FCPA guidance and best practice within the industry.
If this gets endorsed then an intensive benchmarking exercise will be needed. As soon as there is official endorsement and more clarity from the DOJ, SEC and ISO, then many companies will conduct a gap analysis and then immediately upgrade to these standards.
CI: Some 56 percent of survey respondents are not sure if they will comply with ISO 37001. Meanwhile, those that say they will carry out an internal audit of their anti-bribery programme to prepare for certification are in no rush to do so. How surprising is this given that ISO committee members described the standard as a turning point for anti-corruption compliance programmes (as there will now be recognised principles in the prevention and detection of corruption and therefore a known international ‘best practice’ to measure against)?
BM: In my modest opinion, the statement that ISO 37001 will be a turning point for anti-corruption compliance programmes is going much too far. It is usually neither ISO nor its committee that decides on the success of its standards but economic operators – in this case, companies. Our experience in Germany is that companies are generally very sceptical regarding the standardisation of compliance management systems (including anti-bribery programmes). I am not sure if there is a real need for such programmes since most companies manage their anti-bribery risks as typical compliance risks within their compliance management systems. It is common practice, and also the approach of ISO 19600, to integrate management systems and thus handle anti-bribery risks together with other compliance risks such as those around data protection, antitrust and the environment. That could be another reason for the result of your survey.
JK: There are many organisations that make such claims, but the authorities that matter the most have not yet said anything. Once that is clearer, there will be a scramble.
Over the past decade, the likes of the Big Four as well as many leading law firms advocated their own specific approvals and best practice materials, so companies had the opportunity to pick what they wanted. At the moment this looks like another one, so people will want to look for a true differentiator. I can see this as a game-changer once this clarification is offered by the DOJ and SEC.
CI: Some 51 percent of survey respondents say that their decision to comply is influenced by the fact that ISO 37001 is a certifiable requirement standard rather than a guideline (this made it difficult to achieve consensus on measures that required approval from all participatory delegations). To what extent do you feel that this diluted the ambition of the some of the standard’s measures?
BM: ISO 37001 should have been published as a guideline standard like ISO 19600. With regards to organisational complexity that is influenced by socio-cultural diversity in different countries, as well as the heterogeneity of compliance risks, it is almost impossible to describe common management systems that will suit all types of organisations. Based upon this approach, it was the decision of the ISO committee to create the ISO 19600 standard as a guideline. With ISO 37001 published as a requirement (although it is also dealing with compliance risks), it might be frightening for some organisations that are not able to comply with all requirements of the standards. I can imagine that the problem might occur especially with small and medium sized companies, as we have to remember that they still account for 99 percent of all companies in the European Union.
JK: Companies are content on their ability to create compliance programmes for themselves that align with their risk profiles. They are currently receiving materials from various vendors on benchmarking their programmes and regularly reviewing this. But as soon as these standards are endorsed, they will create another set of binding metrics to which to aspire.
ISO is not law, it is best practice. But whose ‘best practice’ it is needs to be defined because companies have their own versions.
CI: Some 77 percent of respondents described it as ‘important’ or ‘very important’ that the ISO 37001 measures were designed to be integrated with existing management processes and controls (and therefore do not require a standalone management system). Given such a strong response, to what extent do you think there is insufficient awareness of this aspect of the standards?
BM: It might have something to do with general knowledge of the ISO management standards. The activities of ISO in the area of compliance is quite new. Most of our partners do not realise that all new ISO management standards follow the same overarching structure, which is the so-called HLS or high level structure. It makes the integration approach a very easy game within companies. When I explain to audiences in trainings or conferences that ISO 19600 follows the same structure as ISO 9001, and that those who have had some exposure to ISO 9001 will already know the ISO 19600 structure and its elements, they are usually very surprised. This is the task of ISO and the national standardisation bodies – to be stronger with their marketing measures.
JK: We’ve been spending a lot on all sorts of tools to ensure that our processes are appropriately addressed. We understand the necessity of investing in infrastructure, so it will hurt if these standards mean additional investment. The DOJ’s hiring of Hui Chen was partly recognition of the need to provide guidance on human resource requirements.
CI: More than 65 percent of respondents are neutral or not sure on the importance of becoming ISO 37001 certified. However:
- 52 percent of respondents are either ‘interested’ or ‘very interested’ in using certification to compare their anti-bribery programmes with those of other companies
- Only four percent of respondents say they would not be more likely to conduct business with a third party that was ISO 37001 certified; and
- 56 percent of respondents confirmed that certification would influence the level of due diligence they would conduct on a third party.
To what extent do you agree that the above results suggest that many organisations, while unsure if they will comply with ISO 37001 and become certified themselves, do see value in being able to benchmark their anti-bribery programmes with those other companies and third parties?
BM: Well, these are very interesting results. They tell us that respondents on the one hand acknowledge the standard as a global anti-bribery standard. On the other hand, however, they want to wait some time probably to see what the perception of the standard will be all over the world before they decide to undergo the certification process. There could also be cases, similar to those observed by us with ISO 19600, where companies will internally compare their anti-bribery efforts with those in the standard without deciding yet on certification.
JK: Organisations are looking for guidance on what is sufficient and what is sub-standard. If there is no common ground, they will look for ways to establish that benchmarking. I think ISO could be a very important building block to this. As long as it can be adapted to multiple markets then it will work.
While certification could impact the average cost of due diligence, the real return on investment is the ability to access a commonly adopted benchmark.
CI: To what extent do you think that the new ISO 37001 anti-bribery standards will only become a ‘game changer’ once they receive strong endorsement from United States institutions?
BM: I do not think that United States institutions will play any role in this development. The chances of ISO 37001 becoming a ‘game changer’ depend on several key aspects. Firstly, it is still uncertain if and when ISO will succeed in the standardisation of compliance management systems. The failure here was to create two competing standards, since ISO 19600 is already a standard for compliance risks (thus also bribery risks). To be consistent, ISO should now follow with further standards on other compliance risks, such as antitrust compliance and data protection compliance. However, this will also not be welcomed by business, and so the basis for the success of ISO 37001 is not the best.
Secondly, it is really in the hands of organisations – especially companies – as to whether they will acknowledge compliance standardisation at all (so far they are very reserved but this attitude is changing slowly).
Thirdly, we have to see the other aspects. For example, as we have got to know recently, ISO will probably work on a new standard for organisational governance that could also be a kind of overarching standard for ISO 37001.
Finally, regardless of all other aspects, the real chance for ISO 37001 to be a success could be in the hands of United Kingdom businesses and institutions. As you know, it was the British Standards Institution (the BSI) that initiated the new ISO 37001. On the other hand, with its Bribery Act, the United Kingdom has the most severe anti-bribery legislation applicable exterritorialy. But if an organisation provides evidence of having adequate procedures or compliance systems, then it may avoid sanctioning.
I am not sure to what extent ISO 37001 covers the United Kingdom Ministry of Justice requirements around ‘adequate procedures’, but if it fully embraces those requirements then that could be its chance. Assuming that is the case, United Kingdom companies could exert huge pressure on their partners abroad to present the ISO 37001 certificate and, from there, a ‘snowball effect’ could commence. But, however it plays out, the future of ISO 37001 and global compliance standardisation in general remains thrilling.