Que? Speaking the Same Anti-Bribery Language in an International World

Note: This is a guest post by attorney and compliance expert Ramsey Kazem.

Many years ago, as an employee of a retail store, I witnessed an incident where the inability to communicate in like terms undermined a sales transaction that otherwise would have been simple and straightforward.  A German tourist entered the store, selected a shoe from the shelf and asked the salesman to bring him a size 45.  The salesman recognized the customer was offering his European shoe size, but was unsure how to convert it to a U.S. standard – after all, this was at a time before smart phones, wi-fi and easy access to the internet; one could not simply “Google it”.  The salesman explained he was not familiar with European sizes, but pointed to the measuring tool in the corner and offered to measure the customer’s shoe size.  The customer, already knowing his size, refused and barked: “I am size 45.  Get me size 45!!!”  No longer interested in being helpful, the salesman sarcastically replied: “I don’t know what that is.  This is America.”  The German angrily stormed out of the store without completing the purchase. 

While all the ingredients for a successful sale were present, the inability to understand each other not only sabotaged the deal but it caused hard feelings in the process. This incident provides an important reminder that people of different cultures often say the same thing, differently.  Both parties were communicating in English, but speaking a different language. 

In international business, discussions regarding applicable anti-bribery and corruption standards can lead to similar misunderstandings between business partners of different countries.  While bribery is a global phenomenon, compliance standards to root it out are not universal.  What is expected and acceptable in one region of the world may not be adequate in others.  Adding to the confusion, terms such as “due diligence”, “risk assessment”, “training” (and others) are nebulous and may mean different things to different people.  Confronted with these challenges, organizations reflexively insist on the standards with which they are most familiar.  An American company, for example, may insist on standards articulated in the U.S. Sentencing Guidelines, the FCPA Resource Guide or published DOJ or SEC settlement agreements.  A U.K. company may default to standards published in the guidance to the U.K. Bribery Act.  And, on and on.  The foreign counterparts, however, may not be familiar with, or receptive to, these requirements.  Worse yet, the insistence on mandating standards of jurisdictions in which the business partner does not operate could strain the relationship between the parties.         

On October 15, 2016, after years of study and in collaboration with delegations from 56 countries, the International Organization for Standardization (“ISO”) published ISO 37001, the first global standard for the development and implementation of an anti-bribery management system.  The emergence of ISO 37001 was a welcome development as it provides a universal framework for managing bribery risk.  Moreover, it allows business partners from all regions to communicate in a common language.  ISO 37001 means ISO 37001 in any language.

Why Using ISO is like Building a House

To understand the benefits of ISO 37001 it is important to know what it is (and what it is not).  ISO 37001 provides a framework for the development and implementation of an anti-bribery management system.  The standard sets forth mandatory requirements that an organization’s anti-bribery management system must meet, but generally leaves the means and methods for satisfying those requirements to the discretion of the organization.  To that end, the standard includes guidance for meeting the mandatory requirements.  These global best practices are non-mandatory – an organization must only implement these measures to the extent they are reasonable and proportionate to the organization’s bribery risks.  In other words, ISO 37001 is not a one size fits all mandate, but allows sufficient flexibility to tailor the system to the unique risks of the organization.  As such, ISO 37001 applies to organizations of all sizes, industries, regions and risk profiles.

By way of analogy, if you were constructing a house, ISO 37001’s mandatory requirements would mandate items essential to a stable and effective structure – e.g., a roof, load bearing walls, mechanical, plumbing and electrical systems, etc.  The standard’s non-mandatory requirements, on the other hand, provide a home owner the flexibility to customize the structure – e.g., select finishes, decide where to invest in upgrades, modify the layout, and comply with requirements of local ordinances.  Just as in a design for a new home, ISO 37001’s mandatory and non-mandatory requirements work together to ensure the anti-bribery management system is both: (1) stable and effective; and (2) tailored to the unique risk of the organization.

ISO 37001 is not only a roadmap for developing new anti-bribery programs, it also provides a globally accepted benchmark against which to evaluate and improve existing programs.  When properly implemented, the standard will reduce an organization’s bribery risk and improve its overall ethical culture.  Moreover, to demonstrate a commitment to combating bribery, organizations can obtain an ISO 37001 certification from accredited auditors.  The certification not only confirms an organization’s compliance with the standard but, in many instances, will provide a competitive advantage over non-certified competitors in its industry.  Finally, as a global standard, ISO 37001 provides a common language for international business partners.  As will be discussed below, organizations should seek out ISO 37001 certified partners to transact business with as the common baseline for managing bribery risk will lead to more reliable and effective communications to address the issue in their transaction.

Let’s All Get On the Same Page

At the outset, it is important to mention that an ISO 37001 certification does not ensure that no bribery has occurred or will occur within the certified organization.  More importantly, business partners of a certified organization are not absolved from their due diligence and monitoring obligations.  The point of the certification is not to guarantee that an organization presents no bribery risk.  Instead, the certification process provides an objective mechanism by which an entity can demonstrate to its stakeholders that its anti-bribery management system complies with the requirements of ISO 37001.  Transacting business with an ISO 37001 certified business partner results in several important advantages, including:

A common understanding of terms and concepts.  Prior to ISO 37001, there was no global standard for managing bribery risk.  While the various existing standards used similar terminology, individual terms and concepts did not have a fixed definition.  Even a concept as fundamental as “bribery” itself was subject to various definitions.  Under the FCPA, for example, bribery was limited to corrupt payments to foreign government officials.  And, so-called facilitating payments – minor bribe payments to secure routine governmental action – are excepted from the definition and entirely permissible.  The U.K. Bribery Act, on the other hand, takes a more expansive approach to bribery and precludes corrupt payments in governmental and commercial transactions.  Moreover, facilitating payments are not exempt and are likewise prohibited.  Consequently, when a business partner claims to have an anti-bribery program it is entirely unclear as to the precise conduct the program is designed to manage and mitigate.  Obviously, a program designed to meet the standards of the FCPA is likely to have narrower prohibitions than one designed to meet the requirements of the U.K. Bribery Act.

Inconsistencies in terms create uncertainty and confusion in assessing to what extent a foreign business partner is managing its bribery risk, if at all.  With ISO 37001, organizations are not confronted with this issue.  Key terms are precisely defined in the standard’s definitional provision.  Moreover, concepts such as “risk assessment”, “due diligence”, and “training”, which are not subject to an exact definition and may vary by circumstance, are nonetheless subject to a defined process and criteria.  Even if the ultimate output is different, an organization will understand the process undertaken and the factors considered in tailoring these procedures.  This leads to more productive communications regarding the scope, scale and effectiveness of the anti-bribery management system as ISO 37001 certified business partners will be communicating from a common baseline and in like terms.

Efficiencies in key processes.  Transacting business with an ISO 37001 certified business partner does not eliminate an organization’s due diligence and monitoring obligations.  However, it does make these and other processes more efficient, reliable, and effective.  For example, the due diligence process can be more targeted.  An organization will know the processes required to be implemented, the information that must be documented, and the controls required to be in place.  With this understanding, an organization can be very specific in its due diligence and more deeply scrutinize the high-risk areas of the relationship.  Moreover, because both sides of the transaction are working from the same playbook, an organization can gain tremendous insight into a potential business partner’s approach to managing its bribery risk.  Decisions where to invest anti-bribery compliance resources, how to assess and prioritize risk areas, which of the suggested best practices to implement, and under what circumstances to go beyond the minimum requirements of the standards can be very revealing.     

Likewise, working with an ISO 37001 certified business partner allows an organization to take a more targeted approach with respect to monitoring.  ISO 37001 includes significant mandatory documentation requirements.  An organization, therefore, can be very strategic in exercising its audit rights and review documentation specific to the areas of the business relationship that require closer scrutiny.  Moreover, a comprehensive understanding of what the standard requires enhances an organization’s ability to identify red-flags in a business partner’s performance.

Stability in the standard.  While it is a stretch to suggest that the other standards are subject to sudden and unexpected modifications, recent political changes around the world have caused some to question whether, and to what extent, anti-bribery standards and enforcement actions will be impacted.  Time will tell whether these concerns are well founded, but it is unlikely that any significant changes will be forthcoming or tolerated.  After all, no political party has campaigned on a platform to make bribery legal again.  Nevertheless, it is worth noting that ISO 37001 is not impacted by the political climate of the day.  It was developed by a non-governmental organization with the collaboration of compliance standards experts representing 56 countries.  The standard reflects global best business practices and will change only as new, more effective techniques for addressing bribery risk are developed and globally recognized.         


ISO 37001 is the first global standard for the development and implementation of an anti-bribery management system.  By developing a universal framework, organizations from all regions of the world can more effectively address bribery risk with their foreign counterparts as both sides of the transaction will be working from a common baseline of understanding.  Moreover, it allows international business partners to communicate in a common language – perhaps, even a German tourist and an American shoe salesman.

Ramsey Kazem can be contacted at +1-404.872.5615 or by email at info@thethreetwelvegroup.com.



When Can I See You Again? Spring Conference Season!


10 days, 5 speeches, 3 countries, 2 continents…it must be Spring Conference season!  I’m gearing up for a massive two weeks of learning, speaking, networking, connecting and finding out what’s new in compliance.  Shall we meet up in person?


This weekend kicks off in National Harbor, Maryland with the Health Care Compliance Association’s 21st annual Compliance Institute.  We’re expecting 3,000 people.  I’m giving the keynote on Monday morning, titled…what else?  How to Be a Wildly Effective Compliance Officer.  That afternoon the fabulous Calin Elardi and I will be presenting, “Yeah, but what’s in it for me?  Making training and communications Impactful, Relevant and FUN!” 


Wildly Effective Compliance Officer Tip of the Week - 47

When there is a change in management or leadership at a company, there is often a big shift in how people relate to compliance.  In many industries, compliance hasn’t fully developed as a career, and new leaders may not know how to relate to you or understand the value of what you do.  At times like this, it is important to remember that building your relationship with the new leader is important, but also, that part of your job may be to educate the leader about what you do and the direct value you bring to the organization.  Try not to be frustrated if this takes some time.  New leaders can become great advocates, but they may need to understand what we do first.

How to Build Instant Rapport


The dictionary defines rapport as an “especially harmonious or sympathetic relation.”  A study from the Georgia Institute of Technology found that job seekers who created rapport early in their interactions with the interviewer scored higher overall than those who performed equally well in the technical part of the interview but failed to generate an early sense of connection.  So how does one build that elusive sense of rapport? 

Finding Common Ground

The fastest way to build rapport is to find common ground.  Let’s say you are meeting the new manager of sales and you need to find a way to interest her in compliance.  Prior to the meeting you can view her LinkedIn, Facebook or Twitter profile to find out information about her history and preferences.  Where did she go to school?  Where did she grow up?  Does she list any volunteer activities that might show her interests?  Do you have any connections in common?  Any of these small pieces of information can build an instant connection between you and the person you’re meeting, especially if you bring them up early in the conversation.

Notice the Details

When you meet someone in person, look for details which could conjure commonalities.  What photo is the person using for his screen-saver?  Is it his children, pets, or vacation photo?  Are there mementos or pictures in her office which show that she has an interest in a certain sports team, outdoor activity, or the arts?  Try to find something to comment on where you have a shared interest or passion.  This will immediately give the listener the feeling that you understand him or her, which immediately builds rapport.


If you can’t easily find something in common to discuss, try starting with a compliment.  For example, “I heard from [name of boss or co-worker] that you did a great job on [thing], well done!”  If you’re in a new office or location, try praising the city, building, artwork or anything else that catches your eye.  Beginning with a compliment or positive statement lets the listener know that you have already associated good things with him or her.   

Rapport-building is the art of making someone feel at ease and as if they already know you.  Highlighting common experience or interests, noticing the little details and giving genuine compliments can ensure that the listener comes away from your conversation saying, “I like you.  You remind me of me.”



Wildly Effective Compliance Officer Tip of the Week - 46

Many compliance officers are uncomfortable using social media sites like Twitter or LinkedIn to promote themselves or comment on what’s happening in the profession.  While it is always important to be courteous and professional, social media allows people to connect across the world.  Your network can expand rapidly without even leaving your desk, and when you meet people in person at conferences that you’ve connected with virtually, you’ll have an immediate warm contact instead of a cold introduction. 

Quiz: What’s Your Type?


All of us enjoy working in a way that suits our personality and proclivities, but is your natural way of working helping you to be a Wildly Strategic compliance officer?  Perhaps you love to collaborate with other functions, or perhaps you’re the type who likes to run everything yourself.  Identifying your type can help you to see your own strengths and weaknesses, which in turn will allow you to strategically identify how you work with the business.


Wildly Effective Compliance Officer Tip of the Week - 45

Keeping up with news in the profession is an important part of a compliance officer’s job.  I recommend that you schedule 20 minutes each day to check blogs and news services.  Free sources like the FCPA Blog and Tom Fox’s blog can help you keep up with the latest enforcement actions, while the SCCE Blog and my blog at Compliance Kristy can help you keep up with best practices, which influence regulator expectations.  By spending a few minutes a day investing in your ongoing learning, you can make yourself even more effective.

How Conferences Helped Me To Answer Three Critical Career Questions

“I don’t have time this year to attend a conference.  I’m too busy with work!”  It’s easy to tell ourselves that we can’t get to a conference this time.  After all, there’s the travel to the conference, the cost, time awaiting reimbursement and the never-ending ding of the mobile device letting you know that while you’re in sessions, people at your organization still need you to be doing your compliance work.  But while it may seem easy to skip conference attendance, you shouldn’t.  Going to conferences helped (and continues to help) me to answer three critical career-defining questions.

Question 1: What do I do if I’m downsized or ready for a promotion?

About a month ago I got a call from a former colleague of mine.  After 15 years in the same blue-chip company, the compliance function had been moved to an office in another state, and he wasn’t invited to go.  He was devastated.  He’d seen an ad for a job he was interested in, and he noted that I was connected to the hiring manager via LinkedIn.  Could I offer an introduction?  You bet I could.

The reason I could help him was because I’d met the hiring manager at a conference three years earlier.  We’d kept in touch and I was able to put them in contact and send his resume along.  Guess what?  He got the job.  There is truth to the adage that you must create your network BEFORE you need it.  The best jobs are almost always filled by people who come with a recommendation from a trusted source.  By attending conferences you build your network now, before you need it. 

If you find yourself downsized or your company goes out of business, there’s nothing like a vibrant network to help you find your next role.  Alternatively, if you’ve outgrown your current job, your network can be your eyes and ears to get you that promotion you so richly deserve.

Question 2: How am I supposed to know what best practices are and what other companies are doing?

“Well, what are other companies doing?”  This vexing question is asked a hundred times a day throughout the world when compliance officers meet with management to discuss new laws.  Whether it’s the new European General Data Protection Regulation or the UK Modern Slavery Act, people at your company not only expect you to know the law; they also expect you to know what to do about complying with it.  Conferences are fantastic places to learn what other companies are doing with the same challenges you’re facing.

We’re lucky in compliance in that we’re able to share our work strategies with each other without fear of antitrust violations.  The ability to take advantage of other people’s and companies’ knowledge is one of the best things about conference attendance.

Question 3: Why is she having such a good time?

When I left legal private practice to go in-house, my boss sent me to the European SCCE Compliance and Ethics Institute.  I was miserable.  I didn’t know anyone and I felt lonely and uncomfortable standing by myself.  However, by the afternoon of the first day I’d introduced myself to one of the speakers, and she and I struck up a conversation.  That conversation turned into a friendship, and she invited me to talk to some of her other friends in the industry. 

This year I’m performing the Keynote at the Health Care Compliance Institute and the European Compliance and Ethics Institute in Maryland, as well as performing break-out sessions at the SCCE conference in Las Vegas this fall.  I’ll also be speaking at the Women in Compliance Conference in London in March.  I’m genuinely looking forward to it, because I have friends that I only get to see at the conferences.  By working through my discomfort at the first conference, I built relationships that make it so I’m thrilled to be going to the conference this year. 

So what do you say, shall we meet up this year?  National City, London, Prague or Vegas?  All four?  Fantastic.  I can’t wait to see you there. 

Wildly Effective Compliance Officer Tip of the Week - 44

There’s a Sun Tzu quote I love that says, “Every battle is won before it is fought.”  Keeping this in mind, you must consider strategy as it relates to your program.  Choose areas of focus and give yourself specific deliverables with timelines.  Although you may have to take time to fight fires, when you’re not fighting fires you can focus on one or two areas where you can have the most impact.  This will make you highly effective.

Join Me At The Women in Compliance Conference, March 29-30 in London

The third annual Women in Compliance Conference is taking place March 29 and 30 at the Radisson Blu in London’s beautiful Marylebone neighborhood.  Join me and eminent thought leaders from companies like the HSBC, Royal Mail, Tesco, Travelport and others while we talk about the things that matter to women in business and women building careers in compliance.

I’m speaking on using top sales techniques to sell compliance to your internal audience.  Trust me, you don’t want to miss this.  There will be glitter. 

The annual conference culminates with the Women in Compliance Awards.  Click here for more information and registration: https://www.c5-online.com/women-compliance-conference/