ISO 37001: Who's doing the certifying (and other responses to Hui Chen)

Hui Chen recently published a post sharing her opinions on the ISO 37001 Anti-Bribery Management Standard and ISO 37001 certification. She made some important points. 

She also asked questions and drew comparisons that should be evaluated in the context of how the ISO 37001 certification process occurs, and what it means for companies and organizations seeking it.

I want to respond to ensure the conversation is balanced and that another point of view is considered.

1. It is correct that “Prosecutors will not outsource their responsibilities.” Ms. Chen begins by stating that prosecutors won’t rely on ISO 37001 certification, but will always do a proper investigation. Ms. Chen makes an important point that is often misunderstood by the compliance community. 

There is a misconception that the only value in obtaining ISO 37001 certification is to avoid prosecution for bribery. This could not be farther from the truth. There is no silver bullet that protects against prosecution. Just as having a compliance program that follows the Federal Sentencing Guidelines will not shield an organization from investigation or prosecution, organizations that obtain ISO 37001 certification are not exempt either.

Organizations that implement ISO 37001 should do so in order to mitigate bribery risk and ensure their program meets global regulatory expectations and best practices, including adhering to elements of an effective compliance program set forth in the Federal Sentencing Guidelines. No certification can protect against prosecution, nor should it. 

2. The challenge of empirical evidence and compliance programs. Ms. Chen’s post compares the ISO 37001 Standard to the World Health Organization’s Surgical Safety Checklist, noting that ISO 37001’s anti-bribery requirements don’t have empirical research showing that bribery is reduced at companies with ISO 37001 certification.  ISO 37001 is still in its infancy and there aren’t enough companies that have been certified long enough for such research to exist.

However, as noted above, ISO 37001 incorporates all of the elements of the Federal Sentencing Guidelines, as well as the UK’s Ministry of Justice’s guidelines for the adequate procedures defense.  And, as all compliance professionals know, measuring your program’s value is a constant challenge -- how do you prove how many bribes your company would have made without a compliance program?  Proving something in the negative is almost impossible. Ms. Chen is correct that empirical evidence is not available, but this isn’t an ISO-related problem -- empirical evidence is a problem in proving the worth of all compliance programs.

3. Measurement IS required under ISO 37001. Ms. Chen notes that the Standard includes the requirement to measure the objectives of the company’s anti-bribery program in Section 6.2. However, in addition to Section 6.2, Section 9, titled “Performance evaluation” requires continuous “monitoring, measurement, analysis and evaluation” of the effectiveness of the anti-bribery program. It also requires periodic auditing of the anti-bribery program’s implementation, and periodic program performance evaluations. 

In addition, Section 10, titled “Continuous improvement” requires that an organization improve its program based on the measurements enumerated in Section 9 and other data on its program. The monitoring, auditing, performance evaluations and efforts towards improvement must all be documented. A program that has not been continuously monitored, measured, analyzed and evaluated would NOT be eligible for certification or re-certification.

4. Who is doing the certification? Excellent question! Ms. Chen asks the question, “Who is doing the certification?” This is a critically important question and there is currently confusion as to which body to use to get certified. ISO created two standards, ISO 17021-1 and ISO 17021-9, which contain requirements for certifying bodies to follow when certifying anti-bribery management systems. These separate ISO standards are meant to ensure that certification audits are conducted in a fair, impartial and consistent manner by auditors who have specific anti-bribery experience.

The U.S.’s accrediting bodies (ANAB / ANSI) and the UK’s accrediting body (UKAS) are in the process of evaluating certification bodies under these two standards so they can be designated as accredited certifiers. Companies like ETHIC Intelligence, the British Standards Institute and LRQA are all going through the accreditation process. We expect that some or all of these (and others) will be accredited by mid-next-year. Many companies are waiting to obtain certification until an accredited certification body is available, while others are moving forward with reputable certification bodies that are in the process of being accredited.

No organization should get ISO 37001 certification by a body that is not working toward accreditation. If your company is interested in obtaining certification, ASK if the certifying body is working to ISO 17021-1 and -9 standards, what methodology it is using to audit, and if it is in the process of receiving accreditation. You should also ask to see an auditor’s credentials to ensure they have the proper knowledge and experience before allowing them to conduct the ISO 37001 certification audit. If you want your ISO 37001 certification to have value, to your company and to the DOJ or any other prosecutorial authority, there are all critically factors. If the certification body can’t or won’t provide this information, find another certification body.  

5. The purpose that certification serves. At the end of her post, Ms. Chen suggests that some companies are interested in ISO 37001 certification as a PR exercise. Maybe that’s true in some cases.  But I’ve watched compliance programs be transformed by using the ISO 37001 framework. Too many compliance professionals are forced to sit outside of Board meetings waiting for a measly 15 minutes to present a year’s worth of efforts. But ISO 37001 doesn’t let top management pass the buck. If the company wants certification, it has to do more. ISO 37001 requires proper resourcing for the compliance department -- financial resources and human resources, as well as any necessary tools - and real involvement of the C-suite and Board.

Moreover, I can think of at least three reasons for a company to seek certification: (1) it wants to ensure that it’s meeting global best practices, including, but not just limited to the U.S. DOJ’s guidance, (2) it wants a way to systematically prove to the world, including its shareholders, that it is serious about anti-bribery in a verifiable way, and (3) so it can require its suppliers and subsidiaries to meet the same objective standard by asking them to obtain ISO 37001 certification as a pre-condition of working with them.

Ms. Chen concludes with a statement with which I wholeheartedly agree: “It’s time the E&C profession recognizes that we need data to back-up our claims that our programs are accomplishing anything other than spending and bureaucracy.” 

We do need to back up our claims -- and ISO 37001 certification is a great tool for doing so.

This piece originally appeared at the FCPA Blog on Oct. 24, 2017, available at: