Iso publishes standard on anti-corruption measures: independent certification or gentle reassurance?

Five years on from the UK Bribery Act entering into force, tackling bribery and corruption remains a domestic and international political priority. With enforcement actions becoming more common, and offending corporates incurring substantial financial penalties, the pressure is on for businesses to implement and follow effective anti-bribery procedures.

However, with the US Foreign Corrupt Practices Act (FCPA) and UK Bribery Act (UKBA) both having extensive international reach, and with numerous other jurisdictions having their own strict anti-bribery laws, there is quite a tangle of legislation to comply with – for all parts of a business, wherever in the world it is operating.

On top of that, it is not enough for an organisation to mind its own procedures – it must also mind those of almost any organisation with whom it does business.

Against that background, the International Organisation for Standardisation (ISO) has produced a draft standard, ISO 37001 (ISO) to help organisations implement what it calls "anti-bribery management systems" (ABMS).

The aim of the ISO is to produce a standard that reflects international good practice (taking into account relevant laws including the FCPA and UKBA) and is applicable across all jurisdictions and organisations of all sizes and sectors.

Organisations may seek certification of their compliance with the ISO if they wish. Certification may be carried out by an independent certification body, which would conduct an audit then issue a certificate verifying compliance with the standard. The organisation may then assert that its ABMS is "ISO 37001 certified", or similar.

The ISO sets out a step-by-step process for implementing an ABMS: from the initial risk assessment through to the planning, operational and review phases. Sections 1 to 3 are the preamble, covering the Scope and Definitions; sections 4 to 6 cover Context, Leadership, Planning and Support, section 8 Operation, and sections 9 and 10 Performance evaluation and Improvement. Annex A provides more in-depth guidance. The sections likely to be of most interest are highlighted below.

Within those sections are requirements that will be familiar to UK lawyers and compliance officers as they reflect the six principles of "adequate procedures" set out in the UK Ministry of Justice's Guidance to Section 7 of the Bribery Act.

This section explains that appropriate work must be done at the outset to understand what risks the company faces, and how best to address them. It highlights that a company should assess its risks, based on its size, the sectors and countries in which it operates, etc – but the ISO provides the questions rather than the answers; the conduct of the risk assessment is for the company itself.

It is important, in this section and throughout the ISO, not to underestimate the amount of work that might be involved in meeting its requirements - for a large, complex organisation a risk assessment is likely to involve a wide-scale long-term review and cannot be simply a tick-box exercise.

This section of the ISO sets out and fits with the principle of top-level commitment under the MoJ Guidance. In addition to stipulating that leadership by "top management" is vital, there is a sub-section relating solely to the anti-bribery compliance function. It specifies not only that the function should have a key role in the design and implementation of the ABMS, but that the function should be adequately resourced, with direct and prompt access to the top management should concerns need to be raised.

This is an important section as it highlights that it is not sufficient to have an ABMS in place; it must also be supervised by an adequate compliance function.

Regardless of careful implementation of policies and training, the realities of doing business mean that bribery risks cannot be entirely eradicated. This section sets out measures for minimising risk, such as conducting due diligence on partner organisations, implementing controls, providing whistleblowing hotlines and setting out procedures for investigating bribery allegations.

Importantly, it also makes clear that those safeguards should apply to business partners as well as the organisation itself. Third-party dealings are a significant challenge for organisations and an aspect of anti-bribery compliance that it is important to get right.

Finally, Annex A provides colour and elaboration around the process set out in the rest of the ISO –elaborating on terms used and providing practical guidance. The ISO should be read alongside its Annex for a full understanding of the process.

As the ISO itself recognises, there is no "one size fits all" approach; every business has a different risk profile. The ISO cannot stipulate, for example, which of an organisation’s suppliers should be subject to enhanced due diligence, or which forms of training will be most effective in different parts of the business. Companies must still consider these issues carefully with their compliance and legal advisers.

It will also be important not to rely upon the ISO to the exclusion of the law. While certification with regard to the ISO may reassure an organisation that its procedures are robust, and may go some way to persuading the DoJ or SFO of the same, there are no guarantees that this would, for example, form a full defence to section 7 UKBA. A keen eye must also be kept on developing case law and local laws which may not be covered by the ISO.

That said, the ISO provides a helpful checklist of items that compliance officers should consider when creating and implementing an ABMS. It may also be a useful tool to encourage standardisation across supply chains and in other business relationships – future commercial agreements may well feature as standard a term requiring compliance with ISO 37001.

To what extent the ISO will be adopted, how regularly companies will seek independent certification, and what impact that will have on the overall compliance environment will remain to be seen. In the meantime, however, the attempt to streamline the requirements of myriad laws and set out practical steps to help implement them may provide some guidance and reassurance to increasingly busy compliance officers.