But does it really work? The value of ISO certification of anti-bribery compliance

The highly-anticipated ISO standard for anti-bribery management systems - ISO 37001 - was recently published. The standard and its guidance represent the outcome of an arduous process, where stakeholders from many nations and representing a range of interests agreed a set of principles that organisations of all sizes (whether public, private or not-for-profit) can use to design anti-bribery management programmes. The ISO does not intend or purport to create new ground, but rather consolidates existing guidance from regulators, intergovernmental organisations and NGOs.

Organisations might consider obtaining ISO certification for any range of reasons. First and foremost, such a certification can indicate to a company’s customers, business partners, investors and any others exposed to the company’s risk profile that the organisation’s programme meets baseline standards.

However, companies considering certification should be mindful that an ISO 37001 certification means that an anti-bribery management programme of a certain design exists, with all of the constituent parts prescribed by ISO; it does not mean that the programme really works. This is an important point, as any government agency looking to take enforcement action against an organisation for bribery and corruption related offences will inevitably undertake its own assessment of whether that organisation’s compliance programme is genuinely effective in its day-to-day application.

In terms of content, ISO 37001 defines bribery by reference to the laws applicable to each organisation and prescribes various actions, measures and controls that would be familiar to experienced legal, compliance and risk professionals. These include:

• Conducting a risk assessment to determine the risks faced by the organisation;
• Providing related training for all relevant employees and business associates;
• Conducting appropriate due diligence to assess bribery risks;
• Top management leadership and commitment;
• Providing appropriate resources for the operation of the anti-bribery management system;
• Implementing appropriate financial and commercial controls to mitigate the risk of bribery;
• Having whistle-blowing procedures in place; and
• Monitoring and testing the programme’s effectiveness on a regular basis.

ISO certification can be a useful indication to external stakeholders that these elements exist within an organisation. For the business partner who requests information about a company's anti-bribery management programme, ISO certification could be shorthand for describing the various elements in place.

Further, regulators who want to encourage a compliance culture in jurisdictions with less enforcement history than the United States or United Kingdom may point to ISO 37001 as guidance for local organisations. Because ISO37001 is a global commercial standard, it may be better received than standards promulgated by the US or UK regulators, whose extraterritorial reach is sometimes perceived as unreasonable.

Anti-bribery management programmes have two main aims:

1. to mitigate the risk and incidence of corruption within an organisation and
2. to provide a credible response to prosecutors when, despite best efforts, a corrupt act occurs.

Programmes that achieve those two aims are those that actually work, rather than just exist.

The message from relevant authorities is unambiguous: only truly effective anti-bribery management programmes merit consideration in terms of penalty mitigation or, where applicable, an affirmative defence. In fact, the UK Government Guidance on Corporate Prosecutions¹ lists an ineffective compliance programme as an aggravating factor that should encourage a decision to prosecute. Similar language appears in the UK Deferred Prosecution Agreements Code of Practice.² A key takeaway from the Standard Bank DPA is that ineffective anti-bribery programmes will not be considered “adequate procedures, despite the moving parts that may exist.³

US authorities ask “three basic questions: Is the company's compliance programme well designed? Is it applied in good faith? Does it work?”.⁴ US regulators often give some weight to a respondent's compliance programme, but mitigation is only awarded in cases where the programme is truly effective - and where the alleged corrupt activity took place despite the company's best efforts.

ISO certification could certainly be a valuable exercise for any organisation looking to ascertain whether its programme - or at least its plan for developing the programme - hits all the right marks. Seeking certification should not, however, direct company resources away from focussing on meeting the standards regulators set: is the programme mitigating the risk and incidence of corruption, and is it providing a credible response when impropriety nonetheless occurs?

Achieving these goals - as opposed to a certification - is hard work and takes planning, expertise and cultural change management. Reflecting this, the ISO standard notes in its appendix that senior managers must have “genuine intent” and a “genuine commitment to prevent, detect and address bribery in relation to the organisation's business”.⁵ This matches various guidance documents issued by the authorities, such as the UK Ministry of Justice Bribery Act Guidance,⁶ the FCPA Resource Guide⁷ and the US Federal Sentencing Guidelines.⁸

The dangers of an over-reliance on certification were highlighted earlier this year when Australian journalists alleged that Monaco-based Unaoil had helped various multi-national companies secure government licences using improper payments. Unaoil had previously been certified by a well-known due diligence provider. The matter is now subject to a number of criminal inquiries by authorities including the SFO, and the press has labelled the agent, “The Intermediary That Allegedly Bribed The Entire Oil Industry”.⁹

Ensuring that your anti-bribery management programme really works takes genuine review and assurance: not just an auditing process, but substantive transaction testing to ensure that legal risks are being appropriately identified and mitigated, that processes are being followed and that the correct decisions are being made by businesses, legal and compliance personnel. Such an outcomes-based assessment provides metrics and management information to executives and boards, which enables a company to determine with confidence whether their programme really works. The same can be done, albeit with more qualitative feedback, with respect to development of ethical culture and training effectiveness. What dilemmas are facing your managers, and how effectively does their reflex meet the challenge? Is your training programme changing hearts and minds, and how can you do better? Is your message being heard?

Real commitment and action is the challenge in any organisation and the key to effective anti-bribery management programmes. The new ISO standard gives corporates a set of tools by which they can meet that challenge, but whether those tools are deployed effectively is a matter of real testing and assurance.

Norton Rose Fulbright was delighted to be represented as the only legal practice on the UK based BSi Anti-Bribery Committee which worked on the ISO standard on anti-bribery (ISO 37001). This followed our earlier work on the British Standards Institute’s panel in connection with the drafting of the first British Standard on Anti-Bribery (BS 10500).