Have you ever sat across from your joint venture partner in Indonesia. Romania or Taiwan trying to explain why the United States Federal Sentencing Guidelines make it so their employees should be provided with anti-bribery training? I have, and it isn’t a fun conversation.
The long, strong arm of the FCPA, as Dick Cassin has called it, can create reactive, fear-driven compliance programs that try to protect against enforcement by the local agencies. When a compliance officer visits joint venture partners, agents or companies in the supply chain outside the U.S. or UK, getting buy-in for adherence to standard compliance program elements like anti-bribery training, whistleblower mechanisms, and audit and terminations clauses for cause in contracts can be an uphill battle.
Enter the global ISO 37001 standard.
ISO 37001 is expected to be finalized next month and available at the end of the year. As Matt Kelly noted, “U.S. compliance officers can rest easy: this standard is nothing that you are not doing already.”
Alexandra Wrage added, “Compliance professionals working in jurisdictions with a credible threat of anti-bribery enforcement — the U.S., UK, Canada, Germany — will find nothing new in this standard.”
But that’s just the point — companies outside of the U.S., UK, Canada and Germany will now have a positive, pro-active standard to adhere to, and the certification to prove it.
Worth MacMurray and Leslie Benton said the ISO standard was developed by businesses for business, and input on the standard was provided by delegates from 40 countries. Businesses are used to the certification process for other ISO standards, and many flaunt their ISO certifications as a competitive differentiator.
My company has helped other companies prepare for their ISO 27001 certification audits (data privacy and security). I’ve seen supply chain and provider audits from multi-national companies requiring maintenance of ISO 27001 certification from their providers, as it is seen as a baseline requirement for doing business. If the global business community adopts the ISO 37001 certification as a baseline requirement, we’ll be in a much better place than we are now.
But what about Alexandra Wrage’s argument that an outside auditor cannot fully understand the risks the company faces, and will either rubber-stamp the program or impose his or her own judgments from a less informed position? While these are surely risks, I believe for most compliance officers, certification and re-certification of the compliance program to the ISO standard will be welcome.
The audit requires the provision of resources — both for the audit itself and for the creation or continuation of the compliance program underlying the certification. You can’t prove you did training without having a training budget and records of attendance. Compliance frequently struggles with the removal of resources when a crisis hasn’t occurred or is far in the past. The annual ISO audit and re-certification process will ensure a basic level of resources and structure for the compliance program, which in many places throughout the world is infinitely more than they have now.
The ISO 37001 standard won’t be a panacea for risk or a fool-proof protection against prosecution. But it will be a global standard of what constitutes a “good” anti-bribery compliance program. That’s a welcome and exciting development for the compliance world.