Note: This is a guest post by attorney and compliance expert Ramsey Kazem.
Many years ago, as an employee of a retail store, I witnessed an incident where the inability to communicate in like terms undermined a sales transaction that otherwise would have been simple and straightforward. A German tourist entered the store, selected a shoe from the shelf and asked the salesman to bring him a size 45. The salesman recognized the customer was offering his European shoe size, but was unsure how to convert it to a U.S. standard – after all, this was at a time before smart phones, wi-fi and easy access to the internet; one could not simply “Google it”. The salesman explained he was not familiar with European sizes, but pointed to the measuring tool in the corner and offered to measure the customer’s shoe size. The customer, already knowing his size, refused and barked: “I am size 45. Get me size 45!!!” No longer interested in being helpful, the salesman sarcastically replied: “I don’t know what that is. This is America.” The German angrily stormed out of the store without completing the purchase.
While all the ingredients for a successful sale were present, the inability to understand each other not only sabotaged the deal but it caused hard feelings in the process. This incident provides an important reminder that people of different cultures often say the same thing, differently. Both parties were communicating in English, but speaking a different language.
In international business, discussions regarding applicable anti-bribery and corruption standards can lead to similar misunderstandings between business partners of different countries. While bribery is a global phenomenon, compliance standards to root it out are not universal. What is expected and acceptable in one region of the world may not be adequate in others. Adding to the confusion, terms such as “due diligence”, “risk assessment”, “training” (and others) are nebulous and may mean different things to different people. Confronted with these challenges, organizations reflexively insist on the standards with which they are most familiar. An American company, for example, may insist on standards articulated in the U.S. Sentencing Guidelines, the FCPA Resource Guide or published DOJ or SEC settlement agreements. A U.K. company may default to standards published in the guidance to the U.K. Bribery Act. And, on and on. The foreign counterparts, however, may not be familiar with, or receptive to, these requirements. Worse yet, the insistence on mandating standards of jurisdictions in which the business partner does not operate could strain the relationship between the parties.
On October 15, 2016, after years of study and in collaboration with delegations from 56 countries, the International Organization for Standardization (“ISO”) published ISO 37001, the first global standard for the development and implementation of an anti-bribery management system. The emergence of ISO 37001 was a welcomed development as it provides a universal framework for managing bribery risk. Moreover, it allows business partners from all regions to communicate in a common language. ISO 37001 means ISO 37001 in any language.
Why Using ISO is like Building a House
To understand the benefits of ISO 37001 it is important to know what it is (and what it is not). ISO 37001 provides a framework for the development and implementation of an anti-bribery management system. The standard sets forth mandatory requirements that an organization’s anti-bribery management system must meet, but generally leaves the means and methods for satisfying those requirements to the discretion of the organization. To that end, the standard includes guidance for meeting the mandatory requirements. These global best practices are non-mandatory – an organization must only implement these measures to the extent they are reasonable and proportionate to the organization’s bribery risks. In other words, ISO 37001 is not a one size fits all mandate, but allows sufficient flexibility to tailor the system to the unique risks of the organization. As such, ISO 37001 applies to organizations of all sizes, industries, regions and risk profiles.
By way of analogy, if you were constructing a house, ISO 37001’s mandatory requirements would mandate items essential to a stable and effective structure – e.g., a roof, load bearing walls, mechanical, plumbing and electrical systems, etc. The standard’s non-mandatory requirements, on the other hand, provide a home owner the flexibility to customize the structure – e.g., select finishes, decide where to invest in upgrades, modify the layout, and comply with requirements of local ordinances. Just as in a design for a new home, ISO 37001’s mandatory and non-mandatory requirements work together to ensure the anti-bribery management system is both: (1) stable and effective; and (2) tailored to the unique risk of the organization.
ISO 37001 is not only a roadmap for developing new anti-bribery programs, it also provides a globally accepted benchmark against which to evaluate and improve existing programs. When properly implemented, the standard will reduce an organization’s bribery risk and improve its overall ethical culture. Moreover, to demonstrate a commitment to combating bribery, organizations can obtain an ISO 37001 certification from accredited auditors. The certification not only confirms an organization’s compliance with the standard but, in many instances, will provide a competitive advantage over non-certified competitors in its industry. Finally, as a global standard, ISO 37001 provides a common language for international business partners. As will be discussed below, organizations should seek out ISO 37001 certified partners to transact business with as the common baseline for managing bribery risk will lead to more reliable and effective communications to address the issue in their transaction.
Let’s All Get On the Same Page
At the outset, it is important to mention that an ISO 37001 certification does not ensure that no bribery has occurred or will occur within the certified organization. More importantly, business partners of a certified organization are not absolved from their due diligence and monitoring obligations. The point of the certification is not to guarantee that an organization presents no bribery risk. Instead, the certification process provides an objective mechanism by which an entity can demonstrate to its stakeholders that its anti-bribery management system complies with the requirements of ISO 37001. Transacting business with an ISO 37001 certified business partner results in several important advantages, including:
A common understanding of terms and concepts. Prior to ISO 37001, there was no global standar
d for managing bribery risk. While the various existing standards used similar terminology, individual terms and concepts did not have a fixed definition. Even a concept as fundamental as “bribery” itself was subject to various definitions. Under the FCPA, for example, bribery was limited to corrupt payments to foreign government officials. And, so-called facilitating payments – minor bribe payments to secure routine governmental action – are excepted from the definition and entirely permissible. The U.K. Bribery Act, on the other hand, takes a more expansive approach to bribery and precludes corrupt payments in governmental and commercial transactions. Moreover, facilitating payments are not exempt and are likewise prohibited. Consequently, when a business partner claims to have an anti-bribery program it is entirely unclear as to the precise conduct the program is designed to manage and mitigate. Obviously, a program designed to meet the standards of the FCPA is likely to have narrower prohibitions than one designed to meet the requirements of the U.K. Bribery Act.
Inconsistencies in terms create uncertainty and confusion in assessing to what extent a foreign business partner is managing its bribery risk, if at all. With ISO 37001, organizations are not confronted with this issue. Key terms are precisely defined in the standard’s definitional provision. Moreover, concepts such as “risk assessment”, “due diligence”, and “training”, which are not subject to an exact definition and may vary by circumstance, are nonetheless subject to a defined process and criteria. Even if the ultimate output is different, an organization will understand the process undertaken and the factors considered in tailoring these procedures. This leads to more productive communications regarding the scope, scale and effectiveness of the anti-bribery management system as ISO 370001 certified business partners will be communicating from a common baseline and in like terms.
Efficiencies in key processes. Transacting business with an ISO 37001 certified business partner does not eliminate an organization’s due diligence and monitoring obligations. However, it does make these and other processes more efficient, reliable, and effective. For example, the due diligence process can be more targeted. An organization will know the processes required to be implemented, the information that must be documented, and the controls required to be in place. With this understanding, an organization can be very specific in its due diligence and more deeply scrutinize the high-risk areas of the relationship. Moreover, because both sides of the transaction are working from the same playbook, an organization can gain tremendous insight into a potential business partner’s approach to managing its bribery risk. Decisions where to invest anti-bribery compliance resources, how to assess and prioritize risk areas, which of the suggested best practices to implement, and under what circumstances to go beyond the minimum requirements of the standards can be very revealing.
Likewise, working with an ISO 37001 certified business partner allows an organization to take a more targeted approach with respect to monitoring. ISO 37001 includes significant mandatory documentation requirements. An organization, therefore, can be very strategic in exercising its audit rights and review documentation specific to the areas of the business relationship that require closer scrutiny. Moreover, a comprehensive understanding of what the standard requires enhances an organization’s ability to identify red-flags in a business partner’s performance.
Stability in the standard. While it is a stretch to suggest that the other standards are subject to sudden and unexpected modifications, recent political changes around the world have caused some to question whether, and to what extent, anti-bribery standards and enforcement actions will be impacted. Time will tell whether these concerns are well founded, but it is unlikely that any significant changes will be forthcoming or tolerated. After all, no political party has campaigned on a platform to make bribery legal again. Nevertheless, it is worth noting that ISO 37001 is not impacted by the political climate of the day. It was developed by a non-governmental organization with the collaboration of compliance standards experts representing 56 countries. The standard reflects global best business practices and will change only as new, more effective techniques for addressing bribery risk are developed and globally recognized.
ISO 37001 is the first global standard for the development and implementation of an anti-bribery management system. By developing a universal framework, organizations from all regions of the world can more effectively address bribery risk with their foreign counterparts as both sides of the transaction will be working from a common baseline of understanding. Moreover, it allows international business partners to communicate in a common language – perhaps, even a German tourist and an American shoe salesman.
Ramsey Kazem can be contacted at +1-404.872.5615 or by email at firstname.lastname@example.org.