Background to ISO 37001
Five years on from its implementation, the UK Bribery Act 2010 remains the most stringent anti-corruption regime in the world. Complying with the Act’s requirements can prove challenging. This is particularly so in respect of the Section 7 strict liability "corporate offence" under which companies will be criminally liable for bribery by their agents, representatives and employees, unless they can demonstrate that they had in place "adequate procedures" to prevent bribery.
The Serious Fraud Office has now brought three major prosecutions under this offence.
Amidst this background, a new draft standard aimed at tackling bribery has been produced by ISO. The standard, "ISO 37001 – Anti-bribery management systems", aims to combat bribery by specifying and providing guidance as to how organisations can implement, maintain and improve an “anti-bribery management system” (“ABMS”).
In the event of a bribery investigation, the existence of an ISO 37001 ABMS may help companies and organisations to demonstrate that they have “adequate procedures” for the purposes of Section 7 of the Bribery Act 2010.
ISO 37001 is a 'Type A’ standard: it contains binding requirements that are independently verifiable and certifiable. This allows organisations, once certified, to make statements to the effect that their ABMS is “ISO 37001 certified”. The standard will be flexible and can be adopted by organisations regardless of their country, associations, sector or authority. It is also highly adaptable providing a reasonable approach to implementation of an ABMS which is proportionate to the risks an organisation faces. This enables small and medium-sized organisations to use ISO 37001 without encountering excessive and unnecessary bureaucracy.
ISO 37001 – a closer look
The standard is divided into two parts: the main body which details the regulations and requirements of the standard, and Annex A which provides guidance as to its use. Many of the regulations will be familiar to those experienced in fraud and white collar crime, as they mirror the six principles of corporate corruption prevention in the Ministry of Justice’s Guidance.
ISO 37001 recognises that there is no “one-size-fits-all” approach and instead adopts a step-by-step, risk-based approach. The standard details how to implement an ABMS from the initial risk assessment to its review. The following sections are likely to be of particular importance:
Context of the organisation
This section deals with the preliminary tasks of establishing an ABMS. It highlights the need for organisations to undertake a bribery risk assessment based on a number of factors including their size and the sectors they operate in. The onus of such an extensive task, however, is left to the discretion of the organisation, with ISO 37001 providing little guidance as to the conduct of this risk assessment.
Leadership
This section impresses the importance for organisations to have ‘top management’ that demonstrate leadership and commitment with respect to the ABMS. This section also highlights the need for an adequate compliance function – making it clear that an organisation cannot rely solely upon the implementation of an ABMS, but such a system must be maintained and regularly supervised by a suitable compliance function.
Support
This section highlights the importance of having in place appropriate human, physical and financial resources to ensure the effective running of an ABMS. Organisations are required to determine, maintain and document the competence of persons doing work under their control in relation to the ABMS. The section also addresses the need for adequate training, communication and documentation with respect to the system.
Operation
This section is primarily concerned with the operational planning and running of the ABMS. Due diligence is an important part of this section and the regulations require that organisations ensure that they have adequate systems in place for both business associates and the organisation itself. The section provides further measures for minimising risk including implementing appropriate financial controls to manage bribery, suitable procedures for investigating bribery and effective whistleblowing processes.
Annex A – guidance
Annex A provides general illustrative guidance on the implementation of ISO 37001 and helps to give both context and clarity to the regulations in the body of ISO 37001. For a thorough and complete understanding of the ABMS process, the regulations should be read alongside guidance provided in the Annex.
Comment
Whilst demonstrating that a certified ABMS is in place is by no means a guaranteed defence to bribery allegations, the standard is likely to help organisations demonstrate that adequate procedures have been put in place to prevent bribery, for the purposes of Section 7 of the Bribery Act 2010.
Furthermore, ISO 37001 provides organisations with an important tool that enables them to measure their own policies and procedures against the regulations specified in the standard. This should help to provide reassurance to the board and shareholders of organisations that any gaps in defences have been dealt with in a risk based and proportionate manner.
We recommend that our clients keep abreast of developments in relation to ISO 37001 and consider, on a cost-benefit basis, and in light of the corruption risks faced, whether to seek certification. View the draft ISO 37001.
Points to consider
- Do I understand how the UK Bribery Act 2010 affects my business?
- Have the senior management communicated to all staff the business' zero-tolerance approach to bribery?
- Have we carried out a recent anti-bribery risk assessment, focusing on opportunities for bribery, existing behaviours, high risk jurisdictions etc?
- Do we have a clear and overarching anti-bribery policy that deals with these risks?
- Are our employees adequately trained with respect to anti-bribery laws? Is there a written record of this?
- How do my organisation's anti-bribery policies and procedures reflect the requirements in ISO 37001?
- How much time and cost would my organisation be exposed to in order to reach the standard?