The drumbeat of those supporting ISO 37001 continues. However, I still find it to be misplaced as anything close to the international standard for anti-bribery/anti-corruption programs. It leads both the recipients of the certification and those who make the mistake of relying upon it in the same position, worrying more about the paper part of compliance than actually doing compliance through operationalizing it into the DNA of your organization. At this point I see three major defects in the ISO 37001 certification process.
Structural Defects
While there is certainly nothing wrong with laying what should go into a compliance program, ISO 37001 has features that make it less than ideal as a basis to do so. The first is the almost evangelic approach taken by its advocates who seem to claim it is as good as law. Unfortunately for anyone who adopts it, the standard is not law. As Mike Volkov noted in his excellent five-part review of it “The relevance of ISO 37001, however, may apply only in circumstances when companies seek to remediate their existing compliance programs after a violation has occurred. DOJ and the SEC have not awarded credit to companies for implementing an effective existing compliance program before the violation occurred.” (Part I)
Next is the focus on having a paper program. ENI, the first company to receive an ISO 37001 certification, said in its Press Release after receiving its ISO certification its program had a “quality of the system of rules and controls aimed at preventing corruption”. More on the ENI certification later but suffice to say, the standard does not work towards a company operationalizing compliance because it is only setting out the spine without requiring a company to do compliance. The Department of Justice (DOJ) and Securities and Exchange Commission (SEC) jointly issued 2012 FCPA Guidance made clear that an effective compliance program is based upon a company assessing its own risks and then setting up a program to manage those risks going forward through training, incentives and discipline and ongoing monitoring. The Ten Hallmarks were designed to be flexible to allow each company to assess and then manage its risks. This type of approach is sorely lacking from the ISO standard.
The ISO standard also misses the boat on internal controls. Volkov, Part II, stated, “On the negative side, ISO 37001 missed an important opportunity to define the relationship between anti-bribery risk management systems and financial controls. ISO 37001 includes only a general, one-line requirement that a company implement financial controls to mitigate bribery risks. That requirement is so general that it is in reality meaningless.” [emphasis supplied] As internal controls are in reality financial controls; the more robust your internal compliance controls are the better your organization will be run from a financial controls perspective. But if you do not fully implement internal controls, not only will you fail to have an effective compliance program, but you will fail to meet the requirements of the Foreign Corrupt Practices Act (FCPA).
Hui Chen takes an even more basic approach in her criticism. In a post she noted, “The most fundamental flaw is that there is no statistical evidence to prove that the implementation of such a “management system” would be effective in actually reducing the instances of bribery.” She goes on to ask “Where are the statistics and pilot studies for ISO 37001?” Chen has extensively advocated, both in her former role as DOJ Compliance Counsel and current private practice role, to back up your claims with data. She takes this a step further by then asking, if you have data how have you used it to inform your program? ISO 37001 is not based on either. Finally, and perhaps most critically, Chen hones in on the lack of ISO 37001 to measure the effectiveness of a compliance program, stating “nowhere else does the document mandates or even suggests that organizations should actually measure the effectiveness of their programs and actions.”
Certification Defects
Beyond the structural defects noted above, there are an equal number of problems around the certification process that many ISO 37001 advocates are bandying about. They claim that by doing business with certified counter-parties, they will somehow be protected. Nothing could be further from the truth. One need only consider that Unaoil had a TRACE Certification to understand how said certification protected the company’s that hired Unaoil. It does not matter how many certifications a third party might have; the issue is whether they are doing compliance. That is why the most crucial step in the third-party management lifecycle is the fifth and final step; managing the relationship after the contract is signed. Put another way, the key issue for any company is whether their third-parties are doing business in compliance, under the terms and conditions of the contract and under the statements, promises and obligations set out in the five-step third party management process.
Equally important in understanding this is Who is doing the certification? Is it a person or company trained by ISO? How do the certifiers know their interpretations of ISO 37001 are correct or even consistent with other certifiers? The bottom line is how do you know a certifier has any experience in compliance or can even validly assess your compliance program? The short answer is you cannot.
There obviously are certifiers out there who can assess your compliance program. ISO is extraordinarily lucky to have one who is a staunch advocate, Kristy Grant-Hart. I know Kristy and would trust her to assess any company’s compliance program under any international standard around, beginning with the US Sentencing Guidelines, to the OECD 13 Good Practices, to the Ten Hallmarks of an Effective Compliance Program from the 2012 FCPA Guidance, to the Six Principles of Adequate Procedures under the UK Bribery Act. Perhaps if cloning were more developed perhaps Kristy clones could fan out across the globe and perform assessments under the ISO 37001 standard. Alas such technology does not exist.
Cultural Defects
The same week that ENI proudly announced its ISO 37001 certification, Italian authorities announced both the company’s current and most recent Chief Executive Officers (CEOs) would stand trial for approving bribes paid by the company. In a 2017 Financial Times (FT) article, entitled “Eni chief Claudio Descalzi charged with international corruption”, James Politi stated, “Claudio Descalzi, chief executive of Eni, has suffered a setback after Italian prosecutors charged him with international corruption following a lengthy investigation into the Italian energy group’s 2011 purchase of a Nigerian exploration licence. Mr Descalzi was asked to stand trial along with Paolo Scaroni, the former chief executive of Eni, as well as nine other individuals who were involved in the $1.3bn transaction, according to Fabio De Pasquale, the lead prosecutor on the case.”
One might reasonably ask how a company could receive a certification for its “AntiBribery Management Systems” when both its current and former CEO’s were under indictment for ‘international corruption’? The ENI ISO Press Release went on to state that since 2009, Eni has enshrined the principle of “zero tolerance” as “expressed in its Code of Ethics.” I wonder if either the current or former ENI CEO’s under indictment read or even knew about this robust ENI Code of Ethics. Interestingly, the Press Release also stated that Stage 2 of the ISO 37001 certification process involved “interviews with people on the ground” to assure compliance with the program. It is safe to assume these interviews did not include the current or former CEO’s.
What would you conclude about the culture of compliance at a company where the sitting CEO is under indictment for corruption? Would it give you comfort that they had a very robust paper program in place that claimed there was ‘zero tolerance’ for corruption and had a ISO 37001 certification to back it up? What is a counter-party to ENI to conclude about the robustness of its anti-corruption compliance program? How about any other company that has an ISO 37001 certification?
This is where I find the new ISO 37001 certification to be worse than useless. People might actually think that this certification affirms the company that holds it is committed to doing compliance and will continue to do so going forward. The counter-party who does business with such a certificate holder may well assume this certification forms some basis of protection against a FCPA, UK Bribery Act or (you name the law) investigation for bribery and corruption. Nothing could be further from the truth.
The DOJ, SEC and UK Serious Fraud Office (SFO) continually make it abundantly clear that a company is responsible for its counter-parties not violating applicable anti-corruption laws. Put another way, a third-party, with an ISO 37001 certification that violates the FCPA, UK Bribery Act or any other similar law puts your company at just as much risk as a third-party with no ISO 37001 certification. Putting it as simply as I can, an ISO 37001 certification from a counter-party is of less than zero worth to your company, your compliance program or indeed any defense against a FCPA enforcement action.
[View source.]
