ISO37001 is NOT the Answer to Corruption

The words "standard" and "corruption" in the same sentence make very little sense; whoever has lived and done business outside their own courtyard will agree with that.

Besides that, the said ISO standard does not add anything new that legal specialists are not already aware of, in particular best practices in the anti-corruption framework already set forth in several international fora (e.g. the COSO Framework, the US Federal Sentencing Guidelines, the OECD Good Practices Guidelines on Internal Controls and The Bribery Act 2010 Guidance, issued by the UK Ministry of Justice).

I am not going to repeat here the necessary steps to make sure your organisation is fully compliant; there are plenty of articles, books and publications on the topic. Here I would like to underline a potential pitfall of the ISO system: the box-ticking exercise.

Getting certified does not, per se, guarantee an organisation’s full commitment (which is up to the board) nor any type of immunity. Finally, a personal consideration: corruption is a crime; therefore, like any other misconduct, its repression is a prerogative of the relevant law enforcement agencies, in furtherance of an appropriate legal and political environment.

ISO37001 is not a step further in anti-corruption

As you may have noticed, anti-bribery laws are not equally enforced. That being said, before starting redundant policies for the private sector that would mostly benefit training providers and certification, civil society should vigorously demand more seriousness in fighting crime at local and international level. As long as there are corrupt politicians and public officials, any other effort will simply be pointless.

Always perform Due Diligence

Since the newly created ISO 37001 was published, in October, many professionals have been talking about anti-corruption, which is, per se, already great. It is not enough to fight the problem, though.

Why my concern?

Because, among these super enthusiastic articles, I read one thing that made me think: people would be more keen to do business with certified companies and to perform no audit, or at least only some sort of ‘slim’ audit, on them.

This idea is spreading quite rapidly and this is not good, especially in light of the fact that between 60% and 90% of corruption happens via third parties.

ISO37001 is not, in fact, the law; therefore, it cannot be used as a defense for not having performed appropriate due diligence and/or audit. Adherence to the standard is certified by private entities whose statements can very well be ignored by a Prosecutor or other relevant Authority.

Besides performing due diligence and exercising audit rights, I always suggest that my clients use the ‘walking away’ anti-corruption clauses while negotiating with third parties.

If, on the one hand, it is crucial to raise awareness of bribery, it is equally important not to create a false sense of security.

In this regard, you can read Circular 1/2016, issued by the Spanish General Prosecutor.

For the sake of completeness, I need to point out that compliance programs may – in accordance with applicable laws – be used as a corporate defense in case of misconduct; that is why it is very important to consider the local legal framework throughout the entire length of the business entity/relationship.

Some may argue that, notwithstanding the above, the Standard may still be used at a commercial level.

I wonder how this can even be possible. Why should I (or anyone else) accept the Standard as proof of my counterpart’s attitude towards corruption if authorities are reluctant to do so? I suggest being very careful in making assumptions. In this regard, you may also find useful this post about due diligence and this practical guide.

  • Certification, which is issued by a private business after having performed Enhanced Due Diligence (hopefully) on your organization (including vendors, agents, suppliers and consultants).

Are you actually comfortable with having an external company looking into these matters?

Have you considered that your legal/compliance department or your legal advisor may set the same quality program?

As one of my professors used to say: “Always think with your own head and check the local law!”