Global free trade may still have its critics in 2016 but one of its undeniable benefits has been the viral spread of action to combat bribery around the world. In particular, the growing threat of legal sanctions for bribery has had a ripple effect throughout global supply chains, forcing companies with a higher bribery risk to tighten their controls.
Against this backdrop, the new international anti-bribery standard, ISO 37001, is certainly well timed and supporters argue that it fulfils a need.
“While there is a plethora of guidance on how to manage bribery risk, of varying qualities, there has been no single benchmarking standard that is internationally recognised,” says Howard Shaw, head of anti-corruption and whistleblowing services at Mazars in the UK.
On the other hand, critics are unconvinced that the new standard will drive improvements in anti-bribery risk management, given the potential for variations in its implementation and certification.
One thing is certain, however—board directors have a crucial role to play in ensuring that bribery risk is monitored and minimised. Companies that regard the new standard as a box-ticking exercise leave themselves exposed to the increasing risk of criminal sanctions.
The case for a standard
After a three-year process of international consultation and drafting meetings, ISO 37001 was published by the International Standards Organisation (ISO) on 15 October 2016.
“The point of a standard is that it should be able to be used by any company, anywhere, irrespective of local legal requirement,” says Shaw, who was involved in shaping the standard as head of the UK delegation to the ISO. “That can lead to a race to the bottom but the surprise outcome in the case of ISO 37001 is that the benchmark has been raised above many of the existing guidance documents.”
The final version was voted on by representatives from 37 participating countries, and had many supporters in countries that have traditionally had a higher incidence of corruption.
Sign of quality
If there was one factor that convinced the ISO of the need for a new anti-bribery standard it was the widespread take-up of the British Standard, BS 10500, after its introduction in 2011.
UK companies increasingly saw the benefit of the British Standard as a source of evidence for the quality of their anti-bribery procedures—a key defence in the event of a UK Bribery Act prosecution. They were not alone. With anti-bribery legislation in the pipeline in other countries, many non-UK companies also adopted BS 10500.
“For example, the OECD Anti-Corruption Convention is one of the prime instruments aimed at criminalising bribery, and captures 41 signatory countries that represent more than 60% of global trade,” says Shaw.
Many of the signatory countries to the OECD Convention are adopting similar legislation to the UK’s Bribery Act 2010. “As a result, there is an expectation and almost a de facto requirement for companies involved in multinational trade to specifically manage bribery risk,” says Shaw.
What’s new?
ISO 37001 has much in common with the British Standard but goes a step further by adding more specific detail about requirements as well as more guidance. For example, it sets out in detail what an anti-bribery training programme should look like and what’s required of an internal audit. These aspects are not explored in detail in the British Standard. “Its strength is that it draws together good practice from a wide range of international sources and codifies it within a single document,” says Shaw.
Reaching agreement on some aspects was legally challenging, according to Shaw. One complex area concerned whistleblowing and the right for people to raise concerns and be protected. This was challenging because of the various data-protection regimes around the world—for example, in many countries, anonymous reporting is either not encouraged or is illegal.
Certification
One of the complaints about ISO 37001 is that there is no quality control when it comes to third-party certification. With no governing body or standardisation of certifying regimes, variations in quality are inevitable. Despite these weaknesses, Shaw rejects the argument that ISO 37001 is just a mechanism for third parties to earn money through certification. “It is a genuine attempt to codify global best practice and raise the bar in international business for the right reasons,” he says.
As an alternative to using a third party, companies can also opt for self-certification or peer certification, which can take place across divisions within a multinational. “If the model is robust then self-certification is as good as independent certification,” says Shaw. However, it is worth remembering that no model is fail-safe. “Certification is just a snapshot of a company’s anti-bribery programme at any given time. It’s like a car MOT: it doesn’t provide any guarantees,” says Shaw.
What boards need to do
The first step is for boards to ensure that they assess bribery risk within the broader context of the organisation’s strategic goals and its enterprise risk management (ERM) model. How might bribery risk affect the achievement of its goals?
Often when companies start to ask these questions they find they have to improve the way the ERM model functions, says Shaw. The weak link is often the quality of a company’s overall risk-assessment processes. “The whole anti-bribery programme hangs off the risk-assessment process, and should be an integral part of ERM. If bribery risk is not assessed properly then the anti-bribery programme will not be comprehensive,” he says.
Many companies are also spending a lot of time designing ways to proactively manage organisational culture. This helps to reduce the risk of people acting dishonestly within the organisation and can support a statutory defence in the event of a bribery prosecution.
Although ISO 37001 does not set up requirements to manage culture, it is clearly a critical risk-management issue. “We all know that people can act outside of a company’s policies but within the culture of the organisation,” says Shaw.
In the short term, boards need to familiarise themselves with the growing requirements to manage bribery risk. Over the longer term, anti-bribery measures will become a standardised element of corporate risk management and a cornerstone of international trade.
This article has been prepared in collaboration with Mazars, a supporter of Board Agenda.