On October 14 2016, the International Standards Organisation published a new standard that companies and organisations can use to certify their anti-bribery and corruption compliance procedures. Companies can meet the ISO 37001 standard if they implement a series of requirements to demonstrate their efforts to prevent bribery and corruption. ISO 37001 certification does not automatically mean a company will receive a reduced sentence for financial crime. But the principles underpinning the standard are used by many regulators around the world. So should a company seek to become certified?
Certification could be good for business
Some commentators believe companies that adopt the standard might win new and lucrative deals because it shows them to be honest and accountable. Lynne Gray, director at commercial law firm Burness Paull, thinks the standard will enable companies to gain new contracts. 'It is likely to be important for attracting and retaining global business,' she writes in Scottish Legal News.
A reputation for transparency and integrity has been shown to improve the bottom line. For example, a recent report by ethiXbase says that Singapore's tough stance on corruption has given the country "a significant competitive advantage" over its neighbours. "It provides predictability and openness to investors that are lacking in many other countries in Asia-Pacific,' the report says.
If companies find that ISO 37001 certification gives a good return on investment, it will surely persuade others of the benefits of compliance.
Hopes for adoption in high-risk markets
The requirements for ISO 37001 certification are not dissimilar to existing anti-bribery and corruption legislation in the USA and the UK. But where the standard might be most useful is in countries which have a greater risk of corruption and less regulation. In an article for the FCPA blog, Fernando Cevallos and Brian Mich of consulting firm Control Risks point out that in many Latin American governments, "credibility is still lacking due to low enforcement" of bribery and corruption. They predict the ISO 37001 could provide guidance for companies operating in these countries to help them address corruption.
Countries with high risks of corruption, including Brazil, Iraq, China, Cameroon and India, are among the 37 to agree the standard. Multinational companies that operate in these countries might feel more secure trading with firms that are ISO 37001-certified. If this is the case, it could encourage companies based in these countries to pay more attention to compliance, even if their rivals do not.
A flexible approach to compliance
The ISO hopes the new standard will not only be adopted by major global firms with large compliance budgets. It is also designed to be used by small and medium-sized companies that might not normally think about investing in compliance. Neil Stansbury, chair of the committee responsible for the ISO 37001, says organisations need only to implement "reasonable and proportionate policies, procedures and controls" to be certified.
This approach also shows how important it is for companies to implement a risk-based approach to compliance. In practice, this might mean applying minimal checks on clients and suppliers that seem to pose a low risk of financial crime, and scaling up due diligence investigations with companies or individuals operating in high-risk countries and industries.
Watch this space
Ultimately, the success of the ISO 37001 will only become clear with time. Its effectiveness depends on the willingness of regulators and companies to take it seriously. Nonetheless, the principles behind the standard are ones which should be followed by all companies. Whether or not they seek ISO 37001 certification, companies should:
- Adopt a risk-based approach to compliance, with proportionate due diligence depending on the risk level
- Strengthen its compliance procedures to help support business growth in new markets.
- Invest in compliance no matter what size the company. Using a risk-based approach can help a company to spend as efficiently as possible.
Do you need help with you risk management? Check out our risk & compliance solutions.
