ME PoV Summer 2016 issue
ISO 37001 will be the new standard in anti-bribery compliance
Until recently, it had been difficult to say precisely what “best practice” is in Antibribery and Corruption (ABAC) compliance. A company’s location, among other factors, may expose it to different laws, regulations, and standards governing companies’ behavior. But when it comes to implementing an ABAC compliance program, there is a noticeable difference between an organization that takes the task seriously and one that does not. There are basic components that every company needs to implement and that are the litmus test for compliance standards.
The International Standards Organization (ISO) published a draft standard for Anti- Bribery Management Systems in January 2016. This draft standard–ISO 37001–was approved by vote in April and may soon become the chosen method by those companies that are serious about compliance. Unfortunately many companies in the region do not have the basics in place and ISO 37001 will make it clear who does–and who does not.
What’s the big deal?
The world of ABAC is led by the U.S. government authorities under the Foreign Corrupt Practices Act (FCPA). In 2014, the U.S. Department of Justice and U.S. Securities and Exchange Commission jointly published “The Guide,” a lengthy compendium of guidance rules that remains the gold standard of compliance advice today.
So far, compliance with the provisions laid out in The Guide has been very subjective. The codification of ISO 37001 signifies the beginning of a more objective system, with an auditable, certifiable standard of ABAC compliance available for the first time. In its current draft, ISO 37001 lays out 10 categories of compliance and, within each category, prescriptive guidance that serves two purposes:
1) act as a checklist for a company to use in rolling out its ABAC compliance program, and,
2) form a scorecard against which an independent certifier can evaluate this program.
There are four fundamental differences between ISO 37001 and the standing U.S. guidance. The first two bear a resemblance to the UK Bribery Act: prohibition of all commercial bribery whether it involves a (foreign) public official or not, and prohibition of “grease” or “extortion” payments. The third calls for an independent Anti-Bribery Director, making the fairly obvious point that if compliance were not an individual’s primary responsibility, their effectiveness may be compromised. Finally, it also addresses corruption of an organization, which signals a true departure from the likes of the FCPA and suggests that ISO 37001 may be equally relevant to the large state-owned enterprises (SOE) in the Middle East that have typically been more concerned with the bribery of their people (rather than by their people.)
It will be interesting to see whether this last point makes it through the voting process, or whether it is stripped out into a separate certifiable standard on preventing internal fraud and corruption. The controls that an organization must have in place to monitor the demand side of bribery are fundamentally different from those governing the supply side.
What does it mean for the Middle East?
There may be a misconception among many companies in the region that think they are immune to the FCPA–and there may be some who are. However, the reach of the U.S. authorities extends far and multinationals are now expecting compliance, not just by their own operations, but by their distributors, agents, joint venture (JV) partners, and everyone else they engage with. We are seeing similar expectations from the SOEs concerned about the interaction of suppliers with their people.
Be under no illusion about the weight of SOEs and tie-ups with multinationals in the Gulf Cooperation Council (GCC) economy. Now, the savvy Middle Eastern company can proactively seek ISO certification. This will have a real, direct impact on partnering and business decisions by the multinationals. Consider how easy the decision will be between two companies of relatively equal merit, when one of them has ISO 37001 certification and the other does not. It will become an advantage and a differentiator in this very competitive market. Further, should a multinational choose to go with the partner that did not have certification, and something goes wrong, they will have a very difficult time explaining their decision to the relevant authorities.
A final version of the standard might be in place by end-2016. In the meantime, there is no reason not to start working on the components of the ABAC compliance program as laid out in the standard. Even if some aspects ultimately do not make it into the standard, they are generally good guidance principles to follow. Some of the points will take a fair amount of work and it will not be an easy process for many companies. However, there is no time like the present to get started, especially if a company wants to be in the first wave of certification when the time comes.
by Collin Keeney, Director, Forensic, Deloitte Corporate Finance Limited
Key components of ISO 37001:
- Conducting a risk assessment.
- Establishing a policy governing ABAC and a program to enforce it.
- Setting up a compliance function to monitor effectiveness of the program.
- Communication of the policy to all relevant personnel and business associates (meaning, related parties/distributors, etc.)
- Training of personnel and business associates.
- Verifying their compliance.
- Monitoring high-risk payments and benefits to ensure they do not connote a corrupt intent.
- Implementing controls throughout the business to prevent bribery risk.
- Instituting “whistleblowing” procedures.
- Setting up a formal process for investigating and dealing with any allegations of potential or suspected bribery.