ISO 37001 has been enacted

In a previous edition of this magazine (Middle East Point of View, Summer 2016) we wrote about a pending vote by the International Standards Organization (ISO) on Standard 37001: “Anti-bribery management systems–Requirements with guidance for use.” The standard did pass voting and a final version was published in October.

What ISO 37001 does is normalize the wide variety of competing and overlapping guidance from international regulators and agencies into an auditable set of ABAC policies and controls. It is the outline of an ABAC structure, which is useful for private sector companies in a) organizing their compliance efforts in a way to minimize the risk of committing violations of international ABAC laws, and b) availing of leniency offered in the event that a violation occurs. Leading enforcers of ABAC standards, such as the United States Department of Justice (DOJ) and the Securities and Exchange Commission (SEC) employ a carrot-and-stick approach to enforcement—they want to reward companies for taking the matter seriously and making an honest effort to prevent violations. If a company can demonstrate that it takes ABAC compliance seriously, and has put in place a sincere, and leading-practice compliance program (also known as “adequate procedures”) both the US and UK authorities typically offer credit against the penalties levied in the event that a violation still does occur.  An ISO 37001 certification may well become the benchmark for these authorities in evaluating the quality and intent of an organization’s ABAC efforts. While the ISO certification will not denote that a company has done absolutely everything possible to prevent violations, it will show that companies have taken note and gone through a process to bring themselves in line with international standards—at least at a minimum level. While there is always a risk that some companies will view it as a simple box-ticking exercise and attempt to game the system, a more hopeful view is that it demonstrates a company’s commitment to ethical standards–a commendable principle, regardless of any potential regulatory or compliance motivation.

However, the main reason for pursuing ISO 37001 certification may not be regulatory–it may well become a business imperative. One of the significant questions we had about the final version of the standard was whether it would retain the provision for bribery of the organization, as compared to focusing on bribery by the organization. It is now clear that bribery of an organization’s personnel is on equal footing to the offering of a bribe. This significant inclusion extends the scope of the standard to the public sector as well as international bodies and Non-Governmental Organizations (NGO)–the most significant targets of bribery. Since these organizations now have a reason to pursue certification, they will likely expect the same of companies looking to do business with them. ISO 37001 certification may well become the first check box on a procurement officer’s list.

A look at the list of countries that participated in developing ISO 37001 shows how seriously the Middle East and North Africa (MENA) region has begun to take this topic. Six of the 37 countries involved in crafting the standard came from the MENA region. Representatives of the standards bodies of Saudi Arabia, Iraq, Egypt, Lebanon, Morocco and Tunisia all joined the process–an outsized delegation for the region. We hope that their involvement signals a heightened commitment to transparency and accountability originating from authorities at the highest levels within MENA governments. I would not be surprised to see public agencies from these countries among the first to require ISO 37001 certification of would-be bidders on public contracts.

So now what? Some independent certification bodies and consultancies have begun offering certification assessments. Some organizations, with existing robust ABAC policies may be able to pass certification without much alteration of their existing framework—as the standard is designed to be flexible and to be integrated within an organization’s existing management structure and controls. However, for organizations that do not have much experience with the subject, or a dedicated ABAC aspect to their compliance regime, a good place to start is conducting an ABAC risk and compliance assessment prior to engaging a certifier. We also recommend taking a critical look internally at your company’s compliance regime. A good amount of the preparatory work can be conducted internally, at least as a dry run before engaging a consultant to give an independent view on the program.

by Collin Keeney, Director, Forensic, Financial Advisory, Deloitte, Middle East