Implementing ISO 37001 alongside a fully implemented compliance program

By Segev Shani, PhD, MHA, MBA, LLB

Segev Shani (segevshani@neopharmgroup.com) is Chief Compliance & Regulatory Officer at Neopharm Ltd., Petach Tikva, and Senior Lecturer at the Department of Health Systems Management & School of Pharmacy at Ben-Gurion University in Beer Sheva, Israel.

Corruption is defined as the abuse of entrusted power for private gain. Corruption affects societies in a multitude of ways, and in the worst cases, it costs lives. Short of this, it costs people their freedom, health, or money. Corruption is a major obstacle to the rule of law. Economically, corruption depletes national wealth. Corruption also hinders the development of fair market structures and distorts competition, which in turn deters investment. Corruption undermines people’s trust in the political system, in its institutions, and in its leadership.

Corruption may be defeated by transparency and by prohibition of and enforcement against corrupt acts. Transparency is about shedding light on rules, processes, and actions. It ensures that public officials, civil servants, managers, board members, and businesspeople act visibly and understandably, and provide a full account of their activities. Transparency also means that the public can hold them accountable. It guards against corruption and helps increase trust in the people and institutions on which our futures depend.

The modern concept that all countries have a responsibility for global society, not just the local one, led to the issuance of new anti-bribery national legislation such as the US Foreign Corrupt Practices Act and the UK Anti-Bribery Act, and international agreements such as the OECD Convention on Combating Bribery of Foreign Public Officials in International Business Transactions. Following the enactment of these laws and agreements, multinational corporations began implementing internal compliance programs in order to assure the organization meets all legal requirements in this context.

In October 2016, the International Standards Organization (ISO) introduced a new international standard—ISO 37001: Anti-bribery management systems – Requirements with guidance for use. The introduction of ISO 37001 divided the compliance community with the debate about whether this standard is relevant or offers any advantage to organizations that already implemented a full compliance program. Therefore, the objective of this article is to discuss the pros and cons of getting an ISO 37001 certification for organizations that have already implemented a compliance program.

ISO 37001: Anti-bribery management systems

An anti-bribery management system is designed to instill an anti-bribery culture within an organization and implement appropriate controls, which will in turn increase the chance of detecting bribery and reduce its incidence in the first place.

ISO 37001 specifies a series of measures to help organizations prevent, detect, and address bribery. These include adopting an anti-bribery policy, appointing a person to oversee anti-bribery compliance, training, performing risk assessments and due diligence on projects and business associates, implementing financial and commercial controls, and instituting reporting (whistleblowing) procedures that encourage and enable individuals to report suspected bribery, and investigation procedures. Furthermore, it requires that the organization should monitor, measure, and evaluate the effectiveness of the anti-bribery management system, including performing internal audits and implementing corrective actions.

Implementing an anti-bribery management system requires leadership and input from top management, and the policy and program must be communicated to all staff and external parties such as contractors, suppliers, and joint venture partners.

ISO 37001 stipulates the requirements and guidance for establishing, implementing, maintaining, and improving an anti-bribery management system designed to help an organization to prevent, detect, and respond to bribery acts and comply with anti-bribery laws and voluntary commitments applicable to its activities. The system can be independent of, or integrated into, an overall management system. It covers bribery in the public, private, and not-for-profit sectors, including bribery by and against an organization or its staff, and bribes paid or received through or by a third party. The bribery can take place anywhere, be of any value, and can involve financial or nonfinancial advantages or benefits.

The requirements of ISO 37001 are generic and are intended to be applicable to all organizations (or parts of an organization), regardless of type, size, and nature of activity, and whether in the public, private, or not-for-profit sectors. However, ISO 37001 is applicable only to bribery.

There is no obligation on an organization to obtain independent certification to ISO 37001. An organization may simply ensure that its procedures are compliant with the standard.

ISO 37001: Pros and cons

Pros

  • ISO 37001 is designed to help organizations implement an anti-bribery management system, or enhance the controls they already have. It helps to reduce the risk of bribery occurring and can demonstrate to the organization’s management, employees, owners, funders, customers, suppliers, and other business associates that the organization has put in place internationally recognized good-practice anti-bribery controls.

  • Organizations may require their major contractors, suppliers, and consultants to provide evidence of compliance with ISO 37001 as part of their prequalification or supply chain approval process.

  • In the event of a bribery investigation that involves the organization, it helps provide evidence to the prosecutors or courts that the organization has taken reasonable steps to prevent bribery. It can therefore help avoid a prosecution or mitigate the outcome.

Cons

  • It is not possible for a standard to be too specific, because each company’s circumstances will vary by size, territories it operates in, commercial sector, etc. However, ISO 37001 has been criticized for not being very specific.

  • ISO 37001 does not specifically address fraud, cartels, and other anti-trust/competition offenses, money-laundering, or other activities related to corrupt practices, although an organization can choose to extend the scope of the management system to include such activities.

  • ISO 37001 implementation and certification require additional resources from the organization, and it may not address current best practices. When certification is issued, it might be already out of date because the company’s risks, personnel, and program are constantly changing.

Conclusion

A management system is a set of policies and procedures that can be implemented by the organization to help it control a specific risk or to help produce a specific outcome. Although one might claim that an organization with a fully implemented compliance program might not find any advantage in implementing the ISO 37001 standard, I would argue that the true value of ISO 37001 is the establishment of or integration into an effective management system that includes more efficient use of resources, improved risk management, and consistency across the organization. ISO 37001 presents a clear methodology for the organization to plan, establish, implement, monitor, and control its compliance program based on quality management, and streamlines the interface with other internal processes in the organization.

Furthermore, establishing a commercial relation with an organization that has an ISO 37001 certification may help demonstrate that due diligence did not raise any red flags.

Such certification may also boost the organization’s reputation, because its compliance program received certification/accreditation from a third-party independent auditor. In case of authorities’ investigation, ISO 37001 certification might present proof that the organization committed to and implemented internal controls. Finally, it might also set the company apart from its competitors and speed up due diligence enquiries from potential customers or suppliers and other interested stakeholders.

The opinions expressed in this article are the author’s personal views and do not necessarily represent his workplace.

Takeaways

  • ISO 37001 is an international standard that sets a worldwide benchmark for a structured anti-bribery and anti-corruption management system.

  • It is designed to help organizations implement an anti-bribery management system or enhance controls, and helps to reduce the risk of bribery.

  • ISO 37001 applies to bribery of government officials by the organization and business-to-business bribery, including the receipt of bribes by the organization’s employees.

  • ISO 37001 does not specifically address fraud, cartels, and other anti-trust/competition offenses, money-laundering, or other activities related to corrupt practices.

  • It presents a clear methodology for the organization to plan, establish, implement, monitor, and control its compliance program based on a quality management system.

This publication is only available to members. To view all documents, please log in or become a member.
Become a Member Login

About SCCE

The Society of Corporate Compliance and Ethics (SCCE) is a non-profit, member-based professional association. SCCE supports our members' work with education, news, and discussion forums. We are a community of leaders, defining and shaping the corporate compliance environment across a wide range of industries and geographic regions. In developing and maintaining effective ethics and compliance programs, our members strengthen and protect their companies.

952.933.4977

About HCCA

The Health Care Compliance Association (HCCA), is a 501(c)6 non-profit, member-based professional association. HCCA was established in 1996 and is headquartered in Minneapolis, MN. We provide training, certification, and other resources to over 10,000 members. Our members include compliance officers and staff from a wide range of organizations, including hospitals, research facilities, clinics and technology service providers.

952.988.0141

Facebook Twitter LinkedIn
Copyright © 2024 by Society of Corporate Compliance and Ethics (SCCE) & Health Care Compliance Association (HCCA). No claim to original US Government works. All rights reserved. All information provided through this site, including without limitation all information such as the “look and feel” of the site, data files, graphics, text, photographs, drawings, logos, images, sounds, music, video or audio files on this site, is owned and/or licensed by SCCE & HCCA or its suppliers and is subject to United States and international copyright, trademark and other intellectual property laws. Any third party logos and/or content provided herein is owned by such third parties and is used by permission herein. Your use of this site to is subject to our Terms Of Use and Privacy Statement.
Cookie settings