March 29, 2016
Original Publication: “Alexandra Wrage: The Pros and (Substantial) Cons of an ISO Anti-Bribery Standard” was originally published by TRACE President & Founder Alexandra Wrage on The FCPA Blog.
The international business community wins when companies across supply and marketing chains work to the same high standards. There is less risk and more predictability, which promotes confidence among business partners. Benchmarking among peers and establishing and sharing model language and best practices all help to ensure that companies set their sights on a reasonable common denominator for compliance.
But standardization can only go so far.
Anyone who doubts this need only review the language of the U.S. Federal Sentencing Guidelines, the DOJ/SEC Resource Guide to the FCPA or the Guidance to the UK Bribery Act, each of which resorts, of necessity, to references to programs that are "reasonable," "appropriate" and "proportionate."
Anti-bribery compliance isn't like a fire code or a health standard. There is an objectively established ideal number of fire extinguishers per square foot of office space. There is scientific data supporting the optimal shelf life for food products. Anti-bribery compliance is both simpler (don't provide something you shouldn't in exchange for something you're not entitled to) and more complicated (risks faced by companies of different sizes, in different industries and operating in different countries differ dramatically). There is no fire extinguisher standard for anti-bribery compliance, so the compliance community struggles with what's reasonable and appropriate.
The new anti-bribery standard proposed by the International Standards Organization (ISO 37001) reflects this same “reasonable and appropriate” language. Compliance professionals working in jurisdictions with a credible threat of anti-bribery enforcement -- the U.S., UK, Canada, Germany -- will find nothing new in this standard.
So where does it add value?
The well-respected Geneva-based ISO lends an air of neutrality to principles otherwise promulgated by the U.S. and UK enforcement agencies. This is particularly important for entirely domestic companies and state-owned entities. A large Indonesian company, traded solely on the Indonesian stock exchange, or a Saudi national oil company, for example, may well prefer to debate "reasonable" and "appropriate" in the context of an ISO document rather than against the backdrop of the U.S. sentencing guidelines. Anything that reduces resistance to better compliance is welcome.
ISO 37001 can be treated as another guidance document, or it can be used as an audit standard. As a guidance document, it is fine but it offers nothing new for U.S. companies. Like the DOJ/SEC Guidance, it addresses tone at the top, due diligence, training, gifts and hospitality, books and records and risk assessments. And, like the guidance, each section promotes a standard that is "reasonable."
As an audit standard for U.S. companies, ISO 37001 is more worrying. The ISO standard states that "different types of business associates are likely to require different levels of due diligence." This is a sensible and well-recognized principle. Companies may vary the scope of their due diligence as a result of the markets they’re in, deal size, interaction with the government, contingent as opposed to fixed-fee compensation and known industry risks.
The ISO standard provides no guidance on how that should be done, just as the DOJ/SEC Guidance doesn't. They wisely recognize that it's a matter of context and judgment. That judgment should be exercised by the compliance professionals within the company, together with their legal and other advisers, because they're most familiar with the company and the risks it faces.
So how, then, will an ISO inspector opine on the propriety of those judgment calls? Either the inspector, one of hundreds approved to undertake ISO inspections, will simply rubber-stamp the decisions of the company's compliance team, noting, for example, that "different types of business associates … require different levels of due diligence," or they will challenge the judgment of the company's compliance team and seek to replace it with their own, necessarily less informed, position. I am not sure which is worse. The former results in a faux credential that adds nothing of real value, and the latter undermines the compliance team struggling to get these issues right. (The third option, that a company will fail the inspection because it has done nothing at all, seems unlikely; what company in that situation would waste time and resources by initiating a doomed ISO inspection?)
Anti-bribery compliance issues are difficult. Compliance officers struggle every day with questions of how frequently to refresh due diligence, whether to train managers alongside sales teams or separately, how expensive a meal can be before it's no longer reasonable, no longer appropriate. There is no fire extinguisher standard to which they can turn. The vision of an external compliance inspector arriving at the front door, staying for a week or two, and using that time to replace the compliance professional's judgment with his or her own is worrying.
A lot of thought has gone into the proposed ISO standard, just as a lot of thought went into the DOJ and UK guidance documents. Compliance professionals should read it and note the few minor distinctions between it and existing standards.
But compliance officers are good at what they do because they know their corporate culture and reputation. They understand their companies' appetite for or aversion to risk, their industries and their markets. They are in the best possible position to assess the reasonableness and appropriateness of their programs.