The ISO organisation takes up the battle against bribery. A new standard supports companies in implementing anti-corruption processes in their organisations and will be published at the end of 2016. Although ISO 37001 on ‘Anti-Bribery Management Systems’ is still in development, some questions can already be answered on the basis of the current status. What is the background of the standard? Who participates in its development? What will the details of ISO 37001 be?
We have collected some valuable information about ISO 37001 for you.
The ISO 37001: Anti-Bribery Management Systems standard is a new international standard currently being developed by the International Organization for Standardization (ISO).
The standard aims to reflect existing principles, such as guidance on the UK Bribery Act, and make them accessible. As a cross-border and cross-industry body of rules, ISO 37001 will provide a uniform understanding and corresponding benchmarks for developing, implementing, operating and improving anti-bribery management systems in various types of organisation. The standard specifies a range of measures and controls that companies should implement to prevent and uncover bribery and corruption. They are based on globally representative anti-corruption practices.
The suggestion to draft an ISO anti-bribery standard came from the British Standards Institute (BSI). ISO began looking at this in late 2012 and asked all of its members whether there was any interest in a new standard of this kind. After the majority of ISO members accepted the standard proposal, the organisation established a draft committee under the name ISO/PC 278. Specialists from 28 countries, including Germany and a representative from digital spirit, are currently involved in developing the standard. There are also 19 countries with observer status and seven liaison organisations.
The draft standard was fine-tuned even further by over 80 experts at the most recent meeting in Kuala Lumpur in September 2015. What began as a relatively small affair in London in June 2013 has now become an extensive initiative with representatives from North, Central and South America, Europe, North Africa, Asia and Oceania all working together towards a common goal.
ISO 37001 sets out in a logical manner how an anti-bribery management system can function. As this is a risk-based standard, risk analysis plays a special role. Risks are identified, analysed and evaluated in order to determine compliance requirements and establish controls. Countermeasures, weighted according to priority, should be applied for the highest risks. Due diligence is also a central aspect, particularly scrutinising business partners. This is a key area with regard to bribery and corruption. As a result, it makes sense that the standard addresses this issue. The importance and protection of whistleblowers is also to be highlighted.
The standard is flexible and can be used by all kinds of organisations in any country. This includes companies of all sizes, foundations, associations, authorities and other organisations, both private and public.
ISO 37001 is highly adaptable, as it has been designed to be applied by many different types of organisation. It provides that measures must be adapted to the size, structure, location, industry, scale and complexity of the activities, and to the risks, of the individual organisation, whether it be a large company or an association, and that measures should always be proportionate. In line with this principle of reasonableness, organisations need not have any concerns about excessive bureaucracy.
Although ISO 37001 is an independent management system in itself, the required measures are designed in such a way that they can be integrated into existing management processes and controls. Similar to the widely used ISO 9001 standard (quality management), ISO 37001 also follows the common ‘High Level Structure’ for management system standards. Accordingly, ISO 37001 stipulates a range of measures and controls that deal with bribery and are intended to prevent and uncover it.
The ISO 37001 project ultimately developed as a result of the UK Bribery Act and the British BS 10500 standard. The introduction of the UK Bribery Act 2010 (UKBA) in the United Kingdom raised the question of how to prove compliance with the requirements of the UKBA. Guidance from the Ministry of Justice setting out the six principles of corporate corruption prevention provided a first approach. As a further response, the British Standards Institute (BSI) developed the BS 10500 national anti-bribery standard, which has already been implemented in some companies and now serves as a template and basis for ISO 37001.
The standard is based on three fundamental models, which have been brought together to form one compliance management system model. This includes the ‘Risk Management System’, making ISO 37001 a risk-based standard. In line with the ‘High Level Structure’ model, the new standard follows the structure of other management systems and can be integrated into or combined with existing management systems without any problems. The PDCA cycle is the third model that underpins the standard. PDCA stands for ‘Plan, Do, Check, Act’ and aims to establish a continuous improvement process.
It is expected that ISO 37001 will enter into force at the end of 2016.
ISO 37001 is a requirement standard (type A) that goes beyond providing recommendations, making it independently certifiable.
The standard does not provide its own definition of bribery. It relies on the fact that bribery and corruption are clearly described in many national jurisdictions. Nevertheless, ISO 37001 provides an explanation of what bribery means for the purposes of the standard. As a general rule, national law always applies.
In principle, the importance of combating corruption and its international dimension are indisputable. However, because ISO standards are voluntary, whether ISO 37001 gains traction at a national and international level depends on organisations and companies independently deciding to adopt it.
It fundamentally provides an opportunity to step up the fight against bribery internationally by bringing the issue of combating corruption and therefore (legal) compliance to the fore in day-to-day business and integrating it into existing and often dynamic processes and behaviours.
The standard should also be beneficial to organisations and companies when it comes to participating in international bids, as it sends a strong signal to buyers, customers and consumers. The formal, strong commitment of an organisation to combating corruption can result in competitive advantages and help strengthen the organisation’s reputation. On the supplier side, the opportunity to be part of international supply chains becomes a reality. Globally, corruption is one of the most significant compliance issues and extreme care is needed when selecting business partners. An internationally understood and externally verifiable standard can be of assistance here.
The standard provides organisations with minimum requirements and helpful explanations for implementing and benchmarking an anti-bribery management system. It provides managers, investors, employees, customers and other stakeholders the reassurance that steps are being taken to minimise the risk of corruption. If organisations base their conduct on the standard, it is regarded as proof that reasonable steps have been taken to prevent corruption and bribery.
If the applicable law of a country prohibits a specific requirement of the standard, the organisation is not obliged to follow that requirement. However, the organisation can still comply with the rest of the standard.
In the event of an investigation, the standard helps companies and organisations demonstrate that reasonable steps have been taken to prevent corruption. This already has a mitigating effect in some jurisdictions.
Basically, the standard is designed in such a way that it can be applied to all organisations that want to protect themselves against corrupt practices. In terms of organisation size, the experts that developed the standard have attached significant importance to flexibility. This has resulted in requirements that have been formulated with a sense of proportion and taking reasonableness into account, making it possible for small and medium-sized companies and organisations to use ISO 37001. The standard also provides guidance on how to introduce an anti-bribery management system.
ISO 37001 and ISO 19600 differ in two essential points. First, ISO 19600 is a type B or recommendation-only standard, while as a type A standard ISO 37001 contains binding requirements that are therefore verifiable and certifiable. Second, ISO 37001 is a standard about an important individual compliance issue, while ISO 19600 takes a holistic approach, by providing recommendations on an interdisciplinary compliance management system.
Together, the two standards cover the ISO principles for management systems, such as the risk-based approach and the Plan-Do-Check-Act process. This enables and facilitates expansion in both directions: from a thematic approach that includes certification through to a broader compliance approach, or from a broader approach through to a more in-depth examination of the specific issue of protection against corruption.
(Last updated: 31 October 2015)
The Australians took the initiative by making a proposal for a global ISO standard for a compliance management system in June 2012. This proposal was based on the AS 3806 standard from 2006, which was also developed in Australia. After the majority of ISO members accepted the standard proposal, the organisation established a draft committee under the name ISO/PC 271. Specialists from 11 countries, including Germany and a representative from digital spirit, then began developing the standard while collaborating with a further 20 countries with monitoring status.
The standard aims to improve and expand on existing compliance management approaches, which are largely tailored to specific applications (such as assessment with PS 980) or topics (such as the six guiding principles of the UK Bribery Act). ISO 19600 is intended to standardise reliable guidelines used around the world for the use of compliance management systems.
ISO 19600 sets out in a logical manner how a compliance management system should function. As this is a risk-based standard, risk analysis plays a special role. Risks are identified, analysed and evaluated in order to meet compliance requirements and establish controls. Countermeasures, weighted according to priority, should be applied for the highest compliance risks. The evaluation of the effectiveness of compliance measures and ongoing process improvement also play a role, alongside internal and external communication. Last but not least, the standard focuses on the roles and responsibilities of senior and line managers as well as employees. The independence of the compliance officers is also addressed in detail.
The extent to which ISO 19600 is applied depends on the size of an organisation and the degree of maturity of its compliance management system; the standard refers to this several times. The context, nature and complexity of organisational activities are also taken into account, and the standard includes what amounts to a specification sheet for compliance measures. Flexibility and proportionality should always be considered in the application.
The standard provides a valuable improvement in that it can be applied to organisations of every kind. It is not exclusively designed for large companies; instead it defines recommendations for a compliance management system that can be used by many different types of organisation. This includes companies of all sizes, foundations, associations, authorities and other organisations, both private and public. It is not necessary to register on a corresponding registry. In this way, ISO 19600 covers industries and types of companies for which there were previously no recommendations.
ISO 19600 is highly adaptable, as it has been designed as a guideline and can be applied to many different types of organisations. This is why there are annotations in numerous places, noting that measures must be adapted to the size and risks of the individual organisation, whether it be a large company or an association, and should always be proportionate.
There were already standards in place for setting up compliance management systems before ISO 19600. For example, the Institute of Public Auditors in Germany implemented the PS 980 audit standard in 2011. There has been an Austrian standard – ONR 192050 – since 2013. It provides information on how companies should organise themselves in order to identify risks and handle them appropriately. This also includes mapping a compliance management system (CMS) onto the individual organisation as well as measures that can contribute to a change in behaviour among employees. However, one of the first standards for compliance management systems is the Australian standard AS 3806, which has been in use since 2006. ISO 19600 is based on this standard in particular.
Both standards are highly similar in terms of content, although ISO 19600 is more clearly structured and easier to understand. The basic difference is that the new standard does not define any auditing requirements, but instead provides recommendations for introducing and implementing compliance management systems. This makes it easier for organisations to adapt the standard to their requirements.
It can be assumed that controlling bodies and the justice system can benefit from the standard as a benchmark during procedures that aim to ascertain whether managers have sufficiently fulfilled their monitoring and supervisory duties. This is the only way to refute accusations that business leaders have not fulfilled their duties in a satisfactory manner.
SMEs can be sure that their interests are strongly represented in the working committees for ISO 19600 and by digital spirit, among others. This is reflected in the standard’s recommendations that give SMEs a greater degree of freedom to ensure compliance using their own appropriate methods.
That is why the standard expressly states that the size, structure, nature and complexity of the organisation must be taken into account. This is particularly relevant when it comes to defining compliance programmes, allocating roles and resources, and determining the scope of documentation and of information gathering, for example by using a risk management system. Beyond that, SMEs benefit from the fact that the standard is based on the principle of proportionality and is intended to be applied flexibly.
In addition, ISO 19600 places particular emphasis on the role of management in establishing a compliance culture, which is crucial for the success of an effective compliance management system. There is often a strong culture of integrity and leadership in owner-run SMEs. This can be further developed, making it unnecessary to establish excessive control systems as in large anonymous companies.
No, the standard does not replace any other policies in the German-speaking world. Standards such as PS 980 or the Austrian ONR 192050 standard remain valid and are used to audit compliance management systems.
The standard is based on three fundamental models, which have been compiled into one compliance management system model. This includes the ‘Risk Management System’, making ISO 19600 a risk-based standard. In line with the ‘High Level Structure’ model, the new standard complies with the structure of other management systems and can be integrated into or combined with existing management systems without any problems. The PDCA cycle is the third model that the standard is based on. PDCA stands for ‘Plan, Do, Check, Act’ and aims to establish a continuous improvement process.
One of the unique features of ISO 19600 is that it is a guideline. The standard does not set out any specific requirements, but rather provides recommendations. This is made clear time and again by the use of the verb ‘should’. As a result, it is easier to apply the standard in the day-to-day business environment. It gives organisations more room to implement a compliance management system that is proportionate and can be adapted to individual requirements. As the standard is based on the ISO High Level Structure model for management system standards, it can be combined with or integrated into existing management systems.
Furthermore, ISO 19600 does not apply only to companies, but to every type of organisation. Companies of all sizes as well as associations and foundations obtain useful rules that can be applied flexibly in various areas.
In order to sustainably implement compliance, it must play a central role in the culture of an organisation and in the behaviour and attitude of its employees. The standard places particular emphasis on the role of management in establishing a compliance culture, which is crucial for the success of a functioning compliance management system.
The term compliance is defined in greater detail in the guideline and goes beyond adhering to relevant laws. In addition to compliance obligations that an organisation must adhere to, ISO 19600 includes duties that organisations would like to fulfil. This includes complying with voluntary principles, industry standards and agreements with non-governmental organisations (NGOs).
ISO 19600 entered into force on 5 December 2014.
ISO standards are highly regarded around the world and therefore have great potential for wider acceptance. Greater transparency and manageability will also prove beneficial when it comes to business relationships, whether with suppliers on a national level or with business associates and third parties on an international level. Globally uniform compliance standards would have a positive impact on the operational activities of globally active companies. With this in mind, there is a realistic chance that ISO 19600 could receive international attention and acceptance as an international standard.