
ISO 37001: A year on

Attention towards compliance is constantly growing. Consequently, data protection, anti-money laundering and anti-corruption have witnessed many businesses offering certifications to organisations and individuals.

This ‘certification-mania’ reached a new peak in October 2016 when the International Standard Organisation issued the ISO 37001 anti-bribery management system. Naturally, this system has been abundantly advertised by ISO providers, who also happen to be its strongest supporters.

The anti-corruption management system is meant to help organisations minimise their corruption risks, as it ‘specifies requirements and provides guidance for establishing, implementing, maintaining, reviewing and improving an anti-bribery management system. The system can be stand-alone or can be integrated into an overall management system’.

Repetita iuvant — corruption is a serious crime

To be awarded ISO 37001 certification, auditors, who are normally private persons, should certify an organisation’s adherence to the principles above. That said, I am afraid the ISO 37001 does not specify any requirements in the aforementioned regard, for two reasons:

  • It’s not the law – therefore, it lacks any authority whatsoever to specify any requirement, and its application is completely on a voluntary basis
  • The anti-corruption principles mentioned in the standard were made available long before publication in October 2016

Regarding the latter point, it is worth pointing out that back in 1991, the Federal Sentencing Guidelines considered the adoption of a compliance programme as a mitigating factor in sentencing – the very same approach was echoed in the Sarbanes-Oxley Act in 2002.

Moreover, the importance of a well-functioning compliance programme has also been stressed by the UK Bribery Act Guidance, issued by the UK’s Ministry of Justice and by the OECD in Recommendation for Further Combating Bribery of Foreign Public Officials in International Business Transactions.

A thorough dissertation on international guidelines would be beyond the scope of this article; nonetheless, all of them have been published by public bodies or international organisations and are available to the public free of charge. Consequently, commonly recognised best practices on anti-corruption can be retrieved, used and implemented by any organisation, regardless of its geographical location. I will now examine the limitations of ISO 37001.

It is not new

This is the first critique of the ISO 37001; as mentioned above, its principles were made publicly available years before its publication, therefore its application is unlikely to represent a valuable asset for any organisation genuinely committed to compliance and anti-corruption. No more likely than any well-drafted, implemented and reviewed compliance programme, anyway.

It could not be otherwise, as the standard is not the law and the fight against international corruption requires political, legislative and judicial efforts, which go well beyond the powers of a non-governmental organisation.

Therefore, a question arises, why pay for a set of best practices that are publicly available and easily accessible with an internet search?

The auditors

International corruption is a multifaceted issue, which, to be tackled effectively, may need the involvement of several professionals, from a proactive (drafting or updating a compliance programme) or a responsive (internal investigations) perspective:

  • Legal experts to understand the local-legal framework and interact with regulators and relevant authorities
  • Forensic accountants to identify any off-the-books or concealed payment, or disproportionate or incongruous intermediary fees. Their role is also quintessential in financial due diligence, particularly when extraordinary operations, such as mergers and acquisitions or joint ventures, are foreseen
  • Investigators, since workers, particularly in high-risk countries, may be victims of extortion or may be blackmailed by criminal organisations. Very often, in fact, we imagine that bribes are only paid to secure an advantage, like signing contracts for which others are more qualified or, in general, to gain an undue advantage

While this may certainly be true, it cannot be denied that sometimes bribes are paid to protect one’s reputation or personal safety. It goes without saying that private investigators cannot be a substitute for law enforcement agencies, but their function is to support those facing such unpleasant situations so that they do not feel alone.


It is worth remembering, in fact, that the workforce normally dealing with these challenges is very far away from a company’s headquarters and must face a completely different legal and business environment, oftentimes with weak institutions as well. In my opinion, the most common mistake they can possibly make is to pay out of their own pockets. That is why, as part of a broader compliant corporate culture, no one should be afraid or ashamed to speak up, and everyone should expect appropriate support.

All the problems outlined can be tackled efficiently and effectively with mutual collaboration to ensure that no one is ‘left behind’.

IT and cybersecurity specialists

Since most of our professional, and I would say also personal, lives revolve around computers, tablets and smartphones, these specialists’ role is acquiring more and more importance, as wrongdoers usually leave digital fingerprints of their misconduct: emails, SMS, instant messaging chats, databases, intranets, archives; basically anything could be relevant evidence.

However, IT and cyber security specialists’ activity should be directed only at retrieving relevant data, leaving aside personal or unrelated documents. It is a delicate task, since there must be compliance with applicable privacy laws, and it should be completed with data protection specialists on board as well.


It should not be assumed that everyone is fluent in English or another European language, because it is not always the case; rather the opposite, in my experience. Codes of conduct must be widely understood and acknowledged group-wide to be effective, and it is essential that everyone, everywhere, understands them.

Moreover, internal investigations require significant work on the ground, which means interviewing local stakeholders able to provide useful information, in local dialects sometimes. Translators make sure that nothing gets ‘lost in translation’ and words are taken for their true meaning. It would be a shame to miss important red flags for a misunderstanding, wouldn’t it?

Furthermore, labour and safety experts may also be needed to ensure, for instance, that a foreign workforce to which part of the production has been outsourced is safe in the workplace. Besides being a moral responsibility, this would protect a foreign company from legal and reputational liabilities as there are human lives at stake.

We have just outlined how diverse and professionally qualified the compliance team has to be; advanced degrees (issued by recognised universities, of course), state exams and professional accreditations released by public bodies are necessary to perform such duties.

An ISO 37001 auditor may very well possess the aforementioned qualifications and skills, that is beyond discussion. However, it is important to mention that the auditor qualification is awarded by private bodies.

Lastly, auditors do not know your company, its culture, its employees, its challenges and its strengths. Why not then empower the internal legal/compliance team to fortify anti-corruption? It might be an excellent lead to create and develop robust and trustworthy relationships across all the business areas.

ISO 37001 is not a defence in case of corporate misconduct

As pointed out above, only a serious compliance programme can exclude or mitigate liability and the fact that an external auditor has approved an organisation’s anti-bribery management system does not represent an asset in this regard as the adoption of the standard does not – per se – exclude nor mitigate corporate responsibility.

For instance, the US Department of Justice, in its recently released Evaluation of Corporate Compliance Programs, has not even mentioned the ISO 37001 or other certifications. The French Anti-Corruption Agency has taken the same approach. It is also crucial to understand that contracting with an ISO 37001-certified counterparty does not exempt a company from its due diligence duties, which have to be carried out regardless. Any ‘light’ due diligence must be avoided for the same reasons.


Any thorough audit implies knowledge of confidential information about the target organisation, and anti-corruption audits are no different. Financial statements, possible participation in public tenders, names of agents and consultants and their role in securing contracts are just a few examples of the priceless information that would have to be released to the auditor (to whom attorney-client privilege may not apply).

Most likely confidentiality clauses will be signed, but the ISO 37001 audit nevertheless poses unnecessary risks.

Companies under investigation

Past episodes of corporate misconduct do not impede a shift toward compliance; conversely, these episodes oftentimes trigger an interest in ethical business. However, the situation is slightly different when organisations are under investigation or on trial.

Anyone with a legal background knows the golden rule ‘innocent until proven guilty’. However, issuing an anti-corruption certification while a corruption trial is pending is problematic for three reasons:

Judgement ascertains responsibilities

A judgement defines whether a misconduct actually took place. What would be the purpose of certifying a company prior to this assessment?

Judgement identifies weaknesses

If bribes were paid, something went wrong, and only a final judgement can say where and when; lack of training or communication, overly ambitious or unrealistic business goals and lack of due diligence are the most common root causes. A ruling is normally the result of a complex trial in which responsibilities are ascertained; this may throw light on where internal controls or managerial guidance were lacking, and a company should acknowledge such findings to strengthen its anti-corruption initiative and implement appropriate corrective measures for the future. At this point the question is: how is it possible to certify that an entity is able to deter, prevent and respond appropriately to corruption while it is still on trial?

Certification undermines respect for the judiciary

Without quoting Montesquieu, anyone familiar with public and constitutional law knows that, alongside the executive and legislative powers, the judicial power is autonomous, and its autonomy is fundamental for any democracy. Acknowledging its decisions is an act of respect for the institutions.


What happens if a doctor certifies that a person is healthy, but it turns out he isn’t? What happens if a chief engineer establishes that a building is safe to live in or that a bridge can carry daily commuters when, in reality, they are not?


The aforementioned are obviously oversimplified examples, but the point is that certifying implies some degree of responsibility. What responsibility and what accountability is there for the auditor if a certified entity is found responsible for corruption?

More than a year after the publication of the ISO 37001, this question remains unanswered, even though it might be possible to foresee some kind of contractual liability under which the organisation and its management would be held accountable.

Being ISO 37001 certified is not a guarantee of the absolute absence of corruption, nor of best practices, and the auditors cannot be held responsible for others’ wrongdoings. So, what is the purpose of being certified, other than for the certifiers’ benefit?

In conclusion, this ‘new’ anti-bribery standard is very unlikely to represent a real step forward in fighting corruption since, as we have shown, it contains some serious pitfalls. More importantly, it cannot harmonise the international efforts in fighting corruption; the ISO 37001 is not the law.

For the same reason, it cannot strengthen the anti-corruption initiative in developing countries, which are the most affected by international bribery. These nations need instead a serious political commitment, which cannot be substituted by external initiatives.

Rather, compliance must be embedded in an organisation’s culture at a local level in order to function properly. This means that those responsible for corruption are held accountable for their actions; that the management collaborates proactively with internal and external stakeholders to identify transgressions without trying to cover them up; and that whistle-blowers are not afraid to speak up because they do not fear retaliation or humiliation (sadly, this is sometimes still the case).

Besides being favourably perceived by the relevant authorities, a compliant attitude brings several advantages. Corruption is almost never a stand-alone offence; oftentimes bribes are paid to gain an undue advantage that can negatively (sometimes tragically) affect others. An authorisation released without the requisite controls being in place in practice, and not just on paper, is an example of how corruption can seriously jeopardise a company’s reputation in the market, adding economic consequences to the legal ones.

Finally, one last consideration. Compliance serves the business purpose but it should not be a business per se.


Ethical Boardroom is a premier website dedicated to providing the latest news, insights, and analyses on corporate governance, sustainability, and boardroom practices.
