For those managing and working with anti-bribery programs, the world has fundamentally changed. Pre-37001, varying and less-than-clear legal standards formed the basis for preventive and detective program activities. The stick of “the government could be knocking at the door someday” was sometimes needed to convince business colleagues to allocate resources, convey appropriate messaging to the workforce and otherwise support an effective program.
Post-37001, internationally agreed-upon anti-bribery business procedures now exist, with accompanying business opportunities: competitive differentiation to help drive revenue, supply chain simplification and compliance program administration cost and time savings – to name a few.
Compliance chiefs can now lead their management colleagues through a psychological pivot: what was once a “program” containing a set of activities that to some seemed murky and/or imprecise (the negative) can now be recast as a globally recognized “management system” focused on business processes with accompanying business opportunities (a positive) through adopting and becoming certified under 37001.
But how to get there? Some of the basic initial questions a compliance chief may want to consider as he/she begins applying 37001 are:
Strategically, how should I think about 37001?
This is a question that should be revisited periodically, as your company’s business, regulatory and other facts and circumstances change. Initially, however, consider using 37001 as a business tool and as a way of supporting the organization’s business goals. Make management aware of how standard certification could help drive revenue (e.g., generally, as a positive differentiator in the market, and specifically with customers, as a voluntary measure taken by the company to decrease collective risk) deserving of new business. Illustrate to colleagues how 37001 adoption helps achieve efficiencies and better resource application by re-tasking staff previously assigned to narrow administrative tasks and moving them (with appropriate training) to more analytical roles that support the standard’s emphasis on system measurement and monitoring.
On the flip side, query under what circumstances your company may need to adopt 37001 because of business or legal developments. Commercially, certain public procurement bodies and several larger companies are already reviewing 37001 as a possible requirement for their bidders and/or supply chain participants going forward. There is also the possibility that competitors may become 37001 certified and use that status to add a new competitive dynamic to the sales environment.
From a legal and reputational perspective, fellow participants in a sector where a key player is undergoing investigatory scrutiny may feel that 37001 certification is necessary to strengthen their overall position – to underscore both the comprehensiveness of their programs and to show that they are good corporate citizens. If your company should also be investigated and has not followed the same course, its commitment to fight bribery may be questioned by not having adopted 37001 while others similarly situated did so.
There may be advantages to getting out in front and adopting 37001 on your own terms and at your own speed, rather than under pressure from the emergence of factors outside your control.
Where is my anti-bribery program now?
This is the “look yourself in the mirror,” brutally honest question – not where you aspire to be with the program, or hoped you would be, but where you are now.
Among the related questions: How many gaps, of what size, exist in which areas vis-a-vis the legal standards applicable to your entity? Are you able to objectively assess those gaps or should outside resources be brought in to accomplish this task more quickly and objectively? What are the reasons for the gaps? What is the underlying corporate culture and does it: (a) align with the existing anti-bribery program and (b) provide a basis for believing that it will or could support a more proactive and embedded 37001-compliant program?
Your program and company facts and circumstances will dictate when and at what speed to begin the 37001-adoption process. For some situations, and because of its business-oriented focus, 37001 may provide the reason(s) and momentum to systematically mitigate or eliminate long-standing internal obstacles to a stronger program. In other cases, it may be best to set 37001 as a goal for a future period and to concentrate on filling basic programmatic gaps.
How different is 37001, and how will I need to start thinking differently in the process of adopting the standard?
37001 is not “same old, same old” to most entities with anti-bribery programs – numerous recent blogs to the contrary notwithstanding. The underlying principles and goals are essentially consistent with, albeit broader than, the FCPA, but the “how to” is different. This becomes clear as one applies the standard.
37001’s requirements are distinctly more granular, specific and business-oriented than the anti-bribery legal standards U.S. compliance chiefs typically use and apply. At its core, 37001 is an ISO “management system.” As with other such ISO systems, the essential activities required to establish and maintain an anti-bribery system revolve around identification of objectives, documentation, implementation, review (to include measuring and monitoring) and improvement – “including the processes needed and their interactions.” (Sec. 4.4) The system should be “reasonable and proportionate” to the organization’s particular facts and circumstances.
Documentation is a requirement in many instances, some of which may be outside a compliance chief’s typical coverage in his/her program (e.g., with respect to the various processes needed to meet 37001 requirements, process criteria and controls needed to be established and implemented, as well as documentation “to the extent necessary to have confidence that processes have been carried out as planned.” (Sec. 8.1.c)
In contrast to the U.S. Sentencing Guidelines’ relatively brief and conceptual treatment of effective programs, 37001’s management system contains detailed separate sections on leadership, planning, support and operations. An extensive Annex provides nonbinding guidance on topics and issues likely to be encountered as one implements and operates 37001.
Given the above, and if 37001 adoption is a likely priority within the next year, compliance chiefs should begin immersing themselves in the standard: skim it – to understand its organization and basic contents; read it word by word – to begin understanding the section interrelationships and levels of documentation (including process) detail either required or advisable even if not required; and map it – to specifically identify “need to do’s,” internal and external strategic and tactical relationships/dependencies and related timelines. Lastly, get comfortable with a process management or idea organization software package; it may become your constant companion.
37001 is a voluntary business (not legal) standard and only recently (October 14, 2016) took effect – but the need is large and growing for a globally recognized anti-bribery standard that provides the basis for independent certification. Many compliance chiefs see it as a rare opportunity to align with their business colleagues around a business “system” while simultaneously improving (for legal and reputational reasons) their anti-corruption “programs.”
This article is intended to be used for general business purposes only. It does not provide business, legal or other professional advice or services, and is not intended to be a substitute for legal advice or services. The author disclaims any and all liability for use of or reliance on any article content.