ISO 37001: Testing the Ability to Implement a Global Anti-Bribery Standard

Alerts / December 20, 2017

A year after a global anti-bribery standard was implemented by the International Standards Organization (“ISO”), a slow trend is emerging among major corporations, such as Microsoft and Wal-Mart, of announcing that they will seek certification under the standard. This presents an opportunity for companies to obtain a best practices certification concerning their anti-corruption controls, which could serve as a favorable factor for lenience for the corporation from criminal or civil enforcement authorities, should a problem arise.

The ISO is an independent, non-governmental international organization that aims to create international standards for various industries including technology, food safety, agriculture and healthcare. On October 14, 2016, the ISO adopted ISO 37001, a global standard aimed at implementing an anti-bribery management system designed to help prevent, detect and mitigate bribery. This is a significant step towards solidifying a global anti-bribery standard for companies across the world. ISO 37001 is based on previous guidance from organizations such as the International Chamber of Commerce, the Organization for Economic Cooperation and Development, and the U.S. Department of Justice (“DOJ”) and Securities and Exchange Commission’s (“SEC”) “A Resource Guide to the US Foreign Corrupt Practices Act.”

The standard applies to organizations of all sizes in the public, private and not-for-profit sectors. The standard not only prevents and addresses bribery by or on behalf of an organization, but also bribery by its employees or business associates. ISO 37001 states “[t]he anti-bribery policy and supporting management system helps an organization to avoid or mitigate the costs, risks and damage of involvement in bribery, to promote trust and confidence in business dealings and to enhance its reputation.”[1] The ISO has cautioned, however, that conformity with ISO 37001 does not provide assurance that no bribery has occurred, or will occur. There is no guarantee that a company will not be investigated or prosecuted for allegations of bribery, even if certified as compliant with ISO 37001.

ISO 37001 certification requires that an accredited third party confirm that an organization’s anti-bribery system meets the ISO standards. To become certified under ISO 37001, a company must implement and meet requirements for anti-bribery policy and procedures; management commitment and responsibility; oversight by a compliance manager; anti-bribery training; risk assessments and due diligence on projects and business associates; financial, procurement, commercial and contractual controls; reporting, monitoring, investigation, and review; and corrective action and continual improvement. This is a principles-based approach rather than a rules-based approach.

Since the announcement of ISO 37001, several prominent corporations have announced they would seek to be certified. Notably, Alstom, SA, a company targeted by the DOJ and SEC for Foreign Corrupt Practices Act (“FCPA”) violations in 2014, was certified for its European operations in June. In March 2017, Microsoft announced that it was seeking ISO 37001 certification and in May 2017, Wal-Mart Stores announced it was seeking certification.

David Howard, Microsoft’s Corporate Vice President & Deputy General Counsel, Litigation, Competition Law and Compliance, has endorsed this approach: “[w]e think a consistent approach to anti-corruption is a good thing. That, along with an objective and independent certification process, should give governments around the world confidence that the companies which achieve certification are doing everything they reasonably can do to reduce corruption.”[2] While some major companies seem to support ISO 37001, Wal-Mart noted a hurdle to certification is that there are currently no accredited U.S. testers to certify companies.[3] As of November 7, 2017, PECB was the first North American management system certification body accredited by the International Accreditation Service, one of two bodies that provides accreditation related to ISO standards, to certify compliance with ISO 37001.

While the benefits of ISO 37001 will take time to ascertain, with major companies like Microsoft and Wal-Mart seeking compliance certification, it is likely that more companies will follow suit. Although there is no guarantee that the DOJ or SEC will not come knocking at a company’s door, ISO 37001 certification may lead to a competitive advantage, provide assurance to customers that the company has a robust anti-bribery program, and show governments that companies are serious about complying with anti-bribery laws. Clients are urged to consider whether certification should be sought and to determine the necessary steps to ensure compliance with ISO 37001.

Please feel free to contact any member of BakerHostetler’s White Collar Defense and Corporate Investigations team with any questions or concerns.

Authorship credit: George A. Stamboulidis, Lauren J. Resnick, Shawn P. Hough and Lauren P. Berglin

[1] ISO 37001: 2016, Anti-bribery management systems – Requirements with guidance for use.
[2] David Howard, “Why Microsoft is Adopting the New International Anti-Bribery Standard,” May 17, 2017.
[3] Henry Cutter, ISO’s Anti-Bribery Standard Gets Slow Adoption, Wall St. J., Oct. 18, 2017.
