Exclusive Interview ISO 37001
Compliance Q&A: ISO 37001 Expert shares insights into boosting the effectiveness of anti-bribery and corruption efforts
Jean-Pierre Mean is an anti-corruption lawyer who played a leading role in the development of ISO 37001, a recent global standard by which companies can measure their anti-bribery and corruption policies. He is now leading the working group which looks after the implementation of the standard. Mr. Mean invited LexisNexis to speak with him about the standard at his Geneva home, just a stone’s throw from the famed Swiss lake. There, he explained why the standard has been developed, how governments and companies have reacted to it so far, and how companies will benefit from seeking accreditation.
Does the new standard change things for the fight against bribery and corruption?
The new standard is not reinventing the wheel, it is really built on best practices which have developed in the past 10 years. Fifteen years ago, there was rather little available on anti-corruption practices and in the past 10 or 15 years various instruments have been developed. ISO 37001 is in a way a codification of best practices.
What feedback have you had from companies so far?
Certification companies need to be accredited in order to certify according to a specific standard so there are two or three companies which have been accredited so far, but there are four candidates in Germany, two candidates in France and others in Britain. It is expected that these companies will be accredited this summer and that accredited certification will come then. So, I think this process is really starting now.
I have conducted certification audits myself according to other standards. There was a precursor to the ISO 37001 in Britain (BS 10500). An audit is not an exam, it is not like the company is on the witness stand; it is an exchange and that is the way it has to be perceived. If it is conducted well, there is an exchange between the compliance officer and the auditor. The auditor has first-hand knowledge of best practices which should be of interest to the compliance officer, and for the compliance officer, it is also interesting to have a third party look at their system and tell them where the weaknesses are, so they can correct them.
What are the main benefits to a company of seeking ISO accreditation?
The main benefit is first of all that it’s benchmarking; you know whether you have done the right things, so it’s the demonstration to yourself of the effectiveness of your system. It also demonstrates that you have a system that works to stakeholders, personnel, shareholders, and the community at large.
In legal proceedings it can also be used to demonstrate what you have done to prevent corruption from happening. It is not going to be an absolute defence—any judge will want to convince himself of the effectiveness of the prevention measures which have been put in place, but it will help.
I don’t think that increased revenues are key—if you implement the standard you should not do this to increase your revenue or profit. I think that having an anti-bribery policy or management system in place in the long run will improve or make the business more sustainable, but it may not increase revenue depending on what your policy has been in the past. You may lose some business at the beginning if some of your business was based on paying bribes. The question you have to ask yourself is whether that business was strategically business that the company should get into or whether it was only easy to obtain by paying bribes. To measure the standard, I would rather look at the atmosphere in the company. I think people should feel proud of the culture reflected in the standard.
How have governments reacted to the ISO 37001?
Some governments have been quite positive because they see it as a way to know more about the companies they are dealing with. Some are a bit more reluctant—generally the UK is favourable to certification and to norms, the United States less so.
What was the first company to be certified?
The first company which has been certified is Eni, the Italian company, and the Italian certifier was the first to have been accredited. The Italians have been much more efficient apparently than the French, Germans, and Brits. They have been able to accredit a company in early 2017 around six months after the standard was published.
Unfortunately, two weeks later the CEO of Eni was investigated for corruption. This optically doesn’t look very good, but the facts for which he was investigated were a couple of years before the certification took place.
Which sectors will benefit most from certification?
Companies in the oil and gas sector may want to have themselves audited because they are exposed to corruption. Also, large companies involved in dealing with governments, the armament industry, companies like Siemens, Alstom, and others involved in electrical equipment and transport equipment where they sell to governments. Banks as well may consider it—Credit Agricole has been certified in France. I think large companies active internationally in countries where corruption is rampant of course are going to be more interested in the standard than others.
Why did the standard happen now?
I was surprised when the standard came about, but there have been quite a few instruments developed to fight corruption over the past 15 years. There were too many instruments and quite a few people were a bit confused about the different instruments, which were not all as detailed as they might have been, so it was an appropriate time to sum up and come up with a global instrument.
ISO is represented by around 170 members so it’s really covering the whole world. The previous British standard BSI 10500 was really aimed at Britain. The ISO is the global organisation and ISO standards are the global standards.
How is it that companies of different sizes can use this single standard?
The standard is risk-based, so the first thing that you have to do when you want to implement an anti-bribery management system is to define, to map your corruption risks. Based on this mapping you will decide how to implement the standard. For example, if you are dealing exclusively in Scandinavia, maybe you will not need quite the same measures as if you are dealing in Eastern Europe or Asia or Africa where corruption is more of a risk.
If you have a centralised management system, it is going to be easier to implement the standard than if you have a decentralised management system and you have to adapt to different units. If you have one language it is going to be simple, if you are a large international company it will probably take about 30 different translations so that is quite a different task than doing anything in one language. For an anti-bribery policy, you do need translations and cannot rely on English everywhere.
What is most important to the success of an anti-bribery and corruption policy?
The most important thing is leadership. If the head of a company or its governing body are not convinced of the value of an anti-bribery management system, it is not going to work, so they have to be convinced and they have to lead the whole exercise. It is not something you can measure or create from nothing, it is a change of culture and that has to come from the top. It has to filter down and everybody in the company has to be involved. If you are able to manage this cultural change, you have already taken a big step.
Another element of the system is that you have to appoint a compliance or an anti-bribery officer, it can be somebody who is involved in compliance at large, but you have to dedicate resources—people and finance—to an anti-bribery function.
You have to write an anti-bribery policy and you have to organise training on that because if you distribute a document in a company of 20,000 employees, there are so many documents flying around that many people will not read it although they may well sign that they have. It is important that people are shown the impact of the new rules or the policy in their daily lives.
You also have to have a whistleblowing alert system, you have to guarantee confidentiality and permit anonymity if it is required and you have to investigate if there are violations of the policy and sanction them.
How can the standard help businesses to gain the trust of others?
Implementing the standard is not just about writing rules and telling people what they should do. If you look at an anti-bribery policy, some are very detailed with articles and sub-sections. When you see a policy like this you have to be a bit suspicious because if you want to create a culture of integrity and trust you should use short sentences, simple words, not legalese. When you have this in place, you can communicate it to the outside world so that it will be recognised as an expression of integrity and your company will be more trusted.
What have been the main trends in regulation and legislation during your career?
The main trend is that there are now many more cases. In 2002 I can remember bribery legislation was in place in the United States and in other countries—apart from the UK which was a bit slower until the Bribery Act of 2010—but there were no cases. The big cases have all been in the past ten years. The United States has been the most active country, but just now I think the rest of the world has bypassed the United States in the number of investigations of international bribery—the UK, Germany and Switzerland also have active implementation of their legislation on foreign bribery. Other countries are improving as well.
France has put some additional legislation in place [Sapin II]. They have created an anti-corruption authority so there will be cases as well—the former President of France [Nicolas Sarkozy] is now under investigation for alleged corruption from Libya.
Do today’s investors and consumers expect companies to be more ethical?
Yes, there are more expectations. It is difficult for companies to prove that they are better than others because it is also difficult to prove which companies are not as good as the others, so the idea of certification is that instead of identifying the bad companies you identify the good companies.
Finally, what is your message for companies?
I think there are two approaches: there is the values-based approach and the rules-based approach, and I think you don’t get the same result with the rules-based approach as you do with a values-based approach, that is really the message I want to get through.