Toward a Standardized Approach of Tackling Corruption on Global Level
Bartosz Makowicz, Prof. Dr., CPG Senior Research Fellow, Director of Viadrina Compliance Center, European-University Viadrina Frankfurt (Oder), Head of German Delegation to the ISO Project Committee 278 on anti-bribery management systems
In the current globalized world national economies and markets are linked to each other to such an extent that they together form a common global market place. In this space new compliance risks emerge such as corruption resulting every year in an immense damage not only for the states but also for the market, society and the ordinary people. Fighting corruption has therefore become one of the biggest challenges for state authorities. Some of them concentrate on their national markets, some of them try to make their legal acts exterritorialy applicable, like the United Kingdom with the UK Bribery Act 2010 or the United States with the Foreign Corrupted Practiced Act. Finally, in the act of desperation some of them introduce severe penalties like the death penalty for certain corruption offense as the Kingdom of Thailand recently did in the Amendment of the Organic Act on Anti-Corruption (No. 3) 2015.
Apart from the above mentioned national efforts international organizations have also been recently trying to make their contribution to the fight against global corruption. Several of them have therefore published guidelines or rules on combating corruption. Worth mentioning are especially the “ICC Rules on Combating Corruption” published by the International Chamber of Commerce (ICC) or the “Anti-corruption instruments and the OECD guidelines for multinational enterprises” published by the Organization for Economic Co-operation and Development (OECD). The weak point of these guidelines is, however, that they are not legally binding laws, and thus the acceptance and willingness across the business world is quite limited to particular organizations that have adopted them.
However the globalized world needs global answers for its compliance risks. It is therefore obvious that also international organizations are contributing to the fight against corruption. One of the attempts to make the global business cleaner from corrupted practices started in 2013 when the British Standards Institute (BSI) made a proposal and initiated the proceedings to the International Organization for Standardization (ISO) to draft and publish the new standard ISO 37001 anti-bribery systems. It is the purpose of this article to give an overview over the status quo of the proceedings (2) and their applicability and characteristics (3) as well as to explore some key ideas on the implementation of an anti-bribery system proposed by the ISO (4). Some final remarks including the impact the proceedings can have on the ASEAN countries (5) and a résumé (6) will complete this paper.
II. Drafting Global Standards
- General Remarks
The most recognizable international standards are those published by the ISO. The ISO is a global association of national standardization bodies which are members of the ISO. The German DIN (German Standards Institute) or the Thai Industrial Standards Institute (TISI) are only two members out of more then 150 members within ISO.
ISO standards can be distinguished between those of type A (stating requirements and well known as industrial standards) and those of type B (stating guidelines). Only the type A standards are eligible to be certified. On the other hand, regarding the matter regulated by a standard a distinction must be made between “industrial standards” and “management standards”.
First it must be noticed that ISO standards are not legal acts. So, they are not legally binding but can be voluntary adopted by the organizations. The fact that standards are developed by a private organization which the ISO is results in both advantages and disadvantages. Since standards are not legal acts there is a lack of democratic legitimation. On the other hand, the same fact can be perceived as an advantage: the development of the standards is free from political influences which sometime can be destructive and make particular legal proposals ineffective.
The ISO standards are drafted neither by politicians nor by members of national parliaments but by the very experts on the matter that is to be covered by the standard. By this means the ISO has so far published approximately 20.000 standards (both industrial and management standards).
- ISO Project Committees
The works on new standards are taking place in either technical committees (TC) or project committees (PC). These global working groups consist of the delegations of the national standardization bodies and meet several times per year to proceed with the standard drafting. The amount of the national bodies participating in the drafting works depends on the meaning of the new standard and interest in it in the particular member country. Usually any national body creates on the national level a so called mirroring committee which again consists of national experts on the particular topic. Depending on the interest any member body may restrain from working on the standard, it can switch into the observation status or active status where national bodies may comment on the standard and by that way contribute to the development of the standard.
- Compliance Standards ISO 19600 and ISO 37001
ISO has currently two compliance system standards. The first of them was drafted by the ISO/PC 271. This project committee developed the “ISO 19600 Compliance Management Systems” in December 2014 and has been dissolved after having done its work. ISO 19600 is a generic standard of the type B (guidelines) constructed as an overarching management standard for compliance risks. It can be implemented by any organization due to its flexibility, proportionality and the rules of good governance.
The other compliance management standard is currently still under development on the agenda of the ISO/PC 278. The committee works on the development of the ISO 37001 anti-bribery management systems which that is the subject of this article.
- Initiation of ISO 37001 Anti-bribery Management Systems
The proceedings to create the new anti-bribery standard have been initiated by the Great Britain in 2013. Since then five global meetings have taken place in London, Madrid, Miami, Paris and in September/October 2015 in Kuala Lumpur. Currently around 50 countries and 7 liaisons are involved in this process. According to the future agenda adopted during the last meeting in Malaysia the standard is supposed to be published by the end of 2016.
III. Key facts on ISO 37001
- General Provisions
ISO 37001 is being developed as an anti-bribery management system standard aiming to help an organization establish, implement, maintain and improve the above mentioned anti-bribery systems. It is supposed to have a universal applicability to any organization. Regarding its requirements the standards includes several operational and structural methods that represent the globally recognized know-how on preventing organizations and its members from corrupted actions.
The Standard as a management system follows the new High Level Structure (HLS) that has been developed by ISO for all management standards. It is therefore not a stand-alone management system but should be integrated into existing management processes and controls. Finally, as a type A standard it is eligible to independent certification (for example made by independent auditors).
One of the most important goals of global standardization is the simplification and unification of rules and regulations apart from the legislative bodies. The standard therefore aims to be universally applicable to different kinds of organizations. Due to its flexibility the standard can be adapted to a wide range of organizations, including large organizations, small and medium sized enterprises, public and private sector organizations, non-governmental organizations, regardless the country of operation.
- Scope: Bribery
The scope of the Standard is quite clear and narrow. It is applicable to bribery. It was one of the most demanding challenges to find a common and harmonized definition of bribery during one of the initial meetings of the ISO/PC 278. Finally the committee decided, due to the great range of different national definitions originating from the national laws, not to define the bribery in the standard.
However the Standard provides guidance on what is meant by bribery to help users understand its intention and scope. According to its draft provisions the term “bribery” is used to refer to the offering, promising, giving, accepting or soliciting of an undue advantage of any value (which could be financial or non-financial), directly or indirectly, and irrespective of location(s), as a minimum in violation of applicable law, as an inducement or reward for a person acting or refraining from acting in relation to the performance of that person’s duties.
IV. Implementation of Anti-bribery Systems
- HLS, PDCA and RMS
First, as already mentioned, ISO 37001 being the new ISO Management Systems follow the High Level Structure. The crucial point and huge advantage is that HLS offers users of the standards an already well known and recognized environment. Once an organization has introduced any management system following the HLS – and most of them have implemented the ISO 9001 – the new standard will be a user-friendly guidance to integrate the other management system into the existing structures and procedures.
Also in a methodological point of view ISO 37001 has been developed as a quality system. It follows a well-known improvement cycle invented already at the beginning of 20th century. It is the so called PDCA-cycle aiming to plan
(P) the implementation of a measure, then to do it (D) which means to implement it. In the third step the effectiveness of the measure should be checked (C) and one has to act (A) which means to improve the action if there is any need for improvement. The cycle should be continued over and over at lower and lower cost, as it was stressed by its inventor.
Finally, again in its methodological point of view, the ISO 37001 is based on the risk approach. It means that any attempt of establishing or running an anti-bribery system should start with assessing the risks which would be in this context bribery risks. The Standard requires the effective assessment of the bribery risks and consequently to address the stated risks by appropriate measures on structural and procedural level.
- Overview over the Implementation of ISO 37001
The very core of the Standard states the requirement for establishing, developing, maintaining and improving anti-bribery management systems. In its eight simple requirements the standard covers the modern approaches and god practice. Every requirement is, however, to be understood as a result of compromise since it is obvious that measures of fighting corruption on the level of an organization may vary from continent to continent and from country to country, sometimes even from organization to organization within the same country of origin.
The following steps cover the fundamental elements of a management system under the HLS and reflect also the compliance management systems under ISO 19600. The following structure shows the main steps of an anti- bribery system under the ISO 37001:
2.1 Context of the Organization
The starting point of establishing and running the system is gathering of information. The context of the organization is the absolute basis for any further action against corruption in the organization. The information that are to be determined are the compliance obligations and goals of the organization, the interest of its stakeholders, the scope of application of the system and finally, one of the most important measures within a compliance system, the assessment of anti-bribery risks.
2.2 Leadership and Assigning Responsibilities
The leadership plays the crucial role for a successful anti-bribery system. It must not only commit itself to the compliance and anti-bribery policy but also enable the effective anti-bribery system by providing adequate resources: both financial and personal.
Not only is the literal commitment necessary. The Standard requires an active commitment at all levels of management, wide and clear communication of the commitment, adequate resources allocated to the anti-bribery function and other.
It is not any more a wisdom that it is not the compliance officer or the anti-bribery function who is responsible for compliance or briberies in the organization. It is clear and also required by the Standard that the responsibility should be assigned at all levels in the personal hierarchy of the organization: the message that each person is responsible for anti-bribery in the organization must be clearly sent and repeated through the organization in order to build and support the anti-bribery awareness of employees.
Finally there is the so called anti-bribery function that is required by the Standard. By this term the Standard means a person or a group of persons who will be responsible for the anti-bribery management systems. Some of her or his tasks are conducting anti-bribery trainings, maintaining the systems, reporting, etc. However, it is finally to be stressed that the anti-bribery function is not responsible for bribery committed by other members of the organization.
2.3 Anti-bribery Policy
After the context of the organization has been determined and at least the initial risk assessment has been conducted there is a substantial basis of crucial enabling to draft the anti-bribery policy. It contains the determinations regarding fundamentals of anti-bribery strategy and should be published as an accessible document, communicated easily and accurately in an easy-to- understand language (native). The anti-bribery policy should be continually improved. It is highly recommendable to integrate the anti-bribery policy in the overarching compliance policy which itself will be the part of the overall corporate strategy. By putting the anti-bribery policy on that level the perception of corruption issues among the members of the organization will increase.
In the next step the operational planning is to be undertaken. Once the organization knows its anti-bribery risks it is able to address them by implementing appropriate measures and adjusting existing structures. The actions should address the risks and opportunities. The operational plan contains anti-bribery objectives and planning to achieve them. It should foresee detailed provisions on who, where, how and what measures should be undertaken. A clear and adjusted plan will contribute to an effective and efficient system.
The supporting actions are the core of the operational measures within the anti- bribery management system. It consists of a wide range of different methods that should be adjusted to the particular anti-bribery risks of the organization (as stated in the risk assessment). The top management should ensure that appropriate resources are provided to run an effective anti-bribery system. The Standard requires different supporting methods: anti-bribery employment procedures, awareness building and training, appropriate communication and finally documentation of the systems steps and systematical updates.
2.6 Operation: Anti-bribery Special Methods
Regardless the substantial supporting actions the Standard require several operational methods aiming to tackle corruption. It requires from the third party due diligence, anti-bribery controls and the usage of anti-bribery contract term. It furthermore contains particular rules on handling gifts and hospitalities or requires internal investigation in case of possible irregularities. To gain a better impression on the standard and its operations two of the mentioned methods are to be discussed more closely.
2.6.1 Handling Gifts and Hospitalities
The Standard contains particular methods pertaining to the question on how an organization may handle gifts and hospitalities. In any case transparency and documentation are crucial elements. An organization should adopt a policy that will be appropriate to its needs. It may be the necessity of approval in advance or different control mechanisms like total prohibition (zero tolerance policy) and permitting only a limited access regarding different key aspects like maximum value, frequency or timing.
2.6.2 Anti-bribery Contract Terms
Another good example for operational methods that can be adjusted to anti- bribery systems originate from the situation in which there is no organization that would be willing to be infected by compliance problems of its business partners. To assess such risk on the bribery area towards business associates with more than a low bribery risk it is recommendable to include provisions into the contract providing expresis verbis that bribery in the relation to the contract are prohibited and the right to terminate the contract in the event of bribery, including even, if necessary, audit rights.
The anti-bribery system recommended in ISO 37001 would not be complete and thus the system ineffective if it would not require continuous evaluation and improvement. It therefore requires particular monitoring and analysis methods and review of the system by the anti-bribery function, internal audit and the top management.
2.8 Continuous Improvement
Once non-conformity occurs particular steps must be undertaken to react. To clarify the case and address its consequences internal investigations should be conducted. The most important methods within the improvement stage are corrections (as a direct reaction to the non-compliance) and corrective actions (as a reaction toward the system if the bribery was caused by the failure in the system). Regarding the type of the non-compliance the whole system must be evaluated, which could result in reassessment of risks, redrafting the anti- bribery policy, etc. At latest at this stage it becomes obvious that the anti- bribery system proposed by ISO 37001 is a quality system based on the approach of continuous improvement.
V. Final Remarks
There have been discussions in the ISO/PC 278 on the question if the Standard should be published as a type A or B. Putting it in other words: if it should state guidelines or requirements open to certification. Both have advantages and disadvantages. One of the advantages is that being certificable the Standard could reach a higher level of unification of anti-bribery systems. On the other hand the same can result in an unnecessary economic burden for organizations since the certification process can create huge costs. There also is an obvious contradiction between the very ISO standards, when the overarching ISO 19600 has been published as a type B, while ISO 37001 is going to be type A. Finally, the bribery risk landscape all over the globe may and will vary from country to country and the measures to address them should be adjusted to the particular needs of the organization (to its particular risks). It is at least questionable if the Standard will be flexible to an extent which will enable to adjust itself to all cases.
- Relation to ISO 19600
Highly controversial is also the relation between ISO 19600 and ISO 37001. Since the latter aims to tackle corruption risks – these kinds of risks are typical compliance risks –, the justified question arises what should be the scope left for ISO 19600. This standard has been designed to manage all compliance risks, including corruption risks, data protection risks, product liability risks, and other compliance risks. Publishing another standard on anti-bribery management ISO seems to act inconsistently. On the other hand, however, corruption is a very complicated and delicate phenomenon that would require detailed measures and operations. To this extent it may make sense to go with another standard.
Finally, since the ISO 37001 is following the HLS it could work in the practice in such a way that organizations would implement the ISO 19600 as a basis and integrate in it the special provisions of ISO 37001. The simpler and more transparent solution – especially a more user-friendly one – would have to be drafted as an annex to the ISO 19600 on the particular and detailed applicability of this standard to the corruption risks.
- Relation to other Anti-bribery Systems
Neither ISO 19600, which is covering not only corruption but all compliance risks, nor ISO 37001 are contradictory to other already existing anti-bribery guidelines or standards like those published by the OECD or ICC. Besides its ordinary members the ISO/PC 278 concluded several liaisons to international organizations such as the OECD in order to achieve conformity with the mentioned standards. The ISO 37001 is therefore not only compliant to those standards but even covers most elements recommended by those standards for an effective anti-bribery management system. Keeping in mind the high grade of visibility and global acknowledgment for ISO standards, the ISO 37001 could succeed as the global standard against corruption.
- Small and Medium Sized Enterprises (SMEs)
Some troubles may finally occur regarding the SMEs. The Standard contains several requirements that could pose a high burden on such types of enterprises that do not have huge financial and personal resources for their management systems. For example the Standard requires a compliance function and a formal risk assessment. Those points are quite costly and especially the latter one could by substituted by other alternative methods of gathering of information. Having still a couple of global rounds and hundreds of comments to discuss it is desirable that the Standard will be made even more SME-friendly.
- Possible Meaning for ASEAN
The situation in the ASEAN countries regarding corruption is dramatic. Just to give some examples: Most of these countries are ranked on the last positions in the Transparency International Corruption Perception Index. Excluding Singapore that has an excellent position number 7 in the list, the rest of the ASEAN countries closes the list: Cambodia on 156, Laos 145, Vietnam 119, Indonesia 107, Philippines and Thailand on 85 and slightly better Malaysia on position 50.
It is therefore obvious that those countries, their economies and people are highly affected by corruption and the destroying consequences of it. It is also obvious that those countries, albeit with different intensity and different methods, are fighting against corruption with usually more and more sever fines and penalties like the recent introduction of death penalty in Thailand.
However, only enacting severe laws has already failed in many other countries in combating corruption. Repression is only one of several methods. Corruption is a highly complicated phenomenon deeply rooted in the socio- cultural structures of a given society. Education at a very early stage (young age) is therefore necessary to create awareness of non-corruption and a sustainable compliance culture.
Another successful measure can be seen in preventive structures in organizations from which corrupted practices may be conducted. Since the standards und guidance are, however, not legally binding the leaders of the organization must be encouraged by incentive measures of the state to implement particular anti-bribery systems. It may be done by enacting regulations that could provide lower sanctions or a waiver in case of proven and documented effective compliance management systems. The national legislators unfortunately to often forget that their role is not only to penalize unlawful behavior but also to promote any effort on the micro level of the organizations to prevent such a behavior.
Finally, also another possible scenario could result in a quite positive consequence of the ISO 37001 for countries deeply affected by corruption: Since ISO 37001 is a standard eligible for certification – and such certificates could be common in countries in which there is a possibility of liability for corrupted practices of the business contractors –, these organizations may insist that their partners obtain the same certificate and offer them by that a certain safety and security. Since ISO standards are acknowledged and recognized all over the world it is quite possible that foreign companies by using their economic dominance force foreign partners to implement anti-bribery systems like those recommended in the ISO 37001.
The main purpose of the last meeting of ISO/PC 278 in Kuala Lumpur was to discuss the comments from the national bodies and to bring the standard to the next stage. The committee had a hard working week and a substantial progress to the Standard has been achieved. It was also not a coincidence that the meeting took place in Malaysia, one of the ASEAN countries. While the Standard is planned to be published by the end of 2016, the next comment round on the national level is running. At this stage it is the last call for other ASEAN countries to take part in the process of drafting the anti-bribery standard that could one day become the global standard aga
 See http://www.iccwbo.org/Advocacy-Codes-and-Rules/Document-centre/2011/ICC-Rules-on-Combating- Corruption.
 See http://www.oecd.org/corporate/mne/2638728.pdf.
 DIN stands for Deutsches Institut für Normung e.V., German Standards Institute.
 The most famous management standard is the ISO 9000 (later known as ISO 9001) the quality management standard.
 Usually member states are enabled to work on the standards, however the so called liaisons with relevant international organizations can be concluded to cooperate on the drafting works.
 Recently also already existing management standards has been adjusted to the HLS. See for example the new ISO 9001 quality management of 2015.
 Definition from Sec. 1 ISO 37001.
 Following steps originate from the planned requirements of the ISO 37001. Please notice that since the standard is still under development, its requirements may vary in the final version, the so called Final Draft International Standard (FDIS).
 9 On the other hand this responsibility in the terms of liability may be regulated differently depending on the provisions in the national legislation.
 Source: www.transparency.org/cpi2014/results.
 A similar regulation exists already in the UK Bribery Act and other national laws and is being currently discussed by the legislator in Germany.