Does ISO 37001 provide a legal defense?

The publication of the ISO Standard 37001 and the fact that it is certifiable has caused companies to get in touch with us for clarification as to whether the standard offers legal protection in the event of the discovery of an act of corruption at the company. As corruption is an offense that can result in the criminal prosecution of corporations, companies want to know what kind of legal protection comes with an ISO 37001 certification.

In particular, companies are eager to learn if an ISO 37001 certification would offer an affirmative defense to any company accused of corruption subsequent to the certification of the company’s corruption prevention system.

The short answer is no.

ISO 37001 certification does not provide a legal defense, but it does support a defendant’s contention that he has made his best efforts.

A judge will not accept the fact that a company has been certified as an adequate defense for an act of corruption. He or she will want to understand the how and the why of the offense. However, the corporate defendant can demonstrate that the company made its best efforts to prevent corruption. The defense could put forward the theory that the offense was committed in spite of all the efforts made by the company to prevent corruption. It is possible that the lawyer will be able to convince the judge that by having its corruption prevention system certified, the company has demonstrated its desire to do business with integrity.

It is within this context that it is relevant to note that in its decision of 22 November 2011 during a case involving a multinational company, a court in Bern, Switzerland, concluded that an order to dismiss was the most appropriate action noting that, subsequent to the acts in question, “… efforts had already been made for years to improve the organization of the compliance department. The latter fact also becomes manifest in the fact that ETHIC Intelligence Agency in 2007 issued a certificate grading the Company’s integrity Programme as good.”

ISO 37001 certification provides solid evidence for an affirmative defense vis-à-vis the UKBA’s “failure to prevent corruption.”

For those companies subject to the UK Bribery Act (UKBA), a second, more nuanced answer is necessary.

In addition to the primary corruption offense, this 2010 law includes the second offense of failure to prevent corruption, which concerns any company “which is doing business in the UK.” The UKBA does, however, provide for an affirmative defense for those companies that have implemented an anti-corruption compliance program according to the six principles of the UK Bribery Act Guidance. To this end, certification constitutes a strong defense for the company.

Specifically, paragraph 6.4 — to which ETHIC Intelligence contributed an opinion at the time of the drafting of the document — specifies that “Some organisations may be able to apply for certified compliance with one of the independently-verified anti-bribery standards maintained by industrial sector associations or multilateral bodies.” The British authorities also noted: “However, such certification may not necessarily mean that a commercial organisation’s bribery prevention procedures are ‘adequate’ for all purposes where an offence under section 7 of the Bribery Act could be charged.”

ISO 37001 certification demonstrates the company’s willingness to abide by DoJ recommendations

ISO 37001 certification demonstrates that management has tried to ensure that the corporate anti-corruption compliance system meets international best practices. It also demonstrates the company’s willingness to have its anti-corruption compliance system regularly verified, as recommended by the American authorities: “Although the nature and the frequency of proactive evaluations may vary depending on the size and complexity of an organization, the idea behind such efforts is the same: continuous improvement and sustainability.” (The FCPA Resources Guide, p. 61)

ISO certifications always involve an initial audit and an annual surveillance audit. The latter aims to verify how areas for improvement have been dealt with by the organisation. The very nature of ISO certification is to demonstrate that a company is committed to and engaged in continuous improvement.

ISO 37001 expects companies to identify their own legal requirements and assess their own corruption risk.

ISO 37001 certification provides legal assurance, but one that is intrinsically limited

As indicated above, ISO 37001 certification provides a certain level of legal assurance, but it does not verify that implemented procedures are either effective or appropriate to the company’s specific risk. It merely confirms that the company’s anti-corruption compliance system exists and that it meets the Standard’s requirements. This is important but does not constitute an affirmative defense per se.

The stakes for an ISO 37001 certified company under investigation or prosecution are not whether it has an anti-corruption compliance program, but whether this program is adapted to the company’s specific risks. Section 4 of the standard, “Context of the organization,” is one of the shortest but by far the most complex and most important for the company. This is where ISO 37001 is really challenging for companies: Section 4 states the expectation that companies identify their own legal requirements, assess their own corruption risks and decide on their own what is appropriate in terms of mitigation. An ISO 37001 certificate attests that a company has done so, but does not say more on the subject.

That is why the ETHIC Intelligence certification process incorporating the ISO 37001 standard offers an independent review of the anti-corruption audit by international lawyers renowned for their experience in anti-corruption. These experts verify a company’s efforts on corruption prevention beyond the requirements of ISO 37001 by ensuring that the corporate compliance system is appropriate to its specific business risk.

The ETHIC Intelligence Certification process is intended to provide the highest level of assurance, and of legal defense, in the always-possible event of corruption, keeping in mind that a magistrate will never take any certification as sufficient. He or she will always want to examine a case with no “pre-conceptions.”