New ISO 37001 - Redcliffe Partners


26 April 2017 | The Ukrainian Journal of Business Law | www.ujbl.info

New ISO 37001 — International Standard for Anti-bribery-Management Systems

Jean-Pierre MÉAN* is an anti-corruption expert, Counsel Eigenmann Associés, member of the ISO 37001 Project Committee

Ario DEHGHANI is a counsel, head of the Compliance and EU law practices at Redcliffe Partners

* Chair of the Working Group on ISO 37001 Auditors’ Competencies; Chair of the Ad Hoc Group on ISO 37001 post-publication issues; member of the ICC Commission on Corporate Responsibility and Anti-Corruption

History of ISO 37001 and general aspects

On 15 October 2016 the first edition of the new ISO 37001 standard (the Standard) was published. It is a new international standard for anti-bribery-management systems in all types of organizations, whether private or public.

The Standard was initiated in late 2013. Experts from 50 countries were involved in developing the Standard that, as every ISO standard, is not obligatory, but reflects the best practices in the field of establishing and implementing an anti-bribery management system within an organization.

However, the Standard contains generic requirements, which are applicable to all organizations or parts thereof, regardless of type, size and nature of the activity or company sectors. It can serve as a valid foundation for a tailored anti-bribery management system or as a new part of an already existing company compliance system.

Definition of bribe

The definition of bribe used largely reflects that used in the UNCAC. Based on that, a bribe is

— offering, promising, giving, accepting or soliciting

— of an undue advantage of any value (which could be financial or non-financial),

— directly or indirectly, and

— irrespective of location(s),

— in violation of applicable law,

— as an inducement or reward for a person acting or refraining from acting in relation to the performance of that person’s duties.

This definition includes all possible parties and is not limited only to government officials, but also includes business partners or private individuals. Furthermore, no factual payment or “success” of a bribe is needed. Based on the definition of bribe used by the Standard, any offer or promise is already sufficient to constitute a bribe.

The scope of ISO 37001

The Standard addresses bribery of companies in the public, private and not-for-profit sectors. It includes bribes by and of:

— the company itself;

— its personnel;

— its representatives; and

— business associates acting on the organization’s behalf or for its benefit.

The Standard only addresses compliance issues in connection with bribery. It does not cover other areas such as fraud, anti-trust/competition offences, money-laundering or other activities related to corrupt practices.

Company size, environment and structure define the needs of the system

An anti-bribery management system cannot and should not be the same for all companies. Many companies differ in terms of, e.g. business areas, business environment, company size and their organizational structure. It is essential to study the existing company structures and to build a tailored program with the exact needs for the existing structure.

Organizational structures can be divided and examined from two points of view: internal and external structures. Internal organizational structures can include, e.g.:

— size and structure of the company;

— decision-making authority; and

— business model.

External organizational structures can include:

— locations and sectors of operation;

— features of activities;

— nature, scale and complexity of activities and operations;

— nature and extent of interactions with public officials; and

— entities controlling, or controlled by, the organization and/or business partners.

Another important aspect for the assessment of a specific anti-bribery management system is the needs and expectations of a company’s stakeholders, no matter whether they are mandatory or non-mandatory in nature.

The company size, environment and structure are also essential for risk assessment, which should be conducted on a regular basis. The regularity and details of a risk assessment depend mainly on the severity of consequences and the probability of a violation. Factors that could potentially influence the risk level are, for example:

— size of company;

— industry sector;

— country environment and possibility of bribes;

— contact with government officials in a country where bribery is a common approach; or

— dependence on business partners.

The Standard also addresses the necessary due diligence of business partners. Companies could be liable for the misconduct of their business partners, if they are acting on their behalf or for their benefit. Every company should run a due diligence process, through which its business partners are checked on the basis of international standards and best practices. Such due diligence is recommended when the bribery risk is medium or high with regard to:

— specific categories of transactions, projects, activities;

— planned or on-going relationships with specific categories of business associates; and

— specific categories of personnel.

As a practical approach, in cases in which business partners show a medium or high bribery risk and a system can mitigate those bribery risks, companies are advised to evaluate the existing system of their business partners. If no system has been implemented, companies should ask their business partners to implement anti-bribery controls and systems. If the respective business partner refuses to provide information or to implement such control systems, the company should re-evaluate the relationship. If an identified bribery risk in connection with a business partner cannot be managed, the company should terminate, discontinue, suspend, or withdraw from the transaction, project and activity with the respective business partner.

Based on best practices, it is advisable to include contractual clauses in business partner contracts, including a commitment to prevent bribery as well as the obligation to report potential misconduct. In cases of a close relationship, business partners should be included in internal company compliance training sessions.

Important roles of leadership and officers

One of the most important requirements for a robust anti-bribery management system is the so-called “tone from the top”. A company’s leadership needs to show leadership and commitment towards the anti-bribery management system. The Standard identifies 4 possible levels of leadership with different responsibilities with regard to the system. These 4 possible levels of leadership are the following:

— governing body (e.g. supervisory board);

— top management (e.g. board, CEO, CFO);

— managers at all levels; and

— compliance officer (“compliance function”).

The responsibilities of top management are greater in scope and detail than those of governing bodies. The reason for this is that management is closer to business and has more control over business activities, including the avoidance of bribery, than the governing body.

The responsibilities of governing bodies are, for example, the following:

— approving anti-bribery policy and system;

— ensuring that system and policy are aligned with an organization’s strategy;

— accompaniment of top management regarding implementation and effectiveness of a system;

— requiring adequate and appropriate resources; and

— setting intervals for reports about content and operation of the system.

The responsibilities of top management are, for example, the following:

— ensuring that the system is established, implemented, maintained and regularly reviewed, all with an adequate scope and detail based on the company’s structure;

— ensuring integration of the system’s requirements in all other processes;

— deploying adequate and appropriate resources to run the system;

— communicating internally and externally about the system;

— ensuring that the system is adequately designed based on the company’s current structure;

— directing and supporting personnel to contribute to the effectiveness of the system;

— promoting an appropriate anti-bribery culture;

— encouraging the use of an ‘easy to use’ reporting system;

— ensuring that no personnel will suffer retaliation for reports of possible misconduct; and

— regularly reporting to the governing body on content, effectiveness and allegations and outcome of reported violations.

In case of a delegation of decisions or actions, the Standard requires that the company establish, maintain and regularly assess the delegated decision-making process and the set of controls.

Possible responsibilities for the Compliance Function (e.g. Compliance Officer or Compliance Office) are, for example, the following:

— to oversee the system’s design and implementation;

— to provide advice and guidance to personnel;

— to ensure that the system complies with the ISO standard;

— to report the system’s performance, alleged violations and investigations to the governing body and top management;

— to be staffed with adequate competence, status, authority and independence; and

— to have a direct link to the governing body and to top management in cases of concern.

The Compliance Function may outsource some of its compliance activities to outside counsel or other in-house functions. Nevertheless, delegation or outsourcing cannot shift the responsibility to another institution or person.

Possible actions and goals for the company

The Standard includes several recommendations in terms of possible goals and actions for companies, such as:

— to understand the organization structure and context;

— to understand the needs and expectations of stakeholders;

— to conduct thorough and appropriate bribery risk assessments on a regular basis;

— actions to address existing possible risks;
