ISO publishes new Standard 37001 – Anti-bribery management systems
Implementation of ISO 37001 may benefit local and international Swiss businesses
On October 15, the International Organization for Standardization (ISO) published the new Standard 37001 Anti-bribery management systems. ISO 37001 specifies requirements and provides guidance for establishing, implementing, maintaining, reviewing and improving anti-bribery management systems. Local and international businesses in Switzerland (and elsewhere) may benefit from implementing the new standard – in particular because bribery in the private sector has been subject to stricter rules under Swiss criminal law since July 1, 2016 and can more easily lead to criminal prosecution. A cost-benefit analysis for a business needs to include a careful analysis of the existing anti-bribery measures.
Key takeaways:
- ISO published the final version of the new standard 37001 Anti-bribery management systems
- ISO 37001 does not significantly deviate from standards and best practices typically advised to multinationals
- ISO 37001 is a "Type A"-Standard and therefore available for third party certification
- ISO 37001 is designed for broad application (e.g. large and small enterprises)
- ISO 37001 certification can reduce the risk of bribery occurring in any company
- In case of bribery occurring, ISO 37001 certification can reduce the risk of criminal and civil liability of a company and its top management / the board members
- It remains to be seen whether the new standard becomes "best practice"
1. Content and design of ISO 37001
ISO 37001 aims to assist the process of implementing or enhancing anti-bribery management or control systems. It requires the implementation of a series of measures such as adopting an anti-bribery policy, appointing someone to oversee compliance with that policy, vetting and training employees, undertaking risk assessments on projects and business associates, implementing financial and commercial controls, and instituting reporting and investigation procedures.
The new standard is designed for a broad application. It covers bribery
- in all kinds of industries,
- regardless of type, size and nature of the activity,
- be it in the public, private or non-profit sector,
- including bribery by and against an organization or its staff, and
- bribes paid or received through or by a third party.
ISO 37001 is designed so that it can be used either as a standalone system or integrated into a pre-existing overall management system.
ISO 37001 is a "type A" standard. This means that third parties can certify an organization’s compliance with the standard in the same way as for other ISO standards such as ISO 9001. This also differentiates the new bribery-specific standard from the general ISO 19600 compliance standard, which covers all areas of compliance and was designed by the ISO as a "type B" standard, aimed to provide recommendations and a benchmark rather than an enforceable and certifiable standard (although third party certifications are available for ISO 19600, in particular in Austria).
2. Benefits of ISO 37001
Implementation of and conformity with ISO 37001 cannot provide 100% assurance that no bribery occurs in relation to a company. It is not possible to completely eliminate the risk of bribery.
However, ISO 37001 can help companies to implement reasonable and proportionate measures to prevent, detect and respond to bribery. Thereby the risk of bribery occurring can be reduced.
Given that ISO is widely known – to date the organisation's national standard bodies in 163 member countries have developed nearly 20'000 voluntary international standards across industries and sectors – ISO 37001 certification can be a useful means of assuring customers, business partners, potential investors, employees and management across the world that the company has taken meaningful steps to prevent bribery.
In addition, in case bribery occurs in relation to a company, implementation of and conformity with ISO 37001 can help to reduce the risk of criminal and civil liability of such company and its top management / board members personally, by strengthening the argument that adequate prevention measures had been adopted.
The latter must be viewed against the requirements of the recently amended Swiss law, according to which, in particular
- the company will be penalized in addition to the individual(s) who committed (i) "active" bribery, if it is found responsible for having failed to take all reasonably required organizational measures to prevent the bribery occurring in the first place (art. 102 para. 2 StGB) or (ii) "passive" bribery if the individual(s) who committed the crime cannot be identified and the company is found responsible for having failed to take all the reasonably required organizational measures in order that the perpetrator(s) of such acts could be identified (art. 102 para. 1 StGB); and
- failure of the board to implement adequate measures to prevent bribery can lead to personal civil liability of the board members (breach of fiduciary duty, art. 754 of the Swiss Code of Obligations). In addition, a criminal prosecution against management or members of the board cannot be excluded in circumstances where they fail to implement measures to prevent bribery within the organization. These individual(s) may be convicted due to such omissions ("strafrechtliche Geschäftsherrenhaftung").
We see an ISO 37001 certification as one potential element of a successful legal defence, be it in criminal or civil (fiduciary duty) prosecutions and court proceedings.
To what extent ISO 37001 will gain relevance in Swiss courtrooms will mainly depend on whether this new standard can establish itself as an international best practice. However, the fact that the new standard is based on already well established guidelines, for example guidelines with respect to the UK Bribery Act (BS 10500), and the fact that the ISO standard was drafted and agreed by numerous international bodies already shows its relevance.
Another potential benefit of ISO 37001 may come into play once a company is up for sale.
Given that acts of bribery are by definition difficult to detect, it can be difficult to comprehensively address the respective risks for the company (e.g. fine of up to CHF 5 million, confiscation of the profits from deals involving bribery) with the representations and warranties regime traditionally used in M&A transactions governed by Swiss law. The long limitation periods under Swiss criminal law (of up to 15 years) make it possible for the above risks to materialize years after the sale of a company, long after the warranty period has lapsed.
Depending on the circumstances of the company's business and the market, an ISO 37001 certification can positively influence the pricing of any remaining risks relating to bribery occurring before the sale and thereby increase the sale price for the seller.
3. Limitations of ISO 37001
As mentioned before, implementation of and conformity with ISO 37001 is no guarantee that bribery does not occur in a company.
Also, ISO 37001 does not create global uniformity with respect to what exactly is permissible or prohibited. Instead, the standard provides for a generic definition of "bribery" and defers to the applicable laws to establish which practices are prohibited.
As a result, a company wishing to implement ISO 37001 has to carefully assess the anti-bribery laws applicable to its business. This assessment is the basis of any anti-bribery policy.
4. Bottom Line
Implementation of, conformity with and certification of ISO 37001 can have benefits for local and international businesses in Switzerland. The risk that acts of bribery occur can be reduced. In case bribery occurs nonetheless, the defence against criminal and civil liability of the company as well as of the management and the members of the board can be strengthened. Also, adherence to a standard of ISO, which is widely known, may be an efficient means of assuring customers and business partners across the world that the company has taken meaningful steps to prevent bribery.
In order to assess whether the benefits outweigh the costs, an individual cost-benefit analysis is required including a careful review of the existing anti-bribery measures of the company.
It has to be kept in mind that ISO 37001 does not create global uniformity with respect to what exactly is permissible or prohibited. Thus, if a company decides to implement ISO 37001 it still has to carefully assess the anti-bribery laws applicable to its business.