ISO 37001 - Panacea or just the beginning?

October 2018

By Peter Viksnins, Director and Core Forensic Services & Anti-Corruption Leader, PwC Malaysia 

It’s no surprise that bribery and corruption continues to be on the rise across South East Asia. According to PwC’s Global Economic Crime and Fraud Survey 2018, nearly a quarter of South East Asian organisations (23%) have been asked to pay a bribe in the last two years (vs 14% in 2016). With new technology, comes new risks and complexities to grapple with. Are companies addressing and adapting to these risks fast enough? Are they aware of changing regulations and compliance standards?

The ISO 37001: Anti Bribery Management Systems was recently published globally to combat bribery and promote an ethical business culture. In fact, many of South East Asia’s standard-setting organisations, including in Malaysia, Singapore, Indonesia, and the Philippines, have adopted this standard. Some of the leading companies and government agencies in the region have taken a step further to get certified. So how are companies responding to this standard in the different parts of the region?

In this blog, I will explore three key questions: what is this standard, why is it popular in the region, and what actions should companies consider taking now that it's been published?


What is ISO 37001?

ISO 37001 has variants specific to different countries, but it’s essentially recognised as an Anti-Bribery Management System. Some companies already have existing Anti-Bribery / Anti-Corruption (ABAC) compliance programmes. So, assuming that companies follow existing guidance for developed economies, most of the content of ISO 37001 will be familiar territory.

Guidance on ABAC compliance programmes has been published by a number of governments and non-governmental organisations for years. ISO 37001 definitely stands on the shoulders of their predecessors, including:

  1. the US Sentencing Guidelines and the FCPA Guide published by the US Department of Justice and the Securities and Exchange Commission
  2. the United Kingdom’s Ministry of Justice’s Guidance on the UK Bribery Act 2010
  3. the OECD’s Good Practice Guidance on Internal Controls, Ethics and Compliance

For some companies, the only “new” piece of the ISO 37001 standard is the requirement for some level of due diligence on individual employees in risky or sensitive positions. But this sort of requirement can in fact be found in the US Sentencing Guidelines Chapter 8.


Why is ISO 37001 popular in South East Asia?

  • A number of government agencies and key companies like Petronas have been certified.
  • The standard is further bolstered by backing from the Malaysian Anti-Corruption Commission (MACC).
    • Recently, the Malaysian Parliament tabled amendments to the MACC Act 2009 to include corporate liability. With the potential change in the law, adopting this certification can be seen as a measure to help corporations mitigate that liability.
  • The Standards, Productivity and Innovation Board (SPRING) and Corrupt Practices Investigation Bureau (CPIB) launched the Singapore Standard (SS) ISO 37001 in September 2017.
    • This standard is designed to provide guidelines to help Singapore companies strengthen their anti-bribery compliance systems and processes and ensure compliance with anti-bribery laws.
    • Although the standard is voluntary, its endorsement and promotion by the government clearly indicates the high threshold of expectations set by the authorities for companies to comply.
    • Following a recent bribery and corruption investigation, being ISO certified was a specific condition imposed by CPIB on a local organisation as part of its remediation action. We expect this to be the trend moving forward.
  • SKK Migas, Indonesia’s Oil and Gas Supervisory regulator, became certified last year.
    • While this regulator is keen for their stakeholders (e.g. companies, contractors, sub-contractors/vendors) to be certified also, it hasn’t made it mandatory.
  • The Indonesian Anti-corruption Commission (KPK), at recent public forums advised that it was not in favour of requiring all organisations to become certified as this could be a resource and financial burden to smaller entities.
    • Instead, they encourage organisations to work towards anti-corruption and have appropriate policies, procedures and risk mitigation measures in place.
  • The Department of Trade and Industry’s Bureau of Philippine Standards (DTI-BPS) adopted the ISO 37001 standard in April 2017.
  • While this standard hasn’t been widely reported in the media, many private, public and academic sector stakeholders have championed relevant ethical behaviour via the Integrity Initiative, Inc.
    • Like ISO 37001, it seeks to implement a certifiable, independently auditable standard for participants to follow, and has been incorporated as an NGO in the Philippines since mid-2013.
  • Many listed companies in the financial and non-financial sectors are interested in adopting ISO 37001, even though the Office of the National Anti-Corruption Commission does not advocate it.
    • This is because most Thai listed companies are members of Thailand’s Private Sector Collective Action Coalition against Corruption (CAC), whose operations are sponsored by the US-based Center for International Private Enterprise (CIPE) and the U.K. Prosperity Fund.
    • Companies who already have a certificate from the CAC believe that the next step is to get certified with an international standard like ISO 37001. For them, the application process isn’t too difficult, similar to obtaining a CAC certificate. The CAC includes many leading Thai private sector associations.

It can be argued that the popularity of the standard is a result of its global nature – after all, it doesn’t have the force of law, and is an international standard, rather than being advocated only by Western governments like the US FCPA or UK Bribery Act 2010. It is also not restricted to particular groups or international associations (like guidance from the OECD or EU might be perceived to be). Thus, for entities of the Malaysian, Singaporean or other regional governments to suggest the standard doesn’t necessarily mean they have to adopt another government’s legislation.


What can companies do to protect themselves from corruption risk?

I recommend that companies approach certification with caution before embarking on it. This certification carries with it ongoing obligations including audits, training and risk assessments. Some companies may feel that it is more prudent to implement a robust anti-bribery management system consistent with the principles of ISO 37001, rather than committing both time and financial resources to be certified with the standard. As shared, many of those ISO 37001 principles are already encapsulated in numerous other authoritative documents that can be used to set up the framework for such a compliance programme.

I strongly recommend that companies perform a corruption risk assessment as a first step. Only one-third of Asia-Pacific respondents in PwC’s Global Economic Crime and Fraud Survey 2018 indicated that they had performed such an assessment in the past two years – clearly an area for improvement.

Risk assessments do not always need to be significant exercises conducted by external consultants. Very often organisations can perform the sufficient basics of a corruption risk assessment themselves. As with any risk assessment process, the first step is to identify the actual and potential risks, and assess their likelihood and impact. Then existing controls and mitigating factors can be bolstered until the remaining corruption risk is acceptably low. Any risk assessment undertaken should be regular, formal and well documented.

More than a risk assessment alone, what’s needed is a customised compliance programme to prevent and mitigate the risks faced by companies. A well designed compliance programme must have significant top level commitment, and be clearly informed by robust risk assessment and planning. With a strong foundation of clear and concise policies and procedures, third party risk and other high risk areas can effectively be managed. Once implemented, any compliance programme must be combined with a comprehensive communications and training plan, and be subject to ongoing monitoring, review and continuous improvement. This will help companies up their game in detecting, monitoring and preventing future incidences of bribery. Look for fraud in the right places. And you’ve won half the battle in addressing its risks.

Contact us

Follow us