Segoe UI 20 bold

Webinar

February 2019

ETHIC INTELLIGENCEWhy ISO 37001 Certification Matters in 2019

Segoe UI 20 bold

ETHIC Intelligence

Introductions

Varun Chandrasekaran

Product Manager

The Red Flag Group®

Scott Lane

Chief Executive Officer and Chairman

The Red Flag Group®

Christie Alexander

Field Marketing Manager

The Red Flag Group®

Segoe UI 20 bold

• Objectives and Overview of ISO 37001

• Proof Through Certification

• Comparison to ISO 9001

• The Certification Process

• Q&A

Segoe UI 20 bold

01Objectives and Overview of ISO 37001

Segoe UI 20 bold

ETHIC Intelligence

• Most legal and compliance professionals are aware of the ISO 37001 standard, but may need help to understand:

• The standard’s requirements and how they align to anti-bribery best practices

• The business value of certification

• The benefits of benchmarking against an international standard

• The objective of this webinar is to help you understand and explain the value of ISO 37001 certification to internal stakeholders, so you can take steps towards getting your organization certified and strengthen your anti-bribery program

Objectives

Segoe UI 20 bold

Overview of the ISO 37001 Standard

ISO 37001:2016 on “Anti-Bribery

Management Systems” provides a global

standard that organizations can reference

to identify best practices and controls that

should be implemented when developing,

supplementing, or improving an anti-

bribery management system

Segoe UI 20 bold

ISO 37001 –

Globally Accepted Harmonizes guidelines from major

anti-corruption regulations (FCPA,

UKBA) and international guidance

(OECD)

Supported through independent

audits by qualified certification

agencies

Developed by experts

from 38 countries

ISO Standards are an internationally recognized way to prove commitment to and implementation of best practices and controls.

Segoe UI 20 bold

ETHIC Intelligence

• How are you measuring/benchmarking your anti-bribery program now?

• Against the 10 Hallmarks of an Effective Compliance Program or other U.S. government issued guidance

• Against guidance issued by another country

• Against another non-governmental compliance standard

• Against KPIs or standards we have developed on our own

• We are not measuring/benchmarking our program

Poll Question 1

Segoe UI 20 bold

02Proof Through Certification

Segoe UI 20 bold

ETHIC Intelligence

Certification against ISO 37001 matters, because it provides organizations with tangible proof attesting to the strength of their anti-bribery programs, including:

• An anti-bribery program that meets the general requirements of global anti-bribery regulations

• The ability, resources, and processes to manage issues in a streamlined manner

• A monitoring program to detect and prevent issues

• A third party onboarding program that supports the business through selection of high integrity partners in a reasonable amount of time

Why ISO Certification Matters in 2019 – Proof Through Certification

Segoe UI 20 bold

ETHIC Intelligence

• Proof is important because it:• Provides a single, internationally accepted method

to represent the organization’s commitment and approach to managing anti-bribery issues

• For CEOs and top management, highlights their commitment to leading an ethical company with a strong reputation, free of bribery issues

• For Compliance officers, demonstrates to stakeholders the value of compliance and helps integrate compliance with overall business strategy

Why Proof is Important

Segoe UI 20 bold

ETHIC Intelligence

• Certification against ISO 37001 helps organizations manage global anti-bribery risks because:

• The standard harmonizes global anti-bribery best practices (FCPA, UKBA) and international guidance (OECD)

• Reflects multi-stakeholder agreements on bribery

• As an ISO standard, must be applicable around the globe, and not favor any single region

• Is reviewed every 5 years to incorporate new best practices

Meeting the General Requirements of Global Anti-Bribery Risks

Segoe UI 20 bold

ETHIC Intelligence

• Companies that are certified against ISO 37001 are more likely to have programs that allow them to do business internationally lawfully and with confidence because:

• Their program meets the key core requirements of global anti-bribery legislations

• Their programs are not narrowly tailored to a specific region and can help to represent integrity to a broader group of stakeholders

• They have a trusted credential that separates them from competitors

Manage Global Anti-Bribery Risks

Segoe UI 20 bold

ETHIC Intelligence

• How confident are you that your organization’s anti-bribery program meets global requirements?

• Very confident

• Somewhat confident

• Not very confident

• Not confident

Poll Question 2

Segoe UI 20 bold

ETHIC Intelligence

• Certification against ISO 37001 requires organizations to have the ability, resources and processes to manage anti-bribery issues.

• As a result, certified organizations are more likely to be able to manage issues systematically, efficiently, and without disruption to the business

Ability, Resources and Processes to Manage Anti-Bribery Issues

Segoe UI 20 bold

ETHIC Intelligence

• Identifying and understanding relevant risks (Section 4.5)

• Leadership commitment and tone from the top (Section 5.1)

• Clearly defined roles and responsibilities (Section 5.3)

• Raising competent resources for compliance function (Section 7)

Key Requirements of ISO 37001 for Certification

Segoe UI 20 bold

ETHIC Intelligence

• Awareness and training program (Section 7.3)

• Compliance documentation (Section 7.5)

• Due Diligence (Section 8.2)

• Financial and non-financial controls (Section 8.3-8.4)

• Anti-bribery controls for business associates and controlled organizations (Section 8.5)

• Whistleblowing and raising concerns (Section 8.9)

• Investigating and dealing with bribery (Section 8.10)

Ability, Resources and Processes to Manage Anti-Bribery Issues

Segoe UI 20 bold

ETHIC Intelligence

• Certified companies are more likely to be able to prevent issues because:

• ISO 37001 requires organizations to have a monitoring program

• Certifications are valid for three years, requiring organizations to continuously improve their programs

• Certified organizations must undergo surveillance audits in years 2 and 3

Preventing Issues by Establishing a Monitoring and Continuous Improvement System

Segoe UI 20 bold

ETHIC Intelligence

• Certified organizations are more likely to support the business because:

• They must have an efficient third party onboarding program in place that is appropriate to the risks faced by the organization

• The onboarding program must be sufficiently embedded into the overall business process

• A well established third party onboarding program helps the business select trusted, high integrity partners and could reduce onboarding cycle times

A Third Party Onboarding Program that Creates Value for the Business

Segoe UI 20 bold

ETHIC Intelligence

• What are your greatest challenges in articulating the value of your anti-bribery program to the business?

• Understanding which program areas create value for the business

• Measuring compliance’s impact to the business

• Getting the business to buy into anti-bribery initiatives

• Other

Poll Question 3

Segoe UI 20 bold

03Comparison to ISO 9001

Segoe UI 20 bold

ETHIC Intelligence

• Some compliance professionals are concerned that certification against ISO 37001 won’t mean much to authorities, stakeholders and peers

• Some have drawn comparisons to ISO 9001 (on quality management systems), which over 1 million organizations have certified to, as evidence that certification is a mere formality and will not provide sufficient proof of strength in anti-bribery

Comparison to 9001

Segoe UI 20 bold

ETHIC Intelligence

• ISO 37001 is one of the few standards, where violation of the underlying issue (bribery) could lead to criminal penalties

• As a result, audits against the standard must be provided by certification bodies with a high degree of expertise in bribery

Why ISO 37001 is Distinct

Segoe UI 20 bold

ETHIC Intelligence

• Unlike other ISO standards, fulfillment of the core requirements of ISO 37001 is based on:

• The context of the organization

• Its business model, and

• Must be “reasonable and proportionate” based on the risks faced by the organization (the words “appropriate”, “as needed”, “proportionate” and the like are used over 100 times)

• As a result, certification against ISO 37001 is based on a clear understanding of the organization, its risks and operations, and thus cannot be granted on a “tick the box” basis

ISO 37001 Must Be Implemented Reasonably

Segoe UI 20 bold

04The Certification Process

Segoe UI 20 bold

Steps to follow to increase chances of successful certification

A process which optimizes chances of success

Request for ISO 37001

Certification Services

Develop Audit Program

ISO 37001 Audit and

Certification

Pre Audit

Pre-Certification

Assessment

Management Briefings

Program requires

further development

To qualify for audit

No obvious

program gaps

Organizational buy-in

Complete Application

Questionnaire

Segoe UI 20 bold

How does the certification process work?

Audit plan Kick-off meeting Document review

Certification Body prepares the

audit plan (appointment of the

auditors, selection of documents

to review and employees to

interview).

The organization validates the

audit plan during a kick-off

meeting with the auditors three

weeks prior to the audit’s launch.

The lead auditor reviews the

documents provided by the

organization (policies, procedures,

documented information and

administrative statements).

On-site audit

Interviews with selected

executives and employees

and drafting of the audit

report by the Lead Auditor.

Technical committee

The audit report is reviewed by

the Technical Committee which

validates the audit findings and

awards or denies the certificate.

Attribution of the certificate

The certificate is awarded for a period

of 3 years.

Surveillance audit

A month prior to each anniversary of

the certification, a surveillance audit

is conducted to ensure the continual

improvement of the system.

Segoe UI 20 bold

ETHIC Intelligence

• Is your organization interested in taking steps to look into ISO 37001?

• Yes, and we are well into the process already

• Yes, but only to gather preliminary information

• No, but we are researching ISO 37001 on our own

• No, because ISO 37001 is totally new to me

Poll Question 4

Segoe UI 20 bold

Questions?

Segoe UI 20 bold

www.redflaggroup.com

© The Red Flag Group. All rights reserved.

• Email: contact@ethic-intelligence.com

• Website: https://www.ethic-intelligence.com

Contact us