why iso 37001 certification matters in 2019...iso standards are an internationally recognized way to...
TRANSCRIPT
Webinar
February 2019
ETHIC INTELLIGENCE
Why ISO 37001 Certification Matters in 2019
ETHIC Intelligence
Introductions
Varun Chandrasekaran
Product Manager
The Red Flag Group®
Scott Lane
Chief Executive Officer and Chairman
The Red Flag Group®
Christie Alexander
Field Marketing Manager
The Red Flag Group®
• Objectives and Overview of ISO 37001
• Proof Through Certification
• Comparison to ISO 9001
• The Certification Process
• Q&A
01 Objectives and Overview of ISO 37001
• Most legal and compliance professionals are aware of the ISO 37001 standard, but may need help to understand:
• The standard’s requirements and how they align to anti-bribery best practices
• The business value of certification
• The benefits of benchmarking against an international standard
• The objective of this webinar is to help you understand and explain the value of ISO 37001 certification to internal stakeholders, so you can take steps towards getting your organization certified and strengthen your anti-bribery program
Objectives
Overview of the ISO 37001 Standard
ISO 37001:2016 on “Anti-Bribery Management Systems” provides a global standard that organizations can reference to identify best practices and controls that should be implemented when developing, supplementing, or improving an anti-bribery management system
ISO 37001 – Globally Accepted
• Harmonizes guidelines from major anti-corruption regulations (FCPA, UKBA) and international guidance (OECD)
• Supported through independent audits by qualified certification agencies
• Developed by experts from 38 countries
ISO Standards are an internationally recognized way to prove commitment to and implementation of best practices and controls.
• How are you measuring/benchmarking your anti-bribery program now?
• Against the 10 Hallmarks of an Effective Compliance Program or other U.S. government issued guidance
• Against guidance issued by another country
• Against another non-governmental compliance standard
• Against KPIs or standards we have developed on our own
• We are not measuring/benchmarking our program
Poll Question 1
02 Proof Through Certification
Certification against ISO 37001 matters, because it provides organizations with tangible proof attesting to the strength of their anti-bribery programs, including:
• An anti-bribery program that meets the general requirements of global anti-bribery regulations
• The ability, resources, and processes to manage issues in a streamlined manner
• A monitoring program to detect and prevent issues
• A third party onboarding program that supports the business through selection of high integrity partners in a reasonable amount of time
Why ISO Certification Matters in 2019 – Proof Through Certification
• Proof is important because it:
• Provides a single, internationally accepted method to represent the organization’s commitment and approach to managing anti-bribery issues
• For CEOs and top management, highlights their commitment to leading an ethical company with a strong reputation, free of bribery issues
• For Compliance officers, demonstrates to stakeholders the value of compliance and helps integrate compliance with overall business strategy
Why Proof is Important
• Certification against ISO 37001 helps organizations manage global anti-bribery risks because:
• The standard harmonizes global anti-bribery best practices (FCPA, UKBA) and international guidance (OECD)
• Reflects multi-stakeholder agreements on bribery
• As an ISO standard, must be applicable around the globe, and not favor any single region
• Is reviewed every 5 years to incorporate new best practices
Meeting the General Requirements of Global Anti-Bribery Risks
• Companies that are certified against ISO 37001 are more likely to have programs that allow them to do business internationally lawfully and with confidence because:
• Their program meets the key core requirements of global anti-bribery legislation
• Their programs are not narrowly tailored to a specific region and can help to represent integrity to a broader group of stakeholders
• They have a trusted credential that separates them from competitors
Manage Global Anti-Bribery Risks
• How confident are you that your organization’s anti-bribery program meets global requirements?
• Very confident
• Somewhat confident
• Not very confident
• Not confident
Poll Question 2
• Certification against ISO 37001 requires organizations to have the ability, resources and processes to manage anti-bribery issues.
• As a result, certified organizations are more likely to be able to manage issues systematically, efficiently, and without disruption to the business
Ability, Resources and Processes to Manage Anti-Bribery Issues
• Identifying and understanding relevant risks (Section 4.5)
• Leadership commitment and tone from the top (Section 5.1)
• Clearly defined roles and responsibilities (Section 5.3)
• Raising competent resources for compliance function (Section 7)
Key Requirements of ISO 37001 for Certification
• Awareness and training program (Section 7.3)
• Compliance documentation (Section 7.5)
• Due Diligence (Section 8.2)
• Financial and non-financial controls (Section 8.3-8.4)
• Anti-bribery controls for business associates and controlled organizations (Section 8.5)
• Whistleblowing and raising concerns (Section 8.9)
• Investigating and dealing with bribery (Section 8.10)
Ability, Resources and Processes to Manage Anti-Bribery Issues
• Certified companies are more likely to be able to prevent issues because:
• ISO 37001 requires organizations to have a monitoring program
• Certifications are valid for three years, requiring organizations to continuously improve their programs
• Certified organizations must undergo surveillance audits in years 2 and 3
Preventing Issues by Establishing a Monitoring and Continuous Improvement System
• Certified organizations are more likely to support the business because:
• They must have an efficient third party onboarding program in place that is appropriate to the risks faced by the organization
• The onboarding program must be sufficiently embedded into the overall business process
• A well established third party onboarding program helps the business select trusted, high integrity partners and could reduce onboarding cycle times
A Third Party Onboarding Program that Creates Value for the Business
• What are your greatest challenges in articulating the value of your anti-bribery program to the business?
• Understanding which program areas create value for the business
• Measuring compliance’s impact to the business
• Getting the business to buy into anti-bribery initiatives
• Other
Poll Question 3
03 Comparison to ISO 9001
• Some compliance professionals are concerned that certification against ISO 37001 won’t mean much to authorities, stakeholders and peers
• Some have drawn comparisons to ISO 9001 (on quality management systems), which over 1 million organizations have certified to, as evidence that certification is a mere formality and will not provide sufficient proof of strength in anti-bribery
Comparison to 9001
• ISO 37001 is one of the few standards where violation of the underlying issue (bribery) could lead to criminal penalties
• As a result, audits against the standard must be provided by certification bodies with a high degree of expertise in bribery
Why ISO 37001 is Distinct
• Unlike other ISO standards, fulfillment of the core requirements of ISO 37001 is based on:
• The context of the organization
• Its business model, and
• Must be “reasonable and proportionate” based on the risks faced by the organization (the words “appropriate”, “as needed”, “proportionate” and the like are used over 100 times)
• As a result, certification against ISO 37001 is based on a clear understanding of the organization, its risks and operations, and thus cannot be granted on a “tick the box” basis
ISO 37001 Must Be Implemented Reasonably
04 The Certification Process
Steps to follow to increase chances of successful certification
A process which optimizes chances of success
• Request for ISO 37001 Certification Services
• Develop Audit Program
• ISO 37001 Audit and Certification
• Pre Audit
• Pre-Certification Assessment
• Management Briefings
• Program requires further development
• To qualify for audit
• No obvious program gaps
• Organizational buy-in
• Complete Application Questionnaire
How does the certification process work?
• Audit plan: Certification Body prepares the audit plan (appointment of the auditors, selection of documents to review and employees to interview).
• Kick-off meeting: The organization validates the audit plan during a kick-off meeting with the auditors three weeks prior to the audit’s launch.
• Document review: The lead auditor reviews the documents provided by the organization (policies, procedures, documented information and administrative statements).
• On-site audit: Interviews with selected executives and employees and drafting of the audit report by the Lead Auditor.
• Technical committee: The audit report is reviewed by the Technical Committee which validates the audit findings and awards or denies the certificate.
• Attribution of the certificate: The certificate is awarded for a period of 3 years.
• Surveillance audit: A month prior to each anniversary of the certification, a surveillance audit is conducted to ensure the continual improvement of the system.
• Is your organization interested in taking steps to look into ISO 37001?
• Yes, and we are well into the process already
• Yes, but only to gather preliminary information
• No, but we are researching ISO 37001 on our own
• No, because ISO 37001 is totally new to me
Poll Question 4
Questions?
www.redflaggroup.com
© The Red Flag Group. All rights reserved.
• Email: [email protected]
• Website: https://www.ethic-intelligence.com
Contact us