Podcast: Implementing ISO 37001

Compliance officers have heard a lot in the last year about ISO 37001, the new standard for managing anti-bribery programs published by ISO in 2016.

Microsoft and Walmart both say they plan to implement it, as a formalized structure to manage their FCPA risks. Then again, Italian oil company ENI announced in January that it already had implemented ISO 37001—and two weeks later, its CEO was charged with corruption. So some skepticism exists about how well ISO 37001 actually works.

Today we’re going to explore the standard more deeply with CPA Global, a London firm that announced last week that it had implemented ISO 37001. CPA Global’s head of audit and compliance, Mark Speck, graciously agreed to talk with me about how the experience went.

You can hear our full conversation (17 minutes) in the podcast below. Meanwhile, a few of my thoughts below.

First, a company is going to make what it wants of this standard. I’ve known Speck for years and he’s no slouch at running effective compliance programs. I’m not surprised that he spent many months trying to implement ISO 37001, including certification from an outside audit firm. I’m also not surprised that a state-owned enterprise in Italy would complete its ISO 37001 implementation in a fraction of that time, and see its sitting CEO charged in a corruption scandal two weeks later.

To my thinking, ISO 37001 is much like a SOC 2 audit (the audit that service companies perform to verify their data security controls). SOC 2 audits can be great tools and provide the assurance that other parties want, but service companies design these audits themselves. Unscrupulous parties can design SOC 2 audits in their favor; careless parties can design them poorly so they don’t capture the true security risk a service company might have.

ISO standards aren’t as loosey-goosey as SOC audits, but they still depend foremost on the intent of the company implementing them. The heads of compliance at Microsoft and Walmart, like Speck, are serious people who want ISO 37001 to work. All companies should be so lucky to have that determination.

Second, ISO sells better in Europe than the United States. Let’s remember that CPA Global is based in Britain, with operations in more than 190 countries. The company manages intellectual property for other businesses, so a large part of CPA Global’s “workforce” are local law firms working as agents for it at patent offices around the world.

As such, CPA Global needs an anti-bribery system that non-U.S. audiences can understand and respect. ISO standards meet that description. ISO is more popular in Europe than here. New ISO standards can fit with older ISO standards the company might use, such as the 31000 standard for risk management. (I didn’t ask Speck whether CPA Global uses any other ISO standards already.) ISO carries an air of neutrality, rather than the “regulatory imperialism” some people like to complain about when the U.S. compliance crew shows up talking about the Foreign Corrupt Practices Act.

Third, an audit is still an audit. I asked Speck what the most difficult parts of implementation were. Not surprisingly, he cited the mechanics of identifying gaps between CPA Global’s existing compliance program and the ISO 37001 standards; closing those gaps through process improvements or control changes; and going through the audit.

That is, the toughest part of this process was doing the work—not mustering the executive will to do the work. (“It was something the company immediately wanted to pursue,” Speck says.)

For example, CPA Global’s operational controls are in London, while the functional controls are with Speck in the United States. That made for some extra work when ETHIC Intelligence performed an outside audit. The audit itself, Speck says, was vigorous: “I’ve been through some ISO audits that I didn’t think were very demanding… but this one I found very challenging.” (See the earlier point that ISO standards are what you make of them.)

What’s next? CPA Global’s ISO 37001 certification is good for three years. Its compliance program will get annual reviews until then, although those findings are usually more recommendations than urgent, “fix this or else” red flags that might cause a company to lose its certification. In 2020, the process starts all over again.

You can hear our podcast below, or listen to it on YouTube.
