DEVELOPING A MANAGEMENT STANDARD TO PREVENT BRIBERY: ISO 37001 OFFERS A NEW APPROACH, 2012-2019

SYNOPSIS

After the United Nations Convention against Corruption went into effect in 2005, pressure grew on private firms as well as governments to prevent their agents and employees (high officials as well as the rank and file) from offering or receiving money or other gifts as illicit inducements in the conduct of business. But in the years that followed, it became apparent that leaders were hard-pressed to identify and establish ways to address those problems. Drawing on his experience in the international construction sector, British lawyer Neill Stansbury recognized the need for operational standards that would enable organizations of all types to reduce or eliminate the structures and behaviors that contributed to bribery risk. In 2013, Stansbury and experts representing 37 countries and eight international organizations came together under the umbrella of the International Organization for Standardization to craft ISO 37001, the first international antibribery management system standard, which laid out specific policies and procedures firms and governments could use to identify and address vulnerabilities before problems occurred. Initially, adoption was slow for three main reasons: companies were focusing their attention on compliance with applicable national laws; introduction of the new standard would demand significant amounts of management time; and final certification would require costly review by an independent third party. A high-profile bribery scandal at one of the first certified companies also raised credibility concerns. As efforts to implement ISO 37001 continued, experience revealed both the advantages and the limitations of adhering to an international management standard to change inappropriate behaviors and create a level playing field in global commerce.

Tyler McBrien drafted this case study based on interviews conducted in April and May 2020.
Case published July 2020.

INTRODUCTION

In June 2015, Brazilian authorities arrested Marcelo Odebrecht, chief executive of Grupo Odebrecht, Latin America's largest construction conglomerate, as part of their sprawling investigation into financial mismanagement and wrongdoing at state-owned oil company Petrobras.[1] The investigation, known as Operation Car Wash because of the location where authorities first found so-called dirty money, began as a probe into low-level money laundering but eventually unearthed corruption valued at billions of dollars. The fallout brought down Brazil's former president and dozens of other politicians and uncovered wrongdoing in at least 11 countries.[2]

Although the Odebrecht scandal shed light on an extensive network of backroom deals and shady payments, the case illuminated only a small piece of the global corruption problem. A 2005 World Bank report estimated that over US$1 trillion of bribes changed hands in a single year, but the costs were more than monetary. Martin Manuhwa, an engineering consultant and chair of the Federation of African Engineering Organisations, a Nigeria-based nongovernmental organization (NGO), said public works projects awarded through illicit means rather than honest and open bidding often resulted in shoddy workmanship. In such cases, he added: "Infrastructure collapses. Roads develop potholes, and people die. Basically, corruption kills."

Neill Stansbury had been well acquainted with the scale and impact of global corruption long before the Odebrecht scandal made headlines. Since 2002, Stansbury, a UK lawyer, had worked in the field of corruption prevention and compliance in the international infrastructure sector. In his experience, many people in business and government wanted a level, corruption-free playing field, but in few places was that the norm. Changing practices intentionally hidden from sight or entrenched by social norms was a vexing challenge.
When it came to bribery in contracting, one of the areas with the highest bribery risk, he recognized the complicity of both the public and private sectors. "If no one pays, no one receives," Stansbury said. "And if no one asks, no one pays. So, you need two people ready to participate in bribery: a payer and a recipient."

After many years of working with global construction firms, Stansbury saw the importance of trying to change behaviors. He had concluded that people generally fell into three categories. "I would say about 10% of businesspeople are always inherently ethical and just wouldn't do anything wrong," he said. "Another 10% are always inherently unethical and will do everything possible to do anything wrong. Then you have this massive pack of people in the middle, that 80%, who will react according to social and business norms."

In 2008, Stansbury cofounded the Global Infrastructure Anti-Corruption Centre (GIACC) in the United Kingdom with Catherine Stansbury, a lawyer specializing in construction and commercial litigation (the two are married). He said their strategy was simple in principle: "If there are 10 companies in a sector and you can't get all 10 to turn the tap off, you have to get 9 of them to turn the tap off and make sure the enforcement regime is good enough to stop the 10th."

Stansbury said GIACC adopted a collaborative strategy because past efforts had failed to convince individual organizations to put operational controls in place to prevent corruption. "The core of GIACC's approach was to assemble a coalition," he said. "It can't be just NGOs. You've got to get a coalition of contractors, engineers, business leaders, and government officials to be anticorruption leaders."

GIACC spent years approaching industry leaders to build such a coalition, Stansbury said. The organization also published a variety of anticorruption advice, information, and best practices on its website.
But many organizations found it confusing and time-consuming to evaluate the many different, largely statute-based antibribery requirements and guidelines that governments and civic organizations had established. The US Department of Justice, Transparency International, the International Chamber of Commerce, and the Organisation for Economic Co-operation and Development (OECD), among others, all offered guidance on the components and characteristics of compliance programs but said little about implementation. And none of them established an auditable minimum management standard. The Big Four global accounting firms reportedly had twice tried and failed to create an audit methodology they could use to help firms comply with the many rules governments had promulgated.

A significant step forward came in 2011, when the United Kingdom's new Bribery Act took effect. The law placed the burden of proof on companies accused of wrongdoing to show that they had "adequate procedures" in place to prevent bribery. As Stansbury explained it: "If the offense is committed in the name of, on behalf of, or for the benefit of the company, the company can be convicted. But the law gave one defense: if the company, in good faith, had implemented adequate procedures designed to stop bribery from taking place." In such instances, employees alleged to have committed offenses would bear individual responsibility for their own actions, and in that knowledge, they would be less likely to engage in shady practices, at least in theory.

As UK companies confronted the implications of the new law, the British Standards Institution (BSI), which set technical standards for many products and services and served as the UK national standards body, approached Stansbury's organization. "In 2011, when the Bribery Act was published, the BSI got in touch with us," Stansbury recalled. "They were wondering whether an antibribery management system would be something suitable for a national standard.
They were pushing at an open door, of course, because we had been recommending that for many years." Stansbury said he embraced the idea not only as an opportunity to address the problem of bribery in the United Kingdom but also as an occasion to create the foundation of an international antibribery management standard that would combine the best ideas from around the world.

Under the auspices of the BSI, Stansbury led a working group made up of engineering firms, contractors, banks, accounting firms, law firms, the government (including prosecutors), pharmaceutical companies, and a small business federation to develop the guidelines. British Standard 10500, the result of their work, laid out specific measures that companies should implement to reduce the risk of bribery. The UK government could require and monitor BS 10500 adherence in the companies with which it did business, and courts could apply the standard as part of analyses to assess whether companies had taken adequate procedures to prevent bribery, should a problem arise.

The BSI published BS 10500 in late 2011, but for Stansbury and others, a more far-reaching goal remained: to develop an inclusive, international standard that organizations of any size, sector, or country of origin could understand and implement.

THE CHALLENGE

There was precedent for such a type of voluntary international standard. Beginning in the early 2000s, a growing movement among governments and NGOs had pushed the private sector to adopt management systems related to labor, health and safety, environmental protection, and quality management through a set of standards published by the International Organization for Standardization (ISO), an NGO based in Geneva. ISO (pronounced \EYE-so\, the short form of the name based on the Greek word isos, meaning equal) published globally recognized standards on everything from the dimensions of freight containers to the components that make up an information security management system.
In 2020, its total membership consisted of 164 national standards bodies. In theory, the management system standards encouraged companies to enact good-housekeeping measures in order to avoid criminal sanctions or fines under existing laws, as well as to bolster their public images, though not everyone agreed that they played a useful role (text box 1).

Box 1: Advantages and limitations of international standards in fighting corruption

Not everyone in the anticorruption movement saw a new international standard backed by certification as more valuable or more effective than other reform strategies. A 2014 report by Transparency International USA (now the Coalition for Integrity) outlined several concerns. “A certification is a public statement of the state of a company’s compliance program,” the authors wrote, but “its validity depends on the ability of the public to understand what it means.”[1] One of the authors, Shruti Shah, president and CEO of the Coalition for Integrity, said in an interview that such understanding is never ensured. “The concern with certifications is that it is not really clear what the scope of the review is, whether it is for a particular division or the entire company,” said Shah. “And when you think of a multinational company, it’s continually changing. So to express that a set of controls is going to remain in place for a long period of time, which would be what a certification may falsely show, is not really realistic. It might give a false sense of security.”

Mark Pyman, founder of London-based nonprofit Curbing Corruption and formerly chief financial officer at a large international company, argued that more progress would be made when governments, companies, and agencies concentrated on corruption reduction in specific sectors, such as the defense industry. Pyman said that policies and procedures tailored to solving specific problems, rather than a one-size-fits-all approach, better served specific needs.
But others saw distinct advantages to an international standard that would combine the best antibribery approaches with various countries’ requirements. Elaine Dezenski, founder and managing partner of an international risk-advisory firm and former World Economic Forum executive, said an effective international standard could codify common needs and operating language. Worth MacMurray, a Washington, D.C., lawyer and subject-matter auditor for ISO 37001, agreed. “If a large Ecuadoran company wants to work with a US counterpart, there is typically a lot of back and forth in the antibribery contractual provisions negotiation phase,” he said. “I can’t tell you how much time it takes to negotiate these things from scratch. But if you have certification by a globally recognized standard, everyone speaks the same antibribery language no matter whether they’re speaking Spanish or English.”

[1] Fritz Heimann, Claudia J. Dumas, Shruti Shah, Verification of Anti-corruption Compliance Programs, Transparency International USA, July 2014:29-30, https://www.transparency.nl/wp-content/uploads/2016/12/TI-USA_2014_verificationreportfinal.pdf.

The process for developing an international standard wasn't easy. First, a national standards body, such as the BSI, had to develop a formal proposal for submission to ISO, whose standards typically took three years to develop. After ISO members voted to move ahead with an initial proposal, the next step was to form a project committee that included a broad spectrum of international stakeholders, ranging from subject-matter experts representing civil society to technocrats representing national standards bodies. Over many months, ISO members then met in person and in conference calls to discuss outlines, concepts, and working drafts; to form technical working groups; and, finally, to vote for or against publication of the final standard version.
The ISO 37001 drafters anticipated that various third parties such as compliance firms, lawyers, and nonprofits would begin to offer certification services to provide assurance for the public (and potential clients and customers) that organizations that said that they had adopted the standard actually complied with its various requirements. Those types of services had evolved for vetting adherence to other standards, such as standards governing supply chain management. One of the features of ISO 37001 is that organizations could implement the standard without going through the independent accredited third-party audit process, but the assurance and additional credibility that certification offered would attract potential customers and clients, in the case of businesses, or reassure taxpayers their money was being used as intended, in the case of governments.

Given ISO's international scope, one of the first daunting challenges was to develop a standard broad enough to encompass different forms of antibribery best practices (or so-called leading practices) for organizations of all sizes across all countries, with different contexts and legal standards, while still maintaining enough specificity to be effective. ISO's stated commitment to consensus-based decision making, whereby the organization worked hard to take all points of view into account, could make it difficult to incorporate disparate voices into a coherent standard, especially if various groups started far apart in their opinions. For instance, some participants might want to water down the principles to the lowest common denominator; some minority holdouts might gain an outsized voice in the final decision; and the entire process might break down without agreement.
The ISO project committee also ran the risk of actually lowering the bar if the standard it created was less stringent than existing national antibribery laws, such as the US Foreign Corrupt Practices Act, which prohibits US entities and citizens from bribing foreign officials anywhere in the world to benefit their commercial interests. The whole idea behind the management standard was to enable companies to comply with the law more easily, not to serve as a substitute; but for it to work, the standard had to take the toughest of those laws as its reference point.

And even if the ISO 37001 team reached agreement on a standard, implementation challenges remained. Proponents of this approach, including the experts and country representatives who served on ISO project committees, hoped a new standard would see widespread adoption. But it was not immediately clear who would promote it or how.

For some firms, the case for a management standard was compelling. Shruti Shah, president and CEO of the Coalition for Integrity, based in Washington, D.C., said that third-party certification could be especially attractive to companies that wanted to establish their status as good business partners, even if they were located in countries where anticorruption enforcement was weak. Philippe Montigny, who founded Paris-based consultancy and certifying body ETHIC Intelligence, recalled that in the early 2000s, when he began to help companies develop codes of conduct and integrity training for employees, many of the firms that were investing in anticorruption measures had no way to communicate credibly to stakeholders that their efforts were genuine.[3] Adopting the ISO standard and securing independent accredited certification gave them a way to show they not only had antibribery policies on their books but also were enforcing those policies.
Third-party certification was especially important in the areas of public contracting, in which governments usually had little financial or staff capacity to verify a company's compliance with detailed corruption requirements.[4] In that context, requiring a third-party audit and certification could result in lower risks and lower enforcement costs as well as greater effectiveness.

Still, the up-front expense and complications of certification might discourage some companies from participating.[5] Absent efforts by governments, business associations, or civic organizations to encourage compliance (and a consequent market advantage for those who did so), the standard might just sit on the shelf. In addition, companies that conducted audits and awarded certificates around the world had to ensure that their certifications carried credibility and commanded respect. As Montigny pointed out, "The credibility of the audit is absolutely key in the entire process."

FRAMING A RESPONSE

BS 10500 was the first antibribery management system standard of its kind, and Stansbury intended to use it as the basis for an international standard. The team that created it had decided to focus on bribery's supply side (the offer of money or favors, usually from private companies, in return for benefit) rather than on the demand side, which usually involved public officials who solicited bribes. For Stansbury, structure was key: "It's all controls: controls over the money, controls over the people, controls over the buying, and controls over the selling."

Proponents of the approach had to undergo a multistep process set up by ISO. The first step involved submission of a formal proposal from the BSI, the UK national standards authority, for approval by the other national standards bodies that constituted the ISO membership.
All new standards were required to (1) start as national standards, (2) respond to a need in the market, (3) reflect global expert opinions, (4) develop through a multistakeholder process, and (5) result from broad consensus among members.

After a favorable vote, the next step was to empower a project committee that would design the standard. The project committee's docket focused on three significant elements: ironing out a definition of bribery that would be valid around the world, nailing down the essential components of an antibribery management system that spanned cultures and borders, and setting forth the requirements for third-party certification that would be meaningful to a global audience. The ISO decision rules required consensus among committee members, and then consensus among national standards bodies, through several rounds of voting. All of the standards that ISO approved traversed that same development process.

The final step was to get governments and companies to adopt and implement the standard. ISO had no capacity to advertise the finished product and did not consider advertising as part of its mission. The organization's theory of change rested on faith that firms and governments would find the standard an effective way to deal with an important and difficult problem and would gradually adopt the measures it proposed (and try to get the word out) to give themselves a competitive edge and build trust with the public.

GETTING DOWN TO WORK

In November 2012, the BSI formally submitted its proposal to ISO to create an international antibribery standard based on its own BS 10500. Some national members were not initially convinced that the proposal should go through the process, and the proposed standard almost died at that first stage. Among the votes against were ISO member organizations representing countries that believed their own anticorruption laws were strong and needed no additional backing.
In response, Stansbury said, he stressed that "the purpose of the standard is to help compliance with the law. It doesn't usurp the law." Stansbury's argument won the day. In June 2013, ISO members voted to establish an official project committee, with Stansbury as chair and KM Loi, secretary-general of Transparency International Malaysia, who has a doctorate in business administration, as vice chair.

Negotiating the standard

Experts representing 37 countries and eight international organizations came together to form the project committee, which served as the vehicle for drafting and deliberation.[6] As chair, Stansbury led the effort to adapt BS 10500 to fit the same template as ISO's other management system standards, such as those for quality assurance and safety. "Following the same template means that a company can get certified to quality, safety, environment, antibribery, and information technology all at the same time, following the same process," he said.

The initial draft was then submitted to the ISO negotiation process, and subsequent drafts reflected ideas and proposals from all over the world. Stansbury recalled that one particular draft elicited more than 800 comments from 22 countries. Participating countries, or countries that set up national committees to formally submit feedback on the standard, sent their draft comments to ISO to compile, and the project committee dealt with proposed amendments and comments and built consensus through six in-person meetings during the course of three years.

One particularly contentious issue involved whether the proposed management system standard should be advisory or mandatory. In the ISO domain, management standards, which involved actions and controls, were categorized as either guidance, which merely provided information and leading practices, or requirements, which were specific and measurable and led to certification through auditing.
Two groups of participating countries coalesced, with most of them favoring a requirement standard, Stansbury remembered. The majority, including Stansbury, said a guidance standard would be too weak because it would provide no avenue for independent verification of compliance. "There's no point in having an international guidance standard," he said. "You can read the OECD guidance. You can read the Transparency International guidance. You get guidance from many sources. The only way we were going to make a breakthrough internationally was if we made it a certifiable requirement standard." The camp supporting the requirement standard ultimately prevailed.

ISO's consensus-based drafting and approval approach, wherein every word of a proposed standard had to be approved by a significant majority of participating countries, imposed considerable rigor on the process. Stansbury said he was pleased with the final draft. "Critically, what I feared might happen never happened," he said. "There was a risk that the large number of countries participating would result in a weak, compromised text. The text never became weak. We had on the project committee a superb group of international experts who had high levels of expertise and a common goal. Everyone in that room wanted a highly sophisticated, robust, and achievable standard."

As the vote on the final draft approached, Stansbury grew nervous. For ISO to publish the standard, the draft had to pass a double test: more than two-thirds of participating countries had to vote in favor, and not more than 25% of all 164 ISO member countries, whether participating or not, could vote against. That meant that a bloc of countries could play no part whatsoever in the drafting process yet could still block the standard's publication at the final approval stage.

In October 2016, ISO 37001 passed, with only three countries voting against publication. ISO voting was not a matter of public record.
"It was carried virtually unanimously," Stansbury said. "All of us who had driven this exercise were hugely delighted. It was a great example of how representatives of so many countries speaking so many different languages can work together for the common good."

The standard required organizations seeking certification to have all of the following controls in place: "(1) an anti-bribery policy and procedures; (2) top management leadership, commitment and responsibility; (3) oversight by a compliance manager or function; (4) anti-bribery training; (5) risk assessments and due diligence on projects and business associates; (6) financial, procurement, commercial and contractual controls; (7) reporting, monitoring, investigation and review; and (8) corrective action and continual improvement."[7]

After ISO published 37001, the standard was immediately available for purchase on the ISO's online store and through national members. The licensing fee of US$168 for ISO 37001 as of mid-2020 is meant to offset the cost of standards development.[8] Alongside 37001, ISO published a second standard, 17021-9, which specified that only antibribery experts could serve as auditors and listed the auditing criteria used for determining whether a company met the standard.[9]

For organizations that wanted to implement substantive antibribery measures but did not want to seek certification right away, the ISO standard offered a road map. Organizations could then assert full or partial ISO 37001 compliance, though such would be only self-certifications and would carry less authority than an independent third-party certification.

Setting up a certification governance system

The elation of Stansbury and others on the project committee faded as the new standard hit early roadblocks in the forms of certifying body accreditation and market perceptions.
To unlock the full potential of the standard, companies that implemented the antibribery system had to obtain certification by accredited independent third parties. But ISO 37001 certifications were not immediately available because the certifying bodies had not yet received the required accreditations from their respective national accreditation organizations. The latter could begin developing their accreditation methodologies and standards only once ISO issued 37001. With a few exceptions, it ended up taking more than a year for many of the national standards bodies to finish their internal ISO 37001 work and to begin accrediting certifying-body companies.

Another major problem was that because of the relative novelty and complexity of antibribery subject matter, certification bodies had to invest time and resources in training or hiring specialized auditors. Many certifying-body candidate companies were unsure whether ISO 37001 would gain enough acceptance by the international community to justify the cost. "A lot of them said they were waiting to see how popular the standard would be," Stansbury said. "Why would a certification body put money into training auditors if no companies were going to take it up? And why would a company implement the standard if no certifying bodies are going to be ready to certify?"

The ISO management system audit process applicable to ISO 37001 and all other ISO management systems consisted of two stages. Stage 1 consisted largely of a headquarters-based document review and, for ISO 37001, focused on the organization's antibribery management system framework applicable to its unique facts and circumstances and related components such as policies and procedures. Stage 2 consisted of field office interviews and on-site records reviews to confirm that a company's antibribery performance complied with the requirements of both ISO 37001 and the organization's policies.
A certifying body would issue ISO 37001 certification to an organization only after successful completion of both stages. ISO 37001 certifications attempted to capture an organization's actions over a three-year period. Required periodic surveillance audits, conducted by the same certifying body, ensured that the management system was operational, appropriately evolving as the organization changed, and not a paper program. The follow-up audits occurred at the one-year and two-year anniversaries of the initial audit and typically covered 30% of the scope of the initial audit.

The certification of antibribery management systems against a standard wasn't an easy process. A 2014 report by Transparency International USA (renamed Coalition for Integrity in March 2017) written before the development of ISO 37001 explained that unlike social and environmental programs, which have metrics that can be quantified, "verification of an anti-corruption program depends on a more qualitative evaluation."[10] Shah, who served as one of the report's coauthors, said those practical differences remained relevant.

Supporting company adoption

Once ISO published the standard and once the certifying bodies obtained accreditation, there remained the matter of winning adoption by governments and private companies alike. ISO saw itself simply as a forum to facilitate the creation of widely accepted international standards. Widespread adoption relied on the standard's earning broad acceptance as a useful tool in the fight against bribery. In the same way as the creation of standards in other policy areas triggered private firms to supply audit services, ISO 37001 sparked a new industry of compliance services related to antibribery management systems.
To encourage companies to seek voluntary certification, various certifying bodies and antibribery subject matter experts promoted the merits and desirable outcomes of certifications, and some offered pro bono certifications and/or reduced-fee consulting to early adopters. Bruno Samuel, a commercial director at the BSI, said high-level company managers had good reason to embrace the concept of certification. "From a chief compliance officer's point of view, ISO 37001 certification is a great way to not only mitigate your own risk but also, if all else fails, show due diligence in case of prosecution," he said. "If you put yourself in the shoes of a chief financial officer or a chief executive officer, just look at the amounts of the fines imposed by the United States Department of Justice. You're talking about hundreds of millions of dollars, which could potentially put a company out of business."

Client demand was another incentive. For executives at Mott MacDonald, a global engineering, management, and development consultancy based in the United Kingdom, an ISO 37001 certification grew more attractive when customers began to request it. “In our tenders, the question was being asked, ‘Do you have certification to ISO 37001?,’” said Lorna Raymond, who led the ISO 37001 certification process at Mott MacDonald. “And if you didn't have certification, it would mean that you'd have to provide a lot more information and evidence of antibribery management in the company.”

Some of the ISO 37001 early adopters also captured a business advantage from embracing the new standard. "As one of the first in our industry to have the certification, it made us stand out," said Raymond. "It showed us as leaders in the antibribery management space, and as a company that genuinely cares about fighting corruption."
Companies that had already earned certification under other ISO management standards-such as ISO 27001 on information security or ISO 14001 on reducing negative environmental impact-and already had reasonably mature antibribery programs in place had likely already done 65 to 75% of the work required to comply with ISO 37001, said Worth MacMurray, a lawyer and ISO 37001 auditor. That made adoption relatively easy and less costly-at least in theory.

However, some experts cautioned companies and governments that certification was not an insurance policy. "If you've got an ISO certification, regulators are not going to say, 'Oh, that proves that you have a sound compliance program,'" said Shah of the Coalition for Integrity. Paul Hockley, Mott MacDonald's ethics and compliance officer, concurred, but still viewed certification as a benefit. "Having international standards in your back pocket is a good demonstrator of integrity, but it's not the be all end all," said Hockley. "We need to do a lot more than just having certified standards, but it's a good start."

Despite initial difficulties, the certification process gained momentum. In January 2017, just three months after ISO's adoption of the 37001 standard, Italian oil and gas giant Eni SpA became the first company to obtain certification.

One company's experience: TNB Malaysia

Kalivann Palanivelu, chief integrity development officer of Malaysian electricity utility TNB, said his company's ISO 37001 journey began shortly after ISO published the standard in late 2016. After a transfer to the company's integrity department (formerly known as the internal affairs department), Palanivelu was chosen to lead the department's restructuring, having received training as a certified integrity officer from the Malaysia Anti-Corruption Academy, an initiative of the Malaysian Anti-Corruption Commission.
In his new role, Palanivelu's job was to design a framework to promote integrity across the entire organization, which comprised 36,000 employees and 70 subsidiaries. The broad goal was to enable TNB to address corruption and bribery proactively. Palanivelu engaged an anticorruption expert who suggested the ISO 37001 system.

Palanivelu said TNB management liked the idea of an internationally vetted standard as the basis for its management system, but past experience involving certification for a different ISO standard gave them pause. Palanivelu recalled that when auditors arrived to certify one of TNB's business units for ISO 9001, covering quality management systems, "Rather than improving processes, the auditors were more focused on whether or not we had documents for a particular process." "It was very tedious, and very documented based," he said. "It took up a lot of the organization's resources. So, we had to convince management that we were not going for certification per se but wanted to develop a governance framework based on the ISO 37001 guidelines."

Management agreed to Palanivelu's ISO 37001 proposal, which kicked off a two-year implementation of TNB's corporate integrity management system. Palanivelu said he divided the implementation process into several stages-one for each of the areas of the ISO 37001 framework-and added elements not required by the standard.

Around that time, the Malaysia Anti-Corruption Academy, which administers training programs and courses for the Malaysian Anti-Corruption Commission, approached TNB to request that TNB participate in a pilot program to certify 10 companies for ISO 37001 on an accelerated timeline. By the end of 2018, Palanivelu had implemented the corporate integrity management system and deemed the company ready to participate in the pilot. The question then became which unit or division within the giant utility to certify.
Palanivelu chose the procurement division, based on a study that found corporate purchasing functions had a relatively high bribery risk. Palanivelu described the certification process as "a learning process for everybody" when familiar problems returned. TNB hired the same local certifying body from previous certifications on the assumption that the auditors knew the company well. Plus, the cost for an international certifying body was higher than management wanted to pay. "Not many companies were being certified at that point in time, so the certifying body didn't have the expertise needed to look at the elements of the audits," he said. Still, the procurement division received its ISO 37001 certification after a four-month audit. In early 2018, after initial certification, Malaysia passed an amended corporate liability act that put pressure on TNB, a state-owned enterprise, to seek certification for additional subsidiaries despite the difficulties of doing so. Although the law did not specifically mandate that Malaysian companies implement ISO 37001, it strongly encouraged adherence to so-called TRUST principles: Top-level commitment; Risk assessment; Undertake control measures; Systematic review, monitoring, and enforcement; and Training and communication.11 "All five TRUST elements basically fell within the ISO 37001 framework," Palanivelu said. "So if a company went for ISO 37001 certification, it wouldn't mean total protection for the company, but it did mean you had adequate measures in place and the company could demonstrate that it had done its best to prevent corruption from happening." With the new legislation as motivation, TNB expanded certification to include several subsidiaries of concern. Palanivelu said that before implementing the framework, "We were doing a lot of anticorruption practices all over the place but not in a very structured manner." 
ISO 37001 gave TNB's fledgling integrity department a template by which to build a cohesive management system from the bottom up.

Reaching out to governments

As ISO 37001 slowly gained traction in the private sector, acceptance by governments lagged well behind. It became clear to proponents that they would have to engage national governments proactively and directly, but ISO had neither the capacity nor the desire to promote the standard. One of its member organizations, the American National Standards Institute (ANSI), stepped up, however.

Lawyer and ISO 37001 auditor MacMurray, together with Samuel, commercial director at the British Standards Institution, traveled to Côte d'Ivoire in March 2019 to facilitate training on ISO 37001 under the auspices of the Standards Alliance, a public-private partnership between ANSI and the United States Agency for International Development that had started in 2012. The Standards Alliance had been originally designed to help countries implement the World Trade Organization's Technical Barriers to Trade Agreement, but it expanded its work to include ISO 37001.

MacMurray and Samuel taught senior government officials-including experts from ANSI's counterpart in Côte d'Ivoire and private-sector representatives involved in the accreditation and certification process-about the auditing process and interpretation of the standard. Participants were especially interested in exploring various applications of the standard, including examples of what other nations had done to require private contractors to seek certification.
Another question participants raised was whether to certify an entire organization or just selected divisions or units-and the trade-off between independent accredited third parties and self-certification.12 To improve the standard's utility, Loi, secretary-general of Transparency International Malaysia and vice chair of the ISO 37001 project committee, suggested that companies implement the standard in as many units and subsidiaries as possible. "It's important that the scoping of ISO 37001 not be narrow or focus only on a procurement department but be addressed across the board," he said.

Following the training, participants established a national working committee on potential applications of ISO 37001, joined the ISO technical committee on the standard, and planned a pilot with the country's High Authority for Good Governance to certify select government agencies, according to Samuel's contact at ANSI.

MacMurray said the training reinforced his thinking about some of the strengths and weaknesses that he perceived in ISO 37001. "The experience confirmed in my mind that the standard is equally applicable-and potentially useful-to both the public and private sectors," he said. "A primary weakness concerning adoption is the lack of available sponsored workshops or other forums to take potentially interested parties to the next substantive level."

OVERCOMING OBSTACLES

While ISO 37001 was struggling to generate the number of certifications many on the project committee had hoped for, a widely publicized international corruption scandal raised major concerns about the validity of the third-party certification process. Not long after Rome-based Eni announced in January 2017 that it had attained ISO 37001 certification, Italian prosecutors charged the company's two top executives with international corruption related to the purchase of a potentially highly lucrative Nigerian oil exploration license in 2011.
Not surprisingly, a public relations disaster unfolded for ISO 37001 after the Financial Times published the story. In an earlier press release, Eni had touted its certification as evidence of "the quality of the system of rules and controls aimed at preventing corruption, developed by Eni since 2009 in line with the principle of 'zero tolerance' expressed in its Code of Ethics."13

The scandal laid bare a fundamental weakness in the certification process that critics had pointed out even before ISO published 37001 in October 2016. "The value of any certification depends on the scope of the review," Shah said.

Online commentary was blistering. A writer on one blog that focused on the US Foreign Corrupt Practices Act (fcpacompliancereport.com) claimed in February 2017 that the scandal had revealed the standard to be "worse than useless." Thomas Fox, a Texas-based compliance lawyer, wrote: "People might actually think that this certification affirms the company which holds it is committed to doing compliance and will continue to do so going forward. The counter-party who does business with such an ISO 37001 certificate holder may well assume this certification forms some basis of protection against a Foreign Corrupt Practices Act (FCPA), UK Bribery Act or (you name the law) investigation for bribery and corruption. Nothing could be further from the truth."14

On another active compliance and anticorruption blog (fcpablog.com), Vera Cherepanova, an ethics and compliance consultant, raised similar concerns. In an April 2019 post titled "ISO 37001: Not all certifications are created equal," she discussed the Eni scandal and noted that Legg Mason, a Baltimore-based asset management firm that had received ISO 37001 certification in late 2017, only seven months later entered into a nonprosecution agreement related to a federal Justice Department investigation into violations of the Foreign Corrupt Practices Act in connection with a Libyan bribery scheme.
The firm paid $64.2 million to resolve the matter. "Although these violations occurred years before the companies went through the ISO 37001 certification, nonetheless, such cases cast serious doubts if ISO certification can be regarded as evidence of an effective anti-bribery program," Cherepanova wrote.15 Some observers linked the problem to structural flaws in the accreditation-certification governance framework that allowed for varying interpretations and applications. But others saw no way around the weakness. "The reality is, it's never perfect," Samuel said. "We have to acknowledge that accreditation bodies can differ and can have different interpretations of the rules, but the existing governance model of accreditation and certification does help provide assurance that stakeholders are following the rules." Other ISO 37001 proponents downplayed the concerns, arguing that market forces would weed out certifying bodies that were excessively lenient. "It's basically a reputation game," said Manuhwa of the Federation of African Engineering Organisations. "When it comes to companies that have been around for many years, they would not risk their reputations for a few thousand dollars to certify a criminal or unethical company as clean." MacMurray agreed that rather than revealing a flaw in the governance structure, the Eni scandal had illuminated a potential flaw in the quality of the certifying body's audits. "One should not look only at the certification as a stand-alone document but also at who issued it and their track record," he advised. In early July 2020, the Eni case remained unresolved in the Milan court. ISO had a system already built into its process to address what it called post publication issues. 
Loi, who had served as vice chair of the project committee that developed the 37001 standard, worked on such issues through a series of committees set up to publish complementary spin-off standards on compliance management and whistle-blower management systems. Jean-Pierre Méan, a Swiss lawyer specializing in corporate governance, compliance, and anticorruption, served as chair of a committee that developed a handbook of advice for smaller companies about how to implement antibribery management systems. He also helped prepare a survey to be used in conjunction with the standard's five-year review in 2021.

ASSESSING RESULTS

The purpose of ISO 37001 was to boost compliance with the law, not to usurp the law-a point Stansbury continually made in his role as committee chair. The ultimate aim was to reduce the actual incidence of bribery, but assessment of impact posed many challenges-especially in the early stages.

For the creators of ISO 37001, it was difficult to measure the overall success of a standard aimed at reducing bribery, because success meant the absence of something. To illustrate that challenge, Richard Messick, an attorney and anticorruption consultant in the Washington, D.C., area, asked an unanswerable question: "How many bribes weren't paid last year?"

Even assessing implementation or take-up, an intermediate measure of impact, was more difficult than anticipated. The project committee that developed ISO 37001 published the standard within the conventional three-year time frame, which was a success in itself given the wide range of stakeholders and the complex issues. But adoption and implementation by companies and governments-and especially certification-proved more challenging. Compared with other management systems standards, like the popular ISO 9001 quality management standard, the number of ISO 37001 certifications remained low in mid-2020, nearly four years after its adoption by ISO.
Although there was no definitive international database of certified organizations, GIACC maintained its own list of third-party certified organizations, derived from internet research and personal contacts. By the end of 2019, the list contained 548 certified companies in 52 countries, with Italy in the lead with regard to number of certifications. Stansbury noted that the list was likely incomplete because many companies may not publish such information, and the list counted only the parent company in cases in which numerous certifications were awarded to numerous subsidiaries. In 2018, ISO released a survey of management system standard certifications. With 389 valid certificates across 1,541 sites, ISO 37001 ranked last out of the 12 management system standards in terms of numbers of certifications. In comparison, the most popular management system standard, ISO 9001 (published in 2015), had 878,664 valid certificates across 1,180,965 sites. ISO was planning another survey for release later in 2020. The United States, with only two certified companies, offered the most conspicuous example of the standard's uneven adoption across the world. Ekaterina Lysova, program officer at the Washington-based Center for International Private Enterprise, theorized that the lack of adoption stemmed from an ambivalence among Department of Justice prosecutors toward the standard, which those prosecutors communicated to companies at conferences and elsewhere. "US regulators already have comprehensive guidance on the expectations of compliance programs, which they have published and which are very useful," Shah agreed. Still, there were some positive signs of wider adoption-especially in Latin America and Southeast Asia. Peru represented one notable bright spot. 
As a country without anticorruption laws similar to the US Foreign Corrupt Practices Act or the Brazilian Anti-Corruption Act, the Peruvian government encouraged companies to implement ISO 37001 if they wanted to do business in the public sector. The move caused a ripple effect of certifications across Peruvian companies.

The total number of certifications was, however, not the only yardstick with which to measure the success of the standard. Prosecutors used ISO 37001 to set terms and conditions in settlements of high-profile corruption cases-recognition of the standard's value and purpose. As part of the settlement in the Grupo Odebrecht case, for instance, Brazilian, US, and Swiss authorities required the company to seek ISO 37001 certification in order to "ensure actions to prevent wrongful acts and to seek the highest degree of ethics and transparency in the way its companies conduct their business," according to a press release.16 Similar settlements occurred in Denmark and Singapore.

Governments also used ISO 37001 as a bribery prevention tool. In November 2018, in order to combat corruption and create "a culture of integrity" as part of national anti-corruption efforts,17 Malaysia's prime minister announced a plan to obtain ISO 37001 certification for all ministries, agencies, departments, and government-linked companies deemed to have high risk of bribery. The action was in part a response to a high-profile corruption scandal in 2015, when Malaysia's prime minister and other officials were accused of transferring roughly $700 billion into private accounts. In October 2018, Guatemala's president announced the General Secretariat and Office of the President had become ISO 37001 certified.

REFLECTIONS

Perhaps the greatest contribution ISO 37001 made to global anticorruption governance was to codify disparate antibribery management guidelines and frameworks into a single, cohesive standard.
"The major success for ISO 37001 is that it has become the reference for antibribery," said Jean-Pierre Méan, a lawyer specializing in corporate governance, compliance, and anticorruption. "There were several before, but people were a bit puzzled by all these tools, wondering, 'Which one is the good one?'" For smaller companies and those in countries with weak corruption laws and policies, ISO 37001 offered a clear benefit. The standard laid out a definitive framework to prevent or root out bribery, which carried significant legal, financial, and reputational risks for companies of any size. "Before ISO 37001, we were doing a lot of antibribery practices, but it was all over the place, and not in a very structured manner," said Kalivann Palanivelu, chief integrity development officer at Malaysian utility company and state-owned enterprise TNB. But ISO 37001 proponents still wrestled with how to improve adoption around the world-especially in the United States. "If I asked a company why they haven't obtained ISO 37001 certification, their answer would normally be that we are compliant in principle with the standard, and we don't need an independent certification to prove that," said Neill Stansbury, a lawyer specializing in anticorruption, who led the development of ISO 37001. "But in reality, some companies are afraid of potentially failing the certification. If there's a prosecution later, the prosecutors can obtain a record from the certification body that showed they failed and why." Worth MacMurray, a lawyer and ISO 37001 auditor, said overseas ISO 37001 adoption and market forces could help drive US commercial acceptance. "US companies are starting to see [requests for proposal] from overseas business partners in Asia and Latin America that contain ISO 37001 certification requirements," MacMurray said in a 2020 interview. "Assuming the trend continues, the standard's value to US companies will become more widely understood and appreciated." 
Though in mid-2020 Stansbury had not yet seen the level of adoption he had hoped for, he remained positive that mass certification was within reach. "If you want to see the standard become popular and widely used, you need a cascade effect," he said. "That's going to happen only if, in a major country, the public sector says, 'We are not going to allow any contractor to work on any project for us, over a certain value threshold, unless they give us a certificate of compliance with ISO 37001 issued by a reputable independent certifier.'" Stansbury added that reaching that point would represent "a massive quantum shift in governance" but that "without that quantum shift, the money is going to continue to go missing."

References

1 Daniel Gallas, "Brazil's Odebrecht Corruption Scandal Explained," BBC, April 17, 2019; https://www.bbc.com/news/business-39194395.
2 Jonathan Watts, "Operation Car Wash: Is This the Biggest Corruption Scandal in History?" The Guardian, June 1, 2017; https://www.theguardian.com/world/2017/jun/01/brazil-operation-car-wash-is-this-the-biggest-corruption-scandal-in-history.
3 Neill Stansbury, "An Overview of ISO 37001 Anti-Bribery Management System Standard," Global Infrastructure Anti-Corruption Centre, September 14, 2017; https://www.cys.org.cy/images/GIACC.ISO_37001.CYPRUS.2017.pdf.
4 Victor Aguiar de Carvalho, "Requiring Public Contractors to Have Anticorruption Compliance Programs May Sound Like a Good Idea-but Not When Government Capacity Is Lacking," Global Anticorruption Blog, January 17, 2020; https://globalanticorruptionblog.com/2020/01/17/requiring-public-contractors-to-have-anticorruption-compliance-programs-may-sound-like-a-good-idea-but-not-when-government-capacity-is-lacking/.
5 Martin Manuhwa and Neill Stansbury, "Anti-Bribery Standards, Systems and Strategies for Optimising Engineering Projects Delivery"; https://www.academia.edu/19513530/Anti-Corruption_Strategies_and_Anti-Bribery_Standards_in_Engineering.
6 "International Standard ISO 37001 Anti-Bribery Management Systems Standard," Global Infrastructure Anti-Corruption Centre; https://giaccentre.org/certification-iso37001/.
7 Fraser Tennant, "ISO 37001: Yawner or Transformer?" Financier Worldwide, September 2017; https://www.financierworldwide.com/iso-37001-yawner-or-transformer#.Xp25GlNKi2w.
8 "Why Charge for Standards?" American National Standards Institute; https://www.ansi.org/help/charge_standards.
9 Kristy Grant-Hart, "Accreditation Hits the Mainstream: ISO 37001," Compliance & Ethics Blog, August 8, 2018; https://complianceandethics.org/accreditation-hits-the-mainstream-iso-37001/.
10 Claudia J. Dumas, Fritz Heimann, Shruti Shah, "Verification of Anti-Corruption Compliance Programs," Transparency International, July 2014:29-30; https://www.transparency.nl/wp-content/uploads/2016/12/TI-USA_2014_verificationreportfinal.pdf.
11 Norhisham Bahrin, "Malaysia - Corporate Liability Provision under Section 17A MACC Act 2009 and Why It Matters to You," Conventus Law, November 30, 2019; http://www.conventuslaw.com/report/malaysia-corporate-liability-provision-under/.
12 "Standards Alliance Organizes U.S.-Côte d'Ivoire Training on ISO37001: Anti-Bribery Management Systems," American National Standards Institute, April 25, 2019; https://www.ansi.org/news_publications/news_story?menuid=7&articleid=099547f3-3bf0-4219-a2a3-d36c91aae36a.
13 "Eni Becomes the First Italian Company to Obtain the ISO 37001:2016 'Antibribery Management Systems' Certificate of Conformity for Its Anti-corruption Compliance Program," Eni, January 25, 2017; https://www.eni.com/en-IT/media/press-release/2017/01/eni-becomes-the-first-italian-company-to-obtain-the-iso-370012016-antibribery-management-systems-certificate-of-conformity-for-its-anti-corruption-compliance-program.html.
14 Thomas R. Fox, "Eni Receives ISO 37001 Certification and Eni CEO Charged with Corruption," FCPA Compliance Reports, February 15, 2017; http://fcpacompliancereport.com/2017/02/eni-receives-iso-37001-certification-eni-ceo-charged-corruption/.
15 Vera Cherepanova, "ISO 37001: Not All Certifications Are Created Equal," FCPA Blog, April 3, 2019; https://fcpablog.com/2019/04/03/iso-37001-not-all-certifications-are-created-equal/.
16 "For Odebrecht, Agreement with CGU and AGU Strengthens Legal Certainty for Business Recovery," Odebrecht, July 9, 2018; https://www.odebrecht.com/en/communication/releases/odebrecht-agreement-cgu-and-agu-strengthens-legal-certainty-business-recovery.
17 "GLCs Given Two Years to Comply with New Anti-corruption Measures," New Straits Times, November 21, 2018; https://www.nst.com.my/news/nation/2018/11/433360/glcs-given-two-years-comply-new-anti-corruption-measures.

Innovations for Successful Societies makes its case studies and other publications available to all at no cost, under the guidelines of the Terms of Use listed below. The ISS Web repository is intended to serve as an idea bank, enabling practitioners and scholars to evaluate the pros and cons of different reform strategies and weigh the effects of context. ISS welcomes readers' feedback, including suggestions of additional topics and questions to be considered, corrections, and how case studies are being used: iss@princeton.edu.

Terms of Use

Before using any materials downloaded from the Innovations for Successful Societies website, users must read and accept the terms on which we make these items available. The terms constitute a legal agreement between any person who seeks to use information available at successfulsocieties.princeton.edu and Princeton University. In downloading or otherwise employing this information, users indicate that: a. They understand that the materials downloaded from the website are protected under United States Copyright Law (Title 17, United States Code).
This work is licensed under the Creative Commons Attribution-NonCommercial-NoDerivatives 4.0 International License. To view a copy of this license, visit http://creativecommons.org/licenses/by-nc-nd/4.0/. b. They will use the material only for educational, scholarly, and other noncommercial purposes. c. They will not sell, transfer, assign, license, lease, or otherwise convey any portion of this information to any third party. Republication or display on a third party's website requires the express written permission of the Princeton University Innovations for Successful Societies program or the Princeton University Library. d. They understand that the quotes used in the case study reflect the interviewees' personal points of view. Although all efforts have been made to ensure the accuracy of the information collected, Princeton University does not warrant the accuracy, completeness, timeliness, or other characteristics of any material available online. e. They acknowledge that the content and/or format of the archive and the site may be revised, updated or otherwise modified from time to time. f. They accept that access to and use of the archive are at their own risk. They shall not hold Princeton University liable for any loss or damages resulting from the use of information in the archive. Princeton University assumes no liability for any errors or omissions with respect to the functioning of the archive. g. In all publications, presentations or other communications that incorporate or otherwise rely on information from this archive, they will acknowledge that such information was obtained through the Innovations for Successful Societies website. 
Our status (and that of any identified contributors) as the authors of material must always be acknowledged and a full credit given as follows: Author(s) or Editor(s) if listed, Full title, Year of publication, Innovations for Successful Societies, Princeton University, http://successfulsocieties.princeton.edu/

ISS is a program of the Princeton School of Public and International Affairs: successfulsocieties.princeton.edu. ISS invites readers to share feedback and information on how these cases are being used: iss@princeton.edu.

(c) 2020, Trustees of Princeton University. This case study is made available under the Creative Commons Attribution-NonCommercial-NoDerivatives 4.0 International License.