ISO 37001 Anti-Bribery Management Systems Certification

The Value of ISO 37001 Readiness Support: Adding “Spark” to the Program

You know the old disclaimer often heard or seen on television, that “your results may vary” depending on a number of variables? Well, that disclaimer does apply to how quickly CPA Global was able to achieve ISO 37001 anti-bribery management systems certification. Although I encourage compliance officers and executive management to seek ISO 37001 certification, I certainly would never expect nearly as quick a readiness and audit process. From the time Spark Consulting began assisting CPA Global to prepare, it took exactly 4 months before we received the good word from the certification body Ethic Intelligence that we had “passed the audition.” My advice: pursue certification, but if you are mid-cap sized or larger, don’t expect to get it done in less than 6 months.

So, with that disclaimer in mind, how is it, then, that CPA Global, a mid-market size firm (the Wall Street Journal reported the Cinven sale to Green at an estimated GBP 2.5B) with varied income sources and offices in 14 countries spanning 4 continents, could get prepared and through an audit process in just 4 months?

Well, the answer is three-fold. One, we spent 6 ½ years perfecting our anti-bribery system in accordance with the guidance which, per ISO 37001, becomes requirements. We featured:

  • An annual and continuous anti-bribery risk assessment from which annual plans and ongoing controls were based
  • Multi-tiered anti-bribery employee and associate training
  • Automated level 1 restricted party screening of all employees and counterparties daily
  • A risk rating system for counterparties
  • Differentiated monitoring including level 2 and 3 due diligence of > low-risk associates and counterparties
  • Automated whistleblower hotline with employee and associate access with automated case management
  • Automated Dashboard reports and metrics for managing compliance and success of the overall compliance program including of course anti-bribery

There is more, but you get the idea that we had all avenues very well covered using a risk-based system to ensure appropriate control activities were in place to deal commensurately with associated risk.

Number two, we had invested in automation, which afforded us a readily accessible audit trail from which to draw in an expeditious fashion. Let’s face it, if you can quickly pull lists of employee status changes and compare them to automated records (say, Navex records), the audit moves quickly and decidedly. Training attendance, third party questionnaire completion, and hotline responses can be, and were, handled by way of automation, making it a smoother and faster ride through the audit process.

Finally, because we hired the right women for readiness, it took only 3 months to pull support and compare it to the requirements, address any gaps, obtain final board and executive approval, and communicate the pending ISO 37001 audit to managers. Kristy Grant-Hart and Diana Trevley of Spark made the process turnkey in that:

  1. They identified gaps to the ISO 37001 requirements, made risk relative recommendations, and evaluated remediation activities taken
  2. Gathered, categorized and made available all support for our anti-bribery system for reference throughout the process
  3. Sought out operational control examples from company staff and management
  4. Assisted with associate level, executive, and board communication
  5. Were available to speak to all levels of the organization as needed
  6. Led meetings to introduce the ISO 37001 certification process, merits and responsibilities to all appropriate parties; and finally
  7. Acted as an advocate during the audit process

Because Ms. Trevley, Spark’s West Coast Director who managed our readiness directly, was so knowledgeable and hands-on, the project did not cut very much into my day-to-day agenda. Trevley’s expertise as an attorney, in AB&C, and with corporate structures enabled her to be a quick study for what can be a complex undertaking. The critical path really was getting approvals and paperwork from the executives and the board, and timing the announcement that we were seeking ISO 37001 with a new release of our revised Code of Conduct and a whole new training course, which for a vast number of employees would act as a refresher. Although the changes to the Code in relation to anti-bribery itself were very few, and mostly specific language needed to meet the ISO 37001 requirements, the timing enabled our new campaign to be more successful out of the gate than it would have been under more ordinary circumstances. With the tone at the top communicating the importance of obtaining the certification, employees were obviously quicker to meet the 30-day mandate for taking the 30-minute online, on-demand course.

Both Trevley and Ms. Grant-Hart also helped prepare decks and participated on calls to walk key participants through the audit process so they were more than adequately prepared.

Finally, and probably most impressive to me, was having Ms. Trevley at the table during the audit interviews. At times it seemed like a deposition, with an occasional “I object, on the grounds that this question does not relate to a requirement and/or guideline.” Our auditor at times would then either present their case or move to another line of questioning or burrowing. There were times I felt like debating an auditor notation, as I felt the concern was not taking certain mitigating factors into consideration, but for the sake of time and effort, Ms. Trevley advised me to accept the finding because it was just that, a finding, which is neither a major nor a minor nonconformance. Although findings need to be addressed at subsequent annual surveillance audits, they do not carry the weight of a minor nonconformance and, unless associated and aggregated, do not pose a threat to obtaining or maintaining certification. But it was this advocacy and advisory aspect of Spark’s service that I found to be unique and very effective.

I also found Ethic Intelligence’s choice of auditors, Jean Christophe Carrou and Annie Trudel, to be fine selections, as the feedback on any notation (Non-Conformance, Finding, Needs Improvement) was addressed either straight away or by the end of that day. In fact, the end of every daily session resulted in a recap which let us know where we stood. I try not to disparage ISO auditors in general when I say Mr. Carrou and Ms. Trudel were the best ISO auditors I have worked with to date.

So, in the end, it was 3 months of readiness, 7 days of on-site auditing, an hour 1 week later going through the final report, and about 10 days creating a response plan that must be approved by the auditors before they recommend certification to Ethic Intelligence, the certification body.

So kudos to CPA Global, Spark, and compliance automation (Compliance management system) in making it what now seems like quick work.

Spectrum takes away the pain associated with third party risk with the same proven, efficient, standardized, cost-effective due diligence methodology that helped earn CPA Global an ISO 37001 certification. Discover how Specktrum can seamlessly manage your third party risk today!

The Value of ISO 37001 Readiness Support: Adding “Spark” to the Program

Think about when you were back in high school and you had to take a test or be certified for entrance into college, with each college or university having its own admittance standards. In the US, the most popular today is the Scholastic Aptitude Test (SAT); in the UK, the General Certificate of Education (GCE) Advanced levels (A levels); or in France, the baccalauréat. And after college, more exams follow: for attorneys, the Bar Exam; for doctors, the Medical Licensing Exam; for accountants, the CPA Exam. Did you have any professional assistance in your preparation for any of these very important tests?

My guess is that the vast majority of those reading this, and of the general population who have gone to college or taken a professional exam, sought and received professional support before taking the exam in order to be as prepared as possible to do their best.

It is by this logic that any Chief Compliance Officer seeking ISO 37001 Anti-Bribery Management System certification would be looking to commission a credible and experienced ISO 37001 Readiness partner.

And if you want to see how you fare against the standard, whether or not you seek ISO 37001 certification, it makes sense to hire an ISO 37001 specialist to help you with that determination.

The Merits of ISO 37001 Readiness Support

  1. Cost Efficiency: It will be less time consuming for employees, consultants and auditors if you go into an audit fully prepared.
  2. Pre-Audit Confidence: A good Readiness Partner like Spark Compliance will give you confidence that the audit will be less stressful, less time consuming, and yield positive results:  passing without having to correct a non-conformance.
  3. Time Efficiency: If you get it right the first time, the amount of time it will take to correct non-conformities, findings and addressing suggested improvements will be almost nil.
  4. Compliance Group Credibility:  A pre-audit gap assessment will identify specifically whether there are any disparities between what you are doing and the standard. It’s better to know your gaps by way of a Readiness specialist than by the ISO 37001 auditor for a few reasons, including the impact a non-conformance or finding may have on the overall audit. For instance, having enough aggregated minor non-conformances could result in a major non-conformance.

Last October, around the time ISO 37001 was being completed, I performed my own analysis against the pre-released standard. Although I felt that CPA Global was in excellent stead, I began seeking a professional opinion, as I did not want to pursue ISO 37001 certification through the executive suite and board without complete confidence we would pass. Just as an attorney only asks questions of a witness in court that he/she already knows the answer to, you don’t seek certification of this magnitude without complete confidence of success.

My next step was to contact a firm I could trust that had the knowledge and experience to review CPA Global’s program against the ISO 37001 requirements and provide a) a quick turnaround summary assessment, which would in turn give me a feel for how much work had to be done, and b) an estimate of the cost and time to readiness. If we elected to move forward, I wanted that firm to then: a) conduct a detailed gap assessment against the requirements and best practices, b) prepare materials to support the certification audit, and c) provide CPA Global personnel with training on the standard and the certification process in order to ensure a stress-free certification audit. Get any of these crucial elements wrong and the process would be longer and costlier, increase the chances of the auditor finding a major non-conformity, and damage the credibility of the compliance department within the organization.


The Women to See

There are certain services and products where certain individuals are recognized as the best in the world at what they do, whether it be Warren Buffett for investments, David McCullough for a biography, James Cameron for an action-epic film, or at one time, “the Man to See,” Edward Bennett Williams, for a DC defense attorney.

With the ISO 37001 standard not yet even published, I knew it might be difficult to find an ISO 37001 specialist to perform the services I required. Fortunately for me, I had just recently met Kristy Grant-Hart at the SCCE Conference in Chicago in September 2016. Kristy, who gave a keynote at the conference and who authored the book How to Be a Wildly Successful Compliance Officer, had her own compliance & ethics consulting practice, Spark Compliance. Together with her business partner, Diana Trevley, accomplished herself in anti-bribery and anti-corruption, they offered a new service, ISO 37001 Readiness, for firms seeking ISO 37001 certification.

So, it was obvious I should chat with Kristy about CPA Global’s unique business while I was in London in early November.  And after a meeting that included my Data Privacy Officer, Jennifer Aikins-Apiah, and Head of Legal, Patrick Mills, it was clear to all of us that the ladies of Spark Compliance were right for the job.

What were the bona fides that led us not to seek out their competitors?  Kristy demonstrated in that meeting that she had the right experience, having been a successful chief compliance officer at United International Pictures; that she knew the ISO process and the anti-bribery ISO 37001 requirements; and that she could see how ISO 37001 should be applied to our business.  Kristy explained to my team how she would work with us at getting us an initial assessment and then, if we decided to move forward with certification, engage with us to fully prepare us for the audit.

 


Road to ISO 37001 Certification Series: Part 3

This is the latest article in the “Road to ISO 37001 Certification” series. The first article covered the 4 foundational essentials based on my ISO 37001 certification audit experience, and the second article covered perfecting your risk assessment. Today’s (August 24, 2017) segment will discuss linking risk to corresponding controls.

 

Linking Risk to Corresponding Controls

As discussed in Part 2 of the Road to ISO 37001 Certification series, ISO 37001 Requirements Section 4.5.1 states: “The organization shall undertake regular bribery risk assessment(s), which shall: a) identify the bribery risks the organization might reasonably anticipate, given the factors listed in 4.1; b) analyze, assess and prioritize the identified bribery risks; c) evaluate the suitability and effectiveness of the organization’s existing controls to mitigate the risks.”

Let us now look at section “b) analyze, assess and prioritize the identified bribery risks.”

What our certification auditors from ETHIC Intelligence adeptly looked for here was differentiation in population or organizational risk levels, and having appropriately varied control activities in place to meet the individual inherent risk demands. For instance, certain classes of clients could present a unique bribery risk. External factors can actually create the condition, as in the case of patent litigation, where a client might be willing to bribe a company official in order to receive special handling or induce fraudulent search results. In CPA Global’s case, this particular example cited proved to be assessed as remote due to a number of factors; and although these factors should be documented, the point raised by the auditor was a good one worth noting.

Also, having a bridge that not only links the risk assessment to the corresponding controls but also differentiates the nature and extent of controls relative to the level of risk is important. The certification auditor noted that certain functions shared the same group of controls in a few instances where there were differentiated risk levels, say High and Medium, or Medium and Medium-Low. In our case, there was one instance where we were subjecting a lower-risk third party to higher standards than a high-risk party, which not only may be inefficient but also gives the appearance that little thought was given to the nature of the controls employed against differentiated risk levels.

In some cases, the control actions should be specifically tailored, as in the case of our having given anti-bribery training in Korean to our Seoul team in response to the Kim Young Ran Act.

In the case of third party due diligence, you will want to have an action plan established based on the level of risk assessed. So at various risk levels, you may want to include only a few or all of the following:

  • Require certifications to a supplier code of conduct
  • Watchlist/sanction screening
  • PEP screening
  • Require annual certifications
  • Require anti-bribery and corruption training
  • Require completion of annual questionnaires which will, in turn, refresh your third party risk assessments
  • Perform level 2, investigatory desktop due diligence
    • Perform on a more frequent basis
  • Perform payment reconciliations
  • Institute regular payment monitoring
  • Perform on site audits using procurement or internal audit resources
  • Perform on site audit using qualified professional services firm
  • Perform discretionary on the ground due diligence using internal or external qualified personnel

Overall the new lesson I learned here is to document the connection between the risk level assessed and the commensurate action. It will demonstrate to the certification auditors that proper bribery risk analysis, assessment, and priority is being afforded each population and business function.

 

Third Party Risk Management and Due Diligence

I am pleased to see the attention that was paid to third party risk management and due diligence by the auditors from ETHIC Intelligence, ensuring many of the items listed above were not only in place but also looking at activities relative to identified and varied risk levels. Because I spent the last 6 years focusing on elevating our third party risk management system as a lynchpin of a greater anti-bribery system, I was confident a bright light would shine here.

When I refer to third party risk management, I am referring to all activities that ensure third parties do not present risk beyond acceptable levels; which normally include certification to an anti-bribery policy statement or supplier code of conduct (which includes an anti-bribery section), access to the whistleblowing site and hotline, sending related announcements or warnings, training requirements, and finally due diligence and monitoring activities.  In my view, Third Party Due Diligence is having qualified personnel perform original and continuous investigative activities designed to detect red flags of corruption.

Having a customized online and case managed third party anti-bribery training was well received as a differentiated activity. Because of the unique nature of the risk in relation to the U.K. Bribery Act, our anti-bribery and corruption training covers potential areas specifically, such as facilitation payments, and makes clear its prohibition. What made this slick was having software that tracked the attendance in a readily available dashboard report. What would have improved the demonstration was having a signed certificate which acted as both third party certification and training completion.

What you want to avoid (unless your third party risk profile is only 1 or 2 dimensional, which is rare for global companies) is having only 2 or 3 variations of activities based on level of risk. You will also want to consider the juncture or line in the sand for going on site or ceasing a business relationship. If the process is merely to keep monitoring, digging and investigating and never take action, how are you really avoiding bribery with your third parties?

If you take the list above and add your relative control activities there will be many that you will want to require of all your third parties or those with risks greater than low. But you will still be expected to have a differentiated approach depending on your risk segmentation.

The value of conducting third party segmentation is the opportunity to reduce the compliance burden as the more difficult and burdensome activities should only be applied more liberally as risk rises. And risk level variance can be more easily justified by having a greater variety of relevant risk factors.

So factors such as third party industry (oil and gas, telecom, software, etc.), organization structure (private, public, equity owned), organization type (C-Corp, LLC, etc.), location, use of sub-contractors, and governance structure can result in 4 or more group segments (1. High, 2. High-Medium, 3. Moderate, 4. Medium-Low, 5. Low).

In order to ensure official incorporation of red flags raised by your organization or by way of continuous due diligence back into your third party risk ratings, you will want to consider having a method of elevating or lowering risk scores based on due diligence. Our policy was to take commensurate action based on any adverse findings, which could result in a number of actions including suspending or ending the relationship. But what I failed to do was make a scoring adjustment based on one case in which a red flag resulted in our conducting a site visit and impromptu audit of an agent with a risk score of 3.9. The auditor wondered why a 3.9 was treated with more due care than a few of our agents with higher scores. So a word to the wise: make sure your findings are dynamically updating your risk assessments and that your actions are relational and proportionate to your risk levels.
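To make the risk-to-control bridge and the "3.9 agent" lesson concrete, here is an added example of a tiered third party control plan with due-diligence findings fed back into the score. It is illustration only, not CPA Global's model or Spark's material: the factor weights, tier boundaries, uplift values and the two agents are constructed, and the control names are taken from the list earlier in this article.

```python
from dataclasses import dataclass, field

# Tier floors on a 1.0-5.0 risk score, highest first. These boundaries, the
# factor weights and the uplift values are constructed for this example.
TIER_FLOORS = [("High", 4.5), ("High-Medium", 4.0), ("Moderate", 3.0),
               ("Medium-Low", 2.0), ("Low", 1.0)]
TIER_ORDER = [name for name, _ in reversed(TIER_FLOORS)]  # Low ... High

# Control activities introduced at each tier (names from the article's list).
# A tier inherits everything below it, so the plan grows with the risk level.
TIER_CONTROLS = {
    "Low": {"supplier code certification", "watchlist/sanction screening"},
    "Medium-Low": {"PEP screening", "annual certification"},
    "Moderate": {"ABC training", "annual questionnaire", "level 2 desktop DD"},
    "High-Medium": {"payment reconciliation", "regular payment monitoring"},
    "High": {"on-site audit", "on-the-ground due diligence"},
}
# Intensity of a control = index of the tier that introduces it (0 = Low).
CONTROL_INTENSITY = {c: TIER_ORDER.index(t)
                     for t, cs in TIER_CONTROLS.items() for c in cs}

# Constructed weights (sum to 1.0); each factor is scored 1..5 by the assessor.
FACTOR_WEIGHTS = {"country_cpi": 0.30, "government_interaction": 0.30,
                  "uses_subcontractors": 0.10, "ownership_opacity": 0.20,
                  "spend": 0.10}


@dataclass
class ThirdParty:
    name: str
    factors: dict                     # factor name -> score 1..5
    adjustment: float = 0.0           # cumulative due-diligence uplift/relief
    findings: list = field(default_factory=list)
    extra_controls: set = field(default_factory=set)  # ad hoc actions taken

    def inherent_score(self) -> float:
        return round(sum(FACTOR_WEIGHTS[k] * v for k, v in self.factors.items()), 2)

    def residual_score(self) -> float:
        # Inherent score plus whatever due diligence has added or relieved.
        return round(min(5.0, max(1.0, self.inherent_score() + self.adjustment)), 2)


def tier_for(score: float) -> str:
    return next((name for name, floor in TIER_FLOORS if score >= floor), "Low")


def planned_controls(party: ThirdParty) -> set:
    """Cumulative control set the party's current tier calls for."""
    top = TIER_ORDER.index(tier_for(party.residual_score()))
    return set().union(*(TIER_CONTROLS[t] for t in TIER_ORDER[:top + 1]))


def applied_controls(party: ThirdParty) -> set:
    return planned_controls(party) | party.extra_controls


def record_finding(party: ThirdParty, description: str, uplift: float,
                   action: str = None) -> None:
    """Log a red flag, adjust the score by `uplift`, and note any action taken."""
    party.findings.append(description)
    party.adjustment += uplift
    if action:
        party.extra_controls.add(action)


def proportionality_gaps(parties) -> list:
    """(lower, higher) pairs where the lower-scored party is subjected to a more
    intensive control than the higher-scored one: the auditor's objection."""
    def max_intensity(p):
        return max(CONTROL_INTENSITY[c] for c in applied_controls(p))
    return [(lo.name, hi.name) for lo in parties for hi in parties
            if hi.residual_score() > lo.residual_score()
            and max_intensity(lo) > max_intensity(hi)]


def demo():
    """Replays the 3.9 case: site visit without, then with, a score update."""
    base = {"government_interaction": 4, "uses_subcontractors": 3,
            "ownership_opacity": 4, "spend": 4}
    agent_a = ThirdParty("Agent-A", {"country_cpi": 4, **base})  # scores 3.9
    agent_b = ThirdParty("Agent-B", {"country_cpi": 5, **base})  # scores 4.2
    # Red flag on Agent-A triggers a site visit, but the score is left alone.
    record_finding(agent_a, "adverse media: undisclosed official relationship",
                   uplift=0.0, action="on-site audit")
    before = proportionality_gaps([agent_a, agent_b])   # A (3.9) out-controls B
    agent_a.adjustment += 0.7   # now feed the finding back into the score
    after = proportionality_gaps([agent_a, agent_b])    # A is High: consistent
    return before, after


if __name__ == "__main__":
    print(demo())
```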


Road to ISO 37001 Certification Series: Part 2

In the last article, I discussed the 4 foundational essentials based on my ISO 37001 certification audit experience. This article walks through the selection and engagement of your partner for ISO 37001 certification audit readiness.

 

Perfecting your Risk Assessment

The cornerstone of any compliance program is the ability to conduct thorough risk assessments so that the nature and extent of all the risks the company faces are unearthed, including where risk lies and who it lies with.

Appropriately, section 4.5 titled “Bribery Risk Assessment” of the ISO 37001 standard states, “4.5.1 The organization shall undertake regular bribery risk assessment(s), which shall: a) identify the bribery risks the organization might reasonably anticipate, given the factors listed in 4.1; b) analyze, assess and prioritize the identified bribery risks; c) evaluate the suitability and effectiveness of the organization’s existing controls to mitigate the risks.”

I cannot emphasize enough how much time our certification auditor spent reviewing our foundational annual anti-bribery risk assessment model with me, dissecting it to the bone. This is your lifeblood because if performed haphazardly, significant risks are likely to be missed or assessed at an improper level. Sort of like having airport security only screening passengers on planes and neglecting to screen the airline crew, vendors selling food and retail items, or maintenance workers.

Our risk assessment model is fashioned to a degree on the classic top-down risk assessment that internal audit often conducts as part of its annual general risk assessment. Our version takes key vitals (elements) that relate to bribery and corruption and applies them organizationally.

Although the vitals we employ are both quantitative and qualitative, each is given a quantitative score that measures risk levels.

Some of the vitals we employ are total spend or total revenue; transaction volume; customer or supplier interaction level; government interaction; and susceptibility to bribery or fraud. We then apply each to the corporate strategic objectives, each business unit or function, and to each class of employee or contractor.

You might ask why not apply these exact criteria to all other third parties, including customers.  It’s best to look at third parties using more quantitative or fact based criteria as we already know that third parties constitute a high level of bribery risk, especially if they are responsible for sales or related activities.

At this juncture, what we are trying to assess are all the risks to the organization associated with bribery, including reputational damage.  So an agent channel would be looked at as part of the third party assessment, but the company group managing that relationship would also have a high degree of risk given their oversight role of this group.

To be successful at assessing risks at each of corporate, functional or operational levels, you really need to understand the role of the groups and how they interact in order to meet their objectives to determine what level of exposure, if any, there is to bribery or corruption.

So for instance, if you look at our firm’s analytic software business, you would need to understand the product, its uses, how it’s employed by customers, and the types of buyers and their organizations. Using our Analytic Software business segment as an example, we felt that the risk was low because deals were not conducive to probable acts of bribery:

  • Software product was specialized and not enterprise based;
  • Price points were not dynamic thus reducing any potential commission kickback scheme;
  • IP attorneys were the practitioners making buying decisions (rationalization was that risk of bribery due to Legal ethical requirements and testing of profession is deemed to be much lower than those in non-legal professions);
  • Vast majority of sales came through customer service which was not in a position to offer anything of value to a decision maker

Conversely, when you look at our company’s Renewals business the inherent risk of bribery or fraud was rather high due to:

  • Use of Intellectual Property (IP) Agents
  • Agents transacting filings in government installations (Patent and Trademark Offices)
  • Number of Agents in high-risk countries (based on Transparency International’s Corruption Perception Index (CPI))
  • Advancing of fees to agents

The idea is that this type of narrative is included to justify your assessment.

It’s also a good idea, as I have learned through the certification audit process, to perform the same exercise with stakeholders based on what requirements and expectations they have of the organization.  This reduces the opportunity for misses during functional assessment. Performing this assessment has a dual effect: better identification of non-employee third party types, such as contractors, agents, and investors for instance. At the employee level a key role that may not be as easily identifiable through a functional view, becomes apparent when segregating and evaluating employee roles. Say a business unit has a governmental sales arm and that is missed during the operational view. It can be picked up at this juncture, with proper HR labeling.


Road to ISO 37001 Certification Series: Part 1

There is certainly a great deal of pride taken in knowing that my company, CPA Global, is among the first handful of companies in the world to have earned the ISO 37001 – Anti-Bribery Management Systems certification. For a chief compliance officer, playing a major role in designing and advancing an anti-bribery program to this level, achieving such a feat might be the sports equivalent of winning a championship ring.

While I am not a business thought-leader pioneer in the same league as Michael Porter, Stephen Covey, or Peter Drucker, I did spend 6 years building a highly structured anti-bribery and corruption program at a company, CPA Global, that has considerable inherent exposure, and developed metrics that inspired my confidence.

It was an easy decision to enthusiastically and expeditiously begin pursuing ISO 37001 anti-bribery management systems certification even before it became officially achievable last October 2016.

Now that CPA Global has achieved ISO 37001 certification, I would like to share how a very successful Intellectual Property Technology firm, CPA Global, got there.  Along the way I would like to cover the following:

  • Self Evaluation:  Ensuring the Essentials
  • Organizational Readiness:  Adding “Spark” to the Programme
  • Managing the Audit:  The Right scope and Organizing Resources
  • Lessons Learned:  How to have a Frictionless Path to ISO 37001 Certification

My hope is to see more organizations demonstrate their commitment to anti-bribery and anti-corruption by undertaking the ISO 37001 certification.

When I first reviewed the list of requirements for ISO 37001, I immediately began creating a checklist to see how CPA Global fared. Interestingly, I had recently created a requirements list of my own as we sought to require our intellectual property (IP) agent population to have an independent anti-bribery and corruption evaluation via audit, thus demonstrating our focus on this area. So as I went through the ISO 37001 standard it became apparent that this might not take a great deal of work and that the cost of getting the certificate would be manageable.

My next step was to contact a firm I could trust that had the experience relative to this unique task that could review our program against the standards and a) provide a quick turnaround summary assessment which would in turn enable me to have a feel for how much work had to be done, cost and time to readiness; and, if we elected to move forward; b) conduct a detailed gap assessment against the requirements and best practices, c) prepare materials to support the certification audit; and d) coach us in order to achieve as much of a stress-free certification audit as possible.  Get any of these wrong, and either the process will be much longer, with many bumps along the way, or a major non-conformity is more likely to be found by the certification auditors.

I will devote more to this aspect in the next chapter but my decision to bring in Spark Compliance Consulting, based on their specialized compliance, anti-bribery, and ISO 37001 experience, was a winner and an essential part of achieving certification.

I will devote this first chapter to the 4 foundational essentials based on my ISO 37001 certification audit experience.  I will then pick up on ISO 37001 certification audit readiness essential #5 which is the selection of and engagement of your readiness partner in chapter 2.

 

Chapter I:  Anti-Bribery System Essentials

Tone at the Top and Culture

What really impressed our certification auditors and the certification body ETHIC Intelligence was the organizational awareness and commitment to our anti-bribery management system. In fact, it was cited as one of three “Noteworthy Efforts” in the auditor’s report (and you thought audit reports only listed issues).  When a C Level executive can speak in specifics about the history and importance of the program it can be inspiring to the rest of the employees.

It’s about equally impressive when everyone interviewed is able to identify the relational risks and controls in their respective areas and explain their view in their own way. In fact, even I was pleasantly surprised by some of the responses to questions by our certification auditor that were not so straightforward. I attribute our success in building a culturally aware group to a few key factors. Besides being a legal and Intellectual Property support organization, which by nature demands compliance with ethics and rules, and having sound, clear policies, my compliance team built strong, meaningful and sustained relationships organizationally. This was accomplished via programme and policy roll-out; formal on-demand and in-person training; holding scheduled risk control assessments (reviewing bribery risks and controls with stakeholders); being available for issue resolution and consultation; and by baking compliance into entity-level, operational and IT/IS change management, referred to as “compliance by design.” And this is best accomplished by making physical appearances across our global offices. This is particularly valuable when you are a global company with varied perspectives and ways of looking at policies, and have a very complex business with multiple earning centers with distinct products and services.

If your personnel are not tuned in to the anti-bribery mission, and the right level of awareness does not exist, it will likely come out during the certification audit. The certification auditors asked several pointed questions designed to see if the business was truly locked in or just following a script. And the certification body, ETHIC Intelligence, required that their certification auditors interview a wide population covering C-level to associate level.
