ISO 37001: A New Measuring Stick for Corporate Compliance Programs

May 24, 2016

The International Organization for Standardization is developing a certifiable international standard for “anti-bribery management systems” that could influence how the US Department of Justice, US Securities and Exchange Commission, and other regulators evaluate and grade corporate compliance programs.

In the coming days, the International Organization for Standardization (ISO) is expected to finalize and approve ISO 37001[1]—an “anti-bribery management system standard” that will likely become the new benchmark for grading anticorruption compliance programs. This LawFlash briefly examines the draft standard and its potential implications.


ISO 37001 was developed to help companies and other organizations establish, operate, and improve their anti-bribery compliance programs. It outlines the anticorruption controls considered to be “international good practice[s]” for preventing, detecting, deterring, and remediating corruption risks.[2]

To be certified as ISO 37001 compliant, an organization will be required to develop and implement an anti-bribery management system designed not only to prevent, detect, and deter bribery, but also to “comply with anti-bribery laws and voluntary commitments applicable to its activities.”[3] Such “systems” must address not only the bribery of foreign government officials, as proscribed by the Foreign Corrupt Practices Act (FCPA), but also bribery in the “private and not-for-profit sectors.”[4] In addition, anti-bribery management systems should target the risks posed by both active bribery (bribery by an organization, its personnel, and its associates) and passive bribery (bribery of an organization, its personnel, and its associates).[5] ISO 37001 is expected to recognize that organizations can be liable under laws like the FCPA and UK Bribery Act 2010 for both direct and indirect acts of bribery, and to call on organizations to account for third-party risks, such as “bribe[s] offered or accepted through or by a third party.”[6]


ISO 37001 was drafted by an ISO committee composed of advisory groups from 37 countries—including the United States—and is designed for “small, medium and large organizations in all sectors, including public, private and not-for-profit sectors.”[7] Although ISO 37001 claims to be “applicable across all jurisdictions,” it notes that “organization[s] will not be obliged to conform” with any portion of the standard that “is in conflict with, or prohibited by, any applicable law.”[8]


Like the FCPA Resource Guide, ISO 37001 will recognize that companies cannot “completely eliminate the risk of bribery” and declines to prescribe a “one-size-fits-all” model for anticorruption compliance.[9] Instead, ISO 37001 is expected to embrace a “reasonable and proportionate” risk-based approach for developing compliance programs and instructs companies to consider the following factors:

  • Size and structure of the organization
  • Locations and sectors in which the organization operates or anticipates operating
  • Nature, scale, and complexity of the organization’s activities and operations
  • Entities over which the organization has control
  • The organization’s business associates
  • Nature and the extent of interactions with public officials
  • Applicable statutory, regulatory, contractual, and professional obligations and duties[10]

Companies must also account for their “bribery risk assessment” findings when developing anticorruption compliance programs and may consult the section in ISO 37001 specifically devoted to the design, implementation, and documentation of such assessments.[11] In short, bribery risk assessments should enable companies to identify, evaluate, prioritize, and respond to bribery risks as well as assess “the suitability and effectiveness of the organization’s existing controls.”[12] Companies should use risk assessment results to make more informed decisions about the “allocation of compliance personnel, resources, and activities.”[13]

In addition to requiring risk assessments, ISO 37001 will require companies to do the following:

  • Develop and maintain compliance policies and procedures
  • Implement compliance training programs
  • Demonstrate effective tone at the top
  • Conduct risk-based due diligence
  • Obtain third-party compliance certifications and termination rights
  • Obtain compliance commitments from employees
  • Implement internal controls
  • Develop reporting channels and ensure whistleblower protections
  • Document compliance efforts
  • Periodically review and improve anticorruption compliance controls
  • Prohibit facilitation payments


ISO 37001 is expected to provide companies with a new “measuring stick” for evaluating their compliance programs and ensuring that they meet a common international standard. In addition, ISO 37001 will likely enable companies to make more informed decisions about business partners and other third-party representatives. Companies that receive an ISO 37001 certification—especially those that work in corruption-prone countries or high-risk industries or that have frequent exposure to government officials—will potentially have a comparative advantage against competitors that do not have the qualification.

ISO 37001 may also prove helpful to companies caught in the crosshairs of government investigations, which increasingly involve multiple jurisdictions and enforcement authorities. Although the ISO 37001 certification does not absolve companies from liability for anticorruption law violations, it is expected to offer an independent validation of the company’s anticorruption compliance program, and therefore may help a company make the case that its internal controls are both “strong on paper” and strong in practice.[14]

In the United States, effective compliance programs may help companies avoid a contemplated prosecution entirely or otherwise achieve a more favorable settlement where charges are filed. The US Department of Justice’s Principles of Federal Prosecution of Business Organizations counsel prosecutors to evaluate “the existence and effectiveness of the corporation’s pre-existing compliance program” when determining whether to charge a corporation with a crime.[15] Chapter 8 of the US Sentencing Guidelines likewise treats the existence of an “effective compliance and ethics program” at the time of the offense as a mitigating factor when assessing culpability: such a program can reduce the company’s culpability score, which is used to calculate the fine range.[16]

In conclusion, ISO 37001 will likely play an important role in the future with regard to establishing a more uniform set of anticorruption standards across industries and regions, providing companies with opportunities to mitigate risk and achieve greater clarity in measuring compliance programs’ effectiveness. It remains to be seen whether US enforcement authorities will rely on ISO 37001 as the ultimate measuring stick to evaluate compliance programs, but companies with anticorruption programs that achieve ISO 37001 certification will likely be better positioned to deal with the scrutiny that comes when the inevitable investigation reaches their doorsteps.


If you have any questions or would like more information on the issues discussed in this LawFlash, please contact any of the following Morgan Lewis lawyers:

Eric W. Sitarchuk
John J. Pease, III

[2] ISO 37001, Introduction.

[3] Id. at Sec. 1.

[4] Id.

[5] Id.

[6] Id.

[7] Id. at Introduction. For information about countries involved in the drafting of ISO 37001, see ISO, “Technical Committees – ISO/PC 278 – Anti-bribery management systems” (2016),

[8] Id. at Sec. 1.

[9] Id. at Sec. 4.4; Crim. Div. of the US Dep't of Justice & Enforcement Div. of the US Sec. & Exch. Comm'n, A Resource Guide to the U.S. Foreign Corrupt Practices Act at 57 (Nov. 14, 2012), [hereinafter FCPA Resource Guide] (“[R]ecognizing that companies may consider a variety of factors when making their own determination of what is appropriate for their specific business needs.”); see also id. (“[E]ach compliance program should be tailored to an organization’s specific needs, risks, and challenges.”).

[10] ISO 37001, Sec. 4.4.

[11] Id. at Sec. 4.5; see also id., Annex, Sec. A.4.

[12] Id. at Sec. 4.5.

[13] Id. at Annex, Sec. A.4.1.

[14] FCPA Resource Guide at 57.

[16] See US Sentencing Guidelines, Sec. 8B2.1; see also id. at Sec. 8C2.5(f) (“If the offense occurred even though the organization had in place at the time of the offense an effective compliance and ethics program, as provided in §8B2.1 (Effective Compliance and Ethics Program), subtract 3 points.”).