What Is ISO 37001 and How Does It Affect Your Compliance Program?
As a health sciences company, compliance is part of your DNA. Regulations, rules, and standards are the norm. One such standard is ISO 37001, which the International Organization for Standardization (ISO) published in 2016. It provides a framework for establishing, implementing, maintaining, and improving an anti-bribery management system.
In this post, we’ll define the standards and how they can influence the design of your compliance program.
What Is ISO 37001?
ISO 37001 defines requirements and offers guidance for establishing, operationalizing, reviewing, and enhancing an anti-bribery management system.
It addresses several areas, including bribery in public, private, and not-for-profit sectors. It applies to an organization, its personnel, and those acting as business associates.
Its requirements and guidance relate only to bribery. It doesn’t address related misconduct, such as fraud, even though the same controls often overlap. The standard is generic by design and meant to apply to organizations of any type, size, or sector.
To be ISO 37001 compliant, you’ll need to develop and implement an anti-bribery management system. Such a program should:
- Prevent, detect, and deter bribery
- Comply with anti-bribery laws
- Address bribery across the public, private, and not-for-profit sectors, including bribery of foreign government officials
- Target risks from both active and passive bribery (active means your organization, or someone acting on its behalf, is offering the bribe; passive means your organization or its people are receiving one)
What Are the Requirements?
The standard takes a risk-based approach: before designing controls, you must understand your organization’s context, which means considering at least these factors:
- Company size and structure
- Regions where you operate
- Nature, scale, and complexity of your organization and its operations
- Entities you control
- Your business associates
- Interactions with public officials
- Applicable statutory, regulatory, contractual, and professional obligations and duties
With this context established, you then perform a bribery risk assessment, which becomes the basis for every control that follows.
Best Practices for Your Bribery Risk Assessment
A bribery risk assessment draws on both the applicable anti-bribery and anti-corruption laws and non-regulatory guidance like ISO 37001. Its goal is to identify where bribery could occur in your operations, analyze the likelihood and impact of each risk, and prioritize them. Alongside that, you evaluate whether the controls you already have are suitable and effective at preventing, detecting, and responding to those risks, and document where the gaps are.
Only once the assessment is complete can you decide how to allocate compliance resources, including people and tools, in proportion to the risks you actually face. The assessment should be repeated at regular intervals and whenever your business changes materially, since the standard expects it to stay current.
Other Requirements Beyond Risk Assessments
ISO 37001 also lists requirements that shape the rest of your program. Your organization should:
- Develop and maintain compliance policies and procedures
- Establish and launch compliance training
- Exhibit effective tone at the top
- Perform risk-based due diligence
- Obtain anti-bribery commitments from business associates that present more than a low bribery risk, along with the right to terminate the relationship if bribery occurs
- Receive compliance commitments from employees
- Employ internal controls
- Create reporting channels and ensure whistleblower protections
- Document compliance efforts
- Review and improve anti-corruption compliance controls at regular intervals
- Ban facilitation payments
How Do ISO 37001 Standards Fit within Your Compliance Ecosystem?
For health sciences companies operating in the U.S., your anti-bribery compliance program revolves around the FCPA (Foreign Corrupt Practices Act) and the guidance that the DOJ (Department of Justice) and SEC issued to accompany it, A Resource Guide to the U.S. Foreign Corrupt Practices Act, Second Edition. The Resource Guide is guidance only; it is not a set of binding rules.
ISO 37001 isn’t regulatory either; it too acts as a guide. You may align your program with the standard, but you can’t simply “check the box.” Unless the standard, together with the FCPA guidance and other resources, genuinely shapes how your program is designed and run, you remain exposed to bribery risk.
How you incorporate ISO 37001 will depend on the maturity of your compliance practices. Those practices are constantly evolving, but organizations with more seasoned programs will find adoption easier, because they are likely already doing many of the things the standard recommends.
Organizations that are new or less mature, for whatever reason, should look holistically at their program and use ISO 37001 to identify where it can be made more robust.
The requirements in ISO 37001 may not be laws, but they define recognized best practice for an anti-bribery compliance program. They give you parameters and objectives to strive for in keeping your organization corruption-free, and working through each requirement in turn gives you a ready-made framework.
Should You Get Certified?
Currently, ISO 37001 certification isn’t mandatory, and the list of requirements to meet is hefty. The primary reason to follow the standard is to ensure compliance and limit risk, but certification brings other advantages.
Advantages of Certification
Earning certification can boost your credibility and trustworthiness. That credibility can improve relationships with clinicians, regulatory agencies, and consumers. The due-diligence discipline the standard requires should also enable you to make more informed decisions about business partners and other third parties. It can even provide an advantage over competitors, as health sciences is, unfortunately, a high-risk industry for corruption.
Should your organization become the subject of a DOJ investigation, certification could be useful. It certainly won’t absolve you if wrongdoing occurs, and it is no substitute for a program that actually works in practice. Rather, it provides independent validation that your anti-bribery program is robust and that your commitment to anti-corruption is real. Working toward it also forces you to establish a consistent, formally documented approach to anti-bribery compliance.
Receiving certification also demonstrates to your employees that your culture is one of integrity. Employees will know their roles and the importance of compliance around this risk.
Certification Isn’t Easy
Earning certification is no easy feat. The standard uses qualifiers like “appropriate” and “reasonable,” which leave much open to interpretation. Succeeding will require dedicated effort to show an auditor, with evidence, that your choices satisfy these subjective terms in your particular context. Ultimately, it’s the substance of the program, not its specific format, that matters.
How Do You Earn ISO 37001 Certification?
To gain certification, you’ll work with a third-party certification body. Before you engage one, you’ll need an anti-bribery management system that is not just planned but implemented and operating, with records to prove it, because the auditor evaluates what you actually do, not what you intend to do.
The certification body then conducts an audit against the standard’s requirements. Audits reveal what you’re doing well, areas for improvement, and nonconformities. Each nonconformity requires a corrective action plan that you must complete and evidence.
If there are major nonconformities, a follow-up audit may be necessary before certification is granted. Once you meet the conditions and standards, you can obtain certification. Certification is not a one-time event: expect periodic surveillance audits to confirm the system is still operating as certified, and a full recertification audit every three years.
Expert Guidance for Health Sciences Compliance
Compliance is a complex environment for health sciences organizations. You can alleviate many of the challenges and mitigate risks with expert guidance from a team that delivers compliance solutions tailored to your specific business needs. We can help you define and implement a program, then support it with ongoing monitoring, investigation, and training. Explore how our consulting services can benefit you.