If you are looking to certify your anti-bribery programme under the ISO 37001 standard, one of the first things that you need to do is choose your certification provider. As a practitioner and lead auditor, I strongly urge decision makers to exercise some degree of caution and due diligence when choosing a provider.
Time and time again, I see companies and compliance officers who are upset or annoyed because they made an uninformed decision (or were forced to go with a provider as directed by procurement in some misguided attempt to simplify providers and go with someone 'on the system'). Think about it: if you were being investigated for a global corruption event, would you instruct a law firm that has no experience in anti-corruption to represent you? Of course not; that would be absurd. So why select a certification body or auditor that has no experience in anti-bribery just because they certified your 'quality' programme and you want to somehow leverage the existing relationship? Ignoring the fact that an accredited body would never allow themselves to be influenced, the focus needs to instead be on quality and performance.
Before making a decision on an ISO 37001, ISO 37301 or ISO 37002 certification body, you must do the following three things.
- Make sure the certification body is accredited on ISO 37001. This is the number one thing. The certification provider will advertise their accreditation, but you should also check the website of the accrediting body. Do not choose a certification company that is not specifically accredited on ISO 37001 – while they may be accredited on some ISO standards, they need to be accredited on ISO 37001 particularly. (And, at last check, you could count the providers that have been accredited on ISO 37001 on one hand.)
- Check the backgrounds of the auditors. If the auditor mentions lots of experience around standards, numbers or codes that don’t sound familiar to you, or their CV or LinkedIn profile only mentions their experience in quality or other irrelevant areas: stay away. These people are likely quality engineers that think they can now certify companies on anti-bribery compliance just because they went to a three-day training course. Anyone working as a lead auditor doing anti-bribery certifications should have proven experience either as a lawyer (preferably working in house) or specifically in building and maintaining anti-bribery programmes.
You should also exercise caution with mega certification bodies. These companies often don’t have an ounce of experience in this space and are most likely outsourcing the entire project to contractors, unless the work is being subcontracted to someone you know as being highly experienced and knowledgeable, the delivery will be likely disjointed, lacking in controls, authority and direction. Even if you have an existing relationship because that body certifies you in other areas (e.g. quality or environment) does not mean they have any skills when it comes to certifying against corruption and fraud, so engaging them will waste your time and cost you more money.
- Focus on the lead auditor and their soft skills. These auditors will be working with you for several years and interviewing you, your staff, your CEO and most of your managers globally, so they need to be professional, tactful and polite and have a coaching mindset. If the lead auditor isn't smarter than you in this space, then what makes you think they can help you improve your system through auditioning and monitoring and ultimately certification? They can't and will likely just embarrass you in front of your business partners, tainting the entire project.
Getting certified is a great achievement. However, you must exercise caution when selecting a certification body to ensure you make a wise decision.