By WT Jen Siow

ISO37001: 2016 Anti-Bribery Management Systems x Compliance Programs


In recent times, private, public and non-profit organisations, regardless of their size, business nature, industry or geographical operations, have been learning more about legislation that curbs corruption:


i. MACCA[1] [Act A1567] on corporate liability for corruption;

ii. AMLATFPUA[2] which provides for offences like money-laundering, terrorism-financing & proceeds from unlawful activities;

iii. WPA[3] on protecting whistleblowers from any prejudicial effect for disclosing misconduct;

iv. Penal Code [Act 574] criminalising the giving or receiving of gratification involving public servants; and

v. CCMA[4] [Act 614] on beneficial ownership of legal persons.


Regulators, too, learning from their global anti-corruption enforcement peers, have focused on governance, transparency and accountability in their advocacy, education & investigation work, and are by now competent to enforce these laws.


With these mounting pressures comes the anti-bribery and anti-corruption (“ABC”) vanguard that helps organisations define or sharpen their rules of engagement and sense of integrity.


[1] Malaysian Anti-Corruption Commission (Amendment) Act 2018 [Act A1567]
[2] Anti-Money Laundering, Anti-Terrorism Financing & Proceeds of Unlawful Activities Act 2001
[3] Whistleblower Protection Act 2010
[4] Companies Commission of Malaysia Act 2001



Ethics & Compliance Programs

An anti-corruption compliance framework consists of an Ethics & Compliance (“E&C”) Program that embodies anti-bribery and anti-corruption principles in compliance policies, internal controls and infrastructure. Compliance means abiding by laws, rules and regulations, including internal policies. The other intrinsic part of an E&C Program is Ethics, the quintessence of which is doing the right thing even when no one is watching; compliance is then the by-product of just doing one’s job mindfully.


ISO37001: 2016 ABMS

ISO37001, published by the International Organisation for Standardisation in 2016, is a standard that sets out the minimum requirements to “establish, implement, maintain, review and improve an anti-bribery management system”. Upon completion of an audit confirming that the organisation’s control measures meet those requirements, a certification body awards ISO37001 certification. The recertification audit does not take place for another three years. Being a management system in its own right, it can be deployed as a freestanding anti-bribery initiative or integrated into an E&C Program.




How do they differ, and how are they alike?


The regulatory & non-regulatory compliance ecosystem

Authoritative guidance documents like the OECD’s Good Practice Guidance on Internal Controls, Ethics & Compliance, the Resource Guide to the FCPA, the Guidance to the UK Bribery Act and the French Anti-Corruption Agency Guidelines provide insights into establishing Compliance Programs as a corruption mitigation device. Many organisations operating in multiple jurisdictions have adopted E&C Programs to internalise ethical sensibility into their conduct and interactions.


ISO37001, being an international standard on anti-bribery management systems that is not tied to any one piece of legislation or international economic bloc, offers similar guidance. As in E&C Programs, internal controls, both financial & non-financial, are elaborated into processes & procedures to prevent, detect and respond to bribery in particular.


When deciding which alternative would fit their enterprise risks, organisations can weigh aspects which include but are not limited to:

  • risk assessment of the business, customers, suppliers, government relations, etc., consultation with relevant expertise on risks & legal obligations and appraisal of the workforce size, competency & limitations against resources;

  • costs, savings, benefits, contractual requirement by some industries, infrastructure (IT, work environment) and own readiness; and

  • being equipped to actualise a new or revitalise an existing ABC system - from assigning the ABC stewardship to the Leadership, introducing, training & communicating the Code of Conduct & relevant ABC policies, rolling out whistleblowing avenues & third-party due diligence tools, testing & monitoring control measures to auditing & improving the ABC system.


1. An E&C Program extends to preserving ethical sensibility and introducing the acceptable behaviour that represents an organisation’s integrity, through a Code of Conduct/ Ethics and risk-based ABC policies. These expressly written instruments set the premise for instructions to be issued formally, taught thoroughly and observed under any circumstance.


1.1 The Code of Conduct/ Ethics is the `north star' that employees are:

  • trained to look to at decision-making junctures; and

  • reminded of to uphold the highest standards in conduct & ethics.

1.2 ABC policies set out the requirements to satisfy before engaging in the activity that a particular ABC policy governs.

2. An ISO37001 certification assures that, over time, the anti-bribery processes, the organisation’s demonstrated compliance, the leadership’s commitment & support in making resources available, and continual improvement have met the ISO37001 requirements. It does not specifically address fraud, cartels, anti-competition offences, money-laundering or other conduct that could involve elements of corruption (influence-peddling, embezzlement, insider trading, misappropriation of funds, obstruction of justice, etc.).


3. Some organisations already have a running E&C Program, and ISO37001 certification is not a replacement for the entire E&C Program. Rather, it can be testament to the tried and tested anti-bribery regimen within the E&C Program.



A means to an end

Organisations are not legally bound to get ISO certified, but for some, certification is to be attained for various reasons, inter alia, a business need, the absence of a compliance program, a potential defence against corporate liability for bribery, or a competitive edge. Even so, holding ISO37001 certification does not always prevent morally-flawed individuals within an organisation from getting involved in improper conduct. From the regulators’ viewpoint, it is the certification body’s assessment of how an organisation appropriately implements & shows continual work towards enforcing the ISO37001 requirements that is paramount, not the certification alone.



Final thoughts

Organisations should endeavour to foster a Culture of Ethics amongst employees & business associates and within the Leadership. To reiterate, `doing the right thing even when no one is watching, thus compliance is the by-product of just doing one’s job mindfully’: adopting a Code of Conduct helps to amplify the way of doing things in an organisation, as a living document that emphasises observing the ABC policies issued, reporting concerns in good faith, non-retaliation, accepting diversity & inclusivity, practising social and environmental responsibility, embracing the organisation’s core values, etc.


Every organisation has its own distinctive risk profile & commercial needs and faces different regulatory challenges. Organisations need to ask themselves where they stand with their ABC regimen – whether it is implementing new ABC initiatives, revamping a pre-existing compliance program, or implementing in conjunction with an existing quality management system, i.e. ISO9001.


Assess how the T.R.U.S.T. Principles have been implemented reasonably and appropriately to an organisation's risks:

  • Top-level commitment

  • Risk Assessment

  • Undertaking control measures

  • Systematic review, monitoring & enforcement

  • Training & communication


For some organisations, the way their ISO37001 certification intertwines with their E&C Program can progressively turn best practices into the gold standard they strive for, which will be nothing short of reassuring to investors, business partners, vendors, customers, employees and other stakeholders.


