Fighting bribery and corruption in Italy: Pros and cons of ISO 37001 for companies already compliant with Legislative Decree no. 231/2001
By Giovanni Foti
Posted: 12th March 2018 08:16Significant steps have been taken in order to fight bribery and corruption in Italy, first with Legislative Decree no. 231/2001 (on administrative liability of legal entities), followed by Law no. 190/2012 (on prevention and suppression of corruption within public administration) and Legislative Decree no. 38/2017 (on corruption among private parties).
The progress can be contextualised in the international framework through the release of the rule ISO 37001, on 15 October 2016. What makes it unquestionably valuable is the specificity of such rule with reference to the topic of corruption.
It is well known that, in Italy, ISO 37001 is applicable to both private and public sectors, and for a wide range of entities, (i) those who have either 231 Organizational Models or international compliance programmes (e.g. according to the UK Bribery Act or to the US FCPA) effectively in place, which only need to be revised and customized to be compliant to ISO 37001, and (ii) those totally lacking an anticorruption compliance programmes, but for which ISO 37001 allows the design and implementation from scratch of a corruption prevention system.
If we made a comparison between Legislative Decree no. 231/2001 and ISO 37001, we would certainly discover that, while Legislative Decree no. 231/2001 is broader and includes various topics other than anti-bribery, ISO 37001 is more specific and focused on anti-bribery and corruption. As such, the Legislative Decree has already considered all the matters disclosed by the rule in a full comprehensive Law which allows interactions among anti-bribery, anti-corruption and anti-money laundering within a systematic Model. Furthermore, in countries other than Italy, Legislative Decree no. 231/2001 is not widespread, therefore ISO 37001 is able to give an international flavour with respect to corruption topic, making it possible for different countries, with different law systems, to speak the same language on the topic of corruption.
In addition, while Legislative Decree no. 231/2001 focuses on corruptive acts made to the benefit of legal entities, ISO 37001 is targeted at passive corruption acts committed to the benefit of individuals as well. Nevertheless, regardless of the regulation to which the Organizational Model in place is inspired to, it is absolutely essential for the organisational model to be tailor-made according to the business and market in which the entity operates, being flexible and well-respondent to the entity’s rules and procedures in place, in order to be actually effective.
But why would ISO 37001 be a plus, for companies who are already compliant with Legislative Decree no. 231/2001?
Firstly, it must be taken into account that ISO 37001 does not outclass existing laws, included Legislative Decree 231/2001, but would certainly well integrate and complete the protection already provided to the adopting entity by the Legislative Decree in case of offences, offering a best practice in fighting bribery and corruption.
Here is where consultants come into play, with an essential role: provide assistance, in cooperation with both the entity’s attorneys and compliance department, in designing a perfectly customised Organizational Model, combining their diverse expertise – the ability to identify criticalities within processes and the extensive knowledge of similar cases.
It must be considered that, for those entities which have already implemented an effective 231 Organizational Model, the investment required for the design and implementation of an organisational system compliant with ISO 37001 would be moderate.
Definitely, the process to obtain ISO 37001 certification is not a bowl of cherries, and a wrong interpretation of the usefulness of such International Standard could be of detriment to the adopting entity.
The main disincentive related to the implementation of ISO 37001 could certainly be its high generality. Being a high-level, International Standard, makes ISO 37001 difficult to be used by companies as a vade-mecum which to refer to for the specific implementation of its content.
Moreover, the compliance process of the Organizational Model with ISO 37001 should not be either a “once in a lifetime” or a “copy and paste” process: it should be tailor-made, adjusted according to the entities’ specificities and risks, and it would need regular reviews. Indeed, what is intrinsic to the nature of the Standard ISO 37001 is the fact that no certification would be issued if, for instance, an entity performed its due diligence process based only on blacklists and watch lists screening. In fact, a relevant characteristic of the ISO 37001 is to certify the effort made by the company, not only to comply with pure and simple law requirements but, more importantly, to demonstrate the willingness to ground the company itself on integrity and transparency principles. Investing in a compliance process with ISO 37001, while not respecting such principles, would make the process become of detriment to the entity.
Last, but not least, it must be taken into consideration that neither an Organizational Model according to Legislative Decree no. 231/01, nor full compliance with ISO 37001 would guarantee an indisputable and complete protection against potential engagements in corruptive acts made in the interest of the adopting entity, but it would certainly increase the entity’s chances of liability exemption. In fact, especially at an international level, the degree of protection guaranteed by Legislative Decree no. 231/01 is not the highest, while the integration of a 231 Organizational Model with an IS0 37001 certification would be able to smooth the way within international courts.
+39 02 366 962 04
Giovanni Foti, partner at Accuracy, specialises in fraud investigation and dispute services. He focuses on fraud investigations, forensic accounting and compliance risk management. As a certified chartered accountant, he has performed valuations and financial analyses, appraisals and fairness opinions. Before setting up Accuracy Italy, Mr. Foti worked as executive director in the fraud investigation and dispute practice of Ernst & Young, dealing with fraud investigation, litigation, arbitration, expert witness, forensic accounting and compliance risk management. Previously, he matured extensive experience as an auditor at Arthur Andersen.