Should companies use the TI-UK Adequate Procedures for their Anti-Bribery Management System, or ISO 37001?
In today’s article, Trident CEO Dr Mark Lovatt explores this question that frequently arises in the business integrity field: should companies use the ISO 37001 or the TI-UK Adequate Procedures Guidance? In both private and public conversations, corporates and integrity practitioners have been debating which standards would be most useful to the design of their anti-bribery management system.
TI-UK’s Adequate Procedures were launched in response to the UK Bribery Act 2010, complete with implementation materials and guidelines. The ISO 37001 was published in 2016, intending to set an international standard that could be certified, and provide more assurance for businesses and their stakeholders. Both documents provide excellent guidance, but which one is most compatible with the business context of Malaysia today?
As companies consider how to establish the “adequate procedures” required under the Malaysian Anti-Corruption Commission (Amendment) Act 2018, some are considering using the well-known Transparency International UK booklets Adequate Procedures Guidance and its accompanying Checklist as the basis for the programme. The TI-UK documents are certainly well-designed and comprehensive, however, they may not be suitable for companies operating in Malaysia, especially those considering ISO 37001 certification. Here are a few reasons why.
1. The documents are designed for a different jurisdiction
While Malaysian law is based on UK law, the way the Malaysian Anti-Corruption Commission (MACC) 2009 Act and 2018 Amendment are not identical to the UK Bribery Act 2010. In particular, the way corporate liability works is fundamentally different, with the MACC Act operating primarily through the acts of an individual, with the corporate entity brought into the picture on a deemed basis. The UK Bribery Act, by contrast, focuses on the actions and responsibilities of the company as a legal entity, with the individuals involved being secondary; see the article in GCN for example.
The Malaysian requirements for adequate procedures also emphasise different areas, as the FCPA Blog recognises in its recent article on 2018 Amendment. So while the TI-UK materials are useful, they are not an exact match, and this can create problems for companies further down the line if they try and use the UK materials as the basis for their anti-bribery programme.
2. For companies considering ISO 37001 certification, the checklist is not directly compatible.
While both documents cover broadly similar ground, the structure of the Adequate Procedures Guidance is very different from the ISO. This makes assessment on ISO 37001 readiness difficult to achieve as a great deal of time consuming cross-referencing is required to identify where the company falls short on the ISO. The cross-referencing may also not be very accurate, depending on how experienced the people are who are doing it. So going for the TI-UK approach initially, then later pursuing ISO 37001, won’t work very well. The ISO will require a fresh start, with the additional time, trouble and cost which that will involve.
3. The UK documentation has items which are difficult to meet and not required for either the ISO or the GIACC Guidelines
The TI-UK checklist runs to 231 detailed questions, and includes a number of items many companies are likely to find difficult to meet. Tricky items include:
- No. 12: Anti-bribery is a standing item on the board agenda
- No. 44: The company reports publicly on its bribery risks
- No. 116: The company reports publicly on the extent and quality of its anti-bribery training
- No. 127: The company reports publicly on the number of whistleblowing reports with number of reports investigated, closed or resulting in management action
The TI-UK document is a voluntary checklist so these items can be ignored; but then the Compliance Department / Integrity Department is starting to pick and choose, and where do they draw the line? That can be a dangerous road to go down, bearing in mind that the personal well-being of the directors and senior management of the company is at stake.
Also, certain parts of the checklist (including the items above) are not required for either ISO 37001 or the GIACC Adequate Procedures. So companies can work hard to reach a level of compliance which has ultimately little value and is not likely to be relevant for their ultimate goal of assurance and recognition. Is it really worth the extra effort for these items when they are not needed or recognised?
4. The ISO 37001 is a more recent publication
The Adequate Procedures Guidance were published in 2010, some 6 years before the publication of ISO 37001. As in any evolving industry, the newer system is often better designed and more effective, making use of the best elements of the previous version but also taking into account the learnings gained in the meantime. So why not start with the more up-to-date materials rather than play catch-up later?
5. The Adequate Procedures Guidelines are not recognised by the Malaysian Government
Nowhere in the Malaysian legislation or the National Anti-Corruption Plan 2019 are the TI-UK Guidelines mentioned (or other similar guidelines from overseas jurisdictions). Compare this with the ISO 37001, which is mentioned specifically, and the reason why companies should pursue ISO 37001 rather than use the TI-UK documentation becomes clear. Of the approaches available, the ISO simply has more recognition both locally and internationally, and so ultimately has more value for the organisation.
6. The TI UK Adequate Procedures can’t be certified
This is probably the biggest issue. Unlike the ISO, no recognised certification body we could find gives an award based on the TI-UK procedures. While an external party may be used to try and assess the company based on the TI-UK documentation, it is not possible to then produce a recognised certificate to show to the relevant stakeholders that the system has reached the required standard. This can be a major problem, especially when working internationally or with the Malaysian Government. Achieving assurance internally may also be a problem, bearing in mind corporate liability. Directors and top management want to know the system is up to standard, not hope for the best based on an internal department’s or even a consultant’s report.
By way of conclusion, we can state that the TI-UK Adequate Procedures Guidelines (and other documentation available in the public domain) can be useful under certain circumstances for companies looking at implementing the adequate procedures required under the MACC 2018 Amendment. Taking this approach has a number of disadvantages though, some of them quite serious. Bearing in mind the substantial long-term value of ISO 37001, using other materials can result in companies investing a great deal of time and effort to implement something which later proves to fall short of what is required.
It should also be remembered that while the downloads are free, the in-house resources needed to implement them are not, and they also take a significant level of expertise to manage. So our recommended approach is to base the adequate procedures programme on the ISO from the start to establish the right platform, and build from there. That looks to be the best long-term option for sure.