Today’s headline is inspired by two recent notices; the first is from a January 25 ENI Press Release crowing that “Eni is the first Italian company to receive that certification”. The second came from an article in the Financial Times (FT) entitled “Eni chief Claudio Descalzi charged with international corruption” by James Politi, where he began his piece with the opening, “Claudio Descalzi, chief executive of Eni, has suffered a setback after Italian prosecutors charged him with international corruption following a lengthy investigation into the Italian energy group’s 2011 purchase of a Nigerian exploration licence. Mr Descalzi was asked to stand trial along with Paolo Scaroni, the former chief executive of Eni, as well as nine other individuals who were involved in the $1.3bn transaction, according to Fabio De Pasquale, the lead prosecutor on the case.”
The international corruption, also involving Royal Dutch Shell, involved questions regarding “an offshore exploration bloc called OPL 245, which is estimated to contain up to 9bn barrels of oil and is considered one of Nigeria’s most highly-prized energy prospects.” It was further noted that “The main accusation is that Eni and Shell knew the money paid to the government for OPL 245 would then be funnelled to other Nigerian individuals, essentially as bribes.” In what can only be said is a non-denial denial, both “Eni and Shell have said that they simply transferred money to the Nigerian government, without making any arrangements with third parties or the ultimate beneficiaries.”
The problem I see with one headline is that it brings up the uselessness of the ISO certification process. One might reasonably ask how a company could receive a certification for its “AntiBribery Management Systems” when both its current and former chief executives are under indictment for ‘international corruption’? The ISO certification issue is separate and stands apart from the ISO 37001 standards themselves. When I sat down to read the more than 100 pages of what might constitute good compliance practices, I, for the most part, did not have too many disagreements with the articulation. However, in the global world of anti-bribery/anti-corruption enforcement there were multiple standards for an effective compliance program, including, but not limited to the Ten Hallmarks of an Effective Compliance Program, Six Principles of Adequate Procedures, the OECD 13 Good Practices and multiple others. Indeed, I published an entire book some 2 1/2 years ago to laying out what constitutes an effective compliance program. So while it is mildly interesting from an intellectual perspective, the reality is that it is not anything new, different or innovative.
Yet the title of this blog post makes clear that any ISO 37001 certification is much worse, for it can lead an unsuspecting person to conclude that because a company has the ISO 37001 certification, it is actually doing compliance. From the ENI Press Release it stated, “quality of the system of rules and controls aimed at preventing corruption”. If that does not sound like a paper compliance program I do not know what does. I should also note the same Press Release goes on to state that since 2009, Eni has enshrined the principle of “zero tolerance” as “expressed in its Code of Ethics.” I wonder if either the current or former ENI chief executive under indictment read or even knew about this robust ENI Code of Ethics. Interestingly, the Press Release also stated that Stage 2 of the ISO 37001 certification process involved “interviews with people on the ground” to assure compliance with the program. It is safe to assume these interviews did not include the current or former ENI chief executive.
What is a counter-party to ENI to conclude about the robustness of its anti-corruption compliance program? How about any other company which has an ISO 37001 certification? This is where the worse than useless part comes into play. People might actually think that this certification affirms the company which holds it is committed to doing compliance and will continue to do so going forward. The counter-party who does business with such an ISO 37001 certificate holder may well assume this certification forms some basis of protection against a Foreign Corrupt Practices Act (FCPA), UK Bribery Act or (you name the law) investigation for bribery and corruption. Nothing could be further from the truth.
The Department of Justice (DOJ), Securities and Exchange Commission (SEC) and Serious Fraud Office (SFO) continually make abundantly clear that a company is responsible for its counter-parties not violating applicable anti-corruption laws. Put another way, a third-party, with an ISO 37001 certification who violates the FCPA, UK Bribery Act or any other similar law puts your company at just as much risk as a third-party with no ISO 37001 certification. Putting it as simply as I can, an ISO 37001 certification from a counter-party is of less than zero worth to your company, your compliance program or indeed any defense against a FCPA enforcement action.
What about a company which thinks it needs an ISO 37001 certification? This is equally problematic but for different reasons. The DOJ and SEC jointly issued FCPA Guidance made clear that an effective compliance program is based upon a company assessing its own risks and then setting up a program to manage those risks going forward through training, incentives and discipline and ongoing monitoring. The Ten Hallmarks were designed to be flexible to allow each company to assess and then manage its risks. Moreover, this flexibility allows a Chief Compliance Officer (CCO) or compliance practitioner to put forward clear evidence of compliance with this approach if the government comes knocking in a FCPA investigation. The evidence from the Pilot Program is that the DOJ is taking this approach into account and has doled out multiple declinations and Non-Prosecution Agreements (NPAs) since its inception in April 2016.
So which headline is right: that ENI received an ISO 37001 certification or that the chief executive of ENI will stand trial for corruption? Unfortunately, they are both right and that simple answer communicates to every CCO and compliance practitioner across the globe that the ISO 37001 certification process is worse than useless. This is both for the company assessing the effect of such a certification from a potential third-party and a company considering whether it should obtain the certification to prove it is actually doing compliance.
An ISO 37001 certification provides no evidence a company is actually doing compliance.Click to tweet
This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at firstname.lastname@example.org.
© Thomas R. Fox, 2017