An interview with Prof. Chang Hoon Cho on the risks and benefits of ISO 37001 and the task of the Korean government.
TI-Korea: What is the main message ISO 37001 sends to our society and business?
Cho Chang Hoon: There are global standards that can govern the ‘giving side’ as well as the ‘receiving side’. ISO 37001 is a global legislation governing the ‘giving side’. And the “Improper Solicitation and Graft Act of Korea” (Kim Young-ran Act) is an anti-corruption law which regulates the ‘receiving side’. In recent years, bribery and corruption-related accidents are spreading in Korea, not only in private companies but also within public institutions. To be precise, implicit practices in various areas have been exposed to the outside world.
In the meantime, the “Improper Solicitation and Graft Act of Korea” was characterized by the fact that it was a law for public officials and executives of public organizations in order to “reject” bribery and fraud. However, bribery and improper solicitation are also common in the private sector, where they provide money or economic benefits to employees of public institutions. The “Improper Solicitation and Graft Act” does not specifically regulate the ‘private sector’ where it is still possible to bribe or cheat with money. If we have specifically regulated the recipient, we must govern the ‘giving side’ accordingly. There are no relevant domestic laws yet.
ISO 37001 has been designed to become a management system that could be a global and normative factor of the anti-bribery management system in the private sector. Therefore, if a company or an organization has consistently and faithfully fulfilled each of the requirements described in ISO 37001 (and if there happens to be unreasonable matters related to bribery and fraud), then, if this company is faced with investigation, sanction, and judicial judgment, you will be able to actively counter-argue to the law enforcement authorities.
What is a necessary requirement that Korean companies should comply with?
‘Processing authenticity’ is absolutely necessary. The character of ISO 37001 is not a job which can be finished and publicly announced to have been completed in a short term. The intent and purpose of ISO 37001 should be a ‘continuous process’ in which an organization strives to minimize the risk of bribery in business practices in line with the specific requirements. I believe ISO37001 is not a job that can be finished within two or three months.
Rather than emphasizing the sincere implementation of ISO 37001 on a company-wide basis over a long period of time, companies and public institutions should publicize the introduction and implementation of ISO 37001 in such a way that they only accomplish short-term tasks or show short-term achievements. If they receive certifications from certification bodies which do not have sufficient expertise in the area of bribery prevention related compliance, it would be a bigger problem. What will happen if there are bribery- or corruption-related incidents in those companies and institutions which have publicly promoted themselves as having no risk of bribery because they are certified by ISO 37001?
As you know, nowadays we witness bribery and corruption-related accidents buffeted by incident after incident in the public sector as well as in private companies. Properly speaking, it is not sudden problems happening at this point, but it is a process that those implicitly customized problems are unveiled by the outside and are causing ethical and legal problems. I expect that this will continue for a while. It is not the time to promote achievements of the introduction and operation of ISO 37001 outside of companies, but the time to review the whole organization with all candidness.
What is the most important task related with ISO 37001?
It is ‘Authenticity’. It is necessary to be able to link ‘opportunity cost’ with ‘authenticity’ for a long time. It depends on the management responsibility. If you want to faithfully implement the contents of ISO 37001, actually there will be several costs in the short term. Business practices need to be reviewed in a way that it is totally different from present practices. However, if such an in-depth cost analysis is not done at the company level, companies may lack authenticity. It might be just a formal implementation.
There are two main reasons why a commercial company is interested in ISO 37001. One is business. In the global business environment, foreign companies which have prominent status sometimes ask Korean business partners for authentication certificates in order to replace a basic due diligence program. Acquiring an ISO 37001 certification may be considered to be faithfully fulfilling basic bribery prevention related tasks. Therefore, if they do not have an ISO 37001 certificate, companies may face difficulties in contracting at a global market. However, if companies get a certification only for formal reasons, this can lead to a problem in the future due to intentional deception of the other party.
And another reason is to reduce sanction risks from bribery incidents from regulators and the judiciary. From the perspective of profit-making companies, the sincere implementation of ISO 37001 can be a specific reason for not applying for the provisions of the dual liability. Management must, therefore, accept that ISO 37001 compliance is not an issue that can be easily addressed in the short term in the respect of cost problems or management strategic point of views. And it should be followed by activities of the management that show the authenticity of the company so that internal employees can feel it. This will prove to the supervisory agencies and law enforcement authorities in the future that the company does it faithfully. However, if they get certification of ISO 37001 only formally and wish to present it as a basis for non-application or exemption of the dual liability, there is also a risk that this may be deemed deceptive to the supervisory agencies and judicial authorities.
What do you think about the claim that Korean companies are only interested in formal requirements and tend not to stick to compliance?
Yes! I have already mentioned this issue in detail. To fulfill ISO 37001 faithfully, companies have to endure a lot of opportunity costs. There is a tendency to approach ISO 37001 as a short-term task for specific departments, while management lacks sufficient authenticity. The management needs an enterprise-wide review and has to consider the feelings of employees. Those trends can also be confirmed by checking the preparation period and company-wide efforts to obtain ISO 37001 certification. If the companies have authenticity, they should approach with short, medium and long-term plans in terms of management strategy in consideration of the costs. But it is difficult to see such a development. I wonder whether this reality is becoming more and more clear with ‘certification risks’.
Do you think ISO 37001 might be related to Korean companies’ competitiveness and credit standing?
Now, it is expected that the implementation of ISO 37001 will be a viable requirement of a company’s continuous transactions, not the strengthening of competitiveness and the enhancement of credibility. We have experienced a regime change due to the recent presidential scandal in South Korea. In the course of this scandal, big Korean companies were exposed to bribery and solicitation risks. In the wake of such developments, entrepreneurs find themselves in the situation that they have to be judged on the issue of providing economic benefits to solicitors. As you know, this has become an international issue and continues until now. We do not want to admit it, but it is also the result of big companies failing to meet the requirements of ISO 37001. And now there are enough negative influences of Korea’s leading companies on the global market.
Therefore, Korean companies need to demonstrate a different appearance on the global market – because they have a history of breaking bribery and of illegal solicitation for public officials. In order to do so, it is necessary to demonstrate the faithful implementation of ISO 37001.
Should the Korean government support an anti-bribery management system?
The government should provide specific guidelines for an effective anti-bribery management system and then comply with ISO 37001. The specific guidelines should be presented in legal and criminal precedence and be based on specific criteria for the supervision and sanction of government authorities.
Establishing and operating an effective anti-bribery management system – the core of ISO 37001 – is a necessary law in the private sector. The “Improper Solicitation and Graft Act of Korea” regulates the public sector. However, the domestic regulatory authorities and the judiciary have not yet established specific criteria for evaluating the construction and operation of effective anti-bribery management systems in the private sector.
So, there is something more to be done on the government side. First of all, the Ministry of Justice will have to make a specific reference to the court for handling the exemption of dual liability. In addition, administrative authorities and prosecutors should provide specific recommendations for the establishment and operation of an effective anti-bribery management system that emphasizes preventive functions. This will be an economic basis for continued investment in commercial companies’ anti-bribery compliance systems. It is important to make sure that the economic benefits of trying to reduce the risks of bribery and fraud are more important than the short-term economic benefits of bribery and solicitation.
What about Korea’s certification business?
I am worried about ‘certification risks’. As a person who has specialized in compliance and anti-money laundering business practices, I am now worried about the domestic ISO 37001 certification business. I am also an ISO 37001 technical expert. Certification risk is the risk that can be caused by being easily certified by a poor certification authority. This risk is jointly created by a certification institution which has a poor compliance experience with bribery prevention practices; and by corporations that want to receive easy certifications from these institutions.
Recently, Korea has experienced problems with eco-friendly egg certification systems which had been fraudulently operated. There have been collaborative results created by the irresponsibility of the regulatory authorities, the wrong practices of the certification bodies and employers. I worry about the possibilities that such problems might occur in the ISO 37001 certification business – because ISO 37001 should be handled with professional issues based on basic compliance work and knowledge. Also, the certification should be conducted through proper processes, and a strong internal audit level review should be retained properly. I am afraid that there are not enough domestic certification institutions which have relevant professional competence. The overseas certification agencies working in Korea face the same risk. Actually, for the first time, the ISO 37001 certification business is a compliance-related topic. So it’s hard to say if the current certification institutions have enough relevant experience with compliance-related topics.
What happens if certified subjects experience a domestic or global legal issue related to bribery? The certification institution which has a professional competency should be fully concerned about the ripple effects of poor certification.
Interview by Sang Hak Lee (Board Member of TI-Korea)
Prof. Cho Chang Hoon
Cho Chang Hoon taught compliance at Sogang University and holds a PH.D. in law. He is an expert on business and financial ethics as well as global compliance. Prof. Cho has worked for several years as a compliance officer for the Korean Banking Institute and is a professional instructor of integrity education at the Anti-Corruption and Civil Rights Commission of Korea (ACRC).