This work is licensed under a Creative Commons Attribution 4.0 International License. To read a copy of the
license visit the web site http://creativecommons.org/licenses/by-nc/4.0/ or send a letter to Creative
Commons, 171 Second Street, Suite 300, San Francisco, California, 94105, USA.
Approaching the Anti-Bribery Law requirements with the use of ISO 31000 standard on Risk Management
The application of the ISO 31000:2009 Risk Management –
“Principles and guidelines” standard to the compliance programs
with the Country Anti-Bribery requirements.
by Stefano Barlini, CT31000, CIA, CISA, CCSA, QAR, qualified professional in risk consulting and
training services. He is a member of a number of Supervisory Boards established according to the
Italian Anti-Bribery Act. Associate with Crowe Horwath AS for the risk consulting services.
Crowe Horwath AS is an accounting and advisory firm established in 1987, with offices in Milan, Rome and
Turin, providing the following professional services: Audit, Risk Consulting, Financial Advisory and
Forensic Accounting. Crowe Horwath AS is a member of Crowe Horwath International, one of the 10 largest
worldwide networks, with more than 140 independent accounting and advisory services firms and 640
offices in more than 100 countries around the world.
The application of the ISO 31000 to the compliance programs to the Country Anti-Bribery Act 2
Objectives and Acknowledgments
This work is intended to initiate a discussion with other professionals interested in Risk Management on
the use of the ISO 31000:2009 standard for the compliance programs adopted to address the Country Anti-
Bribery Law (OECD Convention based) requirements. This work follows a number of other publications by
the same author on ISO 31000:2009, which are available on his LinkedIn profile.
The author gratefully acknowledges The Global Institute for Risk Management Standards for the aid
provided also through the LinkedIn Group “ISO 31000 Risk Management Standard”.
Can the ISO 31000 standard help in approaching the Country Anti-Bribery (OECD Convention based) rules
requirements?
To try to answer this question, a brief summary of the ISO 31000 standard may be useful, while on the
other side the Italian Anti-Bribery Act (Legislative Decree 231/2001) is taken here as an example of the rules
adopted at country level to address the OECD Convention on Combating Bribery of Foreign Public Officials
in International Business Transactions. Indeed, other countries have implemented and enforced the same
OECD Anti-Bribery Convention in different ways and through different steps
(http://www.oecd.org/daf/anti-bribery/countryreportsontheimplementationoftheoecdanti-briberyconvention.htm),
although all of them basically arise from the same source. This document is intended neither to compare nor
to explore those different ways, but rather to encourage and initiate a discussion on the possible benefits of
approaching worldwide, through the use of the same standard (ISO 31000:2009), the similar requirements
for preventing the risk of crimes (more specifically the risk of bribery of foreign public officials in
international business transactions) committed by an organisation and/or its managers and employees.
ISO 31000:2009 “Risk Management – Principles and guidelines”
The ISO 31000 “Risk Management – Principles and guidelines” standard was first published in November
2009 and has so far been adopted as their official risk management standard by the great majority of
countries, including EU countries (Germany, United Kingdom, France, Italy, etc.), USA, Canada, Brazil, Japan,
Russia, China, Australia, India, South Africa, etc. (http://g31000.org/national-standards-adopt-iso31000/).
As an ISO standard, in reaching its definitive form it is built on international consensus on its definitions
and practices among the different stakeholders. Due to the high number and heterogeneity of the interested
stakeholders, this consensus is necessarily more complicated and therefore requires more time. In this
regard, we can easily appreciate these difficulties by considering even only the different sectors/specific
risks and the related professionals or stakeholders potentially interested in the ISO 31000 standard:
1. Workplace health and safety risks
2. Regulatory compliance risks
3. Financial risks and/or investment risk and/or credit risks etc.
4. Risk of loss
5. IT risks
6. Fraud risks
7. Quality risks
8. Environmental risks
9. Fire and explosion risks
10. Risk of life/death
11. ...
As one of its goals is to provide a common approach to the development or revision of other standards
dealing with specific risks and/or sectors, it is impossible to list all the possible applications of the
ISO 31000 standard. It is indeed applicable to all types of organisations, of any size and in whichever
industry, business, sector or activity, each of which in pursuing its objectives necessarily faces uncertainty on:
• what (e.g. objective 1 or 2?)
• to what extent (e.g. at 100% or at 50%?)
• when (e.g. by this month or by this year?)
Hence we can conclude that the ISO 31000 standard has to be referred and applied to the company
management system (the actual and specific one) through which decisions are taken at any level (i.e.
strategic, tactical, operational) and/or area (i.e. processes, functions, products, services, assets, projects, etc.)
to achieve the company’s objectives.
Italian Anti-Bribery Act (Legislative Decree 231/2001)
The Italian Legislative Decree 231/2001 (Italian Anti-Bribery Act) is the main act adopted by Italy to
implement and enforce the OECD Convention on Combating Bribery of Foreign Public Officials in
International Business Transactions.
Here are some of the main features of the Italian Anti-Bribery Act:
1) it has introduced into the Italian legal system the direct criminal liability of companies and other
entities with regard to their worldwide operations; on that basis Italian criminal courts have the
authority to initiate and conduct legal proceedings both against companies and against the individuals (e.g.
directors, officers and employees) who have committed those crimes;
2) it lists a number of crimes that may originate the corporate criminal liability, when these crimes are
committed in the interest of the company and/or to its benefit (e.g. bribery of public official to
obtain a contract from a government-owned enterprise) by its management and/or staff; once
committed, the company may be prosecuted for its “organisational fault” for not having adopted
adequate and effective countermeasures to prevent those crimes and on the other side for
obtaining a benefit and/or for having an interest in that conduct;
3) beyond bribery and fraud crimes (including financial and/or accounting fraud), pursuant to the
Italian Anti-Bribery act, a firm may also be liable for other crimes listed by the same act:
o health and safety offences at work
o money laundering
o insider trading and market abuse crimes
o computer crimes
o IP crimes
o environmental crimes
o etc.
4) it introduces penalties (issued also as precautionary measures in some circumstances) of the utmost
magnitude as a possible consequence for a company found guilty:
o monetary fines;
o injunctions (ban on doing business, recall and/or cancellation of authorizations, licenses or
other permissions/subsidies granted by government, ban on promoting goods and services,
etc.);
o confiscation;
5) it enables a company, even where a crime has occurred, to avoid being held liable for it (“corporate
liability exclusion”) or to obtain important reductions of penalties, in case an adequate compliance
program to prevent such crimes has been effectively implemented and enforced;
6) it explicitly requires that such a compliance program should:
o be based on the identification and assessment of the activities at risk of crime (company
risk profile); e.g. areas of operations where a crime might be committed within the
company interest and/or to its benefit;
o establish proper controls, particularly over the use of company financial resources, and
ensure their adequacy and effectiveness to prevent and/or reduce the risk of crime;
o include a Supervisory Board in charge of and put in the proper conditions to monitor the
observance and review the effectiveness of the same compliance program’s provisions and
particularly of the above mentioned controls;
o implement proper flows of communication across the company to enable the Supervisory
Board to address its responsibilities (e.g. prompt information on changes to the
organisation and/or to the company business model may trigger the initiation of the review
by the SB of the risk assessment as well as of the risk treatment) ;
o define the disciplinary actions to be imposed for the violations of the compliance program
provisions.
7) in connection with the Italian Health and Safety at work Act provisions (Legislative Decree 81/2008)
and only considering the risks of health and safety offences at work, a certified OHSAS 18001:2007
Occupational Health and Safety management system may be considered appropriate and able to
exclude company criminal liability.
Hence we can conclude that the Italian Anti-Bribery Act, like the other Country (OECD Convention based) Anti-
Bribery Laws, in combating corporate crimes including bribery of public officials in business transactions,
adds some risks (with costly and burdensome consequences) to a company in achieving its objectives.
How to use ISO 31000 standard in approaching the Country Anti-Bribery (OECD Convention based) rules
requirements?
Having introduced ISO 31000 and an example of Country Anti-Bribery (OECD Convention based) law
requirements, we can now try to illustrate some possible applications of the former to the latter.
We highlighted that:
• the Country Anti-Bribery (OECD Convention based) Acts add some risks to companies in achieving
their objectives;
• the ISO 31000 standard has to be applied to the company management system through which
decisions are taken at any level (i.e. strategic, tactical, operational) and/or area (i.e. processes,
functions, products, services, assets, projects, etc.) to achieve the company’s objectives.
ISO 31000 may first be applied in approaching the risks arising from the Country Anti-Bribery Law
(OECD Convention based) requirements. The first and most crucial step of a compliance program to any
Country Anti-Bribery Law (OECD Convention based) requirements is indeed the risk assessment, through
which the company becomes aware of the risks to its objectives arising from those requirements and is
able to take informed decisions in accordance with its risk profile.
Based on the (risk) priorities established with the risk assessment exercise, the second step of a compliance
program to any Country Anti-Bribery Law (OECD Convention based) requirements will be focused on the
risk treatment options and subsequent efforts. Here again the ISO 31000 standard may support this phase
of the risk management process: of course, the more accurate the risk profile, the better the risk treatment
options can be evaluated and approached.
Another common requirement of a compliance program to any Country Anti-Bribery Law (OECD
Convention based) is the capability of that compliance program to ensure its (design) adequacy and
effectiveness on a continuous basis. Here again the ISO 31000 standard provides specific guidance on the
monitoring and review phase, both at process and framework level, according to the continuous
improvement approach (plan-do-check-act cycle) widely adopted by ISO standards.
Taking again the example of the Italian Anti-Bribery Law (OECD Convention based), the table below
reports the main components of a compliance program (generally called “231 Model”) to those
requirements with the references to the ISO 31000 standard, differentiated among its three pillars
(principles, framework and process):
Table 1 – Compliance program (“231 Model”) to the Italian Anti-Bribery Act (Legislative Decree 231/2001) vs. ISO 31000:2009
Each row gives a 231 Model component followed by its ISO 31000 references under the three pillars (Principles, Framework, Process); a dash means no reference under that pillar.
1. Assessment of the activities at risk of crime
   Principles: a) Creates value; c) Part of decision making
   Framework: –
   Process: Establishing the context (5.3); Risk assessment (5.4)
2. Internal Controls analysis and improvement
   Principles: b) Integral part of organisational processes; g) Tailored
   Framework: –
   Process: Risk treatment (5.5)
3. Monitoring and review of the compliance program and of its provisions
   Principles: j) Dynamic, iterative and responsive to change
   Framework: –
   Process: Monitoring and review (5.6); Recording the risk management process (5.7)
4. Supervisory Board
   Principles: –
   Framework: Mandate and commitment (4.2); Monitoring and review of the framework (4.5); Continual improvement of the framework (4.6)
   Process: –
5. Flows of information to the Supervisory Board
   Principles: i) Transparent and inclusive
   Framework: –
   Process: Communication and consultation (5.2)
6. Disciplinary System
   Principles: –
   Framework: –
   Process: Risk treatment (5.5)
Some additional notes may be useful in explaining the relationships reported in the above table:
a. The 11 principles are one of the three pillars of the ISO 31000 standard, and all of them have to be the
basis of any risk management system, including, in our example, the “231 Model” (a specific risk
management system focused on compliance with the requirements arising from the Italian Anti-Bribery
Act). The above relationships are therefore intended only to highlight the principles that have a higher
correlation with one of the 231 Model components. For example, the principle “a) Creates value” explicitly
names legal and regulatory compliance as one of the objectives to which risk management contributes, in
this way creating and protecting value for the company.
b. The framework, which is based on the 11 principles and in turn is the basis of the risk management
process, is here linked to the “Supervisory Board” component. This follows from the assumption of a 231
Model already running, and therefore previously designed (Design of framework for managing risk – 4.3)
and implemented (Implementing risk management – 4.4), that is entrusted to the Supervisory Board for its
monitoring and review activities, as reported in the above association. Of course the scope of the
framework is wider than that of the 231 Model, which is basically focused only on the risk of committing
crimes that lead to corporate liability.
c. The risk management process according to ISO 31000 includes in a very straightforward way the main
process of a compliance program to the Italian Anti-Bribery Act requirements, with a key role assigned to
the risk assessment (“risk identification”, “risk analysis” and “risk evaluation”), including the prior
establishment of the (internal and external) context (5.3), as well as to the “monitoring and review”
activities on one side and the “communication and consultation” activities on the other. Finally, the ISO
31000 standard gives great attention to the requirement of recording the risk management process (5.7)
to ensure traceability; in the above table this has been referred only to the review activities, since one of
the key objectives of any audit activity is to acquire evidence to support opinions, including those to be
released by the Supervisory Board on the (design and operating) effectiveness of the 231 Model and its
provisions.
d. The “risk treatment”, which has a key role both for the ISO 31000 standard and for the Italian Anti-
Bribery Act requirements, is in the table linked to the “Internal Controls analysis and improvement”
component of a compliance program, through which the company, in evaluating the different options
(including the retention of the risk by an informed decision), “modifies” the risks it is facing (e.g. by
preventing or reducing the likelihood that a crime is committed in the interest and/or to the benefit of the
company). With a certain stretch, the disciplinary system (an essential component of the compliance
program to the Italian Anti-Bribery Act requirements) is here also associated with “risk treatment”,
considering that the provision of disciplinary sanctions has itself a deterrent value and is therefore able to
modify behaviours that may be potentially illegal or in any case at risk of crime.
Which benefits from the use of the ISO 31000 in approaching the Country Anti-Bribery (OECD Convention
based) rules requirements?
We have shown that it is possible to implement (if new) or critically review (if already implemented) a
compliance program to any Country Anti-Bribery Act on the basis of ISO 31000:2009. However, are there
any benefits that are valid for any compliance program? Among the possible benefits, it is possible to
include the following:
1. Basing the compliance program on an international standard, which in turn is based on the best
practices available internationally in any sector and/or industry and has the intrinsic strength of an ISO
standard, may be very useful especially before any (internal or external) party called to provide an
opinion on the adequacy and/or effectiveness of that compliance program.
2. The integration of the compliance program into a wider risk management system, or even better into
the company management system itself (through which decisions are really taken), is essential to ensure
the effectiveness of such a compliance program (the most difficult requirement of any compliance
program). One of the first objectives of ISO 31000 is indeed to “integrate the process for managing risks
into the organisation’s overall governance, strategy and planning, management, reporting processes,
policies, values and culture” (see the Introduction of ISO 31000:2009).
3. The ISO 31000 standard is evolving continuously. Besides having been adopted as their own national
risk management standard by the great majority of the most important countries, including the EU
members (Germany, Great Britain, France, Italy, etc.), USA, Canada, Brazil, Japan, Russia, China, Australia,
India, South Africa, etc. (http://g31000.org/national-standards-adopt-iso31000/), it is possible to expect
more and more consensus and application, as well as its further development and strengthening through
additional publications and guidance (on this regard see the news on the meeting of the ISO committee
ISO/TC 262, which has been in charge of the two publications “ISO Guide 73:2009 Risk management –
Vocabulary” and “ISO 31000:2009 Risk management – Principles and guidelines”).

More Related Content

Viewers also liked

Hispanic scholarships
Hispanic scholarshipsHispanic scholarships
Hispanic scholarshipspxyoqctr
 
Temp-Sensitive Inhibition of Development in Dictyostelium - Dev Bio 251 18-26...
Temp-Sensitive Inhibition of Development in Dictyostelium - Dev Bio 251 18-26...Temp-Sensitive Inhibition of Development in Dictyostelium - Dev Bio 251 18-26...
Temp-Sensitive Inhibition of Development in Dictyostelium - Dev Bio 251 18-26...James Silverman
 
Test Driven Development: Abre alas
Test Driven Development: Abre alasTest Driven Development: Abre alas
Test Driven Development: Abre alasMarcos Pereira
 
梵蒂岡再拾零
梵蒂岡再拾零梵蒂岡再拾零
梵蒂岡再拾零Jaing Lai
 
Nitrousfitz Presents
Nitrousfitz PresentsNitrousfitz Presents
Nitrousfitz PresentsFrancis Walsh
 
Cuidado a dengue mata se não prevenir ela tem mata
Cuidado  a dengue mata se não prevenir ela tem mataCuidado  a dengue mata se não prevenir ela tem mata
Cuidado a dengue mata se não prevenir ela tem matajusakrai
 
FLOOR AND DESCRIPT
FLOOR AND DESCRIPTFLOOR AND DESCRIPT
FLOOR AND DESCRIPTLynn Nguyen
 
Stanek ekonomická prognóza
Stanek ekonomická prognózaStanek ekonomická prognóza
Stanek ekonomická prognózaoikos Bratislava
 
"Friends of Tiger" U.S. Open wrap podcast
"Friends of Tiger" U.S. Open wrap podcast"Friends of Tiger" U.S. Open wrap podcast
"Friends of Tiger" U.S. Open wrap podcastgolfaddict50
 
Banco Nuevo Mundo Subasta depositos sector publico -dec1998-sep2001
Banco Nuevo Mundo Subasta depositos sector publico -dec1998-sep2001Banco Nuevo Mundo Subasta depositos sector publico -dec1998-sep2001
Banco Nuevo Mundo Subasta depositos sector publico -dec1998-sep2001gonzaloromani
 
Worship Guide - Easter 2011 - 04/24/2011
Worship Guide - Easter 2011 - 04/24/2011Worship Guide - Easter 2011 - 04/24/2011
Worship Guide - Easter 2011 - 04/24/2011tpog
 
Festividade dia do circo
Festividade dia do circoFestividade dia do circo
Festividade dia do circoanaluciabicudo
 

Viewers also liked (12)

Hispanic scholarships
Hispanic scholarshipsHispanic scholarships
Hispanic scholarships
 
Temp-Sensitive Inhibition of Development in Dictyostelium - Dev Bio 251 18-26...
Temp-Sensitive Inhibition of Development in Dictyostelium - Dev Bio 251 18-26...Temp-Sensitive Inhibition of Development in Dictyostelium - Dev Bio 251 18-26...
Temp-Sensitive Inhibition of Development in Dictyostelium - Dev Bio 251 18-26...
 
Test Driven Development: Abre alas
Test Driven Development: Abre alasTest Driven Development: Abre alas
Test Driven Development: Abre alas
 
梵蒂岡再拾零
梵蒂岡再拾零梵蒂岡再拾零
梵蒂岡再拾零
 
Nitrousfitz Presents
Nitrousfitz PresentsNitrousfitz Presents
Nitrousfitz Presents
 
Cuidado a dengue mata se não prevenir ela tem mata
Cuidado  a dengue mata se não prevenir ela tem mataCuidado  a dengue mata se não prevenir ela tem mata
Cuidado a dengue mata se não prevenir ela tem mata
 
FLOOR AND DESCRIPT
FLOOR AND DESCRIPTFLOOR AND DESCRIPT
FLOOR AND DESCRIPT
 
Stanek ekonomická prognóza
Stanek ekonomická prognózaStanek ekonomická prognóza
Stanek ekonomická prognóza
 
"Friends of Tiger" U.S. Open wrap podcast
"Friends of Tiger" U.S. Open wrap podcast"Friends of Tiger" U.S. Open wrap podcast
"Friends of Tiger" U.S. Open wrap podcast
 
Banco Nuevo Mundo Subasta depositos sector publico -dec1998-sep2001
Banco Nuevo Mundo Subasta depositos sector publico -dec1998-sep2001Banco Nuevo Mundo Subasta depositos sector publico -dec1998-sep2001
Banco Nuevo Mundo Subasta depositos sector publico -dec1998-sep2001
 
Worship Guide - Easter 2011 - 04/24/2011
Worship Guide - Easter 2011 - 04/24/2011Worship Guide - Easter 2011 - 04/24/2011
Worship Guide - Easter 2011 - 04/24/2011
 
Festividade dia do circo
Festividade dia do circoFestividade dia do circo
Festividade dia do circo
 

Similar to ISO 31000 Vs ABC Laws

GIACC Italy - ISO 37001
GIACC Italy - ISO 37001GIACC Italy - ISO 37001
GIACC Italy - ISO 37001Ciro Strazzeri
 
G20 anti corruption-action_plan
G20 anti corruption-action_planG20 anti corruption-action_plan
G20 anti corruption-action_planDr Lendy Spires
 
Bortoletti, pharmaceutical compliance congress, fight against corruption, bud...
Bortoletti, pharmaceutical compliance congress, fight against corruption, bud...Bortoletti, pharmaceutical compliance congress, fight against corruption, bud...
Bortoletti, pharmaceutical compliance congress, fight against corruption, bud...Maurizio Bortoletti
 
Jurisdiction update italy insurance - First published on Thomson Reuters Acce...
Jurisdiction update italy insurance - First published on Thomson Reuters Acce...Jurisdiction update italy insurance - First published on Thomson Reuters Acce...
Jurisdiction update italy insurance - First published on Thomson Reuters Acce...Nicolò Juvara
 
Best Practices on combating the abuse of non-profit organisations. Recommenda...
Best Practices on combating the abuse of non-profit organisations. Recommenda...Best Practices on combating the abuse of non-profit organisations. Recommenda...
Best Practices on combating the abuse of non-profit organisations. Recommenda...Maria García Aguado
 
Leveraging ISO 31000 for Effective Integration of Risk Management and Interna...
Leveraging ISO 31000 for Effective Integration of Risk Management and Interna...Leveraging ISO 31000 for Effective Integration of Risk Management and Interna...
Leveraging ISO 31000 for Effective Integration of Risk Management and Interna...International Federation of Accountants
 
Mind the Gaps: AML and Fraud Global Benchmark Survey
Mind the Gaps: AML and Fraud Global Benchmark Survey Mind the Gaps: AML and Fraud Global Benchmark Survey
Mind the Gaps: AML and Fraud Global Benchmark Survey Paul Hamilton
 
Legal shorts 19.06.15 including MiFID II and ESMA launches new strategy
Legal shorts 19.06.15 including MiFID II and ESMA launches new strategyLegal shorts 19.06.15 including MiFID II and ESMA launches new strategy
Legal shorts 19.06.15 including MiFID II and ESMA launches new strategyCummings
 
Fighting Private Sector Corruption And Fraud[1]
Fighting Private Sector Corruption And Fraud[1]Fighting Private Sector Corruption And Fraud[1]
Fighting Private Sector Corruption And Fraud[1]Alphons Ranner
 
Latin American Meeting on Private Sector Responsibility in the Fight against ...
Latin American Meeting on Private Sector Responsibility in the Fight against ...Latin American Meeting on Private Sector Responsibility in the Fight against ...
Latin American Meeting on Private Sector Responsibility in the Fight against ...EUROsociAL II
 
UNODC: Doing Business in Myanmar Without Bribery
UNODC: Doing Business in Myanmar Without BriberyUNODC: Doing Business in Myanmar Without Bribery
UNODC: Doing Business in Myanmar Without BriberyEthical Sector
 
Legal shorts 28.11.14 including FCA reminder of new ‘connect’ portal for firm...
Legal shorts 28.11.14 including FCA reminder of new ‘connect’ portal for firm...Legal shorts 28.11.14 including FCA reminder of new ‘connect’ portal for firm...
Legal shorts 28.11.14 including FCA reminder of new ‘connect’ portal for firm...Cummings
 
ISO 31022 Management of Legal Risks IE Law School Masterclass Hernan Huwyler
ISO 31022 Management of Legal Risks IE Law School Masterclass Hernan Huwyler ISO 31022 Management of Legal Risks IE Law School Masterclass Hernan Huwyler
ISO 31022 Management of Legal Risks IE Law School Masterclass Hernan Huwyler Hernan Huwyler, MBA CPA
 
Presentacion Ing. Neill Stansbury "Progreso en la implementación- internacio...
Presentacion Ing.  Neill Stansbury "Progreso en la implementación- internacio...Presentacion Ing.  Neill Stansbury "Progreso en la implementación- internacio...
Presentacion Ing. Neill Stansbury "Progreso en la implementación- internacio...CPIC
 
Eba fin tech roadmap
Eba fin tech roadmapEba fin tech roadmap
Eba fin tech roadmapJonas Mercier
 
Legal shorts 20.03.15 including March 2015 Budget and disguised fee income su...
Legal shorts 20.03.15 including March 2015 Budget and disguised fee income su...Legal shorts 20.03.15 including March 2015 Budget and disguised fee income su...
Legal shorts 20.03.15 including March 2015 Budget and disguised fee income su...Cummings
 
Cms guide-to-anti-bribery-and-corruption-laws
Cms guide-to-anti-bribery-and-corruption-lawsCms guide-to-anti-bribery-and-corruption-laws
Cms guide-to-anti-bribery-and-corruption-lawsDianBrouwer
 
G20 leaders commitments_compilation_sept_2013
 G20 leaders commitments_compilation_sept_2013 G20 leaders commitments_compilation_sept_2013
G20 leaders commitments_compilation_sept_2013Dr Lendy Spires
 

Similar to ISO 31000 Vs ABC Laws (20)

GIACC Italy - ISO 37001
GIACC Italy - ISO 37001GIACC Italy - ISO 37001
GIACC Italy - ISO 37001
 
G20 anti corruption-action_plan
G20 anti corruption-action_planG20 anti corruption-action_plan
G20 anti corruption-action_plan
 
Bortoletti, pharmaceutical compliance congress, fight against corruption, bud...
Bortoletti, pharmaceutical compliance congress, fight against corruption, bud...Bortoletti, pharmaceutical compliance congress, fight against corruption, bud...
Bortoletti, pharmaceutical compliance congress, fight against corruption, bud...
 
Jurisdiction update italy insurance - First published on Thomson Reuters Acce...
Jurisdiction update italy insurance - First published on Thomson Reuters Acce...Jurisdiction update italy insurance - First published on Thomson Reuters Acce...
Jurisdiction update italy insurance - First published on Thomson Reuters Acce...
 
Best Practices on combating the abuse of non-profit organisations. Recommenda...
Best Practices on combating the abuse of non-profit organisations. Recommenda...Best Practices on combating the abuse of non-profit organisations. Recommenda...
Best Practices on combating the abuse of non-profit organisations. Recommenda...
 
Risk management & ISO 31000
Risk management & ISO 31000Risk management & ISO 31000
Risk management & ISO 31000
 
Leveraging ISO 31000 for Effective Integration of Risk Management and Interna...
Leveraging ISO 31000 for Effective Integration of Risk Management and Interna...Leveraging ISO 31000 for Effective Integration of Risk Management and Interna...
Leveraging ISO 31000 for Effective Integration of Risk Management and Interna...
 
Mind the Gaps: AML and Fraud Global Benchmark Survey
Mind the Gaps: AML and Fraud Global Benchmark Survey Mind the Gaps: AML and Fraud Global Benchmark Survey
Mind the Gaps: AML and Fraud Global Benchmark Survey
 
Legal shorts 19.06.15 including MiFID II and ESMA launches new strategy
Legal shorts 19.06.15 including MiFID II and ESMA launches new strategyLegal shorts 19.06.15 including MiFID II and ESMA launches new strategy
Legal shorts 19.06.15 including MiFID II and ESMA launches new strategy
 
Fighting Private Sector Corruption And Fraud[1]

ISO 31000 Vs ABC Laws

Can the ISO 31000 standard help in approaching the Country Anti-Bribery (OECD Convention based) rules requirements?

To try to answer this question, a brief summary of the ISO 31000 standard may be useful; on the other side, the Italian Anti-Bribery Act (Legislative Decree 231/2001) is taken here as an example of the rules adopted at country level to address the OECD Convention on Combating Bribery of Foreign Public Officials in International Business Transactions. Other countries have implemented and enforced the same OECD Anti-Bribery Convention in different ways and steps (http://www.oecd.org/daf/anti-bribery/countryreportsontheimplementationoftheoecdanti-briberyconvention.htm), although all of them basically arise from the same source. This document is intended neither to compare nor to explore those different ways, but rather to encourage and initiate a discussion on the possible benefits of approaching worldwide, through the use of the same standard (ISO 31000:2009), the similar requirements for preventing the risk of crimes (more specifically the risk of bribery of foreign public officials in international business transactions) by an organisation and/or its managers and employees.

ISO 31000:2009 “Risk Management – Principles and guidelines”

The ISO 31000 “Risk Management – Principles and guidelines” standard was first published in November 2009 and has so far been adopted as the official Risk Management standard by the great majority of countries, including EU countries (Germany, United Kingdom, France, Italy, etc.), USA, Canada, Brazil, Japan, Russia, China, Australia, India, South Africa, etc. (http://g31000.org/national-standards-adopt-iso31000/). As an ISO standard, up to its definitive accomplishment it is built on international consensus on its definitions and practices by the different stakeholders. Due to the high number and heterogeneity of the interested stakeholders, this consensus is necessarily more complicated and therefore requires more time. In this regard, we can easily appreciate these difficulties by considering only the different sectors/specific risks and the related professionals or stakeholders potentially interested in the ISO 31000 standard:

1. Workplace health and safety risks
2. Regulatory compliance risks
3. Financial risks and/or investment risks and/or credit risks, etc.
4. Risk of loss
5. IT risks
6. Fraud risks
7. Quality risks
8. Environmental risks
9. Fire and explosion risks
10. Risk of life/death
11. ...
As one of its goals is to provide a common approach in the development or revision of other standards dealing with specific risks and/or sectors, it is impossible to list all the possible applications of the ISO 31000 standard. It is indeed applicable to all types of organisations, of any size and in whichever industry, business, sector or activity, that in pursuing its objectives necessarily faces uncertainty on:

• what (e.g. objective 1 or 2?)
• to what percentage (e.g. at 100% or at 50%?)
• when (e.g. by this month or by this year?)

Hence we can conclude that the ISO 31000 standard has to be referred and applied to the company management system (the actual and specific one) through which decisions are taken at any level (i.e. strategic, tactical, operational) and/or area (i.e. processes, functions, products, services, assets, projects, etc.) to achieve the company’s objectives.

Italian Anti-Bribery Act (Legislative Decree 231/2001)

The Italian Legislative Decree 231/2001 (Italian Anti-Bribery Act) is the main act adopted by Italy to implement and enforce the OECD Convention on Combating Bribery of Foreign Public Officials in International Business Transactions. Here are some of the main features of the Italian Anti-Bribery Act:

1) it has introduced into the Italian legal system direct criminal liability for companies and other entities with regard to their worldwide operations; based on that, Italian criminal courts have the authority to initiate and conduct legal proceedings both against companies and against the individuals (e.g. directors, officers and employees) who have committed those crimes;
2) it lists a number of crimes that may give rise to corporate criminal liability when they are committed in the interest of the company and/or to its benefit (e.g. bribery of a public official to obtain a contract from a government-owned enterprise) by its management and/or staff; once a crime has been committed, the company may be prosecuted for its “organisational fault”, i.e. for not having adopted adequate and effective countermeasures to prevent those crimes, and on the other side for obtaining a benefit and/or having an interest in that conduct;
3) beyond bribery and fraud crimes (including financial and/or accounting fraud), pursuant to the Italian Anti-Bribery Act a firm may also be liable for other crimes listed by the same act:
   o health and safety offences at work
   o money laundering
   o insider trading and market abuse crimes
   o computer crimes
   o IP crimes
   o environmental crimes
   o etc.
4) it introduces penalties (issued also as precautionary measures in some circumstances) of capital magnitude as a possible consequence for a company found guilty:
   o monetary fines;
   o injunctions (ban on doing business, recall and/or cancellation of authorizations, licenses or other permissions/subsidies granted by government, ban on promoting goods and services, etc.);
   o confiscation;
5) it enables a company, even when a crime has occurred, to avoid being held liable for it (“corporate liability exclusion”) or to obtain important reductions of the penalties, in case an adequate compliance program to prevent such crimes has been effectively implemented and enforced;
6) it explicitly requires that such a compliance program should:
   o be based on the identification and assessment of the activities at risk of crime (company risk profile), e.g. the areas of operations where a crime might be committed in the company’s interest and/or to its benefit;
   o establish proper controls, particularly over the use of company financial resources, and ensure their adequacy and effectiveness to prevent and/or reduce the risk of crime;
   o include a Supervisory Board in charge of, and put in the proper conditions to, monitor the observance and review the effectiveness of the compliance program’s provisions, and particularly of the above mentioned controls;
   o implement proper flows of communication across the company to enable the Supervisory Board to address its responsibilities (e.g. prompt information on changes to the organisation and/or to the company business model may trigger the review by the SB of the risk assessment as well as of the risk treatment);
   o define the disciplinary actions to be imposed for violations of the compliance program provisions;
7) in connection with the provisions of the Italian Health and Safety at Work Act (Legislative Decree 81/2008), and only considering the risks of health and safety offences at work, a certified OHSAS 18001:2007 Occupational Health and Safety management system may be considered appropriate and able to exclude company criminal liability.

Hence we can conclude that the Italian Anti-Bribery Act, like the other Country (OECD Convention based) Anti-Bribery Laws, in combating corporate crimes including bribery of public officials in business transactions, adds some risks (with costly and burdensome consequences) to a company in achieving its objectives.

How to use the ISO 31000 standard in approaching the Country Anti-Bribery (OECD Convention based) rules requirements?

Having introduced the ISO 31000 and an example of Country Anti-Bribery (OECD Convention based) law requirements, we can now try to illustrate some possible applications of the former to the latter. We highlighted that:

• the Country Anti-Bribery (OECD Convention based) Acts add some risks to companies in achieving their objectives;
• the ISO 31000 standard has to be applied to the company management system through which decisions are taken at any level (i.e. strategic, tactical, operational) and/or area (i.e. processes, functions, products, services, assets, projects, etc.) to achieve the company’s objectives.

The ISO 31000 may firstly be applied in approaching the risks arising from the Country Anti-Bribery Law (OECD Convention based) requirements. The first and most crucial step of a compliance program to any Country Anti-Bribery Law (OECD Convention based) requirements is indeed the risk assessment, through which the company becomes aware of the risks to its objectives arising from those requirements and is able to take informed decisions in accordance with its risk profile. Based on the (risk) priorities established with the risk assessment exercise, the second step of a compliance program to any Country Anti-Bribery Law (OECD Convention based) requirements will be focused on the risk treatment options and the subsequent efforts. Here again the ISO 31000 standard may support this phase of the risk management process: of course, the more accurate the risk profile, the better the risk treatment options will be evaluated and approached. Another common requirement of a compliance program to any Country Anti-Bribery Law (OECD Convention based) is the capability of that compliance program to ensure on a continuous basis its (design) adequacy and effectiveness. Again, the ISO 31000 standard provides specific guidance on the monitoring and review phase both at process and at framework level, according to the continuous improvement approach (plan-do-check-act cycle) widely adopted by ISO standards.

Taking again the example of the Italian Anti-Bribery Law (OECD Convention based), the table below reports the main components of a compliance program (generally called “231 Model”) to those requirements, with the references to the ISO 31000 standard differentiated among its three pillars (principles, framework and process):

Table 1 – Compliance program (“231 Model”) to the Italian Anti-Bribery Act (Legislative Decree 231/2001) vs. ISO 31000:2009

231 Model | ISO 31000 Principles | ISO 31000 Framework | ISO 31000 Process
1. Assessment of the activities at risk of crime | a) Creates value; c) Part of decision making | – | Establishing the context (5.3); Risk assessment (5.4)
2. Internal controls analysis and improvement | b) Integral part of organisational processes; g) Tailored | – | Risk treatment (5.5)
3. Monitoring and review of the compliance program and of its provisions | j) Dynamic, iterative and responsive to change | – | Monitoring and review (5.6); Recording the risk management process (5.7)
4. Supervisory Board | – | Mandate and commitment (4.2); Monitoring and review of the framework (4.5); Continual improvement of the framework (4.6) | –
5. Flows of information to the Supervisory Board | i) Transparent and inclusive | – | Communication and consultation (5.2)
6. Disciplinary system | – | – | Risk treatment (5.5)

Some additional notes may be useful in explaining the relationships reported in the above table:

a. the 11 principles represent one of the three pillars of the ISO 31000 standard, and all of them have to be the basis of any risk management system, including in our example the “231 Model” (a specific risk management system focused on compliance with the requirements arising from the Italian Anti-Bribery Act). The above relationships are therefore only intended to put in greater evidence those principles that have a higher correlation with one of the 231 Model components. For example, the principle “a) Creates value” explicitly lists legal and regulatory compliance as one of the objectives that risk management contributes to achieving, in this way creating and protecting value for the company.
b. the framework, which is based on the 11 principles and in its turn is the basis of the risk management process, is here linked to the “Supervisory Board” component, on the assumption of a 231 Model already running and therefore previously designed (Design of framework for managing risk – 4.3) and implemented (Implementing risk management – 4.4), which is entrusted to the Supervisory Board for its review and monitoring activities as reported in the above association. Of course the scope of the framework is wider than that of the 231 Model, which is basically focused only on the risk of committing crimes that lead to corporate liability.
c. the risk management process according to the ISO 31000 includes in a very straightforward way the main process of a compliance program to the Italian Anti-Bribery Act requirements, with a key role assigned to the risk assessment (“risk identification”, “risk analysis” and “risk evaluation”), including the prior establishment of the (internal and external) context (5.3), as well as to the “monitoring and review” activities on one side and to the “communication and consultation” activities on the other. Finally, the ISO 31000 standard gives great attention to the requirement of recording the risk management process (5.7) to ensure traceability; in the above table this has been referred only to the review activities, as one of the key objectives of any audit activity is to acquire evidence to support opinions, including those to be released by the Supervisory Board on the (design and operating) effectiveness of the 231 Model and its provisions.
d. the “risk treatment”, which has a key role both for the ISO 31000 standard and for the Italian Anti-Bribery Act requirements, is in the table linked to the “Internal controls analysis and improvement” component of a compliance program, through which the company, in evaluating the different options (including the retention of the risk by an informed decision), “modifies” the risks it is facing (e.g. by preventing or reducing the likelihood of a crime being committed in the interest and/or to the benefit of the company). With a certain stretching, the disciplinary system (an essential component of the compliance program to the Italian Anti-Bribery Act requirements) is here also associated with the “risk treatment”, considering that the provision of disciplinary sanctions has itself a deterrent value and is therefore able to modify behaviours that may be potentially illegal or in any case at risk of crime.

Which benefits from the use of the ISO 31000 in approaching the Country Anti-Bribery (OECD Convention based) rules requirements?

We have demonstrated that it is possible to implement (if new) or critically review (if already implemented) a compliance program to any Country Anti-Bribery Act based on the ISO 31000:2009. However, are there any benefits that are valid for any compliance program? Among the possible benefits, it is possible to include the following:

1. Basing the compliance program on an international standard, which is in its turn based on the best practices available internationally in any sector and/or industry and has the intrinsic strength of an ISO standard, may be very useful especially in front of any (internal or external) party called to provide an opinion on the adequacy and/or effectiveness of that compliance program.
2. The integration of the compliance program into a wider risk management system, or even better into the company management system itself (through which decisions are really taken), is essential to ensure the effectiveness of such a compliance program (the most difficult requirement of any compliance program). One of the first objectives of the ISO 31000 is indeed to “integrate the process for managing risks into the organisation’s overall governance, strategy and planning, management, reporting processes, policies, values and culture” (see the Introduction to ISO 31000:2009).
3. The ISO 31000 standard is evolving continuously and, besides having been adopted as their own national risk management standard by the great majority of the most important countries, including the EU members (Germany, Great Britain, France, Italy, etc.), USA, Canada, Brazil, Japan, Russia, China, Australia, India, South Africa, etc. (http://g31000.org/national-standards-adopt-iso31000/), more and more consensus and application can be expected, as well as its further development and strengthening through additional publications and guidance (in this regard see the news on the meeting of the ISO committee ISO/TC 262, which has been in charge of the two publications “ISO Guide 73:2009 Risk management – Vocabulary” and “ISO 31000:2009 Risk management – Principles and guidelines”).