We don’t know what will happen with ISO 37001. Will it flourish and become a global standard, or will it languish? But there is certainly room to improve what we have been given. The following are suggested possible changes to address the concerns raised by ISO 37001.
1. Test reading comprehension. Conduct a reader comprehension test/analysis to determine what the reading level is.
3. Edit. Retain a top-notch editor, and rewrite the Standard to eliminate unnecessary duplication and excess verbiage. Replace unnecessarily complex language with simpler, more understandable language in a conversational style.
3. Unnecessary definitions. Eliminate all definitions that are not essential to the Standard. Do not define the obvious.
4. Replace certification. Replace certification with a process for obtaining reviews of compliance programs. Reports can indicate relative strengths and weaknesses in compliance programs, but without a “pass-fail” result.
5. Clarify scope of reviews. Clarify that reviews look at three levels of analysis: The design of the program, its implementation and its impact/effectiveness.
6. Deeper reviews. Make clear that in reviews there must be transaction testing, field reviews, and interviews with employees selected by the reviewer.
7. Reviewer access. Specify that the reviewer must have free access to all facilities, all documents, and all people at all levels of the business, without the reviewing company having control. Company representatives may not control or require that they participate in interviews.
8. Quality control. Arrange more quality control on reviews of company compliance programs.
9. Reviewer selection. Reviewers should be selected by ISO or another neutral party, not the company being reviewed.
10. Central database. Maintain a central database of companies that have been reviewed, indicating what entity conducted the review, and what parts of a company were reviewed/omitted from the review.
11. Free access. Make ISO 37001 available for all online, for free. Cover expenses through the review process. Companies conducting ISO approved reviews would pay ISO a license fee.
12. Integrate the Annex. Integrate the Annex more closely into the Standard, e.g. by providing a presumption that steps set out in the Annex would meet the Standard.
13. Move Annex requirements. Move from the Annex to the Standard all references to things that “should” be done and more of the practical guidance.
14. Ethics. Integrate the introduction’s emphasis on ethics and values into the text of the Standard.
15. CECO. Provide specifically that the Compliance Function must be led by a top manager (e.g. Chief Ethics and Compliance Officer, CECO).
16. CECO reporting. Revise 9.4 to add language from A.6.3 and clarify that the compliance officer’s reporting to the highest governing authority must be in person and not subject to anyone else’s control or censorship. Add to 5.1.1 that the board requires that the CECO report to the board in person and have access to the board as needed.
17. Independence. Revise A.6.2 d) to clarify that “independence” means not being under another person’s control.
18. Effectiveness. Delete the definition of “effectiveness” in 3.9.
19. Planned frequencies. Modify the reference to “planned” frequencies of activities so that planning must match the degree of risk and be at least as often as industry practice.
20. Industry practice. Provide that programs should be at least as good as industry practice.
21. Internal programs. Permit only outsourcing of some compliance program elements, and delete “all” from the reference.
22. Board controls CECO. Add to 5.1.1 that the board controls the role and treatment of the CECO.
23. Managers’ failures. Provide for discipline of managers for failure to take reasonable steps to prevent and detect violations.
24. Program evaluations. Provide more detail and examples on how to evaluate compliance programs.
25. Preventing retaliation. Revise item 220.127.116.11 d) to provide guidance on what would constitute protective procedures against retaliation.
26. Scope of retaliation. Revise item 8.9 d) to bar retaliation against those engaged in the full range of compliance program activities.
27. Board training. Revise A.9.3 to clarify that governing authority/board training is required.
28. 3rd party programs. Modify A.13.3.6 to replace “requesting copies of its relevant policies” with “requesting the opportunity to talk with the third party’s compliance officer.”
29. Controls that don’t help. In the Annex’s coverage of third parties not controlled by the company, delete the reference to not requiring controls if they “would not help mitigate the relevant risk” and rely on existing references to controls that are appropriate.
30. Lacking resources. Delete from the Annex item A.13.3.3 c) that says “It will normally not be practicable when the business associate lacks the resources or expertise to be able to implement controls.”
31. Risk appetite. Delete from A.4.1 in the Annex the buzzword “risk appetite.”
32. Financial & internal controls. Shift the detail on financial controls and internal controls from the Annex to the Standard.
33. Communications. For the coverage of “communications” include more current examples in the Annex such as apps, social networks and other technological tools.
34. “Non-conformity.” Replace the antiseptic word “non-conformity” with the more compelling word “violations.”
35. Monitoring. Add to Annex A.19 specific examples of how monitoring can be done and how it differs from auditing.
36. Investigation confidentiality. Revise 8.10 f) to recognize that confidentiality is limited by the need to conduct an investigation, and note that disclosure may be required by law or by legal process, and voluntary disclosure of violations to the government may also necessitate yielding of confidentiality.
37. Investigation reports. Revise A.18.7 to require that investigation results be reported to the highest governing authority, not just top management.
38. Bibliography. Add to the bibliography the major sources that formed the compliance field, including the US Sentencing Guidelines and the DOJ/SEC Guide on the FCPA.
39. 3rd party diligence. If certification is retained, provide that third party due diligence for any entity with ISO 37001 certification includes review of the underlying certification review report and background papers.
40. Reviewer independence. Specify that an entity (including all affiliates) conducting a review for a company must be independent from that company and may not have done any work relating to that company’s compliance program for years before, and will also not conduct any such work for years afterward, to avoid conflicts of interest.
41. Program integration. Add a statement that anti-corruption programs are more effective if integrated with the overall compliance framework.
42. Participation. For future drafting, include representatives from enforcement agencies with experience in this area, and minimize representation from those whose only connection is familiarity with other ISO standards and the traditional certification process.
43. Alternatives. If ISO cannot do these things, then hand this project off to an organization that knows the bribery area and can be flexible enough to develop a more effective system.
44. Needed reforms. Urge reforms of the legal system, so compliance work is protected and not used against companies, e.g., misapplication of GDPR to undercut key tools such as helplines, and use of review reports against companies. See Joseph E. Murphy, Policies in conflict: Undermining corporate self-policing, 69 Rutgers U.L. Rev. 421 (2017).
* * *
Joe Murphy is a Certified Compliance and Ethics Professional and author of 501 Ideas for Your Compliance and Ethics Program: Lessons from 30 Years of Practice (SCCE; 2008) and A Compliance & Ethics Program on a Dollar a Day. He has worked in the compliance field for over 40 years.
Many thanks for some of your comments (the specific ones that reference the ISO text). I'd certainly be happy for you to get involved with your national member body (ANSI) when improving the standard, adding your expertise to the large number of compliance and anti-bribery experts that worked on ISO 37001.
This is not the place to address each of Joe Murphy's 44 points. However, as Michael Kayser points out, these points could have been raised, and still can be, as the ISO procedure to develop standards is a very inclusive one that aims to reach a high degree of consensus. In the case of ISO 37001, the development of the standard took place in an international committee that involved some 140 experts from more than 50 countries and some 30 non-voting liaison representatives of other ISO committees or of non-member organizations interested in the standard.
In addition, all national ISO member bodies were consulted at various stages of the standard development. ISO national member bodies formed national working groups, so-called mirror committees, that provided the required expertise to provide comments. In the course of the three years that it took to develop the standard, several meetings were held in various locations to examine hundreds and hundreds of comments.
The international committee as well as the national mirror committees included many anti-bribery and compliance practitioners from many countries, including US experts who made, and still make, highly valuable contributions. ISO 37001 was not created out of the blue but built on these experts' wealth of experience to create a global standard that reflects good practices developed internationally over the last decades.
ISO 37001 is a so-called requirements standard, meaning that conformity with the standard can be reviewed and certified. ISO itself is not involved in certification. However, it has developed a framework to guarantee the impartiality and integrity of the certification process. Organizations need to be accredited by a national accreditation body (e.g. ANAB in the US) that will also monitor their compliance with the framework put in place by ISO and by the International Accreditation Forum (IAF). This framework addresses several of the points raised by Joe Murphy, including those related to the independence and competencies of the auditors involved in the certification process.
Accreditation is a serious process, and it has taken time for accreditation bodies to develop the capacity to conduct ISO 37001 accreditations and for candidates for certification to prepare themselves. For example, only two companies have recently (September 2018) been accredited in the UK and one in France, and 3 or 4 applicants await accreditation in Germany.
It is important for the public and for candidates for certification to understand that the integrity of the certification process is only independently guaranteed by accredited certifications. Neither ISO nor the accreditation bodies have the regulatory power to prevent private "certifications" by non-accredited organizations. However, the worth of these "certifications" rests entirely on the integrity of the auditing body itself. Candidates for certification should therefore be aware that third parties will not attach the same value to certification by a non-accredited certifier as to one by a properly accredited certifier.
Thank you for your suggestion, Michael. In my experience, each organization has its own organizational logic and culture, and its own ways of doing things. In that context there is an enormous inertial push toward doing things the way they have always been done. So while I have raised questions about specific language, I am also questioning other parts of the picture. To me, the beginning point should be: what is most effective in fighting the crime of bribery and corruption? So while I am happy to discuss this with anyone, including any nation’s ISO representatives, I think the discussion should be a broad and open one, without predetermined limits, in this forum and in others. In that respect there are some real concerns about this standard as a defining tool in the fight against bribery.
Looking just at the language, I will pull out one example that alarmed me. The Standard as it exists provides specifically that a company can outsource parts or all of its compliance function. Yet neither ISO 19600 nor the British predecessor to 37001 has such disturbing language allowing an entire program to be outsourced. I have difficulty understanding how people who were experts in either compliance or fighting bribery would have endorsed such language. In my posting here I suggest deleting the reference to “all,” but how could such a flaw have been included in the first place? It may well be that there were a “large number of compliance and anti-bribery experts” involved, but my experience with organizations teaches me that group behavior can lead to actions that no individual member of the group would have taken. Organizational logic can take hold that leads to misdirected results.
For anyone who would like to understand the rationale behind any of my suggestions, I have drafted a 50+ page analysis of ISO 37001 and its related processes. In this draft I examine the pros and cons related to this Standard. I am happy to email this to anyone, and am looking for any comments: both the positives and the concerns. I do believe there is value in at least some of what ISO is trying to do, but there also are some serious concerns, both as to the drafting details and as to the certification process.