We don’t know what will happen with ISO 37001. Will it flourish and become a global standard, or will it languish? But there is certainly room to improve what we have been given. The following are suggested possible changes to address the concerns raised by ISO 37001.
1. Test reading comprehension. Conduct a reading-comprehension test/analysis to determine the Standard's reading level.
2. Edit. Retain a top-notch editor, and rewrite the Standard to eliminate unnecessary duplication and excess verbiage. Replace unnecessarily complex language with simpler and more understandable language, in conversational style.
3. Unnecessary definitions. Eliminate all definitions that are not essential to the Standard. Do not define the obvious.
4. Replace certification. Replace certification with a process for obtaining reviews of compliance programs. Reports can indicate relative strengths and weaknesses in compliance programs, but without a “pass-fail” result.
5. Clarify scope of reviews. Clarify that reviews look at three levels of analysis: The design of the program, its implementation and its impact/effectiveness.
6. Deeper reviews. Make clear that in reviews there must be transaction testing, field reviews, and interviews with employees selected by the reviewer.
7. Reviewer access. Specify that the reviewer must have free access to all facilities, all documents, and all people at all levels of the business, without the reviewed company having control. Company representatives may not control interviews or require that they participate in them.
8. Quality control. Arrange more quality control on reviews of company compliance programs.
9. Reviewer selection. Reviewers should be selected by ISO or another neutral party, not the company being reviewed.
10. Central database. Maintain a central database of companies that have been reviewed, indicating what entity conducted the review, and what parts of a company were reviewed/omitted from the review.
11. Free access. Make ISO 37001 available to all online, for free. Cover expenses through the review process: companies conducting ISO-approved reviews would pay ISO a license fee.
12. Integrate the Annex. Integrate the Annex more closely into the Standard, e.g. by providing a presumption that steps set out in the Annex would meet the Standard.
13. Move Annex requirements. Move from the Annex to the Standard all references to things that “should” be done and more of the practical guidance.
14. Ethics. Integrate the introduction’s emphasis on ethics and values into the text of the Standard.
15. CECO. Provide specifically that the Compliance Function must be led by a top manager (e.g. Chief Ethics and Compliance Officer, CECO).
16. CECO reporting. Revise 9.4 to add language from A.6.3 and clarify that the compliance officer's reporting to the highest governing authority must be in person and not subject to anyone else's control or censorship. Add to 5.1.1 that the board requires the CECO to report to the board in person and to have access to the board as needed.
17. Independence. Revise A.6.2 d) to clarify that “independence” means not being under another person’s control.
18. Effectiveness. Delete the definition of “effectiveness” in 3.9.
19. Planned frequencies. Modify the reference to “planned” frequencies of activities so that planning must match the degree of risk and be at least as often as industry practice.
20. Industry practice. Provide that programs should be at least as good as industry practice.
21. Internal programs. Permit outsourcing of only some compliance program elements, and delete “all” from the reference.
22. Board controls CECO. Add to 5.1.1 that the board controls the role and treatment of the CECO.
23. Managers' failures. Provide for discipline of managers for failure to take reasonable steps to prevent and detect violations.
24. Program evaluations. Provide more detail and examples on how to evaluate compliance programs.
25. Preventing retaliation. Revise item 220.127.116.11 d) to provide guidance on what would constitute protective procedures against retaliation.
26. Scope of retaliation. Revise item 8.9 d) to bar retaliation against those engaged in the full range of compliance program activities.
27. Board training. Revise A.9.3 to clarify that governing authority/board training is required.
28. 3rd party programs. Modify A.13.3.6 to replace “requesting copies of its relevant policies” with “requesting the opportunity to talk with the third party’s compliance officer.”
29. Controls that don’t help. In the Annex’s coverage of third parties not controlled by the company, delete the reference to not requiring controls if they “would not help mitigate the relevant risk” and rely on existing references to controls that are appropriate.
30. Lacking resources. Delete from the Annex item A.13.3.3 c) that says “It will normally not be practicable when the business associate lacks the resources or expertise to be able to implement controls.”
31. Risk appetite. Delete from A.4.1 in the Annex the buzzword “risk appetite.”
32. Financial & internal controls. Shift the detail on financial controls and internal controls from the Annex to the Standard.
33. Communications. For the coverage of “communications” include more current examples in the Annex such as apps, social networks and other technological tools.
34. “Non-conformity.” Replace the antiseptic word “non-conformity” with the more compelling word “violations.”
35. Monitoring. Add to Annex A.19 specific examples of how monitoring can be done and how it differs from auditing.
36. Investigation confidentiality. Revise 8.10 f) to recognize that confidentiality is limited by the need to conduct an investigation, and note that disclosure may be required by law or by legal process, and voluntary disclosure of violations to the government may also necessitate yielding of confidentiality.
37. Investigation reports. Revise A.18.7 to require that investigation results be reported to the highest governing authority, not just top management.
38. Bibliography. Add to the bibliography the major sources that formed the compliance field, including the US Sentencing Guidelines and the DOJ/SEC Guide on the FCPA.
39. 3rd party diligence. If certification is retained, provide that third party due diligence for any entity with ISO 37001 certification includes review of the underlying certification review report and background papers.
40. Reviewer independence. Specify that an entity (including all affiliates) conducting a review for a company must be independent from that company and may not have done any work relating to that company’s compliance program for years before, and will also not conduct any such work for years afterward, to avoid conflicts of interest.
41. Program integration. Add a statement that anti-corruption programs are more effective if integrated with the overall compliance framework.
42. Participation. For future drafting, include representatives from enforcement agencies with experience in this area, and minimize representation from those whose only connection is familiarity with other ISO standards and the traditional certification process.
43. Alternatives. If ISO cannot do these things, then hand this project off to an organization that knows the bribery area and can be flexible enough to develop a more effective system.
44. Needed reforms. Urge reforms of the legal system, so compliance work is protected and not used against companies, e.g., misapplication of GDPR to undercut key tools such as helplines, and use of review reports against companies. See Joseph E. Murphy, Policies in conflict: Undermining corporate self-policing, 69 Rutgers U.L. Rev. 421 (2017).
* * *
Joe Murphy is a Certified Compliance and Ethics Professional and author of 501 Ideas for Your Compliance and Ethics Program: Lessons from 30 Years of Practice (SCCE; 2008) and A Compliance & Ethics Program on a Dollar a Day. He has worked in the compliance field for over 40 years.