My prior post for the FCPA Blog suggested that changes are needed to the ISO 37001 anti-bribery management system before countries, agencies, and companies move forward with large-scale adoption.
One of my suggestions in particular — that ISO replace certification with a process for obtaining reviews of compliance programs — attracted thoughtful opposing comments and some criticism.
I’d like to respond.
If well-known and respected ISO 37001 advocates such as Jean-Pierre Méan and Kristy Grant-Hart were doing all the reviews for certification, I might share their optimism about the value of ISO 37001 as currently proposed. But they are not, and I do not.
Take a look at the Transparency International map of world corruption. Essentially any one of those countries could do what Jean-Pierre described in his comment to my earlier post, and empower an entity that will then authorize reviewing houses that grant the full “certification.” This does not fill me with confidence.
Then consider that companies can freely shop for the entity that does their certification. This also does not fill me with confidence.
We should also be asking whether a simple, pass/fail system of “certification” makes sense or is a good idea. I have serious concerns about this. What will this do to the third-party due diligence process? Busy companies looking for third-party partners are not likely to delve into the details behind a company’s certification. This can easily become a box-checking exercise, where a third party need only have some basis for claiming “certification” to get a pass.
This system also sets up what is likely a losing fight against human nature. Once you give someone a pass under a pass/fail system, you are inviting them to celebrate the success and move on. After all, once you have passed, why do more? Sure, the technical language used by ISO says certified companies have to keep improving, but is it really likely that the same auditors who first gave the passing grade, and who are selected and paid by the company, are going to stand on principle and demand significant innovation when they have already found the compliance program to be passing?
There may also be confusion about how much of any large company has actually been certified. There will also be questions about how deep the review actually was. How deep was the testing? Were reviews based on any form of statistical sampling? Did the reviewers really have free license to examine anything in the business? And what about the cost of a truly deep review? My understanding of the reviews would lead me to recommend that any company looking for a third-party partner that claims to be certified request the full certification examination file, and not settle for a simple certification certificate or a short summary of the review. But will companies do this? I doubt it.
As for the number of committees and countries in the drafting process, I have been a student of organizational conduct too long to find much comfort in this. I do not know how many of the meetings any one of the participants actually attended, or what compromises were made to get buy-in, or whether the enforcement people who have most familiarity with the evils of bribery were included (although I have been told they were not).
But whatever the process might have been, all that matters is the product. And I find this troublesome. In my draft report I note some definite strong points, but also go into detail about the drafting weaknesses. It is informative to look at ISO 19600 and the predecessor British Standard; there were changes introduced to ISO 37001 that just made no sense. Yet I assume ISO 19600 and the British Standard also had expert input.
There is also the anomalous disconnect between the ISO 37001 Standard, where the drafting is particularly troublesome, and the Annex, which contains some excellent detail. Yet the Annex is stripped of any power by being limited as “illustrative” only. This is so, even though the Annex at key points speaks in compelling terms. I see far more signs of expertise in the Annex than I do in the Standard, but only the Standard matters.
Whatever the history, we are now dealing with ISO 37001 and need to decide whether it should be adopted by companies or made a part of public policy and play an important role in the crucial fight against bribery. All that matters to me is whether it helps in that fight, or should be improved for that purpose, or should be replaced with something more effective. We all have an interest in that debate.
Joe Murphy is a Certified Compliance and Ethics Professional and author of 501 Ideas for Your Compliance and Ethics Program: Lessons from 30 Years of Practice (SCCE; 2008) and A Compliance & Ethics Program on a Dollar a Day. He has worked in the compliance field for over 40 years.