More on Compliance Program Certification/Verification: The Proposed ISO Standard

My last post, inspired by Transparency International USA’s recent publication of a report on verifying the effectiveness of corporate anti-bribery programs, talked a bit about the emergence of a set of private firms that provide “certifications” for such programs. I expressed some skepticism about the value of these certification services. Some of my concerns — also expressed in the TI-USA report — had to do with the opacity and apparent inconsistency of the methodology that certification firms employ. One possible response to this concern might be to develop an “official” international standard for anti-bribery compliance, and to provide certification that firms meet that standard.

Such an effort is already underway, through an organization called the International Organization for Standardization (ISO), a consortium of national (generally private) standard-setting bodies in 163 different countries. Traditionally, the ISO promulgates international standards with respect to quality control, safety, and technical compatibility. External auditing firms then provide certifications that a firm meets the ISO standard(s) in the relevant areas. The ISO is now already in the process of developing an ISO standard (ISO 37001) for anti-bribery programs — which would be the first ISO standard to deal with a topic like bribery. The draft standard is supposed to be available for public comment by 2015.

Before proceeding further, I should disclose that I’ve been involved — very marginally — in the U.S. Technical Assistance Group that’s supposed to provide commentary on this developing standard. (Basically, I’ve listened in on a few phone calls and seen a few documents circulated to the group.) So I need to be careful what I say on this subject, so as not to disclose anything confidential. I actually think there’s little risk of that, because what I really want to do in this post is not to focus on specific features of the proposed standard, but rather to raise questions about the whole enterprise. The more I think about it, the less justification I can imagine for promulgating an international standard like this. Indeed, it strikes me as entirely the wrong way to go about promoting the very worthy cause of improved corporate anti-bribery compliance programs.

Why do I say this? A few reasons, but here’s the big one: if there’s one thing virtually everyone who works in this field seems to agree on, it’s that there’s no “one-size-fits-all” approach to anti-bribery compliance. The right approach depends on particular features of the company in question: its size, culture, line of business, countries of operation, etc. So a “check-the-box” approach to compliance is not likely to be appropriate. Now, of course one could make the standard flexible — and indeed, the British Standards Institute, which promulgated the UK anti-bribery standard (BS 10500) on which the ISO project is based, claims that its standard can be tailored to the size of an organization and its risk profile. But if that’s really true, then it’s not clear we’ve really achieved “standardization” at all, especially when compliance with the standard will in practice turn much more on the subjective judgment of the individual auditor than on any objective criteria. The TI-USA report makes essentially the same point, using cautious, mild language:

It will be particularly challenging to develop an effective standard in a field where objective metrics are hard to define. Additionally, anti-corruption programs must be risk-based and therefore the program and its implementation will vary from company to company. Much of the implementation of an anti-corruption program has to be judged on a qualitative basis, rather than a quantitative one, so it is difficult to envision quantifiable metrics.

TI-USA, of course, is participating in the ISO process and has every incentive to make it work, so they say this a bit more politely than I would have. Here’s what my version would have looked like:

It will be ~~particularly challenging~~ impossible to develop an effective standard in a field where objective metrics are ~~hard to define~~ generally unavailable. Additionally, anti-corruption programs must be risk-based and therefore the program and its implementation will vary from company to company. Much of the implementation of an anti-corruption program has to be judged on a qualitative basis, rather than a quantitative one, so ~~it is difficult to envision~~ valid and reliable quantifiable metrics do not exist. And therefore this whole exercise is a misguided waste of time and resources, which benefits only the private organizations (including the standards-setting organizations themselves) that sell the certification services.

This relates to the point I tried to make in my last post, about certification more generally: even if we put aside, or solve, the problems related to inconsistency and lack of transparency, the whole enterprise is likely to prove wasteful at best, and counterproductive at worst. There’s a good chance these certifications will be ignored by government regulators and other market participants, in which case the whole exercise will be pointless. If the certifications are not ignored, then things might be even worse: The ISO certification process might demand too little of firms (making it possible to get the ISO gold star with only a “paper program”) or it might demand too much (with rigid outside auditors insisting on features that the company does not need, given its risk profile). And why do we need this? Why not do what we have been doing — use a combination of the threat of legal liability and the promotion of ethical business norms to encourage a better compliance culture, without trying to reduce everything to a single international standard?

When I’ve raised concerns of this sort to people in the anticorruption and compliance world (at anticorruption NGOs, at private compliance consulting shops, and in the business community), I tend to get the same answer: a sigh, a shrug, and the statement, “Yes, but the train has already left the station.” Meaning: we’re going to get an ISO anti-bribery standard by the end of next year, so at this point the best we can hope for is to make it as good as it can possibly be. I certainly can’t fault that response — it’s entirely reasonable under the circumstances. But would it be too much to ask everyone involved in this process to take a deep breath, take a step back, and ask why exactly we’re doing this in the first place? At the very least, couldn’t we wait a few years until there’s been a bit more experience in the UK with the British standard, to see if it’s actually doing anything useful, before charging ahead with a global version? Just asking.
