More on Compliance Certification–A Response to TRACE International

In a recent post, which built directly on a report from Transparency International USA, I raised some questions about the value of the compliance program “certifications” that certain private firms offer to provide.  (In a follow-up post, I also expressed even greater skepticism about current efforts to generate an International Organization for Standards (ISO) anti-bribery compliance program standard.) I won’t repeat everything in the original post here, but to summarize quickly: I expressed concern that “certifying” a compliance program (as distinct from reviewing and assessing it) could prove counterproductive because (1) the certification would not (or should not) be treated as significant by government enforcers or third parties, and (2) the certification might lead companies either to do too little or too much.

TRACE, one of the leading firms that offers compliance certification services (and also, through a separate but affiliated nonprofit, provides anti-bribery compliance support to member companies), has provided a thoughtful, thorough, and enlightening response to my post on the TRACE blog. The TRACE post takes issue with my criticisms, and also uses my post as an opportunity to “address head-on some common assumptions and misunderstandings that … surround anti-bribery certifications.”

I highly recommend that readers interested in this debate — which TI-USA deserves credit for kicking off — read TRACE’s post; I won’t try to summarize it here.  Let me say a few words about where I think we actually agree, then highlight what I think are the most significant points of disagreement, and then highlight one particularly intriguing aspect of the TRACE post that may deserve more extensive consideration.

First, let me highlight what I believe are points where TRACE and I are in full agreement:

  1. Outside review and evaluation of compliance programs, of the sort that TRACE and similar organizations provide, are useful, perhaps indispensable, for firms operating in challenging markets — particularly small & medium-sized enterprises (SMEs) that might not have the resources or expertise to develop and evaluate compliance programs internally. And review of a potential business partner’s compliance program should generally be part of the due diligence process.
  2. Although this sort of compliance review might will be treated as relevant by law enforcement agencies assessing a company’s good faith efforts to prevent bribery, a compliance “certification” will not and should not be treated by law enforcement as evidence that a company had an “adequate compliance program,” and no company should make the mistake of thinking that a compliance certification eliminates the need for ongoing monitoring, evaluation, and improvement of its compliance efforts.
  3. There is no “one size fits all” approach to compliance, and so any good compliance program — and any good compliance certification — would have to be sensitive to the particular needs and circumstances of the particular company.

Despite agreeing (I think) on those major points, our perspectives diverge with respect to two issues: (1) the value of the public certification (as distinct from the review and assessment that forms the basis for the certification), and (2) the desirability of promoting uniform standards for anti-bribery certification.  Let me say a few words about each:

  • With respect to the first point, it’s important again to emphasize the distinction between the consulting/advisory services that TRACE and similar firms provide (and which TRACE’s post nicely summarizes) and the “gold star” of public certification.  (I’m also distinguishing, and mostly putting aside, due diligence performed on an individual potential business partner in connection with a particular transaction.)  As I noted above, I’m 100% in favor of the former.  The question is, if you provide those evaluation and advisory services, what additional purpose is served by the gold star?  Indeed, mightn’t the gold star — the public certification — prove counterproductive, for some of the reasons I sketched in my original post? After all, although TRACE is careful to warn that its certification “does not mean that the company is problem-free,” there is always the concern that this qualifier will get lost in practice. It its post, TRACE observes that certification skeptics “all too often obsess over the word ‘certification’ … [which] seems duplicitous, adding a pretense of certainty in an uncertain world.”  That’s very well put — better than I put it myself in the original post.  TRACE goes on to say that critics should “focus[] less on the form of the word and more on the substance of the review.” Well, maybe… but it’s the certification companies that are using the word!  It’s precisely the word — and its connotations of certainty (same etymologic root, after all) — that the skeptics are worried about.
  • As to the second point: TRACE is one of the most reputable firms out there, and I don’t doubt that its approach — nicely summarized in its post — is rigorous and appropriately-tailored to individual country circumstances.  But as the TI-USA report pointed out, there’s a great deal of variation in the methods that different certification firms use, and not always as much transparency.  One way to address this is through the creation of a uniform certification standard, like the ISO standard mentioned above. In its blog post TRACE endorses that effort at standardization, describing itself as “heavily committed to efforts aimed at standardizing anti-bribery certifications.” Here is where I find myself in sharpest disagreement with TRACE (and the ISO) — I won’t go into details, since I’ve already explained my skepticism about the ISO anti-bribery standard in one of my earlier posts, except to say that I think this sort of standardization will cause more problems than it solves. I very much hope that TRACE (or other supporters of the proposed ISO standard) will respond to that post directly if and when they have an opportunity to do so.  For now, suffice it to say that I fear that much of the nuance and context-sensitivity that TRACE rightly advertises as hallmarks of its own certification program may be lost in the creation of a uniform international standard, to be applied by any number of auditors.

Before closing, let me call attention to one aspect of TRACE’s post that intrigued me, and that I need to give much more thought. In formulating my original reasons for skepticism about anti-bribery certifications, I had assumed that the main audiences for such certifications would be: (1) law enforcement agencies, and (2) other non-corrupt companies or individuals who may want to do business with the company undergoing certification — and who want assurance that the company will not get itself and its partners into bribery trouble. (That is, the certification would be a substitute for individualized due diligence).  But the TRACE post identifies another audience for the public certification: corrupt public officials. The idea, as their post explains, is that the certification is a way for companies to signal that they will not pay bribes, which in turn helps them resist bribe demands — and this is all the more effective when a large number of firms in the relevant market acquire such certifications. This argument is worth quoting in full here:

“Conspicuous certifications backed by internationally-recognized organizations like TRACE are tangible tools that SMEs can proudly display on their websites, in their offices or on the back of their contracts — and often do — to show that they will not acquiesce to bribe demands. It is an open, public display that they are committed to responsible business dealings and provides a solid foundation (policies, training, etc.) with which to resist government graft. Certification also builds strength in numbers. It allows SME to take matters into their own hands to create a better business environment for themselves.”

I’m not sure what I think of this argument yet — I need to reflect on it a bit more.  It’s not obvious to me that it’s right, but it’s certainly plausible.  The question remains whether a certification of this sort is really an effective way to credibly signal willingness to resist bribe demands.  That’s an empirical question, but I doubt if there’s much hard data.  I’ll mull further, and perhaps post some more later if I come up with anything useful to say.

One thought on “More on Compliance Certification–A Response to TRACE International

  1. Hi Mathew,

    I just came across this blog post while researching Trace’s certification of Unaoil. Your post more than highlighted the challenges Trace is now facing to exonerate its self. In retrospect, it is surprising that no one saw the potential problems such certifications create as we now note with the Unaoil case.

    Thanks for sharing your thoughts. I will look up the earlier post you referred to.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s