By Joe Murphy, CCEP
A newly evolving approach to program evaluation is certification, particularly to meet an ISO standard. Most notably, ISO 37001 provides for certification of anti-corruption compliance programs. There is a great deal of controversy about this certification. Here I will touch on some of the questions that arise.
First there is the question of what standard is being used. ISO 37001 sets out one global standard for anti-bribery compliance programs, and this is the one that is subject to certification. It may also incorporate other relevant standards (e.g., if specific compliance program elements are required by applicable law, they would also have to be met to obtain ISO certification), but that would have to be determined in the certification process.
A second question is how an evaluation would be done. Does the review just look at the program’s design, or does it look at whether it is fully implemented? Most difficult is to determine how well it is actually operating – does the program actually have an effect? A company considering certification would have to look at this carefully, considering the language of ISO 37001 and what is supposed to be the scope of the review. There is also a question of what parts of larger companies are actually covered in a review and certification. The fact that a global company claims that it has ISO 37001 certification does not necessarily indicate which parts of the company were subject to this certification and which parts have not yet been reviewed.
A third question is who conducts the review. This could be a murky area. ISO has a process for designating what entities are qualified to conduct a review, but this is determined by ISO bodies in a broad list of countries; will all those qualified in these different countries operate at the same level of diligence? Moreover, there remains a question whether a company claiming it meets the ISO 37001 standards was actually reviewed by an entity that met the ISO qualification requirements. Could any entity conduct a verification review, even if not officially qualified? Again, companies will need to be careful in this area.
What happens after certification? Are companies now free to focus elsewhere, being done with their work on the compliance program? Will certification discourage innovation and further work? According to ISO’s rules, certification is good for 3 years, and each year there must be ongoing review. Companies can lose their certification if they aren’t walking the walk, and the ISO standard mandates continuous improvement and documented evidence of program needs evaluation to keep certification. But once a company has its certification, will it then nevertheless be difficult to convince management to do anything new or innovative? After all, once you pass the exam why keep studying and learning?
Given the uncertainties, why would a company pursue certification? There may be an element of prestige in this, being able to claim that one’s program is certified. There may be a hope that regulators and enforcement personnel will view certification as a positive step, indicating that the company’s management really does want to do the right thing. ISO makes no claim that certification renders a company bulletproof, but there remains the potential that certification will be considered by enforcers and courts.
But the most likely push will come from the marketplace. At least in the anti-corruption area, dealings with third parties create the highest compliance risks. It is typically necessary to conduct due diligence on third parties to ensure they are legitimate. How much better would it be if there were a system that made at least part of this determination for companies? Again, ISO does not claim that certification of one’s compliance program ensures compliance. But for a major company trying to ensure its supply chain does not get it into trouble, requiring ISO certification by its agents and other third parties may be a strong plus.
Thus the most likely impetus will be the marketplace. Companies will have an incentive to require certification of their agents and suppliers. Governments, too, may add this as a requirement for their procurement processes.
Will this work? Will it help fight bribery, or will it instead discourage innovation? Will it make dealing with third parties easier for companies, or will it mislead them? Will the certification process result in genuine program assessments, or will it be just a surface step?
This is a development well worth watching. But in any case, certification or not, companies need to keep evaluating their own programs and ensuring they meet the applicable standards. Most importantly, companies need to keep evaluating whether their compliance and ethics programs actually work.
For 40 years, Joe Murphy, CCEP, has been a tireless champion of compliance and ethics in organizations and has done compliance work on six continents. Joe has published over 100 articles and given over 200 presentations in 19 countries. Joe is author of 501 Ideas for Your Compliance & Ethics Program and A Compliance & Ethics Program on a Dollar a Day. He is a Certified Compliance & Ethics Professional and editor of the SCCE magazine, Compliance & Ethics Professional. Joe was named one of The National Law Journal’s 50 Governance, Risk and Compliance Trailblazers and Pioneers 2014 and was a recipient of the SCCE Compliance and Ethics Award. He can be reached at firstname.lastname@example.org.