What follows is the beginning summary portion of the paper I wrote analyzing ISO 37001. The full paper is available here.
I. Executive summary: Key points in this review
The promulgation of the ISO standard for anti-bribery management systems, ISO 37001, is undoubtedly a major development in the compliance and ethics field relating to the fight against bribery. It has, however, generated a considerable amount of controversy. The following analysis of ISO 37001 is offered to shed light on this topic.
These are the key points covered in this review:
a. Certification. Organizations can have their anti-bribery programs certified under ISO 37001. Certification may be the raison d’être for the Standard, but it raises some real concerns.
- First, the Standard may be too general to permit meaningful certification.
- Second, once a company has achieved certification, it has an implicit incentive to backslide. Surveillance reviews are required, but will they be effective checks against backsliding?
- Third, there is a question about quality control. Is there sampling of the certification work sufficient to determine that no one is gaming the system?
- Fourth, there is an inherent conflict of interest in having companies select their own certifier. This could invite a race to the bottom using the least expensive supplier.
- Fifth, certification can invite atrophy and failure to innovate.
- Sixth, there may be confusion about whether a company has actually been certified. Some may be certified by a reviewer that lacks credentials issued in accordance with the processes established by ISO. Moreover, each nation has its own ISO member organization that can also issue credentials, so while it might be difficult for a reviewer to obtain credentials in the UK or the US, other countries could give reviewers the necessary credentials even where they are not truly merited. There is no central database listing 1) what entities a national ISO authority has authorized to grant accreditation, 2) what organizations have been legitimately certified, or 3) who conducted the certification for those organizations.
- Seventh, it may be unclear what the fact of certification signals about a company’s anti-bribery management system.
- On the positive side, a valid certification program could lead more companies to embrace compliance efforts, and move this effort down their supply chains. In some environments a company’s having this certification might also signal to potential bribe seekers not to expect a bribe from that company, but to approach easier prey instead.
- The review and certification process can act as a catalyst to mobilize management to take steps to improve the program. While all may support a program in concept, it is important to get managers actually engaged in implementing appropriate steps. A review deadline can help enormously in this respect.
- The certification process can also build positive team spirit for the compliance effort. Working together to prevent future problems can be a challenging effort, because there is no immediate reward. But working to achieve certification is goal-oriented, with a visible, positive result. Managers can see themselves as part of a team driving toward a specific goal.
b. Standards as a revenue source. Access to ISO 37001 must usually be purchased. It is the only anti-bribery standard for which one has to spend money to obtain access. This restriction could severely limit access, make it less likely that copies are widely available within companies, impose a cost on small businesses that are already fighting to control expenses, and possibly thwart public analysis and commentary.
c. Drafting. There are serious questions about the quality of the Standard’s drafting. This may be behind some of the angry resistance to the Standard. In key areas where guidance is needed, readers may walk away unsatisfied.
d. The Annex. The guidance in the Annex is useful, but may be ignored because it is only “illustrative.” The drafters failed to integrate the Annex properly with the Standard and the certification process.
e. Management. The Standard does an enormous service by emphasizing that compliance is about effective management steps. Compliance is not policies and preaching; it is about all the types of management steps spelled out in ISO 37001 (and in other standards). The Standard also, at least arguably, provides a “common language” for communications about anti-bribery compliance programs globally.
f. CECO. Compliance programs will live or die based on the empowerment and independence of the Chief Ethics and Compliance Officer (CECO). The Standard has some words intended to help, but misses a crucial point which may cause it to fall well short in this crucial mission.
g. Evaluation. The definition used for “effectiveness,” one of the most important elements in any compliance standard, also raises serious questions.
h. Industry practice. An important missing piece is any reference to industry practice, or the need to keep up with innovations in the field.
i. No in-house program. The Standard would permit organizations to outsource the entire compliance program.
j. Third parties. The Standard does a superior job of emphasizing the role of third parties. However, if companies indiscriminately accept ISO certification from third parties, instead of doing appropriate due diligence, the result could be a step backward.
k. Other points. A number of other points throughout the Standard either call for improvement or represent strong positive elements.
The full paper is available here.