One question I often get is my views on ISO 37001 (the “Anti-bribery management system – Requirements with guidance for use”, published October 15, 2016) and/or certification programs in general. An associated question is how the Department of Justice (DoJ) views such certifications.
On the second question, Dan Kahn, the Chief of the FCPA Unit in the Fraud Section of DoJ’s Criminal Division, has been very consistent: prosecutors will not outsource their responsibilities. DoJ policies require prosecutors to assess companies’ compliance programs in evaluating charging decisions, and while certifications may be a point of reference, they cannot substitute for the prosecutors’ own inquiry and judgment.
My views on ISO 37001 and other certification programs fully support this position, and in fact question their validity even as a point of reference.
Let’s start with the ISO 37001 standard itself. The most fundamental flaw is that there is no statistical evidence to prove that the implementation of such a “management system” would be effective in actually reducing the instances of bribery. Let’s compare this with the World Health Organization’s (WHO) Surgical Safety Checklist. As the practitioners gathered in 2007 to discuss ways to reduce complications from surgery, they already had specific data from hospitals that had employed some form of surgical checklist: infection and complication rates before and at intervals after the introduction of such checklists. Next, the WHO working group conducted a pilot study in eight selected hospitals across different environments around the globe, tracking data of thousands of patients from three months before the introduction of the checklist to six months after. They scrubbed the data to distinguish causation from correlation. Only when the resulting data proved the improvement to be significant (36% drop in complication rate, 47% drop in death rate) was the checklist made public in January 2009.
Where are the statistics and pilot studies for ISO 37001?
Indeed, other than a token mention that “[t]he anti-bribery system objectives shall…be measurable (if applicable)” (Section 6.2(b), which also happens to be the only requirement in this section to carry a parenthetical “out”), nowhere else does the document mandate or even suggest that organizations should actually measure the effectiveness of their programs and actions.
For a one-page, 19-step, two-minute checklist, WHO can show data on the number of complications avoided and lives saved. For a 22-page document that requires too many steps to count and potentially millions of dollars and hours of investment, can ISO show data on how many bribes were prevented?
This is not so much a criticism of the standard itself – I simply do not know if it works – as it is of both an international organization’s willingness to publish a standard without any attempt to define, evaluate, measure, and test, and the compliance community’s willing acceptance of such an undefined, untested, and unproven standard.
= = = = =
Even if the standard had been proven to be effective, which it most definitely has not been, nor has it even pretended to be, certification is a whole different ball game altogether. The questions I always have when it comes to certifications are: who is doing the certification and how are they doing it?
The “who” question relates to the competency, experience, and judgment of those conducting the certification. Too often I have seen people ill-equipped to be conducting the types of evaluation and assessments they claim to be experts in conducting: a lack of substantive expertise, practical experience, common sense, and social intelligence are among the most common shortcomings. Having a big title or being a fancy firm does not make someone an expert assessor of E&C programs: having actual experience, common sense, social intelligence, and statistical discipline does.
The “how” question relates to the methodology used for the certification. Most of the prevailing certification programs on the market today rely on self-reported data and paper-based reviews of policies and procedures. I will not belabour how unreliable such reliance can be. Even if a certification goes beyond these sources, I would want to know what methodologies are used to measure and assess the different metrics and components of E&C programs, and how the reliability of these measurements and assessments has been tested.
There should be a third question: why? Why do organizations seek certification? In my experience, it is more often than not a public relations exercise. If there is no evidence a particular set of exercises is useful in actually achieving results, what is the value of saying you have done that set of exercises?
It’s time the E&C profession recognizes that we need evidence and data to back up our claims that our programs are accomplishing anything other than spending and bureaucracy.