One question I often get is my views on ISO 37001 (the “Anti-bribery management system – Requirements with guidance for use”, published October 15, 2016) and/or certification programs in general. An associated question is how does the Department of Justice (DoJ) view such certifications.
On the second question, Dan Kahn, the Chief of the FCPA Unit in the Fraud Section of DoJ’s Criminal Division, has been very consistent: prosecutors will not outsource their responsibilities. DoJ policies require prosecutors to assess companies’ compliance programs in evaluating charging decisions, and while certifications may be a point of reference, it cannot substitute the prosecutors’ own inquiry and judgment.
My views on ISO 37001 and other certification programs fully support such position, and in fact question their validity even as a point of reference.
Let’s start with ISO 37001 standard itself. The most fundamental flaw is that there is no statistical evidence to prove that the implementation of such a “management system” would be effective in actually reducing the instances of bribery. Let’s compare this with the World Health Organization’s (WHO) Surgical Safety Checklist. As the practitioners gathered in 2007 to discuss ways to reduce complications from surgery, they already had specific data from hospitals that had employed some form or surgical checklist: infection and complication rates before and at intervals after the introduction of such checklists. Next, the WHO working group conducted a pilot study in eight selected hospitals across different environments around the globe, tracking data of thousands of patients from three months before the introduction of the checklist to six months after. They scrubbed the data to distinguish causation from correlation. Only when the resulting data proves the improvement to be significant (36% drop in complication rate, 47% drop in death rate) was the checklist made public in January 2009.
Where are the statistics and pilot studies for ISO 37001?
Indeed, other than a token mention that “[t]he anti-bribery system objectives shall…be measurable (if applicable)” (Section 6.2(b), which also happens to be the only requirement in this section to carry a parenthetical “out”), nowhere else does the document mandates or even suggests that organizations should actually measure the effectiveness of their programs and actions.
For a one-page, 19-step, two-minute checklist, WHO can show data of numbers of complications avoided and lives saved. For a 22-page document that requires too many steps to count and potentially millions of dollars and hours of investment, can ISO show data on how many bribes prevented?
This is not so much a criticism of the standard itself – I simply do not know if it works – as it is of both an international organization’s willingness to publish a standard without any attempt to define, evaluate, measure, and test, and the compliance community’s willing acceptance of such undefined, untested, and unproven standard.
= = = = =
Even if the standard had been proven to be effective, which it most definitely has not or even pretended to, certification is a whole different ball game altogether. The questions I always have when it comes to certifications are: who is doing the certification and how are they doing it?
The “who” questions relate to the competency, experience, and judgment of those conducting the certification. Too often I have seen people ill-equipped to be conducting the types of evaluation and assessments they claim to be experts in conducting: lacking substantive expertise, practical experience, common sense, social intelligence are among the most common. Having a big title or being a fancy firm does not make someone an expert assessor of E&C programs: having actual experience, common sense, social intelligence, and statistical discipline does.
The “how” question relates to the methodology used for the certification. Most of the prevailing certification programs on the market today rely on self-reported data and paper-based reviews of policies and procedures. I will not belabour how unreliable such reliance can be. Even if a certification goes beyond these sources, I would want to know what methodologies are used to measure and assess the different metrics and components of E&C programs, and how the reliability of these measurements and assessments have been tested.
There should be a third question: why? Why do organizations seek certification? In my experience, it is more often than not a public relations exercise. If there is no evidence a particular set of exercises is useful in actually achieving results, what is the value of saying you have done that set of exercises?
=====
It’s time the E&C profession recognizes that we need evidence and data to backup our claims that our programs are accomplishing anything other than spending and bureaucracy.
Hui Chen Ethics 
Your call for a more evidence-based approach is compelling, but why single out ISO 37001? Does your argument similarly apply to regulatory E&C standards and guidance documents? If not, why?
LikeLike
I believe in scientific rigor across the board. ISO 37001 is being used an example as it is a significant international undertaking, and this month is its first year anniversary.
LikeLike
The purpose of ISO 37001 is not to provide a foolproof blueprint to prevent bribery: it’s purpose is to provide a standard, against which, an organisation’s anti-bribery management can be assessed and certified. The same is true of other management system standards such as ISO 9001, ISO 14001, OHSAS 18001, ISO/IEC 27001 and ISO 22301. The standard has be applicable to differing legislation around the world and its companion auditing standard ISO/IEC TS 17021-9 is important in ensuring this. The views of the DoJ (and SEC, the UK SFO etc.) are irrelevant; it is not for them. The compliance community will have no choice over whether to accept ISO 37001 or not. Its future will be decided by the actual end users of all management system standards, namely procurement departments. These are staffed by people who know about procurement but individually know little or nothing about all of quality, environmental, information security and anti-bribery management and compliance etc. Certification provides a cost efficient method to preselect potential suppliers. If procurers decide to start requiring ISO 37001 certification, companies will have to achieve it. Companies achieving ISO 37001 certification now are simply hedging their bets that it will be beneficial to them.
LikeLike
Hi Anthony, interesting reply… I’ll be honest – I had to re-read your post several times because there’s a lot being said and going on and it seemed to me you’re arguing points against the post yet within your critique make statements which support the post… let me try to explain:
First and foremost, I am trying to reconcile your lead-in statement against what ISO has documented on their website, which states, 37001 is “…designed to help an organization to PREVENT, detect and respond to bribery…” If there is no concrete data to support the effectiveness of this standard in assisting an organization in preventing bribery then on what basis can anyone assess and measure for certification? I believe that was part of Hui’s argument. The WHO checklist served as a great analogy in that it was only released for adoption after meaningful (and measurable) data was available to support.
I can’t speak to the other ISOs but my understanding of IS9001 is that its history actually ties back to government procurement standards – namely defense contracts. If that’s the case then I feel its a little bit ‘apples and oranges’ since there is a tie-in to actual government practices so one can make the argument that yes, the views of the government are actually relevant for that standard, where as 37001 isn’t similarly as grounded.
Your statement of DoJ’s view are irrelevant and companies are hedging their bets – I feel you’re somewhat arguing Hui’s points for her. Remember, companies are going to them (not the other way around) asking the DoJ whether obtaining such certification could be viewed favorably in reducing penalties associated with FCPA charges. It would seem your points here would be better suited to companies, rather than the DoJ itself.
Your statements re: procurement being end users is interesting in that similar to compliance, I view procurement as as a function responsible for supporting and even empowering the end-users… not taking ownership or responsibility of their actions/intentions. I interpreted what you wrote as implying procurement somehow defines the business needs and requirements rather than saying procurement asks this of end users and assists them by effectively and efficiently going out to find vendors that suit their needs within the context of company procurement practices.
Regardless of the above, I feel we all somewhat land on the same conclusion, which is companies are hedging their bets that it will be beneficial. I would simply make the distinction that the only ‘hedging’ at this very moment companies are attempting to do would be around DoJ enforcement penalties and public perception. IFF IS37001 truly did assist companies prevent bribery then they wouldn’t need to explain themselves. It would simply be the right thing to do. But the fact that there is no concrete data (at least at this very moment) to support benefits to the company itself, the only angle left to play is external facing perception. Wouldn’t you agree?
LikeLike
Excellent points made. I thought the medical analogy was very interesting. In the first course at Harvard on Corruption Control we were given a paper on epidemiology to read as background in relation to thinking about strategies for addressing corruption in industries, a city or a country.
I would think that there is in fact a lot of data in the public domain about the effectiveness of various anti corruption strategies and tactics. The work done in relation to the reform of the NYPD was also part of our reading during that course. There did seem to be some very interesting points made in relation to criminology and the psychology at work in the minds of perpetrators, collaborators and victims. In Hong Kong the ICAC has a lot of experience in community outreach and in targeting various fact patterns and industries. They do publish quite a bit of material to assist firms design corruption control programs. I am sure that other national enforcement agencies have similar initiatives.
Thanks for the blog, very interesting.
LikeLike
What alternatives to the ISO 37001 do you think companies can ask to their providers?
LikeLike
The single most important way to manage providers for compliance is active ongoing monitoring of the relationship and transactions.
LikeLike