Testing ISO 37001

By Hui Chen

Hui Chen ( www.HuiChenEthics.com) was the Justice Department’s first-ever compliance counsel expert before leaving in June to start her own private compliance consulting service. Before she joined the DOJ, Hui served in global senior compliance lead positions at Microsoft, Pfizer, and Standard Chartered Bank.

In October 2016, the International Organization for Standardization (“ISO”) published ISO 37001: “Anti-Bribery Management Systems – Requirements with Guidance for Use.” This set of standards and guidance has received no shortage of attention in anti-bribery and corruption (“ABC”) circles. Of particular interest is the availability of certifications of a company’s ABC compliance program against the standard. What has not been sufficiently debated are questions relating to the transparency of its development process, the evidence of its effectiveness, and how it impacts the implementing organization as a whole.

ISO 37001 is an impressively multilateral project, involving 37 participating countries, 22 observing countries, and eight liaison organizations, including the OECD and Transparency International. I have not, however, seen much transparency as to what actual expertise was available, what interests had been represented, and how participants were compensated in the development process. There is a similar lack of transparency as to the methodology. ISO 37001 purports to “reflect[] international good practice.” How was a practice judged to be “good”—based on how many delegates liked/used it, or on empirical testing or data analytics? This lack of transparency for an anti-corruption standard seems ironic.

More importantly, there has been no empirical or statistical evidence to demonstrate that ISO 37001 is actually effective. Neill Stansbury, who led the ISO 37001 development committee, claims that “You cannot measure bribery prevention like vaccinations.” That statement contradicts years of prevention measurement work not just in public health, but in crime prevention (bribery is, after all, a crime). For starters, one could measure perception of a company’s commitment to ABC. Perception, as anyone who has ever cited Transparency International’s annual Corruption Perception Index would know, can be measured, at least in relative terms. Similarly, certain common indicators of potentially corrupt transactions can be identified and audited. Reporting and investigation data, too, provide measures of how and what employees report and responses to such reports. Training can be measured by testing employee performance on activities being trained. These are among many measurements that can be taken before and after implementation of a system to assess its effectiveness.

Finally, measurements must not stop at the ABC compliance system itself but need to be taken to assess the impact of the ABC system on the organization as a whole. Assuming resources are finite, an investment in one system represents a resource allocation choice that is likely to impact other parts of the organization. Is it possible that focus on an ABC compliance system comes at the cost of another type of compliance, or of other critical aspects of the company’s operations? Does the pursuit of an ABC compliance certification take resources and attention away from other equally important programs, or does it have a positive multiplier effect? To my knowledge, no such overall impact studies have been conducted to measure the effects of a specialized compliance system on the organization as a whole, yet I believe this information would be critical in determining the sustainability of any compliance system, as well as its value to the organization.

Why focus on ISO 37001? As many have rightly pointed out, none of the guidance issued by government agencies or by organizations such as the OECD has been empirically tested. “We have never done it before,” however, is a poor excuse to refuse the pursuit of evidence: the medical profession had been letting blood as a common treatment for centuries until evidence-based medicine began to challenge its validity. I believe ISO 37001 would be a good place to start the pursuit of evidence-based compliance because: (1) its development was multilateral, (2) it was preceded by decades of lessons learned and should have benefited from prior system data, and (3) it was published by an organization that began its work in manufacturing and technology, where data and empirical testing have proven their value. In other words, testing a compliance system with the ISO model is too good an opportunity to be wasted.

I can think of few scientific fields where standards with global applications would be rolled out with no empirical testing. I also would expect responsible business leaders to question any investment that has yet to evidence its value. It would be tremendously illuminating if we could implement a multi-year pilot study of ISO 37001, with a team representing expertise in forensic accounting, social psychology, statistics, and corporate compliance. The team would define a methodology and a set of metrics, apply them to five to ten organizations of varying sizes, industries, and geographies, and compare pre-implementation baseline measurements with post-certification measurements. The only thing we have to fear in such an exercise is finding out that our “good practices” might not live up to our expectations. If that should be the case, it would mean we can finally stop letting blood and focus on finding treatments that actually work. If they do work, we would then actually have evidence to show for it.